Privacy & Information Security Law Blog

On March 22, 2024, the Cyberspace Administration of China (the “CAC”) issued the Provisions on Facilitation and Regulation of Cross-Border Data Flows (the “Provisions”), which were effective the same day. The CAC also held a press conference to introduce and explain the Provisions. The Provisions demonstrate that the regulation of cross-border transfers in China is focused on important data and critical information infrastructure operators (“CIIO”), and that the CAC aims to optimize business environment, stabilize foreign investment, and support the data flow between global companies with a Chinese presence.

On March 20, 2024, the U.S. House of Representatives passed legislation that will prohibit data brokers from transferring U.S. residents’ sensitive personal data to foreign adversaries, including China and Russia. The House bill HR 7520 (the “Bill”), also known as the Protecting Americans’ Data from Foreign Adversaries Act of 2024, marks a significant development in executive and legislative action related to foreign access to U.S. data. The Bill follows a similarly groundbreaking Executive Order and Department of Justice Notice of Proposed Rulemaking issued at the end of February that will establish strict protective measures against data exploitation by countries considered national security threats for U.S. sensitive personal data and U.S. government-related data. The Bill also comes after the House overwhelmingly passed HR 7521, (the Protecting Americans from Foreign Adversary Controlled Applications Act) resulting from concerns that the Chinese government would compel TikTok (or other foreign adversary-controlled apps) to turn over U.S. data. HR 7521 would effectively require TikTok to divest from parent company ByteDance in order to avoid a ban in the U.S.

On February 28, 2024, President Biden released an Executive Order (“EO”) “addressing the extraordinary and unusual national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain U.S. Government-related data.” In tandem with the EO, the Department of Justice’s (“DOJ’s”) National Security Division is set to issue an advance notice of proposed rulemaking (“ANPRM”) pursuant to the EO, which directs the DOJ to “establish, implement and administer new and targeted national security programming” to address the threat. The DOJ regulations will identify specific categories of “data transactions” that are prohibited or restricted due to their “unacceptable risk to national security.” 

On February 20, 2024, The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP  (“CIPL”) and Theodore Christakis, Professor of International, European and Digital Law at University Grenoble Alpes, released a comprehensive study titled The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach. In the study, Prof. Christakis makes the case that the EU General Data Protection Regulation (“GDPR”), the Charter of Fundamental Rights of the European Union and EU law, more generally, allow a more nuanced and risk-based approach to data transfers than the restrictive approach often applied. CIPL and Prof. Christakis provide an approach that outlines data protection measures that are proportionate to the risks at hand, and takes into account the nature of the data, the likelihood of access by foreign governments, and the severity of the potential harm.

Recent developments in the Shanghai Pilot Free Trade Zone to facilitate cross-border data transfers are expected to provide greater flexibility in exporting data from China, which has been stymied by the Cyberspace Administration of China (“CAC”)’s strict cross-border data transfer regulations proposed in December 2023. In recent years, the legal framework and practical enforcement for cross-border data transfers in China have undergone significant developments, especially with respect to the CAC’s cross-border data transfer security reviews and standard contractual clauses. The lack of clarity around the CAC’s strict rules for security assessment reviews appears to have caused significant delays in the approval process for cross-border data transfers and concern among international companies who regularly transfer data outside of China. However, it appears that the Shanghai government is likely to permit international companies to transfer data offshore by leveraging its sprawling free trade zones. Shanghai, for example, has recently unveiled new measures aimed at accelerating cross-border data transfers.

On January 8, 2024, the French Data Protection Authority (the “CNIL”) opened a consultation on its draft guidance for the use of transfer impact assessments (“Guidance”). In describing the Guidance, the CNIL references the decision of the Court of Justice of the European Union in Schrems II and states that exporters relying on tools listed in Article 46(2) and Article 46(3) of the EU General Data Protection Regulation (“GDPR”) for personal data transfers are required to assess the level of protection in the designated third country and the need to put in place additional safeguards (i.e., conduct a transfer impact assessment (“TIA”)). The Guidance is intended to assist data exporters in carrying out TIAs. 

On November 9, 2023, the European Parliament adopted, by a majority of 481 votes in favor, 31 votes against and 71 abstentions, the final text of the Data Act. As explained in our previous blog, the Data Act aims to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all” and was initially proposed by the European Commission on February 23, 2022.

On September 28, 2023, the Cyberspace Administration of China (“CAC”) released the “Provisions on Regulating and Facilitating Cross-Border Data Flows” for public comment (the “Proposal”). The deadline for public comment on the Proposal was October 15, 2023.

On September 21, 2023, UK Secretary of State for Science, Innovation and Technology Michelle Donelan laid regulations in the UK Parliament, giving effect to a UK-U.S. Data Bridge. The regulations are supported by several documents, including a fact sheet and an “explainer.”  The regulations are due to take effect on October 12, 2023. U.S. companies approved to join the “UK Extension to the EU-US Data Privacy Framework” will be able to receive UK personal data under the new Data Bridge.

On July 19, 2023, the European Data Protection Board (“EDPB”) issued an Information Note regarding data transfers to the U.S. following the adoption of an adequacy decision on the EU-U.S. Data Privacy Framework (the “Data Privacy Framework”) on July 10, 2023 (the “Information Note”).

On July 10, 2023, the European Commission formally adopted a new adequacy decision on the EU-U.S. Data Privacy Framework (the “Adequacy Decision”). The adoption of this Adequacy Decision follows years of intense negotiations between the EU and the U.S., after the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

On June 30, 2023, the European Data Protection Board (“EDPB”) published Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (the “Recommendations”), which were adopted on June 20, 2023. Binding corporate rules (“BCRs”) are a mechanism for transferring personal data to third countries in accordance with Chapter V of the EU General Data Protection Regulation (“GDPR”), and must be approved by the relevant organization’s lead supervisory authority. BCRs create enforceable rights and set out commitments in order to create, for the personal data transferred under the BCRs, a level of protection essentially equivalent to that provided by the GDPR.

On June 26, 2023, the Centre for Information Policy Leadership (CIPL) published the third edition of its Frequently Asked Questions on Cross-Border Privacy Rules, Privacy Recognition for Processors, and Global CBPR and PRP (FAQs).

On May 30, 2023, the Cyberspace Administration of China (“CAC”) issued the Guideline for Filing the Standard Contract for Cross-border Transfer of Personal Information (“SC”). On June 1, 2023, the SC became an effective mechanism for transferring personal data outside of China. When using the SC as a transfer mechanism, it must be filed with the CAC and the new Guideline provides guidance for doing so. The key elements of the Guideline are summarized below.

On May 22, 2023, the Irish Data Protection Commission (the “DPC”) announced a €1.2 billion fine against Meta Ireland for unlawfully transferring personal data to the U.S.

This is an excerpt from Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy’s recently published piece in the IAPP “Privacy Perspectives” blog, and are the views of the author.

On February 14, 2023, in a Draft Motion for a Resolution on the adequacy of the protection afforded by the proposed EU-U.S. Data Privacy Framework (the “Framework”), the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Committee”) urged the European Commission not to adopt adequacy based on the Framework, on the basis that it “fails to create actual equivalence” with the EU in the level of data protection that it provides.

On January 20, 2023, The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published “Digital Assets and Privacy,” a discussion paper compiling insights from workshops with CIPL member companies that explored the intersection of privacy and digital assets, with a particular focus on blockchain technology. The paper includes recommendations for developing coherent, tech-friendly, future-focused, and pragmatic regulations and policies.

On January 10, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth  responded to a call for public comments from the European Data Protection Board (“EDPB”) regarding their Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (“Recommendations 1/2022”). The Recommendations 1/2022 are intended to bring existing Controller Binding Corporate Rules (“BCR-C”) in line with the GDPR and the Schrems II ruling.

On  December 15, 2022, the UK government and the Dubai International Financial Centre Authority (“DIFC”) issued a joint statement on the shared commitment to deepening the UK-DIFC data partnership. The statement explains that “[t]here are over 5,000 UK companies operating in the UAE, many of which depend on the free and secure flow of safe data across borders.” Further, the UK and the DIFC have strong links in the financial sector, following the DIFC’s establishment in 2004, with 16% of the DIFC’s financial services companies originally based in the UK.

On December 12, 2022, at the “POLITICO Live” event presented in cooperation with Hunton Andrews Kurth LLP’s Centre for Information Policy Leadership ("CIPL")—titled “EU-U.S. Data Flows: Game Changer or More Legal Uncertainty?”—featured speakers from both sides of the Atlantic optimistic that the new EU-U.S. Data Privacy Framework will withstand an anticipated legal challenge.

On November 23, 2022, the UK government’s Department for Digital, Culture, Media & Sport (“DCMS”) announced that it had completed its assessment of South Korea’s personal data legislation, and concluded that sufficiently strong privacy laws are in place to protect UK personal data transferred to South Korea while upholding the rights and protections of UK citizens.

On November 17, 2022, the UK data protection regulator, the Information Commissioner’s Office (“ICO”), published updated guidance on international transfers that includes a new section on transfer risk assessments (“TRAs”) and a TRA tool.

In its statement regarding the updated guidance, the ICO describes the TRA guidance as “an alternative approach to the one put forward by the European Data Protection Board” and says its aim is “to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.”

On October 7, 2022, President Biden signed Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which provides a new framework for legal data transfers between the European Union and the United States. The legal basis for transatlantic data transfers has been uncertain since 2020, when the European Court of Justice (“ECJ”) declared the previous framework, the EU-U.S. Privacy Shield, invalid under EU law. 

On July 7, 2022, the Cyberspace Administration of China (the “CAC”) issued the Measures on Security Assessment on Cross-border Transfer (the “Measures”), which became effective on September 1, 2022, and provide a six-month grace period to the relevant data handlers. On August 31, 2022, the CAC issued the Guidelines on Application for Security Assessment on Cross-border Transfer (the “Guidelines”), which further clarify certain issues and provide specific application documents for security assessments (including templates of application forms for security assessment on cross-border transfer and self-assessments report for risks of cross-border transfer).

On June 30, 2022, the Cyberspace Administration of China (the “CAC”) issued a draft Provision on the Standard Contract for Cross-border Transfer of Personal Information (“Draft Provisions”) and a draft of the Standard Contract for Cross-border Transfer of Personal Information (“Standard Contract”) for public comments. Per Article 38 of the Personal Information Protection Law (“PIPL”), if the data handler is not required to conduct a government security assessment, it may choose either to conduct certification by a qualified third institution or to execute the Standard Contract for cross-border transfer of personal information. Certification might be more commonly used for cross-border transfer within a group, whereas the Standard Contract may be more popular under other scenarios of cross-border transfers.

On June 3, 2022, House Energy and Commerce Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (“ADPPA”).

On April 7, 2022, the European Data Protection Board (the “EDPB”) released a statement on the announcement of a new Trans-Atlantic Data Privacy Framework (the “Statement”).

On March 25, 2022, the European Commission and United States issued a joint statement announcing an agreement in principle on a new Trans-Atlantic Data Privacy Framework (the “Joint Statement”).

On February 22, 2022, the European Data Protection Board (the “EDPB”) adopted its final Guidelines 04/2021 on Codes of Conduct as tools for transfers (the “Guidelines”), following a public consultation that took place in 2021.

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

On February 23, 2022, the European Commission adopted a Proposal for a Regulation designed to harmonize rules on the fair access to and use of data generated in the EU across all economic sectors (the “Data Act”). The Data Act is intended to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all.” Importantly, the Data Act applies to all data generated in the EU, not only personal data, which is regulated by the General Data Protection Regulation (“GDPR”).

On February 10, 2022, the French Data Protection Authority (the “CNIL”) ruled the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie to be unlawful. In its decision, the CNIL held that an organization using Google Analytics was in violation of the GDPR’s data transfer requirements. The CNIL ordered the organization to comply with the GDPR, and to stop using Google Analytics, if necessary.

On February 2, 2022, the Secretary of State placed the UK Information Commissioner’s Office's (“ICO's ”) final international data transfer agreement (“IDTA”) and international data transfer addendum to the European Commission’s standard contractual clauses (“SCCs”) for international data transfers (“Addendum”) before the European Parliament. The IDTA and Addendum are set to come into force on March 21, 2022, but the ICO advises that they are of use to organizations immediately. The ICO also has stated that it intends to publish additional guidance on use of the IDTA and Addendum.

View the ICO’s final drafts of the IDTA and Addendum.

The Austrian data protection authority (the “Austrian DPA”) recently published a decision in a case brought against an Austrian website provider and Google by the non-governmental organization co-founded by privacy activist Max Schrems, None of Your Business (“NOYB”). The Austrian DPA ruled that the use of Google Analytics cookies by the website operator violates both Chapter V of the EU General Data Protection Regulation (“GDPR”), which establishes rules on international data transfers, and the Schrems II judgment of the Court of Justice of the European Union.

On January 12, 2022, the French Data Protection Authority (the “CNIL”) published guidelines on the re-use of personal data by data processors for their own purposes (such as product improvement or the development of new products and services) under the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). This post outlines key takeaways from the Guidelines.

On January 5, 2022, the European Data Protection Supervisor (“EDPS”) issued a decision against the European Parliament (“EP”). The case resulted from a complaint submitted by certain Members of the European Parliament (“MEPs”) who alleged that the Parliament’s use of cookies violated data protection law, including requirements regarding the transfer of personal data outside of the EU. The EDPS is responsible for overseeing compliance of data protection rules by the EU institutions.

On December 17, 2021, the European Commission announced that it had adopted its adequacy decision on the Republic of Korea. The adequacy decision allows for the free flow of personal data between the EU and Korea, without any further need for authorization or additional transfer tool. The adequacy decision also covers transfers of personal data between public authorities.

On  November 27, 2021, the UAE Cabinet Office enacted its first federal Personal Data Protection Law (Federal Decree Law No. 45 of 2021, the “UAE Data Protection Law”). The UAE Data Protection Law will come into force on January 2, 2022.

On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 (the “Guidelines”) on the interplay between the application of Article 3 of the EU General Data Protection Regulation (“GDPR”), which sets forth the GDPR’s territorial scope, and the GDPR’s provisions on international data transfers. The Guidelines aim to assist organizations subject to the GDPR in identifying whether a data processing activity constitutes an international data transfer under the GDPR, as the GDPR does not define the term.

On September 10, 2021, the UK Government Department for Digital, Culture, Media & Sport (“DCMS”) launched a consultation on its proposed reforms to the UK data protection regime. The consultation reflects DCMS’s effort to deliver on Mission 2 of the National Data Strategy, which is “to secure a pro-growth and trusted data regime in the UK.” Organizations are encouraged to provide input on a range of data protection proposals, some of which are outlined below. The consultation will close on November 19, 2021, and the Centre for Information Policy Leadership (“CIPL”) will consult with members to prepare a formal response to the consultation.

On August 19, 2021, the Belgian Council of State confirmed a decision of the regional Flemish Authorities to contract with an EU branch of a U.S. company using Amazon Web Services (“AWS”).

This week, the United Arab Emirates (“UAE”) Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications (the “Minister”) announced that the UAE would introduce a new federal data protection law (“Data Protection Law”), the first federal law of its kind in the UAE. The Data Protection Law is one of the initiatives to be implemented under the recently published “Principles of the 50,” a charter of 10 strategic principles that will guide the political, economic and social development of the UAE for the next 50 years.

On August 27, 2021, the Federal Data Protection and Information Commissioner (“Swiss DPA”) announced that the new EU Standard Contractual Clauses (the “SCCs”) may be relied on to legitimize transfers of personal data from Switzerland to countries without an adequate level of data protection, provided that the necessary amendments and adaptations are made for use under Swiss data protection law.

On September 1, 2021, the South Korean Personal Information Protection Commission (“PIPC”) issued fines against Netflix and Facebook for violations of the Korean Personal Information Protection Act (“PIPA”).

On August 26, 2021, the UK Department of Culture, Media and Sport (“DCMS”) made news by publishing a document indicating its intent to begin making adequacy decisions for UK data transfers to foreign jurisdictions and by announcing its preferred candidate for the position of new UK Information Commissioner.

In an article originally published on Practical Law, and reproduced with the permission of the publishers, Hunton Andrews Kurth London partner Bridget Treacy discusses the European Commission’s long-awaited, and now finalized, standard contractual clauses (“SCCs”) for international transfers of personal data made under the EU General Data Protection Regulation (“GDPR”).

On June 28, 2021, the European Commission (the “Commission”) adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (“GDPR”) and another under the Law Enforcement Directive. Their adoption means organizations in the EU can continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection. The adoption comes just before the conditional interim regime under the EU-UK Trade and Cooperation Agreement, under which data could flow freely from the EU to the UK, was set to expire on June 30, 2021.

On June 21, 2021, following a public consultation, the European Data Protection Board (“EDPB”) published the final version of its recommendations on supplementary measures in the context of international transfer safeguards, such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”).

After two rounds of public comments, the Data Security Law of the People’s Republic of China (the “DSL”) was formally issued on June 10, 2021, and will become effective on September 1, 2021.

Compared to previous drafts of the law, the final version of the DSL differs with respect to:

• establishing a work coordination mechanism and clarifying the duties of each governmental authority;
• establishing an administration system for state core data;
• encouraging data development and use to make public service more intelligent and requiring consideration of the needs of the elderly and people with disabilities when providing intelligent public services;
• protecting the security of government data; and
• increasing the punishment dynamics for violations of the law. 

On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”), as well as the final version of the new standard contractual clauses (the “SCCs”). The European Commission had previously published draft versions of the implementing decision and the SCCs in November 2020.

On May 25, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted its response (in English and in Mandarin) to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the updated version of the Draft Personal Information Protection Law (“PIPL”).

On May 27, 2021, the European Data Protection Supervisor (the “EDPS”) announced that it has opened two investigations regarding (1) the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies; and (2) the use of Microsoft Office 365 by the European Commission.

On May 14, 2021, the Irish High Court dismissed Facebook Ireland’s (“Facebook”) challenge to the Irish Data Protection Commissioner’s (“DPC”) investigation into Facebook’s international transfers of personal data.

On May 11, 2021, the European Parliament issued a press release requesting that the European Commission amend its draft decisions on UK adequacy to more closely align with EU court rulings and the opinion of the European Data Protection Board (“EDPB”). The request came after the Parliament’s Civil Liberties Committee (the “Committee”) passed a resolution evaluating the Commission’s approach regarding the adequacy of the UK’s data protection regime. The Members of European Parliament (“MEPs”) stated that if the Commission’s implementing decisions are adopted without amendment, transfers of personal data to the UK should be suspended when there is the potential for indiscriminate access to personal data.

On April 29, 2021, China issued a second version of the draft Personal Information Protection Law (“Draft PIPL”). The Draft PIPL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft PIPL is the same as the prior version issued on October 21, 2020, below we summarize the material changes in the second version of the Draft PIPL.

On April 29, 2021, China issued a second draft version of the Data Security Law (“Draft DSL”). The Draft DSL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft DSL is the same as the prior version issued on July 3, 2020, below we summarize the material changes in the second version of the Draft DSL.

On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, the “CNPD”) ordered the National Institute of Statistics (the “INE”) to suspend, within 12 hours, any international transfers of personal data to the U.S. or other third countries that have not been recognized as providing an adequate level of data protection.

On April 14, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted its Opinion on the draft UK adequacy decision issued by the European Commission on February 19, 2021. The EDPB’s Opinion is non-binding but will be persuasive. The adequacy decision will be formally adopted if it is approved by the EU Member States acting through the European Council. If the adequacy decision is adopted, transfers of personal data from the EU to the UK may continue following the end of the post-Brexit transition period without the implementation of a data transfer mechanism under the EU General Data Protection Regulation (“GDPR”), such as Standard Contractual Clauses.

On March 30, 2021, the European Commission (the “Commission”) announced the successful conclusion of the adequacy talks with the Republic of Korea.

On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.

On March 12, 2021, the European Data Protection Board (“EDPB”) published its Guidelines 01/2021 on Virtual Voice Assistants for consultation (the “Guidelines”). Virtual voice assistants (“VVAs”) understand and execute voice commands or coordinate with other IT systems. These tools are available on most smartphones and other devices and collect significant amounts of personal data, such as through user commands. In addition, VVAs require a terminal device equipped with a microphone and transfer data to remote service. These activities raise compliance issues under both the General Data Protection Regulation (“GDPR”) and the e-Privacy Directive.

On February 19, 2021, the European Commission published a draft data protection adequacy decision relating to the UK. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection.

On January 26, 2021, BBB National Programs announced that it has been endorsed as an Accountability Agent for the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. This makes BBB National Programs the seventh CBPR and PRP Accountability Agent worldwide and the first ever U.S. non-profit to be approved by APEC.

On January 15, 2021, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020, for both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”). 

On January 13, 2021, the FTC announced that fertility-app developer Flo Health, Inc. (“Flo”) agreed to a settlement over allegations that the company shared app users’ health information with third-party data analytics providers despite representations that Flo would keep such information private.

On November 23, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on relevant and reasoned objections under the General Data Protection Regulation (“GDPR”) cooperation and consistency mechanisms (the “Guidelines). The consultation on the Guidelines took place a few weeks before the EDPB issued its first binding decision under the Article 65 GDPR dispute resolution mechanism.

The global privacy and cybersecurity team at Hunton Andrews Kurth has authored multiple chapters of the 2021 Data Protection & Privacy guide by Lexology’s Getting the Deal Through. Partner Aaron P. Simpson and practice chair Lisa J. Sotto served as contributing editors of the ninth edition of the annual guide, which provides summary and analysis in key areas of law, practice and regulation for 150 jurisdictions across the globe.

On December 24, 2020, the European Union and the United Kingdom reached an agreement in principle on the historic EU-UK Trade and Cooperation Agreement (the “Trade Agreement”). For data protection purposes, there is a further transition period of up to six months to enable the European Commission to complete its adequacy assessment of the UK’s data protection laws. For the time being, personal data can continue to be exported from the EU to the UK without implementing additional safeguards.

On December 21, 2020, the European Data Protection Board (the “EDPB”) released its 2021-2023 Strategy (the “Strategy”). The Strategy aims at setting out the four main pillars of the EDPB strategic objectives through 2023 and key actions to help achieve those objectives:

On December 9, 2020, the Senate Committee on Commerce, Science and Transportation held a hearing on the Invalidation of the EU-U.S. Privacy Shield and the Future of Transatlantic Data Flows. The hearing explored the policy issues that led to the Court of Justice of the European Union’s (“CJEU”) invalidation of the Privacy Shield framework in the Schrems II ruling. The hearing also discussed effects of the CJEU’s decision on U.S. businesses and what steps the U.S. government may take to develop a successor data transfer framework, including comprehensive federal privacy legislation.

On December 17, 2020, the UK Information Commissioner’s Office (“ICO”) published its Data Sharing Code of Practice (the “Code”), in accordance with its obligation to do so under the Data Protection Act 2018 (the “DPA”).

On December 10, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s invitation for comments on its draft implementing decision on standard contractual clauses (“SCCs”) to be used for the transfer of personal data from a controller or processor subject to the EU General Data Protection Regulation (“GDPR”) (i.e., a data exporter) to a controller or (sub-)processor not subject to the GDPR (i.e., a data importer).

Hunton attorneys Dora Luo and Yanchen Wang recently published a new Guidance Note for OneTrust DataGuidance on China’s data protection laws.

On December 10, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s invitation for comments on its draft implementing decision on standard contractual clauses (“SCCs”) between controllers and processors for purposes of Article 28 of the EU General Data Protection Regulation (the “GDPR”). Article 28 of the GDPR sets out specific provisions that must be executed between data controllers and processors when personal data is shared.

On December 2, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the UK Department for Digital, Culture, Media and Sport’s (“DCMS”) UK National Data Strategy  (“NDS”) consultation.

On November 26, 2020, the Conference of the German Data Protection Authorities (Datenschutzkonferenz, the “DSK”) issued a press release with conclusions from their 100th anniversary meeting.

On November 18, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the Draft Personal Information Protection Law (“PIPL”).

On November 12, 2020, somewhat in the shadow of the new standard contractual clauses for data transfers to recipients outside the European Economic Area (“EEA”), the European Commission also adopted draft standard contractual clauses to be used between controllers and processors in the EEA (“EEA Controller-Processor SCCs”).

On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation (“GDPR”), along with its draft set of new standard contractual clauses (the “SCCs”).

On November 11, 2020, the European Data Protection Board (the “EDPB”) published its long-awaited recommendations following the Schrems II judgement regarding supplementary measures in the context of international transfer safeguards such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”). In addition, the EDPB published recommendations on the European Essential Guarantees for surveillance measures (the “EEG Recommendations”), which complement the Recommendations. The Recommendations are subject to a public consultation, which closes on December 21, 2020.

On October 21, 2020, China issued a draft of Personal Information Protection Law (“Draft PIPL”) for public comments. The Draft PIPL marks the introduction of a comprehensive system for the protection of personal information in China.

On October 13, 2020, France’s highest administrative court (the “Conseil d’État”) issued a summary judgment that rejected a request for the suspension of France’s centralized health data platform, Health Data Hub (the “HDH”), currently hosted by Microsoft. However, the Conseil d’État recognized that there is a risk of U.S. intelligence services requesting the data and called for additional guarantees under the control of the French data protection authority (the “CNIL”).

On September 24, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) released a new paper (the “Paper”) on the Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision.

The Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) recently published a concept paper titled Why We Need Interstate Privacy Rules for the U.S.

The paper acknowledges the possibility that the U.S. may not implement a comprehensive federal privacy law in the near future, and that instead a growing patchwork of state laws will emerge. It proposes an interstate privacy interoperability code of conduct or certification as a solution to the possibility of inconsistent and disparate privacy requirements across the U.S. The paper outlines the benefits and key features of the code, as well as potential models and sources for its structure and substantive rules, such as the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (“APEC CBPR”), ISO standards, existing state privacy laws, the EU General Data Protection Regulation (“GDPR”) and key federal privacy proposals. It also discusses the process that could be used to develop the code.

On September 28, 2020, the U.S. Department of Commerce, along with the U.S. Department of Justice and the Office of the Director of National Intelligence, released a White Paper entitled Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (the “White Paper”). The White Paper outlines privacy safeguards in and updates to the U.S. surveillance provisions flagged by the Court of Justice of the European Union (“CJEU”) in its Schrems II decision. It is intended to serve as a resource for companies transferring personal data from the EU to the U.S. in the wake of the CJEU’s decision overturning the EU-U.S. Privacy Shield. Particularly, it focuses on companies relying on Standard Contractual Clauses (“SCCs”) for data transfers, and provides information to help them determine whether the U.S. ensures adequate privacy protections for companies’ data.

The Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Data Security Council of India (“DSCI”) have published a report on Enabling Accountable Data Transfers from India to the United States under India’s Proposed Personal Data Protection Bill (the “Report”).

On September 8, 2020, the Swiss Data Protection Authority (the Federal Data Protection and Information Commissioner, “FDPIC”), announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the U.S. This decision follows the July 2020 ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II case, which invalidated the EU-U.S. Privacy Shield for EU-U.S. transfers of personal data. This ruling was considered as part of the annual review of the Swiss-U.S. Privacy Shield Framework by the FDPIC since, as Switzerland is not a member of the EU, it is not bound by the CJEU ruling.

On September 4, 2020, the European Data Protection Board (the “EDPB”) announced that it established two taskforces following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

On September 3, 2020, the Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) of the European Parliament held a meeting to discuss the future of EU-U.S. data flows following the Schrems II judgment of the Court of Justice of the European Union (the “CJEU”). In addition to Members of the European Parliament (“MEPs”), the meeting’s participants included Justice Commissioner Didier Reynders, European Data Protection Board (“EDPB”) Chair Andrea Jelinek and Maximilian Schrems. Importantly, Commissioner Reynders stated during the meeting that the new Standard Contractual Clauses (“SCCs”) might be adopted by the end of 2020, at the earliest.

On August 24, 2020, the Data Protection Authority (“DPA”) of the German federal state of Baden-Württemberg issued guidance on international data transfers following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case (decision C-311/18 of July 16, 2020). As we previously reported, the judgment of the CJEU invalidated the EU-U.S. Privacy Shield framework and confirmed the ongoing validity of the controller-to-processor EU Standard Contractual Clauses (“SCCs”), subject to an adequacy assessment and, if necessary, additional safeguards to protect the personal data transferred pursuant to the SCCs. The guidance is notable because it is the first substantive guidance from a DPA following the Schrems II judgment (although the guidance is only applicable to companies established in the federal state of Baden-Württemberg).

The U.S. Department of Commerce has issued two new sets of FAQs in light of the Court of Justice of the European Union’s (“CJEU’s”) recent decision to invalidate the EU-U.S. Privacy Shield in Schrems II. We previously reported on the Schrems II ruling and its implication for businesses that transfer personal data to the U.S. The new FAQs from the Department of Commerce address the impact of the decision on the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.

On July 28, 2020, German supervisory authorities (Datenschutzkonferenz, the “DSK”) issued a statement reiterating the requirement for additional safeguards when organizations rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) for the transfer of personal data to third countries in the wake of the Court of Justice of the European Union’s (the “CJEU”) invalidation of the Privacy Shield Framework. In its July 16, 2020 judgment, the CJEU concluded that SCCs issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, subject to the need to assess whether additional safeguards are required depending on the recipient jurisdiction. In this same decision, the CJEU struck down the EU-U.S. Privacy Shield Framework.

On July 22, 2020, the European Data Protection Board (the “EDPB”) adopted an information note (the “Note”) to assist organizations relying on Binding Corporate Rules (“BCRs”) for international personal data transfers, as well as supervisory authorities, in preparing for the end of the Brexit implementation period on December 31, 2020. The Note is provided specifically for those groups of undertakings and enterprises that have the UK Information Commissioner’s Office (“ICO”) as the competent supervisory authority for their BCRs.

On July 24, 2020, the European Data Protection Board (the “EDPB”) published a set of Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the EU-U.S. Privacy Shield framework. With its FAQs, the EDPB sought to provide responses to some of the many questions organizations are asking in the aftermath of the Schrems II ruling.

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) invalidated the EU-U.S. Privacy Shield Framework as part of its judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the Privacy Shield framework on the basis that the limitations on U.S. public authorities’ access to EU personal data were not sufficient for the level of protection in the U.S. to be considered equivalent to that ensured in the EU, and that the framework does not grant EU individuals actionable rights before a body offering guarantees that are substantially equivalent to those required under EU law.

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.

On June 30, 2020, the Federal Trade Commission (“FTC”) announced it had entered into a consent agreement (the “Proposed Settlement”) with NTT Global Data Centers Americas, Inc. (“NTT”), a successor in interest to RagingWire Data Centers, Inc. (“RagingWire”), to settle allegations in a November 2019 Administrative Complaint that RagingWire misrepresented its participation in and compliance with the EU-U.S. Privacy Shield Framework (“Privacy Shield”), in violation of the FTC Act.

In one of the most important cases on global data transfers, the Court of Justice of the European Union (“CJEU”) will rule on the validity of the Standard Contractual Clauses (“SCCs”) in the Schrems II case (case C-311/18) on July 16, 2020. Invalidation of the SCCs would leave businesses scrambling to find an alternative data transfer mechanism. But there may be significant practical challenges for businesses even if the SCCs survive.

In a case that has garnered widespread interest, the Court of Justice of the European Union (“CJEU”) will deliver its judgment in the Schrems II case (case C-311/18) on July 16, 2020, determining the validity of the controller–to-processor Standard Contractual Clauses (“SCCs”) as a cross-border data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). If the SCCs are invalidated, the judgment would deliver a significant blow to the numerous businesses that rely on them, leaving many scrambling to find a suitable alternative transfer mechanism. Even if the SCCs survive, they may become more cumbersome to use.