Needless to say, 2020 was a notable year for everyone, especially considering the COVID-19 pandemic. For privacy pros, however, it was (also) notable for the Schrems II judgment of the Court of Justice of the European Union, issued on 16 July of that year.
Starting from that date, European entities transferring personal data outside the EU had to implement supplementary measures aimed at ensuring that the destination country of the personal data would essentially provide the same level of protection as that guaranteed in the EU. In addition, the European Commission issued updated standard contractual clauses, and in turn many countries followed suit, updating their local data transfer rules as well as providing their own sets of standard contractual clauses.
Lastly, how could we not mention the big changes for EU-US data transfers? The White House has indeed released on 7 October 2022 an executive order implementing the EU-US Data Privacy Framework and the European Commission has announced it will prepare a draft adequacy decision and then launch its adoption procedure.
What are you waiting for? Buckle up! In this issue, we will drive you into the most recent developments in legal frameworks for data transfers, starting from Europe and then heading to the US, China, Africa and South America.
Quick off-topic: the second annual Dentons Global Artificial Intelligence Survey has just been released – go check it out at this link! We would love to receive your contributions!
Personal data transfers to the US – still an issue?
The new Standard Contractual Clauses provide European data exporters with clear requirements regarding international data transfers, but the new legal certainty comes with the price of additional assessment and documentation requirements. Will the upcoming Trans-Atlantic Data Privacy Framework be the easier solution for US data transfers?
UK perspective – data transfers / data sharing in a global environment
Transfers of personal data out of the UK, to “third countries” or international organizations, are restricted by the UK GDPR (as per the UK Data Protection Act 2018 and related regulations).
Post-Brexit, the UK transfers regime still largely tracks the EU GDPR’s rules. That includes the July 2020 Schrems II requirements, which also apply to transfers from the United Kingdom. However, there are some differences, and possible changes to come.
The debate over data monetization – an EU (and Italian) perspective
Directive (EU) 2019/770, otherwise known as the Digital Content Directive (DCD), has recently been implemented in Italy within the Chapter I-bis of the Italian Consumer Code. Among other things, the implementation reignited the debate over personal data monetization (i.e. the possibility for data subjects (and entities) to sell and share personal data as assets with an intrinsic economic value). Many commentators viewed the DCD as an opening to the practice of providing digital content or services in exchange for personal data (instead of a price payment). In this regard, Recital 24 of the DCD explicitly states that “digital content or digital services are often also supplied where the consumer does not pay a price but provides personal data to the trader” and that “such business models are used in different forms in a considerable part of the market.”
Data transfers under the Turkish data protection law
The rapid development of information, communication and data processing technologies in today’s globalized world brings its own challenges with regard to the governance of personal data. In this connected world, personal data can flow between entities and across borders effortlessly. This leads governments to take regulatory measures focusing on data transfers. Turkey is no exception when it comes to regulating data transfers strictly. Furthermore, various amendments in this respect have yet to be passed, potentially easing compliance requirements of the data controllers.
More information here.