Cross-Border Data Transfers

Subscribe to Cross-Border Data Transfers

The European Commission announced today a long-awaited decision that the UK data protection standards are adequate under the meaning of GDPR’s Article 45, providing a mechanism to enable transfer of data from the EU to the UK without the need for additional authorisation or putting in place additional safeguards. This decision will be in force for four years but can be withdrawn if the UK were to lower its standards and no longer provide EU citizens adequate protection for their personal data. The decision excludes personal data that is transferred for purposes of United Kingdom immigration control.

Continue Reading Free Data Flow to the UK May Continue – EU Adopts Adequacy Decision

Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long awaited new Standard Contractual Clauses (SCCs) for transfers out of the EEA. SCCs have been one of the more popular ways for Companies to transfer personal data from the EEA to third countries whose privacy laws have not been deemed “adequate” (like the US). The prior SCCs pre-date GDPR (see our discussion here), and have been updated to (1) more directly address GDPR and (2) because of comments in Schrems II last July, which called into question their use (the court noted that even under SCCs, certain “supplementary measures” might be needed for cross-border transfers).
Continue Reading Understanding When to Use Two New Sets of Standard Contractual Clauses Issued by the EU

Many in the world have been watching the Brexit deal closely, including privacy lawyers and others who deal with global data transfers. Under the recently-announced deal, a temporary solution will allow companies to continue to transfer data between the UK and European Economic Area (EEA) as normal during a short post-Brexit transition period. As many know, transfers of personal data are restricted out of the EEA to third countries unless certain steps are taken or exceptions apply. One of those mechanisms being an EU determination that the country to which data is being transferred is “adequate.” With the current transition period set to expire December 31, 2020, and no adequacy decision for the UK issued yet from the Commission, companies have been worrying about how to receive data from the EEA into the UK given its impending status as a “third country.”
Continue Reading New Year, Same Transfers (for now): Temporary Brexit Deal Keeps EEA-UK Data Flowing

The EDPB has provided input about consent in its recent FAQs responding to the Schrems II invalidation of Privacy Shield. As we wrote about previously in this series, Schrems II impacted how companies transfer data from the EU to the U.S..  As background, under GDPR, consent from the individual can be relied on to transfer information from the EU to an entity outside of the EU’s borders if three conditions exist. The EDPB reminded companies of these three conditions in its FAQs, drawing on prior guidance about consent:
Continue Reading Schrems II Fallout Continued: Can Companies Rely on Consent?

On July 16, 2020, in the case colloquially known as “Schrems II,” the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US), with certain conditions.
Continue Reading CJEU Invalidates Privacy Shield, But Upholds SCCs with Conditions

As we previously reported the EU and Japan reached a tentative deal last summer to ease data transfer restrictions between them. That deal has now been approved by both the European Commission and by Japan and is effective immediately. When the tentative deal was reached, Japan promised to add several new data protection safeguards. Those included new individual rights and limits on further transfers to third countries. Japan also agreed to limit government access to personal data, and to give Europeans a way to complain about government access. Japan has now implemented those safeguards. As a result, the European Commission has decided that Japan provides an adequate level of protection for personal data under the EU’s General Data Protection Regulation. This means that personal data can now be transferred freely between the EU and Japan. The decision will be jointly reviewed in two years, and then every four years thereafter. It is the first adequacy decision under GDPR.
Continue Reading EU and Japan Finalize Data Transfer Deal

2018 saw two new members of APEC’s Cross Border Privacy Rules (CBPR) system: Australia and Chinese Taipei. They join the US, Mexico, Canada, Japan, South Korea and Singapore. As we have reported on previously, the CBPR system is meant to help companies transfer information between participating countries. In the coming months, Australia’s Attorney General plans to work with businesses to implement the system. The Chinese Development Council also plans to work with China’s ministries and departments to boost discussions about privacy protection with other countries. The system has often been compared to other cross-border schemes, including the Privacy Shield (see our update to that program). Companies join by completing self-assessments and participating with an “accountability agent” (in the US, there is only one approved accountability agent).
Continue Reading CBPR System Grows with Entry of Australia and Chinese Taipei

Late last year, Australia’s Attorney General confirmed that Australia planned to participate in APEC’s Cross Border Privacy Rules (CBPR) system. The CBPR system was intended to help companies that want to transfer personal data across the borders of participating countries. Currently there are five participating countries: Canada, Japan, South Korea, Mexico, and the US. This scheme has been viewed by some as a hopeful complement to the Binding Corporate Rules concept under the EU Data Privacy Directive. In recognition of the overlap between the two, the Article 29 Working Party and the APEC Electronic Steering Group put together a checklist of the commonalities between Binding Corporate Rules and CBPR certification.
Continue Reading As GDPR Looms, Australia to Participate in APEC’s CBPR Program