EU-U.S. Privacy Shield

2022 was another eventful year in the realm of privacy, security and innovation. Privacy World was there every step of the way, to keep you informed on key developments. Starting next week, we will be rolling out our popular Year in Review series. As a lead up to that, below are our ten most popular

The European Commission (the “Commission”) published today its draft adequacy decision for the US (the “Draft Decision”). This paves the way for an institutionalized personal data transfer mechanism across the Atlantic to emerge (and already raises the prospects of it being under scrutiny again).

If your pre-holiday workload (which also includes the transition of your old SCCs to the new ones, another transfer duty) does not allow you to read the full 134-page Draft Decision, here is a little tour of what you need to know before it becomes final (and this might still take some time).
Continue Reading Third Time Lucky or Schrems III? The European Union Data Pact with the US Moves One Step Closer (To Be Challenged – Again)

Background

On October 7, 2022, US President Joe Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the Executive Order), introducing new safeguards to protect the personal data shared between the EU and the US.

The Executive Order is the first tangible step towards a new transatlantic framework for personal data transfers, following the March 25, 2022, joint announcement by the European Commission president, Ursula von der Leyen, and US President Biden that they had reached an agreement in principle on a successor to the Privacy Shield.

While details of the actual content leaked over time, here is a summary of what the Executive Order provides and, more importantly, what the signature of the order means, not only for those who will be able to certify to the revised Privacy Shield, but also for all others.
Continue Reading We Have an EO, but Not (Yet) a New Transfer Mechanism

Earlier today, President Biden issued the Executive Order that is expected to lay the groundwork for the replacement for Privacy Shield.   

Key Takeaway 

President Biden issued an Executive Order to help pave the way for a new mechanism to transfer personal data subject to EU data protection law from the EU to the US. Whether and when the new mechanism will be available for US businesses remains to be seen.
Continue Reading Biden Administration Issues Executive Order for Privacy Shield Replacement

On Wednesday, March 30th, Scott Warren, a Partner based in our Tokyo and Shanghai offices, will speak at PrivSec Risk In Focus. He is appearing on a panel of distinguished speakers discussing International Data Transfers: Your Biggest Privacy Risk? This panel will take a look at the latest developments from an international perspective.

On December 9, 2021, Ann LaFrance, SPB Senior Partner and Vice President of the International Institute of Communications (“IIC”), moderated a panel discussion involving U.S. and international stakeholders’ perspectives on privacy and data protection trends and the value of interoperability in cross-border data transfers at the IIC’s (virtual) annual Telecommunications & Media Forum

In a draft adequacy decision, reported to have been seen by the Financial Times (FT), the European Commission (the “Commission”) is set to allow the continued free flow of data between the EU and UK, after confirming that the UK offers an adequate level of protection for personal data, pursuant to Article 45 of the General Data Protection Regulation (the “GDPR”). According to the FT, the draft decision can be expected this week.

The decision, once adopted, will replace the current interim solution, agreed under the EU-UK Trade and Cooperation Agreement, which allows for companies and organisations to transfer personal data from the EU to the UK up until 30 June 2021. For more information on the interim solution please see our previous update “Brexit Updated: Interim Deal Reached on EU-UK Data Transfers”.
Continue Reading Brexit Updated: EU Set to Publish UK Adequacy Decision

Several important documents relating to the rules governing the transfer of EU personal data were published during the second week of November 2020 by the European Data Protection Board (EDPB) and the EU Commission. In addition, the EU Commission has also published new standard contractual clauses for use when transferring personal data between a controller and a processor within the EEA and to countries outside the EEA.

Transfers of Personal Data to Third Countries

In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers – the so-called Schrems II judgment (see our post on this topic) – organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of the Regulation (EU) 2016/679, i.e. the General European Data Protection Regulation (GDPR).

The following documents have been published in relation to implementation of Schrems II.
Continue Reading Watch Out for These Very Important Documents on “Transfers” and “Processing” of Personal Data

Since the Court of Justice of the EU (“CJEU”) decided in its Schrems II ruling that the Privacy Shield is no longer valid, and that EU Standard Contractual Clauses (SCC) can no longer be used without extra scrutiny and require the implementation of additional security measures by both the EU data exporter and the US data importer, companies have been wondering how they can transfer data to non-EU countries. According to the CJEU, the SCCs are still valid, but a level of protection for personal data equivalent to that in the EU must be ensured, which would not be the case if public authorities, such as intelligence services, can access EU personal data without adequate judicial oversight or due process.
Continue Reading German DPA Issues Guidance on Schrems II and the Transfer of Personal Data to Non-EU Countries

Webinar – July 30, 2020 (8:30a PDT, 11:30a EDT, 4:30p BST, 5:30p CEST)

The European Union’s highest court has ruled that the EU-US Privacy Shield data transfer mechanism is invalid. The court also ruled that another much-used transfer mechanism – the EU Standard Contractual Clauses (also known as Model Clauses) – is valid