International data transfer

The options available to EU organisations for lawfully transferring personal data from Europe to the United States appear to be dwindling. In particular, there have been further setbacks to the approval of the Privacy Shield and, separately, a new legal challenge to the validity of EU model contract clauses.

We previously issued a briefing on the Court of Justice of the European Union’s (CJEU) ruling that declared all transfers of personal data from the EU to the United States under the U.S.-EU Safe Harbor Framework, including those conducted by vendors or suppliers, immediately invalid.  On 14 October 2015, we presented a webinar on this topic, including a practical discussion of the impact and potential solutions.  Moving forward, companies should evaluate the following frequently asked questions to help mitigate the potential risk of exposure when transferring data internationally.

Recent headlines continue to explore the ramifications of the Court of Justice of the European Union’s ruling declaring the long-standing EU-U.S. Safe Harbor framework invalid. The decision will have widespread implications for how global corporations manage the international transfer of data.

Please join Reed Smith on October 14, 2015 at 9:00 a.m. PT |

In July 2015, China released its new draft cybersecurity law (the ‘Law’), which will potentially have far-reaching consequences for network operators and companies doing business in China.

The Law regulates cross-border data transfers and gives individuals greater protection over their personal data, including granting them increased rights to access and amend their personal information. The Law also imposes a range of stringent new obligations, while awarding the government added powers to access and block dissemination of private information which would be deemed illegal under Chinese law.

Under the Law, the PRC government will be able to:

  • Restrict the transmission of information over the Internet to certain places where privacy incidents have occurred previously in order to protect national security
  • Introduce a new ‘localization law’ which will oblige certain entities to store any information deemed by the government as “important” or “critical” within China. If there is a legitimate business reason to store or otherwise transfer such data abroad, the transferring organisation will be required to complete a security evaluation which meets government requirements before any such data can be transferred. This obligation is intended to apply only to organisations in “key information infrastructure sectors,” but it is unclear exactly how this term will be interpreted.


In June, the Article 29 Working Party (‘Working Party’) wrote to the President of the European Commission, setting out its case for including a reference to Binding Corporate Rules for data processors (‘BCR-P’) in the forthcoming Data Protection Regulation.

Binding Corporate Rules are one way in which data controllers or data processors in Europe