China’s rise on the global stage has manifested itself in many ways, and it should be no surprise that China has gained prominence in terms of its privacy and security legislation. In recent years, major pieces of legislation have been promulgated: the 2017 Cybersecurity Law, the 2021 Data Security Law and the 2021 Personal Information Protection Law. One common area of interest arising from those three laws, especially for organizations, is how cross-border data transfers will be addressed and... Read More

On Nov. 1, 2021, China’s Personal Information Protection Law took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However, due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with areas of the PIPL. Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths) that must be met before a cross-border data t... Read More

Google Chief Privacy Officer Keith Enright, CIPP/G, CIPP/US, wrote a blog post explaining the company's plans to abide by the Global Cross-Border Privacy Rules system. Enright touted the CBPR system as "an important step toward enabling continued, trusted data flows between participating jurisdictions." He added that Google will partake in the Global CBPR Forum to discuss "practical realities of services facing fragmented privacy regulations" while imploring further consultation on "how to make ... Read More

On June 30, 2022, the Cyberspace Administration of China released the long-awaited draft provisions on the Standard Contract for the Cross-border Transfer of Personal Information for public consultation. The deadline to submit comments is July 29, 2022. The draft provisions were circulated pursuant to Article 38 of China’s Personal Information Protection Law, under which the government-approved standard contract is one of the lawful transfer mechanisms available that a personal information proce... Read More

The European Commission published a Q&A on standard contractual clauses for data transfers under the EU General Data Protection Regulation. On Dec. 27, a new set of SCCs for international data transfers will replace existing SCCs. The Q&A offers practical guidance on the use of SCCs and assists stakeholders in compliance efforts, the Commission said, adding the document is “intended to be a ‘dynamic’ source of information and will be updated as new questions arise.”Full Story... Read More

An unexpected impact of the Court of Justice of the European Union’s “Schrems II” decision is the confusion between the EU General Data Protection Regulation’s Article 45 and Article 46 assessments. There is a distinction between assessing the adequacy of a third country’s laws and assessing impediments in a third country to enforce contracts, Indicium Senior Strategist Lynn Goldstein, CIPP/US, writes. Defining key discrepancies, Goldstein offers a primer to ensure regulations are followed and d... Read More

As the one-year anniversary of the Court of Justice of the European Union's "Schrems II" decision approaches, the privacy industry has seen a wave of developments on international data transfers. The European Commission adopted new standard contractual clauses. The European Data Protection Board issued its recommendations on supplementary measures for data transfers and the commission adopted a pair of adequacy decisions for the U.K. All of these events took place within the last month, if you... Read More

Google Chief Privacy Officer Keith Enright, CIPP/G, CIPP/US, wrote a blog post explaining the company's plans to abide by the Global Cross-Border Privacy Rules system. Enright touted the CBPR system as "an important step toward enabling continued, trusted data flows between participating jurisdictions." He added that Google will partake in the Global CBPR Forum to discuss "practical realities of services facing fragmented privacy regulations" while imploring further consultation on "how to make ... Read More

Politico reports the U.S. is pushing forward with various countries on the proposal for Global Cross-Border Privacy Rules despite potential friction with the EU General Data Protection Regulation. A recent meeting between 20 nations in Hawaii sought to finalize details of a global CBPR framework, which existing participants hope will include Brazil and the U.K. by year's end as well as other nations, like Bermuda and Chile, by 2023. However, unnamed EU officials indicated the CBPR framework woul... Read More

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.” Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. I... Read More

The Asia-Pacific Economic Cooperation approved the first U.S.-based nonprofit Accountability Agent in the APEC privacy certification systems. Following its approval by a joint oversight board and the 21 APEC economies, BBB National Programs announced it becomes one of seven worldwide recognized Accountability Agents in the APEC Cross Border Privacy Rules and Privacy Recognition for Processors systems. The nonprofit will work one-on-one with companies of all sizes doing business in the 21 econom... Read More

The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S. APEC has announced that certification firm Schellman & Company is the newest CBPR Accountability Agent in the U.S. following approval from a joint oversight panel. Accountability Agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place. Schellman joins TrustArc subsidiary TRUSTe as the only U.S.-b... Read More

The U.K. Information Commissioner's Office published updated guidance for using binding corporate rules as a data transfer mechanism. The updates are geared toward a "simplified" approach for controllers and processors with the ICO noting it will "only request supporting documents and commitments once during the U.K. approval process." The regulator also called BCRs a "gold standard" transfer mechanism that "demonstrates your commitment to implementing appropriate safeguards."Full Story... Read More

Lithuania’s data protection authority, the State Data Protection Inspectorate, released an FAQ on binding corporate rules, stating they can be used as a basis for companies to transfer personal data to third countries in accordance with the EU General Data Protection Regulation. The DPA said companies cannot solely rely on the European Commission’s decision on an adequate level of protection as the main basis for data transfers. The document details who can transfer data to a third country on th... Read More

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not in the scope of the "Schrems II" decision, and... Read More

Pursuant to Resolution No. 159/2018 published Dec. 7, 2018, in the Official Gazette, the Agency of Access to Public Information (Agencia de Acceso a la Información Pública, in Spanish) approved a set of guidelines for binding corporate rules as a mechanism available to multinational companies to legitimize international data transfers within their group. BCRs are a mechanism to legitimize data exports within a corporate group. They are designed to be a global solution for multinational companie... Read More