A few weeks ago, on 24 September 2023, the Data Governance Act (Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance) (“DGA”) came into force.
The DGA aims to...more
11/14/2023
/ Administrative Authority ,
Best Practices ,
Data Collection ,
Data Management ,
Data Protection ,
EU ,
European Commission ,
General Data Protection Regulation (GDPR) ,
Information Governance ,
Information Management ,
International Data Transfers ,
Member State ,
Public Sector ,
Third-Party Service Provider
On 12 October the UK–U.S. “data bridge” becomes operational, providing an additional, compliant route for UK-outbound transfers of personal data to U.S. organisations that are EU-U.S. Data Privacy Framework members. UK...more
10/12/2023
/ Adequacy Requirement ,
Biden Administration ,
Data Protection ,
Data Subjects Rights ,
Executive Orders ,
Federal Trade Commission (FTC) ,
International Data Transfers ,
Personal Data ,
Popular ,
Privacy Framework ,
Regulatory Oversight ,
UK
Updated June 2023 -
The BCLP Data Privacy & Security team is tracking EU law developments relevant to data and cyber security. This tracker summarizes the effect and status of the following: the Digital Services Act, the...more
6/19/2023
/ Cybersecurity ,
Data Privacy ,
Data Protection ,
Data Security ,
Data Transfers ,
Digital Marketplace ,
Digital Service Providers ,
Digital Services ,
EU ,
EU Data Protection Laws ,
Information Governance ,
International Data Transfers ,
New Legislation ,
Pending Legislation ,
Personal Data ,
Popular
The updated guidelines (05/2021) from the European Data Protection Board (“EDPB”) issued on 14 February 2023 (the “New Guidelines”) look at the interplay of two fundamental, protective mechanisms contained in the EU GDPR....more
3/17/2023
/ Data Controller ,
Data Processors ,
Data Protection ,
Draft Guidance ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Guidance Update ,
International Data Transfers ,
Personal Data
Two and a half years after the Schrems II decision invalidated the EU-US Privacy Shield, the EU and US are inching closer to a replacement data transfer mechanism for EU to US personal data transfers. On 13 December 2022, the...more
With the 27 December 2022 deadline for updating data transfer contracts with the EU SCCs fast approaching, this alert mines European Commission guidance, as well as the team’s experience, and offers some tips for successful...more
Since the Schrems II 2020 judgment famously “cancelled” the EU/U.S. Privacy Shield program for personal data flows from the EU to the United States, it would be an understatement to say that U.S.-bound personal data flows...more
On 28 January 2022 (Data Protection Day), the UK’s International Data Transfer Agreement (“IDTA”) and International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (the “EU Addendum”) were...more
It is well known that the EU GDPR (specifically, Chapter V) restricts transfers of personal data from the EU to a “third country” (i.e. a jurisdiction outside the EEA) or to an international organisation. But what is meant by...more
12/2/2021
/ Consultation ,
Corporate Counsel ,
Data Controller ,
Data Processors ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Multinationals ,
New Guidance ,
Personal Data ,
Standard Contractual Clauses ,
Third Country Entities (TCEs)
On 11 August, the UK Information Commissioner’s Office launched a consultation paper on “International transfers under UK GDPR”. The documents released alongside the paper include a draft International Data Transfer Agreement...more
8/16/2021
/ Consultation ,
Corporate Counsel ,
EU ,
European Commission ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Personal Data ,
Risk Assessment ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
UK
This depends on whether you are looking at (a) entering into new data transfer agreements or (b) repapering existing ones. The longstop date for repapering existing agreements is 27 December 2022; however, the new EU SCCs...more
The European Commission recently adopted new standard contractual clauses (SCCs) for transfers of personal data from the EU to “third countries” (the “new SCCs”). In this post, we highlight key developments in the UK’s data...more
7/9/2021
/ Data Controller ,
Data Processors ,
EU ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Member State ,
Personal Data ,
Standard Contractual Clauses ,
UK ,
UK Brexit
On 28 June, the European Commission adopted its Adequacy Decision for the UK, putting to an end (at least for now), the uncertainty surrounding EU to UK personal data flows. This averted a “cliff edge” in the shape of the 30...more
According to a press release of the data protection authority (DPA) of Lower Saxony earlier this month, nine German DPAs will participate in a coordinated audit of companies in Germany regarding their transfers of personal...more
6/30/2021
/ Audits ,
Court of Justice of the European Union (CJEU) ,
Data Controller ,
Data Processors ,
Data Protection Authority ,
EU ,
European Economic Area (EEA) ,
FISA ,
General Data Protection Regulation (GDPR) ,
Germany ,
International Data Transfers ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses
The European Commission published a draft Adequacy Decision for the UK on 19 February. That document remains in draft, though it is understood to have successfully cleared the last formal approval stage required....more
6/21/2021
/ Adequacy Requirement ,
Data Protection ,
EU ,
European Commission ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Member State ,
Personal Data ,
Standard Contractual Clauses ,
UK
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated in “Schrems II” the EU–U.S. Privacy Shield framework, while upholding the Standard Contractual Clauses (SCCs) as a valid mechanism for...more
6/16/2021
/ Binding Corporate Rules ,
Court of Justice of the European Union (CJEU) ,
EU ,
EU-US Privacy Shield ,
European Commission ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
Trade Agreements
The European Commission adopted revised standard contractual clauses for international transfers (the “new SCCs”) on Friday, 4 June 2021. The new SCCs incorporate a number of additional provisions intended to strengthen the...more
The current expectation is that the European Commission will issue the new SCCs in two weeks’ time (though this could be subject to delay).
On 12 November 2020, the European Commission published a revised set of draft...more
The last few years have witnessed remarkable changes in the privacy world. The GDPR, the CCPA, the invalidation of the EU-US Privacy Shield framework and the related obligations resulting from the Schrems II decision - to...more
5/7/2021
/ Binding Corporate Rules ,
California Consumer Privacy Act (CCPA) ,
Data Controller ,
Data Processors ,
EU ,
EU-US Privacy Shield ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Importers ,
International Data Transfers ,
Privacy Laws ,
Risk Assessment ,
Schrems I & Schrems II ,
Standard Contractual Clauses
With the UK now unambiguously out of the EU, the EU General Data Protection Regulation (2016/679) (“EU GDPR”) has been replaced by the United Kingdom General Data Protection Regulation (“UK GDPR”). In this third instalment of...more
1/28/2021
/ Commercial Contracts ,
Contract Drafting ,
Data Breach ,
Data Protection ,
Data Security ,
EU ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Notice Requirements ,
Privacy Policy ,
Regulatory Requirements ,
UK ,
UK Brexit ,
UK GDPR
This second instalment of our Brexit & Data Digest outlines the main sources of data protection law in the UK following the end of the Brexit transition period, and how the EU GDPR may continue to have relevance for companies...more
In spite of the holiday period, few will have missed the fact that the UK and the EU concluded a Trade and Cooperation Agreement on 24 December 2020. The Agreement provides a framework under which trade will take place...more
12/30/2020
/ EU ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Member State ,
Personal Data ,
Trade Agreements ,
Transitional Arrangements ,
UK ,
UK Brexit ,
Withdrawal Agreement
Recent M&A deals the teams have worked on involving insolvent corporates have highlighted the challenges which exist around the transfer of customer lists and databases, which are often a significant asset for the...more
11/16/2020
/ Change in Control ,
Data Controller ,
Data Transfers ,
Direct Marketing ,
Electronic Communications ,
Email ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
Insolvency ,
International Data Transfers ,
Marketing ,
Privacy and Electronic Communications Regulation 2003 (PECR). ,
Reorganizations ,
Sale of Assets ,
Text Messages ,
UK
The judgment by the Court of Justice of the European Union (CJEU) in the case known as “Schrems II” has far-reaching impact for businesses looking to ensure continuity of personal data flows between the EU and the US and...more
7/17/2020
/ Court of Justice of the European Union (CJEU) ,
EU ,
EU-US Privacy Shield ,
European Commission ,
Facebook ,
International Data Transfers ,
Personal Data ,
Safe Harbors ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
Surveillance