Latest Posts
Search for:
Tag

Data Transfer

Browsing
In Data Privacy

International Data Transfer: High on the Agenda of EU Commission and European Court of Justice

by , and 3 Mins Read

Introduction Recently, the European Commission published its evaluation report on the first two years of the General Data Protection Regulation (GDPR). The Commission focused on, in particular, two themes in its evaluation, being (1) international data transfers and (2) the cooperation and consistency among the European supervisory authorities. As to the latter, the Commission is of the opinion it should definitely be improved. With regard to international data transfer the Commission focuses on the review…

In Data Privacy

Data Transfer: Derogations for Specific Situations (Art. 49 GDPR)

by 5 Mins Read

In the context of the Schrems II case (see a summary here), we continue our analysis of alternative vehicles allowing the transfer of personal to third countries outside the European Economic Area. In previous papers, we focused on Binding Corporate Rules (BCR) [link] as alternatives to the Standard Contractual Clauses (SCC) [link]. This time, we will look at the so-called “derogations for specific situations” set forth under Article 49 GDPR as a subsidiary vehicle to…

In Data Privacy

Data Portability – Growing Adoption in APAC?

by and 6 Mins Read

The concept of data portability has been of increasing interest in APAC countries. This is partly influenced by data portability provisions in the GDPR. However, scoping and implementing data portability rights in practice is proving challenging. Here is a snapshot of differing and developing approaches.In Thailand, the right to data portability has been incorporated into the new Personal Data Protection Act, which will come into effect in May 2020. In India, the right to data…

In Data Privacy

Schrems II: The Data Importer Perspective

by and 5 Mins Read

Following our previous analysis of the consequences of the opinion of the advocate general Hendrik Saugmandsgaard Øe (a.g.) in the Schrems II case, from the data exporter perspective (available here), we now focus on the implications of the same with respect to the position of the data importer. Indeed, in the following paragraphs, we will turn our attention to the content of the Controller to Processor Standard Contractual Clauses (SCC) and, in particular, to some…

In Data Privacy

Binding Corporate Rules: An Attractive Inter-Company Data Transfer Vehicle and More

by and 4 Mins Read

At the doorstep of 2020, advocate general Hendrik Saugmandsgaard Øe (a.g.) rendered his opinion in the so called “Schrems II case” and opined on how European Court of Justice should deal with the GDPR’s regime for international data transfers. See here for a summary on the Schrems II case. In a series of blogs, we further elaborate on the consequences of that opinion and the impact it may have on the current international data transfer…

In Data Privacy

Data Protection Commissioner v Facebook Ireland (Schrems II): Advocate general’s opinion signals legal changes to standard contractual clauses

by , , , , , , , and 4 Mins Read

The European Union’s highest court, the Court of Justice of the European Union (CJEU), is evaluating the legitimacy of the EU standard contractual clauses (SCC). SCCs have been the bedrock of cross-border personal data transfers outside the EU for many years. Today, the advocate general (a.g.) has rendered an opinion on the Schrems II case. By way of brief background, Schrems II is a case before the Court of Justice of the European Union (CJEU)…

In Data Privacy

China proposes more stringent rules on export of personal information

by 1 Min Read

As part of the Cyberspace Administration of China (CAC)’s recent push to accelerate formulation of the implementation rules of the China Cybersecurity Law (CSL), it published the draft Measures for Security Assessment of Export of Personal Information (for public consultations) on 13 June 2019 (“Draft Security Assessment Measures”). As the CAC appears to propose adopting two separate sets of rules and requirements on the security assessment of outbound provision of personal information and important data,…

In Data Privacy

Equifax Part II – Key Learnings

by 6 Mins Read

In the first part of this article here we looked at the background facts and circumstances of breach in the Equifax decision by the UK’s DPA, the ICO. This second part sets out some key learnings from the case.Review intra-group data processing arrangementsThe ICO focussed on a number of flaws in the arrangements between Equifax and its US parent. In particular, the ICO noted that:At the relevant time, Equifax did not have an adequate data…

In Data Privacy

Data Protection – Significant developments on adequacy findings between Japan and Europe

by and 4 Mins Read

On 25 April 2018, Japan’s data protection authority published draft guidelines relating to adequacy findings for international personal data transfers from Europe to Japan (Guidelines). If the Guidelines come into force in their current form, subject to the EU’s adequacy decision, they will allow for personal data to be transferred from the EEA (which includes the EU, Iceland, Liechtenstein and Norway) to Japan without measures such as specific data subject consent or standard contractual clauses. These Guidelines…

In Cloud Computing

Responding to Stored Communications Act Demands Under the CLOUD Act

by 4 Mins Read

In the global digital economy, companies increasingly face conflicts between legal demands to produce data and local laws that restrict production of data. Congress recently enacted the CLOUD Act to address these conflicts in the context of the Stored Communications Act, 18 U.S.C. §§ 2701-2712 (“SCA”). Under the SCA, companies have struggled with how to respond to United States Government (“USG”) demands for data held in foreign jurisdictions where such disclosure may violate local laws…

Load More