Standard Contractual Clauses

As 2022 draws to a close, the international data transfer landscape from Europe continues to be dynamic, with anticipated updates including a further milestone on the Transatlantic Data Privacy Framework (“Framework”) for EU to U.S. data transfers, a new set of model clauses for data transfers to non-EU data importers who are already within the scope of the GDPR, and continued developments in cookie monitoring and enforcement.

Continue Reading What Do EU Data Transfers Have In Common with the Holidays? It’s All About the Clauses

Since the joint announcement by US President Joe Biden and European Commission President Ursula von de Leyen, on 25 March 2022, of an agreement in principle on the long-awaited replacement to the EU-US Privacy Shield, transatlantic data flows have again become the focus of GDPR discussions. The lack of details provided to date has, however, resulted in many organisations (and legal commentators alike) wondering where this leaves them.

Should US organisations prepare for certification to yet another incarnation of the Safe Harbor (which will almost certainly be subject to prompt legal challenge in the form of Schrems III)? Should organisations subject to the GDPR continue with their transfer impact assessments and the uncertainty of the standard contractual clauses (“SCCs”) when transferring personal data to the US? Will the new safeguards have any impact on the SCCs at all? And how will this affect transfers to the US from the UK or other non-EU jurisdictions?

Representatives of the US Government and the European Commission recently provided some much-needed context, including further details around the timing of the replacement framework and of the potential shape of the new redress mechanism. Their comments offer some hints about the UK’s approach to transatlantic and other international data flows.

Continue Reading Transatlantic Data Flows – Where Are We Now?

On Friday 25 March President Biden and the President of the European Commission jointly announced that they had reached an agreement in principle on a revised trans-Atlantic data flow mechanism.  The timing could not have been better, as I was moderating a panel on “International Data Transfers in 2022 and Beyond” at the Privacy + Security Forum Spring Forum on the same day.

The panel was made up of William Malcolm, Director of Privacy at Google, Vivienne Artz, OBE Chair of the International Regulatory Strategy Group Data Committee, and Joe Jones, Deputy Director International Data Transfers Data Policy Directorate at the UK’s Department for Culture, Media & Sport.  Our plan was to facilitate a discussion focused on recent enforcement actions and statements by data protection authorities in the EU and UK that had highlighted the increasingly complex challenges organizations face in complying with GDPR when transferring personal data out of Europe.  Instead we had a very engaging hour discussing how important data transfers are in a digital economy, noting that at the EU-US summit the discussion of data was second only to discussions of the situation in Ukraine; and that although the EU-US announcement had set Twitter feeds alight, it provided no information as to what the actual agreement was or how it would avoid falling foul of being challenged as Schrems III, IV or V. Finally, we brainstormed some ideas as to the direction or detail that could be contained in the new EU-US agreement and which could really drive change in the regulation of international data flows.

It was clear to all that following the CJEU’s ruling in Schrems II, which invalidated the EU-US Privacy Shield and made use of Standard Contractual Clauses more challenging for business, commercial organizations find themselves in the situation in which data transfers are becoming an impediment to business when really they should be the soil of the digital society in which services and societal benefits can grow globally.

Continue Reading International Data Transfers in 2022 and Beyond

Today RopesDataPhiles brings you thoughts from across the pond, with an update on the UK Information Commissioner’s international data transfer agreement and its supporting documentation.

Some days it all comes together.  The sun’s shining in London for what feels like the first time in months.  One of the kids is going on a week-long school trip.  And just when you think it can’t get any better, you remember that the UK Information Commissioner’s international data transfer agreement and its supporting documentation have come into effect, following a period of Parliamentary approval.

As of Monday, 21 March, organisations transferring personal data from the UK have a range of options for papering those transfers.  As you’ll see, it’s going to feel much like the pick ‘n’ mix you get at the cinema, only without the intense initial rush followed by a crippling sense of doom when you realise what’s ahead.  Or maybe it’s exactly like that.

Continue Reading The IDTAs of March

A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.

Continue Reading Increased EU Scrutiny of US Data Transfers Through Cookie Use

Cyber SecurityAs we stand at the beginning of 2021 and a new presidential administration, we look back on the year behind us. Hindsight is always 2020, and 2020 may be best viewed in hindsight.  We saw rapid changes in the privacy space, prompted in part by the global COVID-19 response. Infrastructure and services across multiple sectors continue to rely on data and digital platforms to function. Five prominent developments shaped the data privacy environment in 2020.

Continue Reading Privacy Year in Review: 2020’s Hottest Topics

Cyber SecurityThe European Court of Justice this morning issued a significant – and fairly surprising – ruling on international data transfers in the Schrems II case. Standard contractual clauses remain valid, but the Privacy Shield is invalid and cannot be relied on to legitimise transfers of personal data from the EEA to the US.
Continue Reading Privacy Shield Invalid but SCCs Survive… What next for international personal data transfers?

The Opinion of Advocate-General (AG) Henrik Saugmandsgaardøe in the “Schrems II” case (C-311-18) was delivered on 19 December and will likely leave organisations, which currently rely on EC Commission-approved standard contractual clauses to ensure adequate protection for personal data that they transfer internationally heaving a collective sigh of relief, at least for the moment.

Continue Reading Schrems II and Standard Contractual Clauses – the Advocate-General’s Opinion