Meeting the Legal Challenges of International Data Transfers
Welcome! My aim with this blog is to help you understand the barriers to, and deal with the risks of, transferring personal data across national borders.
From the Blog

The Data Privacy Framework Has Landed! How to Reap the Benefits
The long-awaited successor to the Privacy Shield has finally arrived. Like the Privacy Shield, the new program, dubbed the Data Privacy Framework (DPF), provides for a self-certification process allowing U.S. companies to receive transfers of personal data from the European Union, the United Kingdom and Switzerland. The DPF emerged from three recent political developments: Some …

Not-So-Standard Contractual Clauses
Last week I attended the IAPP Global Summit (the IAPP’s annual privacy bash), featuring privacy luminaries as keynote speakers and dozens of privacy-focused sessions. One particularly good session was about the proliferation of standard contractual clauses (SCCs) that permit cross-border data transfers. This session coincided with the Future of Privacy Forum’s release of a report …

What Is an “International Data Transfer” Anyway?
Chapter V of the GDPR lays down the requirements for transfers of personal data from the EU to a third country. The requirements are pretty straightforward. The transfer must be based on either: But before Chapter V is even applicable, there must be a “transfer.” What constitutes a “transfer” isn’t self-evident, as the GDPR doesn’t …

Renaming the Data Privacy Framework . . . With Help From ChatGPT
In my previous blog post, I reviewed the recent opinion of the European Data Protection Board that considers whether the proposed Privacy Shield replacement – the EU-U.S. Data Privacy Framework – provides “adequate protection” for EU-U.S. data transfers as required under the GDPR. The merits of that proposed framework aside, it needs a catchier name. …

Don’t Start Your Engines Just Yet for Privacy Shield II
The latest development in the long road to a replacement for the Privacy Shield, which was shot down by the Court of Justice of the European Union in its Schrems II decision (2020), is the European Data Protection Board’s opinion adopted February 28, 2023 (Opinion 5/2023). That opinion looks at whether the newly proposed EU-U.S. …

Actual vs. Suspected Security Breaches Under DPAs
Pet peeve alert: it bugs me every time I see “personal data breach,” “security breach” or “security incident” defined in a DPA to include “suspected” as well as “actual” breaches or incidents. The GDPR definition of “personal data breach” is perfectly adequate: “personal data breach” means a breach of security leading to the accidental or …