The Summer 2023 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:
On 8 June 2023, the UK Secretary of State for Science, Innovation, and Technology, and US Commerce Secretary jointly announced the intention to establish a UK-US data bridge.
The proposed data bridge between the UK and the US would build upon the EU-US Data Privacy Framework (DPF) as the UK Extension allowing free transfers of…
On 13 April 2023, the EU’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) passed a resolution to stop the debate over the draft adequacy decision stating that the new EU-US Data Privacy Framework (DPF) and the Executive Order on Enhancing Safeguards for US Signals Intelligence Activities issued by the US President do not provide sufficient privacy safeguards. The DPF was originally predicted to pass in early 2023 but putting a resolution to Parliament’s vote suggests looming delays.Continue Reading EU-US data transfers: LIBE Committee to stop debate over adequacy decision due to concerns over insufficient privacy safeguards
On 4 April 2023, the Personal Information Protection Commission of Japan (PPC) and European Commissioner for Justice issued a joint Press Statement on the conclusion of the first review of the Japan-EU Mutual Adequacy Decision. Both sides reiterated the importance of cooperation in the data protection regulation sphere that is becoming increasingly complex to navigate.Continue Reading EU may expand the scope of the adequacy decision for Japan following its first review
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (‘LIBE Committee’) and the European Data Protection Board (‘EDPB’) have recently issued opinions on the European Commission’s draft US adequacy decision (‘Draft Adequacy Decision‘) for the EU-US Data Privacy Framework (‘Framework‘). Both believe there is more…
The winter 2023 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:
On October 3, 2022, the UK-U.S. agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (the UK-U.S. Agreement) came into force. The UK and the U.S. governments signed the UK-U.S. Agreement on October 3, 2019 under the U.S. Clarifying Lawful Overseas Use of Data Act 2018 (“CLOUD Act”). The U.S. government is negotiating similar agreements with the governments of Canada, Australia and New Zealand, but notably, not with the European Union.Continue Reading Does the UK-U.S. agreement under the U.S. CLOUD Act affect UK’s adequacy under the GDPR?
On 17 June 2022, in response to its consultation in 2021 on the same topic (which we wrote about here), the UK government published more detailed proposals to reform data protection laws in the UK. The response to the consultation can be found here. The intention of the reforms is to achieve greater personal data use enabling economic growth by removing barriers and reducing obstacles for organisations whilst maintaining high standards of personal data protection and EU adequacy.Continue Reading Government releases proposals to reform UK data protection laws
As you might know, the new EU SCCs were published last year. The UK has now issued new templates for data transfers that can be used from 21 March 2022. With the UK templates confirmed and available, many multinational organisations with presence in the EU and the UK are gearing up to transition their contracts to the new templates. There are some deadlines to be aware of, which you will find in the ‘key dates to note’ section below.
The main agreements that organisations will need to focus on as part of their transition programme are:
- template agreements with customers and vendors on processing personal data;
- existing agreements with customers and vendors; and
- existing agreements within the group companies.
The arrival of the new EU Standard Contractual Clauses (“EU SCCs”) for international transfers in June 2021 was widely awaited to better understand the new requirements to assess the third-country laws for government access to data prior to using the SCCs following the Court of Justice of the European Union’s (“CJEU”) decision on Schrems II. As a value add, the EU SCCs were updated to reflect the GDPR requirements and also enabled organisations to cover a wider range of data flows than their previous versions due to the addition of ‘processor-to-processor’ and ‘processor-to-controller’ scenarios. Binding Corporate Rules (“BCRs”), another transfer tool available under the EU General Data Protection Regulation (“GDPR”), have not yet been updated to reflect the same flexibility in reflecting the diversity of data flows and presently appear to be limited in use in comparison. It is expected that the European Data Protection Board (“EDPB”) will publish updated BCR requirements in 2022.
Continue Reading So you have got BCRs? You may still need to use the new EU SCCs