Adequacy Decisions

Subscribe to Adequacy Decisions

On February 28, 2023, the European Data Protection Board (“EDPB”) issued its opinion on the draft adequacy decision of the European Commission (the “Commission”) on the new EU-US Data Privacy Framework (“DPF”). The EDPB expressed reservations in connection with the DPF, which will now undergo scrutiny by other European institutions.

Who Should Read This Legal

On 13 December 2022, the European Commission published its draft adequacy decision for EU-U.S. data transfers. The draft decision follows the EU-U.S. announcement of an agreement on a new EU-U.S. Data Privacy Framework (“DPF”) in March 2022 as well as the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (“Executive Order”) signed

The UK Online Safety Bill was proposed by the UK government to establish a new regulatory framework to tackle harmful content online and usher in a new age of accountability for tech companies. The bill will impose a duty of care on companies that offer user-generated content, in addition to search engines, to protect users

On 18 November 2021, the European Data Protection Board (“EDPB”) adopted new guidelines which:

  1. Set out a three part criteria for identifying whether an action will be considered an international transfer of personal data; and
  2. Clarify that restrictions on international data transfers do apply to transfers to entities located in a third country, but which

Today, 28 June 2021, the European Commission formally adopted two adequacy decisions with respect of transferring personal data from the European Economic Area (the “EEA”) to the United Kingdom (the “UK”): one under the EU General Data Protection Regulation and one under the EU Law Enforcement Directive. The two decisions come into

On 13 April 2021, the European Data Protection Board (“EDPB“) adopted two opinions  (“Opinions“) concerning draft UK adequacy decisions published by the European Commission  which would permit the free flow of personal data from the European Economic Area (“EEA“) to the UK in the post-Brexit world.

The Opinions largely

Scenario

A US company is conducting a global internal investigation. To carry it out, the company plans to transfer documents and emails held by its French subsidiary to the company’s US servers for review and analysis. Aware that Europe has stringent data privacy rules, the US in-house counsel is looking for specific guidance on whether

On 12 November, the European Commission published draft standard contractual clauses for transfers of personal data from the European Union to third countries (“New SCCs“).

Once approved, the New SCCs will replace the previous standard contractual clauses which pre-date the implementation of the General Data Protection Regulation 2016/679 (“GDPR“). The draft

On 11 November 2020, the European Data Protection Board (the “EDPB”) published for public consultation new Recommendations 01/2020 on the measures to be taken to supplement the personal data transfer tools organisations currently rely upon to ensure compliance with EU data protection laws when transferring personal data from Europe (the “Recommendations”).

The Recommendations

On January 27, 2020, the US Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a 13-page report of observations from its examinations of market participants’ cybersecurity and operational resiliency practices.1 This Legal Update discusses the content and context of the report and its implications for entities subject to examination by