Since the joint announcement by US President Joe Biden and European Commission President Ursula von de Leyen, on 25 March 2022, of an agreement in principle on the long-awaited replacement to the EU-US Privacy Shield, transatlantic data flows have again become the focus of GDPR discussions. The lack of details provided to date has, however, resulted in many organisations (and legal commentators alike) wondering where this leaves them.

Should US organisations prepare for certification to yet another incarnation of the Safe Harbor (which will almost certainly be subject to prompt legal challenge in the form of Schrems III)? Should organisations subject to the GDPR continue with their transfer impact assessments and the uncertainty of the standard contractual clauses (“SCCs”) when transferring personal data to the US? Will the new safeguards have any impact on the SCCs at all? And how will this affect transfers to the US from the UK or other non-EU jurisdictions?

Representatives of the US Government and the European Commission recently provided some much-needed context, including further details around the timing of the replacement framework and of the potential shape of the new redress mechanism. Their comments offer some hints about the UK’s approach to transatlantic and other international data flows.

Continue Reading Transatlantic Data Flows – Where Are We Now?

On Friday 25 March President Biden and the President of the European Commission jointly announced that they had reached an agreement in principle on a revised trans-Atlantic data flow mechanism.  The timing could not have been better, as I was moderating a panel on “International Data Transfers in 2022 and Beyond” at the Privacy + Security Forum Spring Forum on the same day.

The panel was made up of William Malcolm, Director of Privacy at Google, Vivienne Artz, OBE Chair of the International Regulatory Strategy Group Data Committee, and Joe Jones, Deputy Director International Data Transfers Data Policy Directorate at the UK’s Department for Culture, Media & Sport.  Our plan was to facilitate a discussion focused on recent enforcement actions and statements by data protection authorities in the EU and UK that had highlighted the increasingly complex challenges organizations face in complying with GDPR when transferring personal data out of Europe.  Instead we had a very engaging hour discussing how important data transfers are in a digital economy, noting that at the EU-US summit the discussion of data was second only to discussions of the situation in Ukraine; and that although the EU-US announcement had set Twitter feeds alight, it provided no information as to what the actual agreement was or how it would avoid falling foul of being challenged as Schrems III, IV or V. Finally, we brainstormed some ideas as to the direction or detail that could be contained in the new EU-US agreement and which could really drive change in the regulation of international data flows.

It was clear to all that following the CJEU’s ruling in Schrems II, which invalidated the EU-US Privacy Shield and made use of Standard Contractual Clauses more challenging for business, commercial organizations find themselves in the situation in which data transfers are becoming an impediment to business when really they should be the soil of the digital society in which services and societal benefits can grow globally.

Continue Reading International Data Transfers in 2022 and Beyond

Today RopesDataPhiles brings you thoughts from across the pond, with an update on the UK Information Commissioner’s international data transfer agreement and its supporting documentation.

Some days it all comes together.  The sun’s shining in London for what feels like the first time in months.  One of the kids is going on a week-long school trip.  And just when you think it can’t get any better, you remember that the UK Information Commissioner’s international data transfer agreement and its supporting documentation have come into effect, following a period of Parliamentary approval.

As of Monday, 21 March, organisations transferring personal data from the UK have a range of options for papering those transfers.  As you’ll see, it’s going to feel much like the pick ‘n’ mix you get at the cinema, only without the intense initial rush followed by a crippling sense of doom when you realise what’s ahead.  Or maybe it’s exactly like that.

Continue Reading The IDTAs of March

A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.

Continue Reading Increased EU Scrutiny of US Data Transfers Through Cookie Use

As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.

Continue Reading Closing out the 12 Days of Data: What to Expect in 2022

On December 15, 2021, Australia and the United States signed an agreement that will make it more efficient for law enforcement agencies in both countries to obtain data about criminal suspects, but it leaves technology companies with concerning questions. The new agreement was forged under the Clarifying Lawful Overseas Use of Data (CLOUD) Act, a 2018 statute that enables law enforcement to more easily secure important electronic information about suspected crimes—including terrorism, violent crimes, sexual exploitation of children, and cybercrimes like ransomware or attacks on critical infrastructure—from global technology companies based in the United States. Although the agreement was designed to facilitate law enforcement investigations, it leaves unanswered the encryption privacy questions that have beset preceding agreements.

Continue Reading United States-Australia CLOUD Act Agreement Leaves Encryption Uncertainties

2021 was a busy year for data protection law in China. On June 10, 2021, the Standing Committee of the National People’s Congress of the People’s Republic of China adopted the Data Security Law (DSL), which went into effect on September 1, 2021. On August 20, 2021, the Standing Committee of the National People’s Congress enacted the Personal Information Protection Law (PIPL), which went into effect just last month, in November 2021. The DSL applies broadly to processing of all data, not just personal information or electronic data and expands on the provisions from China’s Cybersecurity Law, which was enacted in 2016. In contrast, the PIPL applies only to the processing of personal information and has been compared to Europe’s General Data Protection Regulation (GDPR), although that comparison may obscure the contours of China’s law more than it enlightens.

Consistent with the course of Chinese administrative law, the laws’ key terms, analyses, and processes will continue to be fleshed out and perhaps materially enhanced or diminished in a series of regulations, measures, standards, and guidance documents. The latest draft measures on cross-border transfers, which are being closely watched by organizations contemplating cross border data transfers, were published at the end of October, and comments were accepted through November. We expect China to continue finalizing the laws’ terms and measures in 2022.

Continue Reading What China’s New Data Laws Could Mean for 2022

The Courts of Justice of the European Union (CJEU) held in its July 2020 Schrems II decision that, in order for entities in other countries to import personal data from the European Economic Area (EEA), the importer must be able to provide data protections ‘essentially equivalent’ to those the EEA offers under its General Data Protection Regulation. The CJEU expressed particular concern that United States’ national security intelligence gathering laws prevent U.S.-based entities from providing such protections. This decision has sharply limited the sharing of clinical research data from the EEA to the United States. After describing the pertinent aspects of the Schrems II decision, this article evaluates U.S. national security intelligence gathering frameworks, including Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333. The article then leverages recent draft guidance from the European Data Protection Board to explain how entities may be able to adopt widely used contractual and technical measures, such as data pseudonymization, to provide ‘essentially equivalent’ protections in the clinical research context.

Continue Reading Demystifying Schrems II for the Cross-Border Transfer of Clinical Research Data

Cyber SecurityAs we stand at the beginning of 2021 and a new presidential administration, we look back on the year behind us. Hindsight is always 2020, and 2020 may be best viewed in hindsight.  We saw rapid changes in the privacy space, prompted in part by the global COVID-19 response. Infrastructure and services across multiple sectors continue to rely on data and digital platforms to function. Five prominent developments shaped the data privacy environment in 2020.

Continue Reading Privacy Year in Review: 2020’s Hottest Topics

The Court of Justice of the European Union (CJEU) dealt a blow to transatlantic data flows in July with its decision in Schrems II, invalidating the EU-U.S. Privacy Shield while conditionally approving the continued use of Standard Contractual Clauses (SCC). In a white paper published late last month, the U.S. government responded to the CJEU’s critical appraisal of American intelligence agencies’ data-collection practices by identifying Schrems II’s shortcomings and offering guidance to companies seeking to comply with it. Schrems II is problematic in various ways, the multi-agency paper concludes, but with minor adjustments, most EU-U.S. digital dealings should be able to continue as before.
Continue Reading What the CJEU Missed in Schrems II: American Agencies Respond