International Data Transfers

Swiss Data Protection Regulator Is Latest to Outline Framework for Transferring Data to the SEC

August 17, 2021 By Daniel Felz and Wim Nauwelaerts

Entities registered with the U.S. Securities & Exchange Commission (SEC) must maintain certain books and records and can be subject to the SEC’s examination, inspection, and enforcement authority. Responding to SEC requests can require cross-border transfers of personal data, and this has historically risked non-compliance under foreign data protection law. The SEC has been proactive […]

U.S. Department of Commerce Releases White Paper to Assist Organizations in Conducting Schrems II Assessments

September 28, 2020 By James Harvey

In a letter from Deputy Assistant Secretary James Sullivan, the U.S. Department of Commerce introduced a white paper, “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II,” to assist organizations in conducting independent analyses of data transfers in light of the July 16, 2020 […]

German DPA Publishes Schrems II Transfer Compliance Checklist and Suggested Modifications to SCCs

August 26, 2020 By Daniel Felz and Paul Greaves

On August 24, 2020, the data protection authority of the German state of Baden-Württemberg (the “DPA”) published guidance (the “Guidance”) on international transfers of personal data following the Schrems II judgment (which we have previously covered here). This represents the first comprehensive guidance by a European privacy supervisor indicating how it intends to enforce the […]

After Schrems II: A Proposal to Meet the Individual Redress Challenge

August 18, 2020 By Paul Greaves

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield in the Schrems II case. In an article written by Georgia Tech professor and Alston & Bird Senior Counsel Peter Swire with co-author Kenneth Propp, entitled ‘After Schrems II: A Proposal to Meet the Individual Redress Challenge’, […]

Schrems 2.0: CJEU invalidates EU-US Privacy Shield and emphasizes exporter obligations when using Standard Contractual Clauses

July 16, 2020 By Paul Greaves and Wim Nauwelaerts

Executive Summary Today, the Court of Justice of the European Union (‘CJEU’) handed down its long-awaited judgment in the ‘Schrems 2.0’ case (Facebook Ireland and Schrems (Case C-311/18)), about the validity of two means of legitimizing transfers of personal data outside the EEA under the EU General Data Protection Regulation (‘GDPR’)[1]. In somewhat of a […]