Archives: Cross-Border Transfers

UPDATE: AG Opinion in Schrems II Delayed

The Advocate General’s (“AG”) Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), has been delayed until the 19th December 2019.  (The original publication date was set for the week before, on the 12th December.) The primary question before the European Court of Justice (“ECJ”), and the AG, in Schrems … Continue Reading

Privacy Shield Third Annual Review

On October 23, 2019, the European Commission (“Commission”) published its Report on the third annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report “confirms that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” (see … Continue Reading

FTC Settles Enforcement Actions Relating to Privacy Shield Certifications

On September 3, 2019, the Federal Trade Commission (“FTC”) announced settlement agreements with five companies for alleged false claims of certification under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, “Privacy Shield”).  These settlements indicate that the FTC is continuing to actively enforce Privacy Shield commitments, as it has done with respect to several other … Continue Reading

European Commission Issues Report on the Implementation of the GDPR

On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework.  In its report, the Commission highlights certain achievements resulting from implementation efforts, calls attention to issues that require further action, and describes … Continue Reading

Privacy Shield Ombudsperson Confirmed by the Senate

On June 20, 2019, Keith Krach was confirmed by the U.S. Senate to become the Trump administration’s first permanent Privacy Shield Ombudsperson at the State Department.  The role of the Privacy Shield Ombudsperson is to act as an additional redress avenue for all EU data subjects whose data is transferred from the EU or Switzerland … Continue Reading

China Seeks Public Comments on Draft Measures related to the Cross-border Transfer of Personal Information

On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information (“Draft Measures”) for public comment. (The official Chinese version of the Draft Measures is available here, and an unofficial English translation is available here.) The comment period ends on July 13, … Continue Reading

CAC Releases Draft Regulation on the Protection of Children’s Personal Information Online

On May 31, 2019, the Cyberspace Administration of China (“CAC”) released the draft Regulation on the Protection of Children’s Personal Information Online (“Draft Regulation”) for public comment. (An official Chinese version is available here and an unofficial English translation of the Draft Regulation is available here.) The comment period ends on June 30, 2019. As mentioned … Continue Reading

China Releases Draft Measures for Data Security Management

On May 28, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for Data Security Management (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here.) The comment period ends on June 28, 2019. The release of these Draft Measures demonstrates … Continue Reading

China’s Ministry of Public Security Issues New Personal Information Protection Guideline

On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”).  A previous version of the Guideline was released for public comments on November 30, 2018. Under China’s Cybersecurity Law (the “CSL”), MPS is the key regulator tasked with protecting … Continue Reading

EDPB releases information note in the event of a “No-deal Brexit”

On February 12, 2019, the European Data Protection Board (“EDPB”) published two information notes to highlight the impact of a so-called “No-deal Brexit” on data transfers under the EU General Data Protection Regulation (“GDPR”), as well as the impact on organizations that have selected the UK Information Commissioner (“ICO”) as their “lead supervisory authority” for … Continue Reading

China Releases Draft Amendments to the Personal Information Protection Standard

On February 1, 2019, China’s National Information Security Standardization Technical Committee (“TC260”) released a set of amendments to GB/T 35273-2017 Information Technology – Personal Information Security Specification (“the Standard”) for public comment.  The comment period ends on March 3. Although not legally binding, the Standard has been highly influential since becoming effective in May 2018, … Continue Reading

European Data Protection Board Releases Report on the Privacy Shield

On January 24, the European Data Protection Board (“EDPB”) adopted a report (“Report”) regarding the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”).  In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield,  including in particular the recent appointment of a permanent … Continue Reading

Key Provisions in India’s Draft Personal Data Bill

This post is a follow-up to our earlier post on the release of India’s draft personal data protection bill. In this post, we go into greater detail about the bill’s provisions and flag issues for companies worldwide that may process data in India or provide goods or … Continue Reading

Covington Webinar: Examining the CLOUD Act

Covington’s Alex Berengaut and Kate Goodloe today hosted a webinar on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act.  The CLOUD Act was signed into law in March and creates a new framework for government access to data held by technology companies worldwide.  The webinar, hosted with DataGuidance, is available here.  The webinar expands … Continue Reading

Brazil’s New General Data Privacy Law Follows GDPR Provisions

On August 14, Brazilian President Michel Temer signed into law the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (English translation), making Brazil the latest country to implement comprehensive data privacy regulation. The law’s key provisions closely mirror the European Union’s General Data Privacy Regulation (“GDPR”), including significant extraterritorial … Continue Reading

EU and Japan conclude talks on reciprocal adequacy finding

On July 17, 2018, the European Commission successfully concluded negotiations with Japan on a reciprocal adequacy finding which will allow personal data to flow freely from the EU to Japan (and vice versa). The adequacy decision has not yet been formally adopted, as it must still undergo the respective EU and Japanese approval procedures, which … Continue Reading

CLOUD Act Creates New Framework for Cross-Border Data Access

On March 23, 2018, Congress passed, and President Trump signed into law, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which creates a new framework for government access to data held by technology companies worldwide. The CLOUD Act, enacted as part of the Consolidated Appropriations Act, has two components. Part I:  Extraterritorial Reach of … Continue Reading

Future of Privacy Forum: Privacy Papers for Policymakers 2018

On the heels of the Federal Trade Commission’s (“FTC”) third annual “PrivacyCon,” the Future of Privacy Forum hosted its eighth annual “Privacy Papers for Policymakers” event on Capitol Hill—a gathering in which academics present their original scholarly works on privacy-related topics to D.C. policy wonks who may have a hand in shaping laws and regulations … Continue Reading

EU Commission Concludes Privacy Shield “Adequate” in first Annual Review

The European Commission has today published its Report on the first annual review of the EU-U.S. Privacy Shield (the Report is accompanied with a Staff Working Document, Infographic, and Q&A).  The Commission concludes that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to Privacy Shield-certified companies … Continue Reading

CJEU: EU-Canada proposed agreement on the transfer of Passenger Name Record data does not conform to EU data protection law standards

By Dan Cooper and Rosie Klement

On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”). The Agreement was signed in 2014, but the CJEU … Continue Reading

South Korea Joins the APEC Cross-Border Privacy Rules Framework

South Korea has become the fifth member economy to join the Asia-Pacific Economic Cooperation’s (“APEC”) Cross-Border Privacy Rules (“CBPR”) system, a voluntary but legally enforceable code of conduct that aims to facilitate secure data transfers and e-commerce between parties to the agreement. Established in 2011, the CBPR system aims to provide a minimum level of … Continue Reading

New Proposed Standard Sheds Light on Cross-Border Security Assessment in China

On May 27, 2017, China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft Version) (the “draft Standard”) for public comments.  The official Chinese version of … Continue Reading

First Annual Privacy Shield Review Will Comprehensively Assess the Framework

The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C.  The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, … Continue Reading