The new framework provides an additional route for personal data transfers from the EEA to the US.

By Robert Blamires, Gail E. Crawford, James Lloyd, Clayton Northouse, Alice Brunning, Alexander Ford-Cox, and Jennifer Howes

On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new EU-US Data Privacy Framework (DPF) for transfers of data from the European Economic Area (EEA) to the US. The EC adopted an adequacy decision following the fulfilment by the US of its implementation commitments under the DPF. The adequacy decision enables organisations to transfer personal data from the EEA to organisations in the US that have self-certified under the DPF with immediate effect. As of 10 July 2023, organisations that were certified under the EU-US Privacy Shield (Privacy Shield) are now certified under the DPF and can begin receiving data from the EEA via the DPF.

Companies have three months to prepare to use the latest standard contractual clauses for new data transfers, and 18 months to migrate existing arrangements.

By Gail Crawford, Fiona Maclean, Danielle van der Merwe, and Amy Smyth

On 4 June 2021, the European Commission released its much-anticipated final Implementing Decision containing the new standard contractual clauses (SCCs) for the transfer of personal data to third countries, which will enter into effect on 27 June 2021. Organisations may continue to use the existing SCCs until 27 September 2021, after which time the new SCCs must be used for relevant new data transfers. Organisations have an 18-month grace period (until 27 December 2022) during which they must migrate any existing SCC arrangements to the new SCCs.

The European Commission has published draft updated standard contractual clauses in light of the Schrems II decision.

By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan, and Amy Smyth

On 12 November 2020, the European Commission (the Commission) published a draft implementing decision, annexing a draft set of updated standard contractual clauses (SCCs) for the transfer of personal data from the European Union to third countries (the New SCCs). The New SCCs were published two days after the European Data Protection Board (EDPB) released its draft recommendations on supplementary measures (the Recommendations). (For more information, see Latham’s blog post The EDPB’s Draft Data Transfer Guidance Following Schrems II — A Close Look.)

In the New SCCs, the Commission has substantially updated the SCC terms. The New SCCs provide for new types of data transfer (i.e., processor-to-processor and processor-to-controller transfers, in addition to the controller-to-controller and controller-to-processor transfers covered in the current SCCs) and, to a limited extent, address matters arising from the CJEU Schrems II decision.

Speakers: Gail Crawford, Jennifer Archie, Ulrich Wuermeling

On October 6, 2015, the European Court of Justice invalidated the EU Commission’s decision that had allowed companies to transfer personal data from the EU to the United States under the EU-US Safe Harbor Framework. Two months on, various bodies and EU privacy regulators have issued guidance, including a statement by the Article 29 Working Party effectively making clear that there will be a grace period in enforcement concluding at the

A day-long conference on European data protection will be held in Berlin on May 7. Representatives of the European Commission and the Parliament, as well as EU member countries and legal practitioners will be taking part in the 2nd European Data Protection Day, organized by Euroforum. Privacy partner Ulrich Wuermeling, based in Latham’s Frankfurt office, is chairing the conference that will focus specifically on the planned reform of Europe’s data protection law.

The European Commission will

By Justin Cornish, Alice Marsden, Brian Meenagh

On February 26, 2012 the Office of the Commissioner of Data Protection (OCDP) for the Dubai International Financial Centre (DIFC) published its Strategic Plan for 2012-14. One of the key statements in the Strategic Plan is the statement of the OCDP’s intention to apply to the European Commission for acceptance of the DIFC as a jurisdiction with an adequate data protection regime. If the DIFC is officially declared ‘adequate’ by the European Commission