Cross-Border Data Flow

Subscribe to Cross-Border Data Flow

On May 30, 2018, the European Data Protection Board (“EDPB”), replacing the Article 29 Working Party, published the final version of Guidelines 2/2018 on derogations in the context of international data transfers and draft Guidelines 1/2018 on certification under the EU General Data Protection Regulation (“GDPR”).  Continue Reading EDPB Published Guidelines on Certification and Derogations under the GDPR

On March 20, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a factsheet outlining relevant GDPR provisions for negotiations surrounding the proposed ePrivacy Regulation (the “Factsheet”). Continue Reading CIPL Issues Factsheet on Key Issues Relating to the Relationship Between the Proposed ePrivacy Regulation and the GDPR

On March 26, 2018, the U.S. Department of Commerce posted an update on the actions it has taken between January 2017 and March 2018 to support the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”). The update details measures taken in support of commercial and national security issues relating to the Privacy Shield. Continue Reading U.S. Department of Commerce Posts Update of Actions to Support the Privacy Shield Frameworks

On March 26, 2018, the Centre for Information Policy Leadership at Hunton & Williams LLP and AvePoint released its second Global GDPR Readiness Report (the “Report”), detailing the results of a joint global survey launched in July 2017 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The Report tracks the GDPR implementation efforts of over 235 multinational organizations, and builds on the findings of the first Global GDPR Readiness Report by providing insights on key changes in readiness levels from 2016 to 2017. Continue Reading CIPL and AvePoint Release Second Global GDPR Readiness Report

On January 30, 2018, the UK Court of Appeal ruled that the Data Retention and Investigatory Powers Act (“DRIPA”) was inconsistent with EU law. The judgment, pertaining to the now-expired act, is relevant to current UK surveillance practices and is likely to result in major amendments to the Investigatory Powers Act (“IP Act”), the successor of DRIPA. Continue Reading UK Court of Appeal Rules DRIPA Inconsistent with EU Law

As we previously reported, this October, the EU Commission released its report and accompanying working document on the first annual review of the EU-U.S. Privacy Shield framework. On November 28, 2017, the Article 29 Data Protection Working Party (the “Working Party”) adopted an opinion on the review (the “Opinion”). While the Opinion notes that the Working Party “welcomes the various efforts made by US authorities to set up a comprehensive procedural framework to support the operation of the Privacy Shield,” the Opinion also identifies some remaining concerns and recommendations with respect to both the commercial and national security aspects of the Privacy Shield framework. The Opinion also indicates that, if the EU and U.S. do not, within specified time frames, adequately address the Working Party’s concerns about the Privacy Shield, the Working Party may bring legal action to challenge the Privacy Shield’s validity.

Read the full text of the Opinion.

On November 23, 2017, the Australian Attorney-General’s Department announced that it will move forward with an application to participate in the APEC Cross Border Privacy Rules (“CBPR”) system. The announcement follows comments received from a July 2017 consultation by the Australian Government regarding the implications of Australia’s possible participation in the system. Over the next months, the Attorney-General’s Department will work with the Office of the Australian Information Commissioner and businesses to implement the CBPR system requirements. Continue Reading Australia Announces Plans to Participate in APEC Cross-Border Privacy Rules

On November 20, 2017, the UK Information Commissioner’s Office (“ICO”) published an article on its blog containing advice on applications for Binding Corporate Rules (“BCRs”) to comply with requirements under the EU General Data Protection Regulation (“GDPR”). BCRs, which are one of the legal mechanisms available to support transfers of personal data outside the EEA, are codified under the GDPR, prompting a number of companies to explore the possibility of applying for BCR authorization. In its article, the ICO stressed that it will continue to accept applications for BCRs in the lead up to GDPR implementation on May 25, 2018, and beyond, and that the UK’s exit from the European Union, currently scheduled for the end of March 2019, will not result in the cancellation of any of the approximately 40 BCR applications currently being considered by the ICO.

Continue Reading UK Information Commissioner Publishes Advice on BCR Applications under the GDPR

On November 8, 2017, the United States District Court for the Northern District of California ordered German defendants in an ongoing patent suit, BrightEdge Technologies, Inc. v. Searchmetrics GmbH, to produce a particular database, despite the defendants’ claims that such production would violate German privacy laws. Continue Reading German Privacy Laws Intersect with Discovery in a Patent Case