The next domino in the finalization of the proposed EU-U.S. Data Privacy Framework has fallen. The European Commission published its draft adequacy decision recognizing the essential equivalence of U.S. data protection standards, paving the way for finalization of the DPF and unimpeded data flows. The U.S. executive order committing to an overhaul of foreign intelligence agencies' access to personal data and creation of a new redress system for EU citizens spurred the preliminary adequacy ackno... Read More

International data transfers continue to be a top compliance and legal issue for both European and global organizations, requiring continuous reevaluation and increasing resources. In its recent guidance from December 2022, the European Data Protection Board provided draft guidance with updated interpretations and requirements regarding the use of the binding corporate rules transfer mechanism. In doing so, the EDPB missed an opportunity to address BCRs in a systematic, strategic and forward-th... Read More

The long-awaited Chinese standard contractual clauses and SCC Regulations were finally released by the Cyberspace Administration of China Feb. 24, effective June 1. This indicates that all three major legal mechanisms under China's Personal Information Protection Law, namely CAC-led security assessment, certification by licensed professional institutions, and Chinese SCCs, are all fully established with the necessary details for implementation. Application scope According to the SCC Regulation... Read More

Well-known and influential names entrenched in the ongoing discussions around EU-U.S. data flows made their presence felt in back-to-back breakout sessions to cap off the final day of the IAPP Europe Data Protection Congress in Brussels, Belgium. EU and U.S. government officials took the stage focused on further touting and cementing the pending EU-U.S. Data Privacy Framework's workability. NOYB Honorary Chairman Max Schrems threw cold water on those notions, all but announcing he will attempt ... Read More

The European Parliament Committee on Civil Liberties, Justice and Home Affairs does not want the European Commission to extend an adequacy decision to the U.S. based on the proposed EU-U.S. Data Privacy Framework. The committee made as much clear in its draft opinion on the EU-U.S. adequacy published Feb. 14. In their opinion, committee members concluded the proposed DPF "fails to create actual equivalence in the level of protection" offered under the EU General Data Protection Regulation and u... Read More

On Oct. 7, U.S. President Joe Biden issued an “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” and the Department of Justice supplemented it with a new regulation.  As explained by the Commission of the European Union, the executive order and regulation establish “a new two-layer redress mechanism, with independent and binding authority.” In the first layer, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protecti... Read More

Google Chief Privacy Officer Keith Enright, CIPP/G, CIPP/US, wrote a blog post explaining the company's plans to abide by the Global Cross-Border Privacy Rules system. Enright touted the CBPR system as "an important step toward enabling continued, trusted data flows between participating jurisdictions." He added that Google will partake in the Global CBPR Forum to discuss "practical realities of services facing fragmented privacy regulations" while imploring further consultation on "how to make ... Read More

Politico reports the U.S. is pushing forward with various countries on the proposal for Global Cross-Border Privacy Rules despite potential friction with the EU General Data Protection Regulation. A recent meeting between 20 nations in Hawaii sought to finalize details of a global CBPR framework, which existing participants hope will include Brazil and the U.K. by year's end as well as other nations, like Bermuda and Chile, by 2023. However, unnamed EU officials indicated the CBPR framework woul... Read More

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.” Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. I... Read More

The Asia-Pacific Economic Cooperation approved the first U.S.-based nonprofit Accountability Agent in the APEC privacy certification systems. Following its approval by a joint oversight board and the 21 APEC economies, BBB National Programs announced it becomes one of seven worldwide recognized Accountability Agents in the APEC Cross Border Privacy Rules and Privacy Recognition for Processors systems. The nonprofit will work one-on-one with companies of all sizes doing business in the 21 econom... Read More

The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S. APEC has announced that certification firm Schellman & Company is the newest CBPR Accountability Agent in the U.S. following approval from a joint oversight panel. Accountability Agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place. Schellman joins TrustArc subsidiary TRUSTe as the only U.S.-b... Read More

International data transfers continue to be a top compliance and legal issue for both European and global organizations, requiring continuous reevaluation and increasing resources. In its recent guidance from December 2022, the European Data Protection Board provided draft guidance with updated interpretations and requirements regarding the use of the binding corporate rules transfer mechanism. In doing so, the EDPB missed an opportunity to address BCRs in a systematic, strategic and forward-th... Read More

The U.K. Information Commissioner's Office published updated guidance for using binding corporate rules as a data transfer mechanism. The updates are geared toward a "simplified" approach for controllers and processors with the ICO noting it will "only request supporting documents and commitments once during the U.K. approval process." The regulator also called BCRs a "gold standard" transfer mechanism that "demonstrates your commitment to implementing appropriate safeguards."Full Story... Read More

Lithuania’s data protection authority, the State Data Protection Inspectorate, released an FAQ on binding corporate rules, stating they can be used as a basis for companies to transfer personal data to third countries in accordance with the EU General Data Protection Regulation. The DPA said companies cannot solely rely on the European Commission’s decision on an adequate level of protection as the main basis for data transfers. The document details who can transfer data to a third country on th... Read More

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not in the scope of the "Schrems II" decision, and... Read More