Cross-Border Data Transfers

Subscribe to Cross-Border Data Transfers

Beginning today, the UK adequacy decision for US data protection measures goes into effect. As a result, UK companies can transfer personal information to entities in the US that are participants in the EU-US Data Privacy Framework (DPF). As part of the decision, the UK Secretary of State will review the ongoing sufficiency of the DPF every four years. The ICO, in supporting the decision, suggested that the UK Secretary of State look at specific factors when reassessing the program. These include the risk to UK data subjects for automated decision making and right to be forgotten.Continue Reading No Need to Mind the Gap – UK Extension is a Data Bridge for US-UK Data Transfers

Now that the EU has adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), many companies are assessing whether participation makes sense. Participation by a US entity is a mechanism -but not the only mechanism- for two parties (one EU and one US) to transfer personal data from the EU to the US. Other transfer methods include Binding Corporate Rules or Standard Contractual Clauses. As we wrote recently, when the EU determined that the program was “adequate,” it noted that the safeguards developed by the US for the DPF applied to all methods of transfer. In other words, for BCRs or SCCs.Continue Reading Considerations for Participation in the EU-US Data Privacy Framework

The EU Commission adopted today an adequacy decision for the EU-US Data Privacy Framework. As we indicated last month, this has been an area closely watched by those transferring data from the EU to the US. The issue has been a contentious one. Concerns in particular have been raised on the EU side regarding US surveillance agencies’ ability to access non-US individuals’ personal information. These concerns led to the downfall of both of the Framework’s predecessors: Safe Harbor and Privacy Shield. Continue Reading EU Adopts Adequacy Decision for EU-US Data Privacy Framework

As those in the privacy world await the outcome of the EU-US privacy framework negotiations, the EDPB was in the news recently for a different mechanism for data transfers: Binding Corporate Rules. Namely, it adopted recommended standard forms for BCR applications by controllers and recommendations for the application process.Continue Reading EDPB Adopts Binding Corporate Rules Recommendations

The EU released its draft adequacy decision for the EU-US Data Privacy Framework, but all is not smooth sailing. As we wrote in October, the US developed the proposed new framework in response to the declared inadequacy of the EU-US Privacy Shield program. Continue Reading EU’s Initial Response to US Proposed Data Transfers Framework

President Biden signed a new executive order on Friday, with a framework that seeks to replace the existing Privacy Shield program. That program was found to be an invalid mechanism for transferring personal data between the EU and the US in 2020 (the Schrems II decision). Since then, companies have struggled to establish an appropriate mechanism for transfer of information from the EU to the US.Continue Reading EU To Review New EU-US Data Transfers Framework

As we have written in the past, APEC’s Cross-Border Privacy Rules (CBPR) program is intended to help companies more easily transfer personal data across borders. Participating companies complete self-assessments and participate with their local countries’ “accountability agent.” There are currently seven participating economies, which include the US, Canada, Japan. Those participating economies recently announced the development of a “Global CBPR Forum.” The Forum is tasked with, inter alia, creating an international certification system, reviewing members’ privacy standards, and ensuring that the program is “interoperable with other data protection and privacy frameworks.”
Continue Reading Formation of CBPR Forum Signals Continued Movement

It has been almost two years since the Privacy Shield was struck down as a valid data transfer mechanism in Schrems II. Many have been wondering “what’s next”? Will there be a replacement framework? When will that be released? Will the replacement be invalidated? Well, the European Commission and US recently announced an “agreement in principle” to replace the EU-US Shield Privacy Shield. The EDPB also recently released a statement welcoming the announcement, but reminding companies that the announcement is not actually a legal framework. Thus, nothing has changed… yet.
Continue Reading Waiting on a new EU-US Privacy Shield

Following a similar case from Austria, the French data protection authority recently concluded that certain use of cookies placed by US data analytics tools violated GDPR. The case came before the CNIL as the result of a complaint filed by “None of Your Business,” the non-governmental organization created by Max Schrems.
Continue Reading CNIL Recommends Using US Analytics Tools Only for Anonymous Statistical Data