On 24 September 2021, the European Data Protection Board (EDPB) issued its opinion on the European Commission’s (EC) draft adequacy decision in respect of South Korea.

On 16 June 2021, the EC launched the procedure for the adoption of an adequacy decision for South Korea under the General Data Protection Regulation (GDPR), which would allow free transfers of personal data from the European Economic Area (EEA) to South Korea’s commercial operators and public authorities.

Overall, the EDPB found the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB’s review focused on both the general aspects of the GDPR (such as data protection concepts, transparency, data retention and grounds for lawful processing for a legitimate purpose) and also on the local laws allowing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. The EDPB also reviewed the Notification adopted by the South Korean data protection authority that was designed to fill gaps between the GDPR and Korean framework (Notification).


Today the European Commission issued the new and long-awaited Standard Contractual Clauses, available here (SCCs). These new SCCs contain updates for the GDPR, and replace the three sets of SCCs that were adopted under the previous Data Protection Directive. The SCCs released today include the following modules:

  • Controller to controller transfers,
  • Controller to processor transfers,
  • Processor to processor transfers, and
  • Processor to controller transfers.

The draft SCCs had been open to consultation in December of 2020 (more on our previous blog here). The final drafts issued today will come into effect 20 days after publication in the Official Journal of the European Union, which should be sometime between the 25th and 30th of June 2021.

On March 12, 2021, the French Council of State (Conseil d’Etat), the highest French administrative court, handed down a ruling (ordonnance des référés) allowing Doctolib, a company in charge of booking COVID-19 vaccination appointments, to rely on a U.S.-based health data host.

In the present case, the servers of Doctolib – whose platform had been entrusted by the French government for booking COVID-19 vaccinations – were hosted by the Luxembourg subsidiary of AWS, a U.S. company. The AWS data was stored in data centers located in the European Union (specifically, in France and Germany).

The French government’s decision to use a platform hosted by the subsidiary of a U.S.-based company raised significant concerns among French associations and trade unions because of the Schrems II decision rendered by the Court of Justice of the European Union (CJEU July 16, 2020, Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems), which shed light on the risks that U.S. surveillance laws might pose to data subjects in the event of access requests by U.S. agencies.

In this episode, Sarah Bruno and LiLing Poh discuss recent trends as organizations invest more in technology through the acquisition of new platforms or programs, or by working with a vendor to bring a product to market. Exploring a case study involving a global pharmaceutical company on the rollout of a health-related digital app,

On January 4, 2021, the Singapore government introduced a bill into parliament to amend the Electronic Transactions Act (Cap. 88) (ETA). The amendments set out in the Electronic Transactions (Amendment) Bill will be of relevance to the trade and commodities finance and fintech sectors as their primary object is to achieve recognition and equivalence

The German data protection authority of the federal state of Baden-Württemberg (LfDI BW) has issued detailed guidance (Guidance) on international data transfers this August and September. This is the first official guidance by a data protection authority following the decision of the Court of Justice of the European Union (CJEU) in the Schrems II case (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) that contains some solid guidance and suggestions for next steps.

Summary of the Guidance: (i) Checklist plus (ii) action items

The LfDI BW reiterates that international data transfers shall be subject to an adequacy assessment and, where necessary, additional safeguards must be implemented that supplement the transfer mechanism relied upon. For this assessment, the LfDI BW proposes a checklist and specific action items for the amendment of the SCCs and potentially other data transfer mechanisms.

In August 2018, Brazil passed its General Data Protection Law (LGPD), which could become effective as soon as September 16, 2020. Now is the time for organizations that collect personal data of individuals in Brazil or process personal data in Brazil to assess their processing activities and consider how to comply with the new law,

On August 5, 2020, Michael R. Pompeo, the U.S. Secretary of State, announced the “Clean Network Program”, which aims to ban so-called “untrusted” carriers, applications, mobile application stores, cloud service providers, and operators of undersea cables connecting the United States and the global internet. Companies that are involved in these businesses, or entities that transact

The Court of Justice of the European Union (CJEU) handed down its judgment on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II) yesterday, July 16, 2020. The case concerned the transfer of personal data to recipients in the United States via the

On 4 June 2020, Singapore’s Personal Data Protection Regulations 2014 (Regulations) were amended to specify that recipients of personal data located outside Singapore which are certified under the Asia‑Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) System would satisfy the cross-border data transfer requirements under Singapore’s data protection law.

The same outcome would be achieved if the recipient is a data intermediary (i.e., processes personal data on behalf of another), and is certified under the Asia‑Pacific Economic Cooperation Privacy Recognition for Processors (APEC PRP) System.