Adequate Level of Protection

On June 28, 2021, the European Commission adopted two decisions finding that the UK’s data protection regime provides an “adequate” level of protection for personal data transferred to the UK from the EU.  The first decision covers transfers governed by the GDPR, and permits private companies located in the EU to continue to transfer personal data to the UK without the need for additional arrangements (such as the Commission’s new Standard Contractual Clauses (“SCCs”), which we discuss here).  The second decision covers transfers under the Data Protection and Law Enforcement Directive, and permits EU law enforcement agencies to continue to transfer personal data to their counterparts in the UK.

On October 23, 2019, the European Commission (“Commission”) published its Report on the third annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report “confirms that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” (see also the Commission’s Press Release).  The Report welcomed a number of improvements following the second annual review, including efforts made by U.S. authorities to monitor compliance with the framework, as well as key appointments that have been made in the last year.  The Commission in particular noted the appointment of Keith Krach to the position of Privacy Shield Ombudsperson on a permanent basis, filling a vacancy that had been noted in previous reviews.  The Report also provided a number of recommendations for further improvement and monitoring.

Recognizing that, in its third year, Privacy Shield has “moved from the inception phase to a more operational phase,” the Report placed particular emphasis on the effectiveness of the “tools, mechanisms and procedures in practice.”  Not only has the number of Privacy Shield certifications exceeded 5,000 companies — eclipsing in three years the number of companies that had registered to the Safe Harbor Framework in its nearly 15 years of existence — the Report also noted that “an increasing number of EU data subjects are making use of their rights under the Privacy Shield and that the relevant redress mechanisms function well.”

As with prior reviews, the Commission sought feedback from trade associations, NGOs, and certified companies, and addressed the functioning of (i) the framework’s commercial aspects, and (ii) U.S. authorities’ access to personal data.



On 21 August 2012, the European Commission issued an Implementing Decision (the “Decision”) confirming that the Eastern Republic of Uruguay provides an adequate level of protection for personal data transferred from the European Union.  The effect of the Decision is to allow organizations established in European Member States to transfer personal data to organizations in Uruguay without additional protective measures being necessary.  It comes nearly four years after the country enacted its data protection statute, Act no. 18.331 on the Protection of Personal Data and Habeas Data Action of 11 August 2008 (the “Act”).



Today, the EU Commission formally approved Israel’s status as a country providing “adequate protection” for personal data under the European Data Protection Directive.  The Data Protection Directive generally prohibits personal data from being transferred outside the EU unless the data is subject to an “adequate level of protection,” or certain narrow exceptions apply.  As a