On Wednesday, March 30th Scott Warren, a Partner based in our Tokyo and Shanghai offices will speak at PrivSec Risk In Focus. He is appearing on a panel of distinguished speakers discussing International Data Transfers: Your Biggest Privacy Risk? This panel will take a look at the latest developments and from an international perspective.
On December 9, 2021, Ann LaFrance, SPB Senior Partner and Vice President of the International Institute of Communications (“IIC”), moderated a panel discussion involving U.S. and international stakeholders’ perspectives on privacy and data protection trends and the value of interoperability in cross-border data transfers at the IIC’s (virtual) annual Telecommunications & Media Forum…
In a draft adequacy decision, reported to have been seen by the Financial Times (FT), the European Commission (the “Commission”) is set to allow the continued free flow of data between the EU and UK, after confirming that the UK offers an adequate level of protection for personal data, pursuant to Article 45 of the General Data Protection Regulation (the “GDPR”). According to the FT, the draft decision can be expected this week.
The decision, once adopted, will replace the current interim solution, agreed under the EU-UK Trade and Cooperation Agreement, which allows for companies and organisations to transfer personal data from the EU to the UK up until 30 June 2021. For more information on the interim solution please see our previous update “Brexit Updated: Interim Deal Reached on EU-UK Data Transfers”.…
Continue Reading Brexit Updated: EU Set to Publish UK Adequacy Decision
Several important documents relating to the rules governing the transfer of EU personal data were published during the second week of November 2020 by the European Data Protection Board (EDPB) and the EU Commission. In addition, the EU Commission has also published new standard contractual clauses for use when transferring personal data between a controller and a processor within the EEA and to countries outside the EEA.
Transfers of Personal Data to Third Countries
In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers – the so-called Schrems II judgment (see our post on this topic) – organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of the Regulation (EU) 2016/679, i.e. the General European Data Protection Regulation (GDPR).
The following documents have been published in relation to implementation of Schrems II.
Continue Reading Watch Out for These Very Important Documents on “Transfers” and “Processing” of Personal Data
Since the Court of Justice of the EU (“CJEU”) decided in its Schrems II ruling that the Privacy Shield is no longer valid and that EU Standard Contractual Clauses (SCC) can no longer be used without extra scrutiny and require the implementation of additional security measures by both the EU data exporter and the US data importer, companies are wondering on how they can transfer data to non EU countries. According to the CJEU, the SCCs are still valid, but a level of protection for personal data equivalent to that in the EU must be ensured, which would not be the case if public authorities, such as intelligence services, can access EU personal data without adequate judicial oversight or due process.
Continue Reading German DPA Issues Guidance on Schrems II and the Transfer of Personal Data to Non-EU Countries
Webinar – July 30, 2020 (8:30a PDT, 11:30a EDT, 4:30p BST, 5:30p CEST)
The European Union’s highest court has ruled that the EU-US Privacy Shield data transfer mechanism is invalid. The court also ruled that another much-used transfer mechanism – the EU Standard Contractual Clauses (also known as Model Clauses) – is valid…
Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier use consent as a basis for international transfer than was the case under the Directive 95/46?
Rules on international transfer under GDPR
Chapter V of GDPR offers several legal bases for the transfer of personal data to third countries or international organizations:
- The suitability of the recipient country or entity on the basis of an adequacy decision of the European Commission (Article 45).
- The establishment of “appropriate safeguards” by the recipient (Article 46) such as standard contractual clauses adopted by the European Commission or BCRs (Article 47).
- The “Derogations for specific situations” provided by Article 49 (1) of the GDPR, which provides that transfers, where neither of the above applies, may be carried if one of the listed conditions is fulfilled. One of the derogations is the case where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.
The European Parliament plenary adopted on 5 July 2018 the LIBE Committee’s Motion for Resolution on the EU-US Privacy Shield (‘Privacy Shield) indicating the general Parliament’s position towards its functioning. The non-binding resolution calls for the suspension of the Privacy Shield unless the US demonstrates compliance with its requirements by 1 September 2018. As per our previous post, the European Parliament considers that the personal data protection provided by the Privacy Shield is not adequate. …
Continue Reading European Parliament Calls on US to Show Compliance with EU-US Privacy Shield Within Two Months
On 12 June 2018, the Civil Liberties, Justice and Home Affairs Committee (the ‘Committee’) of the European Parliament passed a Resolution, with a vote of 29 votes in favour, 25 opposed and 3 abstentions, calling on the European Commission to suspend the EU-US Privacy Shield arrangement (‘Privacy Shield’).
The Resolution calls for the international data transfer framework to be suspended unless the US demonstrates compliance by 1st September 2018, since it ‘fails to provide enough data protection for EU citizens.
Continue Reading Scrutiny of EU-US Privacy Shield