On Feb. 2, 2016, representatives of the European Commission and the United States agreed on a new framework for transatlantic data flow: the EU-US Privacy Shield, intended to replace the EU-US Safe Harbor, which was invalidated as a result of a decision of the EU Court of Justice.
In our first article on the European Union General Data Protection Regulation (Regulation (EU) 2016/679 or ‘GDPR’) we focused on the global territorial scope of the new rules and how they could affect businesses based in Asia. In particular, we highlighted how the enhanced rights of data subjects in the EU and the expanded obligations on data controllers and data processors — even if they are located outside the EU — provide much for businesses to consider as they become compliant with the new rules. In this second article, we will focus on the new regulatory-enforcement regime and international data transfers, and then draw comparisons with the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.
The exit of the United Kingdom from the EU has caused turmoil in world markets and has far-reaching consequences for those companies in the European Union doing business with the country – and vice versa. There has also been some uncertainty about how the authorities based in London will treat data security and privacy issues. The consensus seems to be that companies doing business with the second-largest economy in Europe (after Germany) should adopt a ‘business as usual’ approach. However, will this necessarily be the case in the future? Will global companies with a British connection (including those in Asia) be forced to revisit how they treat data security and privacy issues when dealing with the United Kingdom – and will British companies move away from the rules that have been set in place by Brussels? We take a closer look.
Estonia takes over presidency of EU and hosts major Digital Single Market conference on free movement of data, touching on data flow and data localization.
U.S. doing an “adequate” job for Privacy Shield but could be doing more to protect the data transfer of EU users, including reform of the FISA regulations.
Personal data protection is a fundamental EU right and is not negotiable in trade deals. The European Commission has provided four conditions for international data flows to comply with the GDPR. Yet, there is a “get out of jail free card,” allowing restrictions to be reviewed and accorded “sympathetic” consideration.
Many are confused about how data transfers should be managed under GDPR; some even believe they are no longer allowed outside the EU. What are the requirements for personal data processing to comply with GDPR data transfer rules?