The EU released its draft adequacy decision for the EU-US Data Privacy Framework, but all is not smooth sailing. As we wrote in October, the US developed the proposed new framework in response to the declared inadequacy of the EU-US Privacy Shield program.
Continue Reading EU’s Initial Response to US Proposed Data Transfers Framework
President Biden signed a new executive order on Friday, with a framework that seeks to replace the existing Privacy Shield program. That program was found to be an invalid mechanism for transferring personal data between the EU and the US in 2020 (the Schrems II decision). Since then, companies have struggled to establish an appropriate mechanism for transfer of information from the EU to the US.
Continue Reading EU To Review New EU-US Data Transfers Framework
The European Commission recently released a set of FAQs for the new EU standard contractual clauses (SCCs). The FAQs are based on feedback received from various stakeholders and currently address
Continue Reading Working Through the New EU SCCs? European Commission Releases FAQs
As we have written in the past, APEC’s Cross-Border Privacy Rules (CBPR) program is intended to help companies more easily transfer personal data across borders. Participating companies complete self-assessments and participate with their local countries’ “accountability agent.” There are currently seven participating economies, which include the US, Canada, Japan. Those participating economies recently announced the development of a “Global CBPR Forum.” The Forum is tasked with, inter alia, creating an international certification system, reviewing members’ privacy standards, and ensuring that the program is “interoperable with other data protection and privacy frameworks.”
Continue Reading Formation of CBPR Forum Signals Continued Movement
It has been almost two years since the Privacy Shield was struck down as a valid data transfer mechanism in Schrems II. Many have been wondering “what’s next”? Will there be a replacement framework? When will that be released? Will the replacement be invalidated? Well, the European Commission and US recently announced an “agreement in principle” to replace the EU-US Shield Privacy Shield. The EDPB also recently released a statement welcoming the announcement, but reminding companies that the announcement is not actually a legal framework. Thus, nothing has changed… yet.
Continue Reading Waiting on a new EU-US Privacy Shield
Following a similar case from Austria, the French data protection authority recently concluded that certain use of cookies placed by US data analytics tools violated GDPR. The case came before the CNIL as the result of a complaint filed by “None of Your Business,” the non-governmental organization created by Max Schrems.
Continue Reading CNIL Recommends Using US Analytics Tools Only for Anonymous Statistical Data
The European Commission recently adopted an adequacy decision regarding the Republic of Korea’s data protection laws. As a result of this decision, personal data can freely flow between the EEA and South Korea without the need for additional transfer mechanisms.
Continue Reading European Commission Adopts Korean Adequacy Decision
The Chinese agency charged with implementing and enforcing the new Personal Information Protection Law has issued draft measures for cross-border data transfers. Comments are due by November 28. As we detailed previously, the law requires that the Cyberspace Administration of China (CAC) conduct security assessments prior to certain information transfers out of China. Those situations included if the information transferred reached “significant” thresholds. Those thresholds have now been clarified in the draft.
Continue Reading China Draft PIPL Measures Outlines Thresholds for CAC Security Assessments
The European Commission announced today a long-awaited decision that the UK data protection standards are adequate under the meaning of GDPR’s Article 45, providing a mechanism to enable transfer of data from the EU to the UK without the need for additional authorisation or putting in place additional safeguards. This decision will be in force for four years but can be withdrawn if the UK were to lower its standards and no longer provide EU citizens adequate protection for their personal data. The decision excludes personal data that is transferred for purposes of United Kingdom immigration control.
Continue Reading Free Data Flow to the UK May Continue – EU Adopts Adequacy Decision
Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long awaited new Standard Contractual Clauses (SCCs) for transfers out of the EEA. SCCs have been one of the more popular ways for Companies to transfer personal data from the EEA to third countries whose privacy laws have not been deemed “adequate” (like the US). The prior SCCs pre-date GDPR (see our discussion here), and have been updated to (1) more directly address GDPR and (2) because of comments in Schrems II last July, which called into question their use (the court noted that even under SCCs, certain “supplementary measures” might be needed for cross-border transfers).
Continue Reading Understanding When to Use Two New Sets of Standard Contractual Clauses Issued by the EU
China is continuing to move forward with its first comprehensive privacy law. China recently issued a second version of the draft Personal Information Protection Law (Draft PIPL) which will be
Continue Reading Update on the State of Privacy Law in China