Meeting the Legal Challenges of International Data Transfers
Welcome! My aim with this blog is to help you understand the barriers to, and deal with the risks of, transferring personal data across national borders.
From the Blog
Not-So-Standard Contractual Clauses
Last week I attended the IAPP Global Summit (the IAPP’s annual privacy bash), featuring privacy luminaries as keynote speakers and dozens of privacy-focused sessions. One particularly good session was about the proliferation of standard contractual clauses (SCCs) that permit cross-border data transfers. This session coincided with the Future of Privacy Forum’s release of a report …
What Is an “International Data Transfer” Anyway?
Chapter V of the GDPR lays down the requirements for transfers of personal data from the EU to a third country. The requirements are pretty straightforward. The transfer must be based on either: But before Chapter V is even applicable, there must be a “transfer.” What constitutes a “transfer” isn’t self-evident, as the GDPR doesn’t …
Renaming the Data Privacy Framework . . . With Help From ChatGPT
In my previous blog post, I reviewed the recent opinion of the European Data Protection Board that considers whether the proposed Privacy Shield replacement – the EU-U.S. Data Privacy Framework – provides “adequate protection” for EU-U.S. data transfers as required under the GDPR. The merits of that proposed framework aside, it needs a catchier name. …
Don’t Start Your Engines Just Yet for Privacy Shield II
The latest development in the long road to a replacement for the Privacy Shield, which was shot down by the Court of Justice of the European Union in its Schrems II decision (2020), is the European Data Protection Board’s opinion adopted February 28, 2023 (Opinion 5/2023). That opinion looks at whether the newly proposed EU-U.S. …
Actual vs. Suspected Security Breaches Under DPAs
Pet peeve alert: it bugs me every time I see “personal data breach,” “security breach” or “security incident” defined in a DPA to include “suspected” as well as “actual” breaches or incidents. The GDPR definition of “personal data breach” is perfectly adequate: “personal data breach” means a breach of security leading to the accidental or …
Drafting Robust TOMs
“TOMs,” for those unversed in GDPR acronyms, refers to the “technical and organizational measures” for keeping personal data secure required under the GDPR (Art. 32) as well as under the standard contractual clauses (Annex II). Compared with the EU Data Protection Directive it replaced, the GDPR takes a more granular approach to security requirements. While …