Topic: Data Transfer

“Am I a CII operator?” – New regulation in China provides more clarity

Data Protection Report - Norton Rose Fulbright

China’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated during their operations in China. Given the more onerous obligation on CII operators, we are constantly asked the same key question by our clients who do business in China: “Am I a CII operator?”. Now, a new regulation provides more clarity on this.

On 17 August 2021, the State Council of China published the Regulation on Protection of Security … Continue Reading

EU’s possible Data Act: What can we anticipate from the Inception Impact Assessment and the Consultation?

By Seiko Hidaka (UK) and Jay Modrall (BE) on July 5, 2021 Posted in Data Transfer, Enforcement, Regulatory response

The European Commission (EC) signalled plans for a new Data Act, to be published in late 2021, in its February 2020 Data Strategy Communication. The EC revealed more details in its 2021 Consultation and Inception Impact Assessment. The responses to the Consultation and Inception Impact Assessment are bound to shape the future of EU’s digital economy. The Data Act will complement other European Union (EU) measures to create a solid framework for digital trust, opening up public sector data, removing digital borders, encouraging trade in data, opening up competition and facilitating better security within the EU single market.… Continue Reading

EU – UK data transfers can continue: UK receives much welcome adequacy decision

By Marcus Evans (UK) and Janine Regan (UK) on June 28, 2021 Posted in Data Transfer, Regulatory response

Norton Rose Fulbright - Data Protection Report blog

The European Commission has today published a positive adequacy finding in respect of the UK’s data protection regime (the Decision). This means that personal data can continue to flow freely from the EU to the UK without the need for organisations to take further measures.

For the time-being, however, the Decision does not concern personal data transferred for United Kingdom immigration control purposes or which otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control (the Immigration Exemption). The Immigration Exemption has been widely criticised by … Continue Reading

The EDPB publishes its finalised version of the Recommendations on supplementary measures

By Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on June 22, 2021 Posted in Data Transfer, Regulatory response

On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement.

This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog post for more information). Like the Recommendations, the New SCCs also aim to assist organisations with the complex Schrems II requirements.

The new SCCs and the Recommendations show that compromise between the Commission and the EDPB has been … Continue Reading

A deeper dive into the new Standard Contractual Clauses

By Janine Regan (UK), Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on June 7, 2021 Posted in Data Transfer, Regulatory response

On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs). Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help address the complex requirements of the Schrems II case.

The good news is that the New SCCs allow companies to take a risk-based approach when making assessments on whether a third country’s access laws and practices provide adequate protection for personal data. This approach was … Continue Reading

European Commission publishes much anticipated finalised Standard Contractual Clauses

By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on June 4, 2021 Posted in Data Transfer, Regulatory response

The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs). The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA. They will also be a lawful mechanism for UK companies to use too.

The new SCCs were updated to:

allow for various types of transfers (in particular those between a processor and a sub-processor);
give the clauses a GDPR ‘face lift’; and
address the requirements of the Schrems II judgement.

Organisations may continue to use the current SCCs until 27 September … Continue Reading

Final Revised SCCs expected as early as next week with Final Revised EDPB Recommendations to follow after 15 June

By Marcus Evans (UK) and Christoph Ritzer (DE) on May 21, 2021 Posted in Data Transfer

It was reported yesterday that publication of revised final EU Standard Contractual Clauses may be as soon as next week and that revised final EDPB Recommendations possibly following the EDPB’s next plenary meeting on 15 June. This follows comments made by Ralf Sauer, EU Commission Deputy Head for International Data Flows, and Alexander Filip, Head of International Transfers at the Bavarian DPA at the DACH regional KnowldegeNet.

The initial draft documents can be found here. We will be providing updates on these documents and steps that exporters and importers should take once they are published in final form.… Continue Reading

Germany: Data protection authorities announce closer monitoring of data transfers to the US after Schrems II

By Ingemar Kartheuser and Natalia Filkina (DE) on February 18, 2021 Posted in Data Transfer, Regulatory response

Following the CJEU’s Schrems II ruling (case C-311/18 of July 16, 2020), transfers of personal data to the US are coming under close scrutiny by the German data protection authorities. Some German data protection authorities have announced that they will be taking a stricter approach against companies that fail to comply with the Schrems II requirements. The Hamburg data protection authority which is leading a working group focusing on cloud providers is reported to be considering regulatory sanctions should companies not be able to explain the legal grounds on which they rely to transfer personal data to the US. The … Continue Reading

Amendments to the Personal Data Protection Act In Force

By Stella Cramer (SG), Wilson Ang (SG), Jeremy Lua (SG) and Crystal Wong on February 1, 2021 Posted in Data breach, Data Transfer, PDPA

On 29 January 2021, the Personal Data Protection Commission (PDPC) announced that certain sections of the Personal Data Protection (Amendment) Act 2020 (the PDPA Amendments) will take effect from 1 February 2021 – please see PDPC’s announcement; the gazetted Commencement Notification. This legal update provides a high-level summary of the PDPA Amendments that have taken effect.

The changes introduced by the PDPA Amendments to the Personal Data Protection Act 2012 (the PDPA) are the most significant since the PDPA first came into force on 1 July 2014. Please see our earlier blog post, … Continue Reading

EU-UK Trade and Cooperation Agreement: Implications for data protection law

By Fiona Bundy-Clarke (UK) on January 4, 2021 Posted in Data Transfer, Enforcement

On Christmas Eve, the EU and UK announced that a Trade and Cooperation Agreement (TCA) had been finalised. With it, came a sigh of relief from data protection practitioners everywhere. This is because the TCA provides an extension period, of a sort, to allow the European Commission time to conclude its adequacy assessment of the UK. Without this, EEA-UK data transfers would otherwise have been restricted at the end of the Brexit transition period.

The main points of the TCA relating to data protection are set out below.

1.) Data transfers from the EEA to the UK…

COVID tracing & AI: Physically distant, socially together

By Daniel Daniele (CA) on November 18, 2020 Posted in Compliance and risk management, Data Transfer

As the second wave of COVID-19 spreads across Canada, the use of COVID-19 tracing apps is on the rise. For example, the Government of Canada released COVID Alert–an app using Bluetooth technology to help people report positive diagnoses, and control the spread of the virus. The success of the app depends on a high quantity of users, but concerns over privacy and the use of artificial intelligence (AI) in analyzing the data may hinder that objective.

COVID tracing apps

With the launch of COVID Alert, Canada joined 40 other countries that have launched tracing apps. The Bluetooth-based app … Continue Reading

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on November 13, 2020 Posted in Data Transfer, Regulatory response

On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision. A feedback period on the draft documents will run until 10 December. Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of the year.

The new SCCs aim to modernise the clauses in line with the GDPR and to cover a multitude of different types of transfers to cater for “the complexity of modern processing chains”. The clauses also aim to “provide for … Continue Reading

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

By Marcus Evans (UK) and Janine Regan (UK) on October 15, 2020 Posted in Data breach, Data Transfer, Regulatory response

On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data.

These decisions are relevant in two key areas:

Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” of third countries to which they are transferring personal data using the European Commission approved Standard Contractual Clauses (SCCs); and
Brexit: The judgement also gives some clues as to the standard to which the UK will be held as it

Schrems II: recent developments – waiting is harder

By Marcus Evans (UK) and Janine Regan (UK) on September 9, 2020 Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”. There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment. Companies can no longer “do nothing” in the hope that the difficult implications will go away. Regulators are starting to investigate. Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy … Continue Reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

By Lara White (UK) and Janine Regan (UK) on August 13, 2020 Posted in Compliance and risk management, Data Transfer, Enforcement, General

On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield.

This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? We’re not so sure.

By way of recap, in Schrems II, the court made clear that Privacy Shield was invalid for three main reasons:

US surveillance rules are disproportionate
There is a lack of proper oversight over US surveillance programmes
EU individuals do not

Schrems II landmark ruling: our recommendations

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK), Janine Regan (UK), David Kessler (US), Susan Ross (US) and Christoph Ritzer (DE) on July 27, 2020 Posted in Cybersecurity, Data Transfer, Vendor management and transactions

On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case). While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but with strict conditions.

Our recent briefing provides a detailed analysis on the judgement, but here are our recommendations on what organisations should consider doing next:

Monitor guidance updates from the European Data Protection Board (EDPB)

Schrems II: The US Perspective and where do we go from here?

By David Kessler (US) and Anna Rudawski (US) on July 21, 2020 Posted in Cybersecurity, Data Transfer, Vendor management and transactions

Schrems II calls into question all transfers of personal information out of the EU that involve export to a country without an adequacy finding. While this affects countries in every region of the world, it does have particular ramifications for the US.

US companies are likely to bear the brunt of this decision. First, because the underlying complaint concerns how Facebook transferred personal data to the US, Schrems II takes particular umbrage with US “mass” surveillance laws, which are unlikely to change in the short term. Second, the US is still the largest economy in the world and information is … Continue Reading