On September 10, 2021, the UK Government Department for Digital, Culture, Media & Sport launched a consultation on its proposed reforms to the UK data protection regime to reflect DCMS’s effort to deliver on Mission 2 of the National Data Strategy. The consultation will close on November 19, 2021, and CIPL will consult with members to prepare a formal response to the consultation.
Continue Reading DCMS Consults on National Data Strategy

The Belgian Council of State recently confirmed a decision of the regional Flemish Authorities to contract with an EU branch of a U.S. company using Amazon Web Services, stating that the use of U.S. cloud services in itself does not infringe on the GDPR.
Continue Reading Belgian Council of State Considers Encryption a Sufficient Measure for U.S. Data Transfers

On August 27, 2021, the Federal Data Protection and Information Commissioner announced that the new EU Standard Contractual Clauses may be relied on to legitimize transfers of personal data from Switzerland to countries without an adequate level of data protection, provided that the necessary amendments and adaptations are made for use under Swiss data protection law.
Continue Reading Swiss DPA Recognizes the New EU Standard Contractual Clauses

On August 26, 2021, the UK Department of Culture, Media and Sport made news by publishing a document indicating its intent to begin making adequacy decisions for UK data transfers to foreign jurisdictions and by announcing its preferred candidate for the position of new UK Information Commissioner.
Continue Reading UK DCMS Identifies Priority Jurisdictions for UK Adequacy Recognition and Proposes New UK Information Commissioner

On August 11, 2021, the UK Information Commissioner’s Office launched a consultation on its draft international data transfer agreement and guidance for organizations on international transfers. Once finalized, the agreement will replace the existing EU Standard Contractual Clauses in the UK.
Continue Reading ICO Consultation on International Data Transfer Agreement to Replace SCCs

On June 28, 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the GDPR and another under the Law Enforcement Directive. Their adoption means organizations in the EU can continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the SCCs, to ensure an adequate level of protection.
Continue Reading European Commission Adopts UK Adequacy Decision

On May 26, 2021, the Court of Appeal handed down its judgment in the case of R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800, finding that the UK 2018 Data Protection Act’s “immigration exemption” is unlawful.
Continue Reading UK Court of Appeal Signals It Will Closely Scrutinize UK DPA Exemptions

On May 11, 2021, the European Parliament issued a press release requesting that the European Commission amend its draft decisions on UK adequacy to more closely align with EU court rulings and the opinion of the European Data Protection Board. The request came after the Parliament’s Civil Liberties Committee passed a resolution evaluating the Commission’s approach regarding the adequacy of the UK’s data protection regime.
Continue Reading MEPs Urge European Commission to Amend Draft UK Adequacy Decision

On April 27, 2021, the Portuguese Data Protection Authority ordered the National Institute of Statistics to suspend, within 12 hours, any international transfers of personal data to the U.S. or other third countries that have not been recognized as providing an adequate level of data protection.
Continue Reading Portuguese DPA Orders Suspension of U.S. Data Transfers by Agency That Relied on SCCs