Global Data Transfers

Subscribe to Global Data Transfers

The German data protection authority of the federal state of Baden-Württemberg (LfDI BW) has issued detailed guidance (Guidance) on international data transfers this August and September. This is the first official guidance by a data protection authority following the decision of the Court of Justice of the European Union (CJEU) in the Schrems II case (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) that contains some solid guidance and suggestions for next steps.

Summary of the Guidance: (i) Checklist plus (ii) action items

The LfDI BW iterates that international data transfers shall be subject to an adequacy assessment and, where necessary, additional safeguards must be implemented that supplement the transfer mechanism relied upon. For this assessment, the LfDI BW proposes a checklist and specific action items for the amendment of the SCCs and potentially other data transfers mechanisms.
Continue Reading First official guidance on international data transfers post Schrems II – German data protection authority publishes checklist and action items on international data transfers

In August 2018, Brazil passed its General Data Protection Law (LGPD), which could become effective as soon as September 16, 2020. Now is the time for organizations that collect personal data of individuals in Brazil or process personal data in Brazil to assess their processing activities and consider how to comply with the new law,

Michael R. Pompeo, the U.S. Secretary of State, announced the “Clean Network Program” which aims to ban the so-called “untrusted” carriers, applications, mobile application stores, cloud service providers, operators of undersea cables connecting the United States and the global internet on August 5, 2020. Companies that are involved in these businesses, or entities that transact

The Court of Justice of the European Union (CJEU) handed down its judgment on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II) yesterday, July 16, 2020. The case concerned the transfer of personal data to recipients in the United States via the

On 4 June 2020, Singapore’s Personal Data Protection Regulations 2014 (Regulations) were amended to specify that recipients of personal data located outside Singapore which are certified under the Asia‑Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) System, would satisfy the cross-border data transfer requirements under Singapore’s data protection law.

The same outcome would be achieved if the recipient is a data intermediary (i.e., processes personal data on behalf of another), and is certified under the Asia‑Pacific Economic Cooperation Privacy Recognition for Processors (APEC PRP) System.
Continue Reading Singapore’s data transfer rules amended to recognise APEC CBPR and PRP certifications

Background

On October 23, 2019, the European Commission (EC) released its report on a third annual review of the EU-U.S. Privacy Shield. While the report confirms that the U.S. continues to provide an adequate level of protection for personal data transfers in the context of the Privacy Shield, there are some gaps between the expectations of the EC and U.S. authorities, particularly in relation to the lack of transparency concerning U.S. enforcement activities and a lack of co-operation between regulators. You can read our summary on the report via this link.

On Thursday, January 9, 2020, members of the Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) met representatives of the EC and European Data Protection Board to discuss the EC’s 2019 report on the Privacy Shield (link accessible here). An interesting question was raised: Would it be possible for the EC to recognize a single state, e.g., a U.S. state such as California, as an adequate territory for transfers of personal data?Continue Reading The EU-U.S. Privacy Shield: feedback, and potential EU recognition of privacy laws of California and other U.S. states?

Increasingly, businesses are looking to adopt data protection certifications and standards for myriad reasons, including enhancing consumer trust, demonstrating compliance when contracting with partners and managing regulatory risk.

We have prepared a high-level comparison to guide Singapore businesses in determining which certification or certifications could be the best fit.

ISO/IEC 27701:2019

Who can apply: All organisations, private or public, regardless of size and for-profit status. Data controllers and processors/intermediaries are eligible to apply.

Features: The ISO/IEC 27701:2019 standard provides a data privacy extension to ISO/IEC 27001:2013 Information Security Management and ISO/IEC 27002:2013 Security Controls. It extends their requirements to take into account, in addition to information security, the protection of privacy of individual consumers as potentially affected by the processing of personal data.

The annexes to the standard list the applicable controls for data controllers and processors, and map the provisions of the standard against the EU General Data Protection Regulation (GDPR), amongst other things.Continue Reading A snapshot comparison of data protection certifications in Singapore

In Singapore, private sector organisations must generally comply with the transfer limitation obligation in the Personal Data Protection Act (the Act). Any transfer of personal data outside Singapore must be in accordance with the Act’s requirements, to ensure that a comparable standard of protection is accorded to that data.

However, where an organisation is a data intermediary, i.e., it processes personal data on behalf of and for the purposes of another pursuant to a written contract, that intermediary is not subject to the transfer limitation obligation, as specified in section 4(2) of the Act.Continue Reading Guidance given on Singapore cross-border data transfer obligation for intermediaries and cloud providers

The Federal Trade Commission’s (FTC) recently announced settlement with background check provider SecurTest, Inc. shows the agency remains vigilant regarding businesses’ claims that they comply with the EU-U.S. Privacy Shield Framework (Privacy Shield). Privacy Shield provides U.S. businesses with a legally recognized mechanism for receiving personal data in the United States from the EU. In its complaint against SecurTest, the FTC alleges that for several months SecurTest falsely claimed on its website that it complied with Privacy Shield when in fact it had not self-certified its Privacy Shield compliance with the U.S. Department of Commerce. The terms of the FTC’s decision and order prohibit SecurTest from misrepresenting its Privacy Shield compliance status and require it to submit to compliance monitoring and recordkeeping requirements.

Along with announcing its settlement with SecurTest, the FTC noted that, rather than beginning enforcement proceedings, it has issued a number of warning letters to businesses over similar alleged inaccurate statements about compliance with cross-border privacy and data security transfer programs like Privacy Shield:Continue Reading FTC settlement and warning letters over cross-border personal data transfers

The Winter 2019 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We provide updates on Facebook Custom Audiences, social plug-ins, influencer advertising, withdrawal right information, the EU copyright law reform and more. The newsletter also includes multiple recommended reads on the GDPR.

We hope you enjoy