On February 28, 2024, President Joe Biden issued Executive Order (“EO”) 14117, empowering the Department of Justice (DOJ) to regulate the export of certain consumer data, in order to prevent certain countries’ governments from obtaining bulk sets of especially sensitive personal data. The EO, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United

On the eve of the “Golden Week” in China, the Cyberspace Administration of China (CAC) published the draft Provisions on Regulating and Promoting Cross-Border Data Transfers (the “Draft Provisions”) on 28 September 2023.1

The Draft Provisions provide a welcome rollback of some of the onerous cross-border data transfer regime, first introduced by the Personal

On July 10, 2023, the European Commission (“Commission”) adopted an adequacy decision for the EU-US Data Privacy Framework (“DPF”). The DPF is the successor to the EU-US Privacy Shield, which the Court of Justice of the European Union (“CJEU”) declared invalid in 2020.

This adequacy decision reflects agreement by the Commission that the DPF offers

The European Parliament adopted a Resolution on 11 May 2023 against the adoption of an EU adequacy decision for the US based on the EU-US Data Privacy Framework (DPF). The Resolution comes after an analysis by the European Parliament of the Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities (EO 14086), which

On February 28, 2023, the European Data Protection Board (“EDPB”) issued its opinion on the draft adequacy decision of the European Commission (the “Commission”) on the new EU-US Data Privacy Framework (“DPF”). The EDPB expressed reservations in connection with the DPF, which will now undergo scrutiny by other European institutions.

Who Should Read This Legal

Following on from our alert in relation to technology, data privacy, cybersecurity and IP legal developments to look out for in 2023, this update outlines some of the potential developments and trends in the UK cyber incident response landscape for 2023.

Increased litigation risk for cyber breach victims – the Information Commissioner’s Office begins naming

On 13 December 2022, the European Commission published its draft adequacy decision for EU-U.S. data transfers. The draft decision follows the EU-U.S. announcement of an agreement on a new EU-U.S. Data Privacy Framework (“DPF”) in March 2022 as well as the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (“Executive Order”) signed

Companies that rely on standard contractual clauses (“SCCs”) for transferring personal data from the European Economic Area (“EEA”) to jurisdictions not considered to offer an adequate level of data protection under the EU General Data Protection Regulation must ensure that none of their existing contracts use the old SCCs after 27 December 2022.

Businesses are

The Secretariat of the National Information Security Standardisation Technical Committee (TC260) released a draft revision of the Technical Specification for Certification of Cross-Border Transfers of Personal Information (Certification Specification V2.0) on 8 November 2022, nearly five months after it issued the finalised specification of the same name (Certification Specification V1.0) (see our previous Legal Update

The UK Information Commissioner’s Office (the “ICO”) published new guidance on transfer risk assessments (“TRAs”) and a template for carrying out a TRA.

All businesses are required to carry out TRAs, also known as local law assessments or transfer impact assessments, when transferring personal data subject to the UK GDPR outside the United Kingdom using