Data Transfers

On September 12, 2024, the European Commission announced that it will launch a public consultation on additional standard contractual clauses for international transfers of personal data to non-EU controllers and processors that are subject to the EU GDPR extra-territorially (“Additional SCCs”), something that has been promised by the European Commission as far back as 2022.  The public consultation is planned for the last quarter of 2024.
Continue Reading EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR

On August 23, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution 19/2024, approving the Regulation on international data transfers and the content of standard contractual clauses (the “Regulation”).  The Regulation implements the international data transfer framework under the Brazilian General Data Protection Law (“LGPD”).
Continue Reading Brazil Issues New Regulation on International Data Transfers

On January 15, 2024, the European Commission released its report on the first review of the functioning of the existing eleven adequacy decisions adopted under the pre-GDPR framework.  

The Commission concluded that personal data transferred from the European Economic Area to any of Andorra, Argentina, Canada (for PIPEDA-regulated entities), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to receive an adequate level of protection.
Continue Reading European Commission Retains Adequacy Decisions for Data Transfers to Eleven Countries

On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019.  The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).

The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions.  According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well.  We provide below a brief overview of the Commission’s main findings.
Continue Reading European Commission Announces Conclusion of First Review of Japan-EU Adequacy Arrangement

After more than seven months since China’s Personal Information Protection Law (《个人信息保护法》, “PIPL”) went into effect, Chinese regulators have issued several new (draft) rules over the past few days to implement the cross-border data transfer requirements of the PIPL.  In particular, Article 38 of the PIPL sets out three legal mechanisms for lawful transfers of personal information outside of China, namely: (i) successful completion of a government-led security assessment, (ii) obtaining certification under a government-authorized certification scheme, or (iii) implementing a standard contract with the party(-ies) outside of China receiving the data.  The most recent developments in relation to these mechanisms concern the standard contract and certification.
Continue Reading Cross-Border Data Transfer Developments in China

On June 23, 2022 the Italian data protection authority (“Garante”) released a general statement (here) flagging the unlawfulness of data transfers to the U.S. resulting from the use of Google Analytics.  The Garante invites all Italian website operators, both public and private, to verify that the use of

Continue Reading Italian Garante Bans Use of Google Analytics

On August 27, 2021, the Swiss Federal Data Protection Authority announced that it recognizes the EU’s recently approved standard contractual clauses as a mechanism for transferring Swiss personal data to non-adequate countries (see here and here).  However, the standard contractual clauses will need to be adjusted to meet the requirements of the Swiss Ordinance to the Federal Act on Data Protection (“FADP”).
Continue Reading Swiss Federal Data Protection Authority Recognizes the New EU Standard Contractual Clauses as a Lawful Mechanism to Transfer Personal Data Outside of Switzerland

In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.”  The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protections afforded by the SCCs are respected and observed in the recipient country.  According to the cover letter accompanying the White Paper, it “outlines the robust limits and safeguards in the United States pertaining to government access to data” as part of “an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.”

The cover letter emphasizes that while the White Paper is intended to help companies make the case that they can transfer personal data from the EU to the United States in compliance with EU law, it does not “eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.”  It concludes by citing the importance of the “$7.1 trillion transatlantic economic relationship” and stating that “the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.”
Continue Reading U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II

The Advocate General’s (“AG”) Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), has been delayed until the 19th December 2019.  (The original publication date was set for the week before, on the 12th December.)

The primary question before the
Continue Reading UPDATE: AG Opinion in Schrems II Delayed

On June 20, 2019, Keith Krach was confirmed by the U.S. Senate to become the Trump administration’s first permanent Privacy Shield Ombudsperson at the State Department.  The role of the Privacy Shield Ombudsperson is to act as an additional redress avenue for all EU data subjects whose data is transferred
Continue Reading Privacy Shield Ombudsperson Confirmed by the Senate