International Data Transfers: Clarity on Timing of U.K. Transfer Mechanisms

Share

The U.K. Information Commissioner’s Office recently confirmed the options and clarified the timing of new data transfer agreements for transfers of personal data out of the U.K. The situation has been somewhat confusing, even to those relatively familiar with international data transfers. Organizations can now review their data transfer arrangements with greater certainty, and this will be a key priority for 2022.

Continue reading “International Data Transfers: Clarity on Timing of U.K. Transfer Mechanisms”

Significant Changes Proposed to UK GDPR

Share

The U.K. government recently launched a consultation proposing significant changes to the U.K. General Data Protection Regulation (UK GDPR). The U.K. aims to craft a bespoke “pro-growth and pro-innovation regime whilst maintaining…world-leading data protection standards.” The Consultation sets out in detail the significant reforms which the U.K. government seeks to implement – at the potential risk of losing its adequacy status for data transfers from the EU.

Continue reading “Significant Changes Proposed to UK GDPR”

New Tools for International Data Transfers: European Commission Adopts New Standard Contractual Clauses

Share

The European Commission recently adopted a new set of Standard Contractual Clauses (SCCs) for organizations to use in compliance with the EU General Data Protection Regulation requirements for transfers of personal data from the European Economic Area. The previous SCCs were outdated and did not cover many common data processing scenarios. Organizations will have an 18-month transition period to adopt the new SCCs, but many parties will need this time to re-examine their dataflows and review their internal compliance procedures to meet the exacting new standards.

Continue reading “New Tools for International Data Transfers: European Commission Adopts New Standard Contractual Clauses”

Draft Standard Contractual Clauses Released by European Commission: New Clause Cause for Applause?

Share

Following on from last week’s big announcement by the European Data Protection Board (EDPB) on its expectations for international data transfers after the European Court of Justice’s July 16 Schrems II decision, the European Commission released a draft set of new Standard Contractual Clauses (SCCs) and a draft implementing decision. The Commission’s draft set of clauses allows for two new types of transfer and contains important updates to bring the text of the clauses in line with the General Data Protection Regulation. The draft documents are now available for public consultation, and both the EDPB and the European Data Protection Supervisor will be asked for their opinions on the documents. Following the Schrems II decision, many organizations have been waiting for guidance on additional safeguards and for the (long overdue) arrival of updated Standard Contractual Clauses. While the last few days have seen some welcome developments after a period of hiatus, organizations will likely need some time to assess the practical implications before making radical changes to international data transfer arrangements.

For the full alert, visit the Faegre Drinker website.

European Data Protection Board Issues New Recommendations for International Data Transfers: Essential Guarantees, Supplemental Measures, and False Warrant Canaries

Share

A pair of highly anticipated guidance documents outline the European Data Protection Board’s (EDPB) expectations for organizations transferring data out of the EU. While the detailed process for evaluating data transfers brings welcomed guidance and clarity, some aspects of the EDPB’s framework present significant obstacles for those working with non-EU service providers or moving data for routine business purposes.

For the full alert, visit the Faegre Drinker website.

Marriott Cyberattack Fine Reduced as ICO Shifts Penalty Policy

Share

More than two years after receiving a massive initial fine, hotel chain Marriott International, Inc. reduces a cyberattack penalty by more than 80%. A shift in the United Kingdom’s Information Commissioner’s Office (ICO) calculation policy, along with other mitigating factors, led to the significant decrease. While the ICO reinforces the importance of responsibilities of data controllers in managing sophisticated cyberattacks, this latest development marks a continued shift away from turnover-centric penalty policies.

For the full alert, visit Faegre Drinker’s website.