The Data Privacy Framework Has Landed! How to Reap the Benefits
The long-awaited successor to the Privacy Shield has finally arrived. Like the Privacy Shield, the new program, dubbed the Data Privacy Framework (DPF), provides for a self-certification process allowing U.S. companies to receive transfers of personal data from the European Union, the United Kingdom and Switzerland. The DPF emerged from three recent political developments: Some …
GDPR
What Is an “International Data Transfer” Anyway?
Chapter V of the GDPR lays down the requirements for transfers of personal data from the EU to a third country. The requirements are pretty straightforward. The transfer must be based on either: But before Chapter V is even applicable, there must be a “transfer.” What constitutes a “transfer” isn’t self-evident, as the GDPR doesn’t …
Renaming the Data Privacy Framework . . . With Help From ChatGPT
In my previous blog post, I reviewed the recent opinion of the European Data Protection Board that considers whether the proposed Privacy Shield replacement – the EU-U.S. Data Privacy Framework – provides “adequate protection” for EU-U.S. data transfers as required under the GDPR. The merits of that proposed framework aside, it needs a catchier name. …
Don’t Start Your Engines Just Yet for Privacy Shield II
The latest development in the long road to a replacement for the Privacy Shield, which was shot down by the Court of Justice of the European Union in its Schrems II decision (2020), is the European Data Protection Board’s opinion adopted February 28, 2023 (Opinion 5/2023). That opinion looks at whether the newly proposed EU-U.S. …
Actual vs. Suspected Security Breaches Under DPAs
Pet peeve alert: it bugs me every time I see “personal data breach,” “security breach” or “security incident” defined in a DPA to include “suspected” as well as “actual” breaches or incidents. The GDPR definition of “personal data breach” is perfectly adequate: “personal data breach” means a breach of security leading to the accidental or …
Drafting Robust TOMs
“TOMs,” for those unversed in GDPR acronyms, refers to the “technical and organizational measures” for keeping personal data secure required under the GDPR (Art. 32) as well as under the standard contractual clauses (Annex II). Compared with the EU Data Protection Directive it replaced, the GDPR takes a more granular approach to security requirements. While …