Data Dive

On Tuesday, December 13, the European Commission initiated its long-awaited process towards the adoption of an adequacy decision for the European Union (EU)-U.S. Data Privacy Framework (EU-U.S. DPF), which aims to address the concerns raised by the Court of Justice of the EU when it struck down the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield framework in 2020.

An executive order implementing U.S. commitments to the new successor agreement to the Privacy Shield, the EU-U.S. Data Privacy Framework was signed by President Biden in October 2022. The order marks a historic step in respect of trans-Atlantic data transfers and creates a new two-tier redress mechanism for individuals in the EU. The order also establishes a number of additional safeguards that constitute a substantive limitation on the U.S. intelligence communities access to and handling of data. 

Last week the Biden administration and the European Commission jointly announced a new trans-Atlantic data flow agreement. While no specifics have yet been made public, a recent press release gives the high-level facts of this pivotal economic agreement, which is the product of more than a year’s worth of negotiations that will “enable the continued flow of data that underpins more than $1 trillion in cross-border commerce every year” (find our previous articles on cross-border data transfer here, and here). This “agreement in principle” would reinstate a framework to allow the free exchange of data between the United States and the European Union (EU) without violating the General Data Protection Regulation (GDPR).

Akin Gump published a client alert on how new contracts involving cross-border personal data transfers must now incorporate the updated standard contractual clauses (“New SCCs”) for controllers and processors. as of September 27, 2021 for new contracts the New SCCs must be used. Businesses with cross-border personal data transfers out of the EEA should begin reviewing their existing contractual arrangements and data processing operations now, because the transition period is short, by December 27, 2022 all existing contracts need to be updated. To read the full alert, please click here.

In response to a request from the SEC, the U.K. Information Commissioner’s Officer, U.K.’s data protection regulator (ICO), has published its letter to the SEC setting out the ICO’s views on regulating relevant transfers of personal data, which will assist firms to understand how they can comply with both their SEC obligations and the U.K. GDPR. A U.K. firm is likely to be able to provide requested documents containing personal data in reliance on the “public interest” derogation in Article 49(1)(d) U.K. GDPR, but firms will have to consider whether the transfer is “necessary and proportionate”, provide the appropriate disclosures to customers and staff and document their decision making process. To read the full alert, please click here.

Akin Gump published a client alert on the Taskforce of the European Data Protection Board (EDPB) adopting two sets of Recommendations addressing the aftermath of the landmark Schrems II decision of the Court of Justice of the European Union (CJEU), which had scrutinised international personal data transfers under the General Data Protection Regulation (GDPR). The first set of Recommendations is in draft and sets out a proposed six-step plan aimed at helping EEA data exporters to assess if they need to put in place supplementary measures in order to transfer personal data outside the EEA in compliance with Schrems II. The second set of Recommendations are an update to the Article 29 Working Party’s Working Document 01/2016, published in April 2016, concerning European Essential Guarantees for surveillance measures. To read the full alert, please click here.