On 22 May 2023, the Irish data protection regulator (DPC) announced that it had issued a record-breaking €1.2 billion fine in a decision relating to non-compliant EU-to-U.S. data transfers under the GDPR. This fine imposed by the DPC substantially overshadows the previous record of €746 million under the GDPR, and raises several concerns for organisations transferring personal data from the EU to the U.S.
On February 22, 2023, the Cyberspace Administration of China (“CAC”) promulgated the final version of the Measures for the Standard Contract for Cross-Border Transfer of Personal Information (the “Measures”), along with the final version of the standard contractual clauses for cross-border transfer of personal information stipulated under the Personal Information Protection Law (the “PIPL SCCs”).
Introduction
Ahead of its much-anticipated guidance on the UK International Data Transfer Agreement / Addendum (IDTA) (the United Kingdom’s version of the EU standard contractual clauses (EU SCCs)), the UK data protection regulator, the Information Commissioner’s Office (ICO), has revised its guidance on international transfers of personal data under the UK GDPR (Transfer Guidance).
Continue Reading UK Data Protection Regulator Updates its Guidance on Data Transfers
Tune in to the first episode of Ropes & Gray’s new podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series will focus on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments
The Ropes & Gray Decoding Digital Health podcast series discusses the digital health industry and related legal, business and regulatory issues. In this episode, Digital Health Initiative co-lead and health care partner, Christine Moundas, interviews health care partner and member of the digital health group, David Peloquin. They discuss the legal challenges and potential solutions
International transfers of personal data under the UK GDPR are set to continue to be a key topic in 2023, in particular, regarding new UK adequacy regulations, transatlantic data flows, and updated guidance regarding the UK’s International Data Transfer Agreement (IDTA).
While 2022 saw the Department for Digital, Culture, Media & Sport (DCMS) and ICO comment on imminent updates on these issues, very little has actually materialised, leaving businesses and commentators alike hopeful that 2023 will be a year of increased certainty when undertaking restricted international transfers subject to the UK GDPR.
Continue Reading UK GDPR: What Will 2023 Hold for International Data Transfers?
As 2022 draws to a close, the international data transfer landscape from Europe continues to be dynamic, with anticipated updates including a further milestone on the Transatlantic Data Privacy Framework (“Framework”) for EU to U.S. data transfers, a new set of model clauses for data transfers to non-EU data importers who are already within the scope of the GDPR, and continued developments in cookie monitoring and enforcement.
On July 7, 2022, the Cyberspace Affairs Commission (“CAC”) of China issued the Measures on Security Assessment of Cross-Border Data Transfer (the “Security Assessment Measures”), which sets out the security assessment framework for cross-border data transfers. The Security Assessment Measures will become effective on September 1, 2022. In conjunction with the
On Friday 25 March President Biden and the President of the European Commission jointly announced that they had reached an agreement in principle on a revised trans-Atlantic data flow mechanism. The timing could not have been better, as I was moderating a panel on “International Data Transfers in 2022 and Beyond” at the Privacy + Security Forum Spring Forum on the same day.
The panel was made up of William Malcolm, Director of Privacy at Google, Vivienne Artz, OBE Chair of the International Regulatory Strategy Group Data Committee, and Joe Jones, Deputy Director International Data Transfers Data Policy Directorate at the UK’s Department for Culture, Media & Sport. Our plan was to facilitate a discussion focused on recent enforcement actions and statements by data protection authorities in the EU and UK that had highlighted the increasingly complex challenges organizations face in complying with GDPR when transferring personal data out of Europe. Instead we had a very engaging hour discussing how important data transfers are in a digital economy, noting that at the EU-US summit the discussion of data was second only to discussions of the situation in Ukraine; and that although the EU-US announcement had set Twitter feeds alight, it provided no information as to what the actual agreement was or how it would avoid falling foul of being challenged as Schrems III, IV or V. Finally, we brainstormed some ideas as to the direction or detail that could be contained in the new EU-US agreement and which could really drive change in the regulation of international data flows.
It was clear to all that following the CJEU’s ruling in Schrems II, which invalidated the EU-US Privacy Shield and made use of Standard Contractual Clauses more challenging for business, commercial organizations find themselves in the situation in which data transfers are becoming an impediment to business when really they should be the soil of the digital society in which services and societal benefits can grow globally.
Continue Reading International Data Transfers in 2022 and Beyond
Today RopesDataPhiles brings you thoughts from across the pond, with an update on the UK Information Commissioner’s international data transfer agreement and its supporting documentation.
—
Some days it all comes together. The sun’s shining in London for what feels like the first time in months. One of the kids is going on a week-long school trip. And just when you think it can’t get any better, you remember that the UK Information Commissioner’s international data transfer agreement and its supporting documentation have come into effect, following a period of Parliamentary approval.
As of Monday, 21 March, organisations transferring personal data from the UK have a range of options for papering those transfers. As you’ll see, it’s going to feel much like the pick ‘n’ mix you get at the cinema, only without the intense initial rush followed by a crippling sense of doom when you realise what’s ahead. Or maybe it’s exactly like that.