The Data Privacy Framework Has Landed! How to Reap the Benefits
The long-awaited successor to the Privacy Shield has finally arrived. Like the Privacy Shield, the new program, dubbed the Data Privacy Framework (DPF), provides for a self-certification process allowing U.S. companies to receive transfers of personal data from the European Union, the United Kingdom and Switzerland. The DPF emerged from three recent political developments: Some …
Privacy
Not-So-Standard Contractual Clauses
Last week I attended the IAPP Global Summit (the IAPP’s annual privacy bash), featuring privacy luminaries as keynote speakers and dozens of privacy-focused sessions. One particularly good session was about the proliferation of standard contractual clauses (SCCs) that permit cross-border data transfers. This session coincided with the Future of Privacy Forum’s release of a report …
Renaming the Data Privacy Framework . . . With Help From ChatGPT
In my previous blog post, I reviewed the recent opinion of the European Data Protection Board that considers whether the proposed Privacy Shield replacement – the EU-U.S. Data Privacy Framework – provides “adequate protection” for EU-U.S. data transfers as required under the GDPR. The merits of that proposed framework aside, it needs a catchier name. …
Don’t Start Your Engines Just Yet for Privacy Shield II
The latest development in the long road to a replacement for the Privacy Shield, which was shot down by the Court of Justice of the European Union in its Schrems II decision (2020), is the European Data Protection Board’s opinion adopted February 28, 2023 (Opinion 5/2023). That opinion looks at whether the newly proposed EU-U.S. …
Drafting Robust TOMs
“TOMs,” for those unversed in GDPR acronyms, refers to the “technical and organizational measures” for keeping personal data secure required under the GDPR (Art. 32) as well as under the standard contractual clauses (Annex II). Compared with the EU Data Protection Directive it replaced, the GDPR takes a more granular approach to security requirements. While …
Top Five Pain Points in Data Processing Agreements
Drafting a GDPR-compliant data processing agreement (DPA) should be dead simple. After all, GDPR Art. 28 provides a specific roadmap of what to include. Yet DPAs – which are required under the GDPR whenever a processor is processing personal data on behalf of a controller – can sometimes be the tail that wags the dog …