On May 30, 2023, one day before the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the filing procedure for Standard Contracts (“CAC Guidance”). (See our prior blog posts on the Standard Contract here.) Continue Reading China Releases Guidance on Filing Standard Contract for the Cross-Border Transfer of Personal Information
Standard Contractual Clauses (SCCs)
China Finalizes Standard Contract for Cross-Border Transfers of Personal Information
On February 24, 2023, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (“Measures”) (only available in Chinese here), including a template contract (“Standard Contract”) accompanying the Measures. The Measures will take effect on June 1, 2023, but are subject to a 6-month grace period to allow companies time to bring their activities into compliance.
The finalization of the Measures marks another important step forward in the establishment of China’s cross-border data transfer framework. With implementing rules for all three lawful transfer mechanisms now in place, China appears to be entering into a new phase where cross-border transfer activities will be more closely regulated and enforcement actions are more likely to arise for non-compliance.
EDPB Publishes Draft Guidelines on Interplay of Article 3 GDPR and the GDPR’s Cross-Border Transfer Rules
On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here). The draft guidelines are currently subject to a public consultation period that ends on January 31, 2022; interested stakeholders can submit their feedback here.
In this blog post, we provide a brief background on the issues addressed in the draft guidelines, and summarize the key takeaways.
Swiss Federal Data Protection Authority Recognizes the New EU Standard Contractual Clauses as a Lawful Mechanism to Transfer Personal Data Outside of Switzerland
On August 27, 2021, the Swiss Federal Data Protection Authority announced that it recognizes the EU’s recently approved standard contractual clauses as a mechanism for transferring Swiss personal data to non-adequate countries (see here and here). However, the standard contractual clauses will need to be adjusted to meet the requirements of the Swiss Ordinance to the Federal Act on Data Protection (“FADP”).
UK Information Commissioner’s Office Opens Public Consultation on Policy Proposals and Documentation for International Transfers
On August 11, 2021, the UK Information Commissioner’s Office (“ICO”) opened a public consultation to solicit stakeholder input regarding the UK’s approach to regulating international transfers of personal data under the UK General Data Protection Regulation (“UK GDPR”) (see here). To kick off this initiative, the ICO published a consultation paper setting out various policy options that the UK is considering, as well as:
- a draft set of contractual templates to facilitate transfers of personal data outside the UK, including: (1) a draft international data transfer agreement (“IDTA”); and (2) a draft international transfer addendum to be appended to the recently approved EU standard contractual clauses (“EU Addendum”); and
- a draft transfer impact assessment tool designed to help controllers and processors transferring personal data under the UK GDPR satisfy the requirements articulated by the Court of Justice of the European Union (“CJEU”) in the Schrems II decision (see here).
The ICO has requested that interested stakeholders submit their feedback by no later than October 7, 2021. In this blog post, we summarize these documents and tools, and identify topics that interested stakeholders may want to address when preparing their submission to the public consultation.
EDPB Adopts Finalized Recommendations on Supplemental Transfer Tools to Ensure GDPR-Compliant Data Transfers
On June 21, 2021, the European Data Protection Board (“EDPB”) published its finalized recommendations on measures that supplement transfer tools to ensure compliance with the General Data Protection Regulation (“GDPR”), where organizations transfer personal data from the European Economic Area (“EEA”) to a country outside the EEA (“third country”) (see here). While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates.
New Standard Contractual Clauses Raise Questions Under Irish Law
The new standard contractual clauses (“SCCs”) issued by the European Commission (see our prior blog post here) continue to prove controversial. Among other things, the SCCs require that the law of the European Union (“EU”) Member State underpinning them provides third-party beneficiary rights. Most EU Member States are civil law jurisdictions that already provide such rights. Ireland, however, is a common law jurisdiction like the U.S. and the UK, and as such, depends largely on evolving case law to define the scope of various rights and obligations.
European Commission Publishes New Standard Contractual Clauses
Today, June 4th, 2021, the European Commission (“Commission”) published the final version of its new standard contractual clauses for the international transfer of personal data (“SCCs”) (see here). While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates. When finalizing the SCCs, the Commission took into account the joint opinion of the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor, feedback submitted by stakeholders during the public consultation period, and the opinions of EU Member States’ representatives.
In this blog post, we identify several key features of the new SCCs that organizations should keep in mind when preparing to implement them in contractual agreements going forward.
EDPB and EDPS Release Joint Opinion on Draft EU Standard Contractual Clauses
On January 19, 2021, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the draft standard contractual clauses for international data transfers (“draft SCCs”) published by the European Commission (“EC”) on November 12, 2020, including a marked-up version of the clauses.
U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II
In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.” The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protection afforded by the SCCs is respected and observed in the recipient country. According to the cover letter accompanying the White Paper, it “outlines the robust limits and safeguards in the United States pertaining to government access to data” as part of “an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.”
The cover letter emphasizes that while the White Paper is intended to help companies make the case that they can transfer personal data from the EU to the United States in compliance with EU law, it does not “eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.” It concludes by citing the importance of the “$7.1 trillion transatlantic economic relationship” and stating that “the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.”