"Binding Corporate Rules"

Two sets of regulations aimed at readying UK data protection law for a post-Brexit world have been promulgated in recent weeks.  These regulations, which were made pursuant to the EU (Withdrawal) Act 2018 (EUWA), will only come into force in most respects upon the UK’s withdrawal from the EU.  Broadly speaking, these regulations are intended to preserve the status quo post-Brexit by (1) amending certain provisions of the GDPR to allow it to be retained as UK domestic law and (2) transitionally adopting certain key decisions of the EU institutions that, collectively, would allow for the continued lawfulness of personal data flows out of the United Kingdom where currently permitted under EU law.  In both regards, these regulations are consistent with prior guidance from the UK Information Commissioner’s Office (discussed here).
Continue Reading UK Issues Regulations on Post-Brexit Data Protection Law

Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here).  This 14-point position paper follows a meeting that these authorities held last week.  Key points
Continue Reading Schrems (Safe Harbor) Judgment – German Data Protection Authorities Issue Position Paper

On June 2, 2015, the Article 29 Working Party updated its published guidance on the topic of Processor BCRs.  In their latest guidance document, the Working Party focus specifically on the sensitive topic of disclosures to law enforcement agencies (LEAs).

By means of Processor BCRs, data processors are able to share EU-originating personal data within their group globally.  This increases the risk that foreign LEAs will either request or compel production of the data by group affiliates established outside the EU.  European concerns over the broad scope of U.S. government surveillance programs, and similar programs in other countries, undoubtedly provided the impetus for the guidance.  The Working Party recognizes this risk and appears to appreciate the difficult situation processors can find themselves in when asked to produce information to LEAs.  In line with previous guidance relating to e-discovery, the Working Party proposes a “best-efforts” model.
Continue Reading Article 29 Working Party Updates BCR Guidance