Cross-Border Transfers

On June 2, 2025, the Global Cross-Border Privacy Rules (“CBPR”) Forum officially launched the Global CBPR and Privacy Recognition for Processors (“PRP”) certifications.  Building on the existing Asia-Pacific Economic Cooperation (“APEC”) CBPR framework, the Global CBPR and PRP systems aim to extend privacy certifications beyond the APEC region.  They will allow controllers and processors to voluntarily undergo certification for their privacy and data governance measures under a framework that is recognized by many data protection authorities around the world.  The Global CBPR and PRP certifications are also expected to be recognized in multiple jurisdictions as a legitimizing mechanism for cross-border data transfers.Continue Reading Global CBPR and PRP Certifications Launched: A New International Data Transfer Mechanism

On March 17, 2025, the Finnish Supervisory Authority (“SA”) announced that it is investigating the transfer of personal data related to human research samples by a Finnish university to a Chinese company for genetic analysis services.  Continue Reading Finnish Supervisory Authority Investigates Health Data Transfers to China

On 2 December 2024, the European Data Protection Board (“EDPB”) adopted its draft guidelines on Article 48 GDPR (the “Draft Guidelines”). The Draft Guidelines are intended to provide guidance on the GDPR requirements applicable to private companies in the EU that receive requests or binding demands for personal data from public authorities (e.g., law enforcement or national security agencies, as well as other regulators) located outside the EU.Continue Reading EDPB adopts draft guidelines on requirements when responding to requests from non-EU public authorities

On September 12, 2024, the European Commission announced that it will launch a public consultation on additional standard contractual clauses for international transfers of personal data to non-EU controllers and processors that are subject to the EU GDPR extra-territorially (“Additional SCCs”), something that has been promised by the European Commission as far back as 2022.  The public consultation is planned for the last quarter of 2024.Continue Reading EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR

After nearly six months since the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), on March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) ( “Provisions”) (Chinese version available here).  The Provisions take effect immediately.  

The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime.  These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations.  Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification.  As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers.  Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.Continue Reading China Eases Restrictions on Cross-Border Data Flows

On January 15, 2024, the European Commission released its report on the first review of the functioning of the existing eleven adequacy decisions adopted under the pre-GDPR framework.  

The Commission concluded that personal data transferred from the European Economic Area to any of Andorra, Argentina, Canada (for PIPEDA-regulated entities), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to receive an adequate level of protection.Continue Reading European Commission Retains Adequacy Decisions for Data Transfers to Eleven Countries

On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued draft Provisions on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment) (规范和促进数据跨境流动规定(征求意见稿)) (draft “Provisions”) (Chinese version available here) for a public consultation, which will conclude on October 15, 2023. 

The draft Provisions propose significant changes to the existing cross-border data transfer regime established under China’s Personal Information Protection Law (“PIPL”).  Specifically, the draft Provisions provide certain exemptions to the requirement to adopt a transfer mechanism under Article 38 of the PIPL. In addition, the draft Provisions significantly lower the thresholds that trigger the obligation to undergo a government-administered security assessment or adopt Standard Contracts.  Moreover, in the event of a conflict between the draft Provisions and the PIPL’s implementing regulations (including the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer), the draft Provisions would prevail.Continue Reading China Proposes Significant Changes to Cross-Border Transfer Rules

On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.Continue Reading European Commission Adopts Adequacy Decision on the EU-U.S. Data Privacy Framework

On May 30, 2023, one day before the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the filing procedure for Standard Contracts (“CAC Guidance”). (See our prior blog posts on the Standard Contract here.)Continue Reading China Releases Guidance on Filing Standard Contract for the Cross-Border Transfer of Personal Information

On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019.  The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).

The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions.  According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well.  We provide below a brief overview of the Commission’s main findings.Continue Reading European Commission Announces Conclusion of First Review of Japan-EU Adequacy Arrangement