The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (‘LIBE Committee’) and the European Data Protection Board (‘EDPB’) have recently issued opinions on the European Commission’s draft US adequacy decision (‘Draft Adequacy Decision‘) for the EU-US Data Privacy Framework (‘Framework‘). Both believe there is more
The EDPB makes its mind up about transfers
If you can remember as far back as December 2021, we published a blog post announcing that the European Data Protection Board (EDPB) published draft guidelines on the interplay between the territorial scope of the GDPR and the international transfer requirements. Following what must have been an extensive consultation, we are pleased to report that those guidelines were finally finalised on 14 February 2023 (here) and, are even more pleased to report that they contain some very useful illustrations to help you make sense of the concept of international data transfers.
Get your update on IT & data protection law in our newsletter (Winter 2023 edition)
The winter 2023 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:
Continue Reading Get your update on IT & data protection law in our newsletter (Winter 2023 edition)
A sigh of relief? EU-US data transfers
At the end of 2022, the European Commission published its draft adequacy decision on the EU-US transfers of personal data. The draft contains an assessment of the US legal framework around state surveillance. Once in place, EU data transfers to the US under the new Data Privacy Framework (“EU-US DPF”) will be free. However, there are still some steps to take.
ICO provides an alternative to the EDPB transfer impact assessment
On 17 November 2022, the UK Information Commissioner’s Office issued updated guidance on international personal data transfers. The guidance is to be used for transfers of personal data from the UK to third countries. The ICO added a template transfer risk assessment (TRA) to the guidance, which is required when organisations rely on a transfer tool under Article 46 of the UK GDPR, e.g. the ICO’s International Data Transfer Agreement (the UK version of the EU SCCs); the Addendum to the EU SCCs, or the Binding Corporate Rules. The requirement to carry out transfer impact assessments stems from Article 46(1) of the UK GDPR, which states that the transfer mechanisms can be used “on condition that enforceable data subject rights and effective legal remedies for data subjects are available” confirmed by the CJEU’s Schrems II judgement.
The ICO’s TRA offers an alternative approach to the EDPB’s transfer impact assessments (TIA), to assist data exporters with carrying out their analysis to check that that protections under the transfer tool are not undermined by the laws and practices of the recipient third country.
Continue Reading ICO provides an alternative to the EDPB transfer impact assessment
UK Government grants South Korea a data adequacy status
On 24 November 2022, the Data Protection (Adequacy) (Republic of Korea) Regulations were laid before the UK parliament for approval. The Regulations are due to come into force on 19 December 2022. From then onwards, transfers of personal data to South Korea by organisations in the UK may be made without the need to put UK International Data Transfer Agreements (UK versions of the Standard Contractual Clauses) or other transfer tools in place with recipients of personal data in South Korea.
Continue Reading UK Government grants South Korea a data adequacy status
Get your Update on IT & Data Protection Law in our Newsletter (Fall 2022 Edition)
The Fall 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:
English version
Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Fall 2022 Edition)
Does the UK-U.S. agreement under the U.S. CLOUD Act affect UK’s adequacy under the GDPR?
On October 3, 2022, the UK-U.S. agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (the UK-U.S. Agreement) came into force. The UK and the U.S. governments signed the UK-U.S. Agreement on October 3, 2019 under the U.S. Clarifying Lawful Overseas Use of Data Act 2018 (“CLOUD Act”). The U.S. government is negotiating similar agreements with the governments of Canada, Australia and New Zealand, but notably, not with the European Union.
Time to change to the new EU and UK Standard Contractual Clauses (SCCs)
As you might know, the new EU SCCs were published last year. The UK has now issued new templates for data transfers that can be used from 21 March 2022. With the UK templates confirmed and available, many multinational organisations with presence in the EU and the UK are gearing up to transition their contracts to the new templates. There are some deadlines to be aware of, which you will find in the ‘key dates to note’ section below.
The main agreements that organisations will need to focus on as part of their transition programme are:
- template agreements with customers and vendors on processing personal data;
- existing agreements with customers and vendors; and
- existing agreements within the group companies.
Continue Reading Time to change to the new EU and UK Standard Contractual Clauses (SCCs)
Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)
The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:
Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)