Transborder data flows are among the most significant and complex issues in the privacy profession at the moment. As the U.S. and EU work to finalize the highly anticipated Trans-Atlantic Data Privacy Framework, an announcement involving the other side of the North American continent aims to help mitigate some global complexity and promote data flows with privacy protections.  Calling it "a historic moment for international cooperation in the digital sector," U.S. Department of Commerce Secreta... Read More

The state of EU-U.S. data flows has unquestionably been the most talked about issue among data privacy professionals since the invalidation of EU-U.S. Privacy Shield. Despite excitement around the recent agreement in principle to stabilize data flows, remarks from involved parties at the IAPP Global Privacy Summit 2022 indicate the finish line is in sight but not quite on the immediate horizon. The political agreement announced by EU-U.S. officials March 25 for the Trans-Atlantic Data Privacy F... Read More

The European Commission has confirmed it will develop a supplemental set of standard contractual clauses to cover data transfers to data importers already subject to the EU General Data Protection Regulation. The confirmation appears in the minutes of the Sept. 14, 2021, European Data Protection Board meeting, where it discussed the upcoming EDPB guidelines on the interplay between Article 3 GDPR (on scope) and Chapter V (on data transfers). This announcement is a change in course for the EC. W... Read More

The European Commission’s release of updated standard contractual clauses and the European Data Protection Board’s recommendations on supplemental measures bring both welcome clarity and new challenges for companies transferring data from the European Union to the United States. On the positive side, the updated SCCs, which reflect the realities of the EU General Data Protection Regulation, are designed to be more flexible and their modular design makes them easier to use. They can be used for p... Read More

An unexpected impact of the Court of Justice of the European Union’s “Schrems II” decision is the confusion between the EU General Data Protection Regulation’s Article 45 and Article 46 assessments. There is a distinction between assessing the adequacy of a third country’s laws and assessing impediments in a third country to enforce contracts, Indicium Senior Strategist Lynn Goldstein, CIPP/US, writes. Defining key discrepancies, Goldstein offers a primer to ensure regulations are followed and d... Read More

As the one-year anniversary of the Court of Justice of the European Union's "Schrems II" decision approaches, the privacy industry has seen a wave of developments on international data transfers. The European Commission adopted new standard contractual clauses. The European Data Protection Board issued its recommendations on supplementary measures for data transfers and the commission adopted a pair of adequacy decisions for the U.K. All of these events took place within the last month, if you... Read More

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.” Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. I... Read More

The Asia-Pacific Economic Cooperation approved the first U.S.-based nonprofit Accountability Agent in the APEC privacy certification systems. Following its approval by a joint oversight board and the 21 APEC economies, BBB National Programs announced it becomes one of seven worldwide recognized Accountability Agents in the APEC Cross Border Privacy Rules and Privacy Recognition for Processors systems. The nonprofit will work one-on-one with companies of all sizes doing business in the 21 econom... Read More

The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S. APEC has announced that certification firm Schellman & Company is the newest CBPR Accountability Agent in the U.S. following approval from a joint oversight panel. Accountability Agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place. Schellman joins TrustArc subsidiary TRUSTe as the only U.S.-b... Read More

Australia and Chinese Taipei have become the latest economies to join the Asia-Pacific Economic Cooperation's Cross-Border Privacy Rules System. Both officially joined as of Nov. 23, when APEC's Electronic Commerce Steering Group Joint Oversight Panel put forward its final findings report. The CBPR system is a voluntary, accountability-based framework that serves to facilitate data flows across the APEC region. As members of the CBPR system, Australia and Chinese Taipei join the U.S., Mexico, Ja... Read More

Much of the privacy world is still focused on Europe and the implications of the EU General Data Protection Regulation (and eventually, the ePrivacy Regulation) for digital trade and data practices across borders, particularly between Europe and the U.S. However, Europe holds less than 10 percent of the world’s population, and developing economies in Asia are pressing for a seat at the table setting international rules and norms. Various actors have been working to develop cross-border trade agr... Read More

Lithuania’s data protection authority, the State Data Protection Inspectorate, released an FAQ on binding corporate rules, stating they can be used as a basis for companies to transfer personal data to third countries in accordance with the EU General Data Protection Regulation. The DPA said companies cannot solely rely on the European Commission’s decision on an adequate level of protection as the main basis for data transfers. The document details who can transfer data to a third country on th... Read More

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not in the scope of the "Schrems II" decision, and... Read More

Pursuant to Resolution No. 159/2018 published Dec. 7, 2018, in the Official Gazette, the Agency of Access to Public Information (Agencia de Acceso a la Información Pública, in Spanish) approved a set of guidelines for binding corporate rules as a mechanism available to multinational companies to legitimize international data transfers within their group. BCRs are a mechanism to legitimize data exports within a corporate group. They are designed to be a global solution for multinational companie... Read More