Tag

Data Transfer

Browsing

Introduction Recently, the European Commission published its evaluation report on the first two years of the General Data Protection Regulation (GDPR). The Commission focused on, in particular, two themes in its evaluation, being (1) international data transfers and (2) the cooperation and consistency among the European supervisory authorities. As to the latter, the Commission is of the opinion it should definitely be improved. With regard to international data transfer the Commission focuses on the review…

In the context of the Schrems II case (see a summary here), we continue our analysis of alternative vehicles allowing the transfer of personal to third countries outside the European Economic Area. In previous papers, we focused on Binding Corporate Rules (BCR) [link] as alternatives to the Standard Contractual Clauses (SCC) [link]. This time, we will look at the so-called “derogations for specific situations” set forth under Article 49 GDPR as a subsidiary vehicle to…

Following our previous analysis of the consequences of the opinion of the advocate general Hendrik Saugmandsgaard Øe (a.g.) in the Schrems II case, from the data exporter perspective (available here), we now focus on the implications of the same with respect to the position of the data importer. Indeed, in the following paragraphs, we will turn our attention to the content of the Controller to Processor Standard Contractual Clauses (SCC) and, in particular, to some…

At the doorstep of 2020, advocate general Hendrik Saugmandsgaard Øe (a.g.) rendered his opinion in the so called “Schrems II case” and opined on how European Court of Justice should deal with the GDPR’s regime for international data transfers. See here for a summary on the Schrems II case. In a series of blogs, we further elaborate on the consequences of that opinion and the impact it may have on the current international data transfer…

The European Union’s highest court, the Court of Justice of the European Union (CJEU), is evaluating the legitimacy of the EU standard contractual clauses (SCC). SCCs have been the bedrock of cross-border personal data transfers outside the EU for many years. Today, the advocate general (a.g.) has rendered an opinion on the Schrems II case. By way of brief background, Schrems II is a case before the Court of Justice of the European Union (CJEU)…

As part of the Cyberspace Administration of China (CAC)’s recent push to accelerate formulation of the implementation rules of the China Cybersecurity Law (CSL), it published the draft Measures for Security Assessment of Export of Personal Information (for public consultations) on 13 June 2019 (“Draft Security Assessment Measures”). As the CAC appears to propose adopting two separate sets of rules and requirements on the security assessment of outbound provision of personal information and important data,…

In the first part of this article here we looked at the background facts and circumstances of breach in the Equifax decision by the UK’s DPA, the ICO. This second part sets out some key learnings from the case.Review intra-group data processing arrangementsThe ICO focussed on a number of flaws in the arrangements between Equifax and its US parent. In particular, the ICO noted that:At the relevant time, Equifax did not have an adequate data…

On 25 April 2018, Japan’s data protection authority published draft guidelines relating to adequacy findings for international personal data transfers from Europe to Japan (Guidelines). If the Guidelines come into force in their current form, subject to the EU’s adequacy decision, they will allow for personal data to be transferred from the EEA (which includes the EU, Iceland, Liechtenstein and Norway) to Japan without measures such as specific data subject consent or standard contractual clauses. These Guidelines…

In the global digital economy, companies increasingly face conflicts between legal demands to produce data and local laws that restrict production of data. Congress recently enacted the CLOUD Act to address these conflicts in the context of the Stored Communications Act, 18 U.S.C. §§ 2701-2712 (“SCA”). Under the SCA, companies have struggled with how to respond to United States Government (“USG”) demands for data held in foreign jurisdictions where such disclosure may violate local laws…

On September 8, 2017, three U.S. companies settled actions brought by the Federal Trade Commission (“FTC”) for misleading consumers about their participation in the EU – U.S. Privacy Shield Framework (“Privacy Shield”). These were the first Privacy Shield enforcement actions brought by the FTC. The Privacy Shield replaced the U.S. – EU Safe Harbor framework as the legal mechanism for transatlantic data flows in August 2016. It functions through a self-certification process by which U.S.…