International Data Flows - Cross Border Privacy Rules, Privacy Recognition for Processors, and Global CBPR and PRPJuly 7, 2023
This document addresses commonly asked questions about the Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems, which are data transfer mechanisms developed by the Asia-Pacific Economic Cooperation (APEC) member economies. CBPR and PRP operationalize the nine Privacy Principles set forth in the 2005 APEC Privacy Framework.
CIPL anticipates that the elements of the current CBPR and PRP systems will transition seamlessly to the global framework. Accordingly, our responses to Questions 9-22 (which pertain to the current systems) will likely apply to the Global CBPR. We will update these FAQs as developments warrant. |
CIPL-TLS Discussion Paper II: Data Localization and Government Access to Data Stored AbroadMarch 29, 2023
In this paper, TLS explores one rationale that some proponents of localization have advanced: that localization will insulate companies from foreign governments’ ability to legally compel access to their data. We examine not only the legal framework in the United States (U.S.), but also those of other countries, and conclude that legal systems, in general, provide avenues for governments to require companies to respond to data requests, even if data is localized in a different country, and that localization will therefore be ineffective at insulating data from cross-border reach. We begin with a brief (and simplified) overview of applicable U.S. legal principles for law enforcement access to data stored abroad, and then review how other legal frameworks address cross-border data access.
|
CIPL-TLS Discussion Paper I: The Real Life Harms of Data Localization PoliciesMarch 29, 2023
Data underpins the digital transformation of our economies and society. It can be considered one of the most valuable economic assets – responsible use of data enables economic growth and brings benefits and progress to people, governments, and societies at large. Data is also central to governmental and societal interests, such as national security, cyber security, data protection, privacy, and other individual rights.
This is the first in a series of CIPL papers that we expect to publish in 2023 that discusses the impacts of data localization approaches, the motivations behind them, and how to respond to and move beyond them. |
Local Law Assessments and Online Services - Refining the Approach to Beneficial and Protective Cross-Border Data Flows: A Case Study from British ColumbiaJune 9, 2022
Cross-border data flows foster innovation and growth, support cybersecurity, and enable access to essential services. They are important for delivering public services and empowering individuals to access them, including healthcare and education. Cross-border data flows make access to transformational technologies like AI equally available to individuals and public and private sector organizations who might otherwise be foreclosed from participating in this crucial aspect of the digital economy. They foster collaboration and innovation using public data and data that is shared between organizations and between the public and private sectors, and they are crucial to the coordination of cybersecurity frameworks as well as the international effort to combat fraudulent and criminal activity in a number of sectors. In short, cross-border access to data is critical to enabling our modern digital ecosystem.
This paper examines a “case study” of recent developments in British Columbia that appear to require a local law assessment (similar to a TRA) when using non-Canadian cloud services. |
CIPL Q&A on Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) 2nd EditionOctober 8, 2020
This document addresses some commonly asked questions about the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems.
|
A Path Forward for International Data Transfers under the GDPR After the CJEU Schrems II DecisionSeptember 24, 2020
On July 16th 2020, the Court of Justice of the European Union (CJEU) confirmed, in the case known as “Schrems II”, that Standard Contractual Clauses (SCCs) are a valid mechanism for the transfer of personal data outside of the EU, while invalidating the EU Commission’s adequacy decision on the EU-US Privacy Shield. The Judgment substantially impacts organizations engaging in international data transfers under Chapter V of the GDPR (Transfer of Personal Data to Third Countries or International Organizations). Organizations are currently working hard to implement the requirements of the Judgment by assessing and revisiting current data transfer practices, switching or reinforcing data transfer mechanisms, introducing new organizational and technical controls and strengthening existing policies.
CIPL strongly believes that the EDPB guidelines must be informed by the reality of data transfers, global interconnected business processes and services, and best practices that companies are implementing to address the CJEU requirements. It is essential that the EDPB engages proactively with stakeholders and open these guidelines to public consultation during their development phase. This paper highlights that the Judgment impacts not only transfers to the US, but also all data transfers from the EU to the rest of the world. |
CIPL-DSCI Report on Enabling Accountable Data Transfers from India to the United States under India's Proposed Personal Data Protection BillSeptember 8, 2020
Personal data relating to children are processed for many purposes by private and public sector organizations, including the provision of online and offline services, education, social care, healthcare and personal welfare, and as part of information on family circumstances. In some cases, the processing will include special categories of personal data. CIPL recognizes that the processing of children’s personal data may be regarded as high risk in some cases and require particular levels of care. Indeed, the importance of protecting the rights of children has been highlighted by Article 24 of the EU Charter of Fundamental Rights.
In this paper CIPL addresses issues raised by the processing of personal data relating to children by private sector organizations, such as service providers in the online environment, typically for activities such as social media, the use of some online games or certain IoT products, online advertising services or e-commerce sites which can be used by children, for example by the use of pre-paid debit or gift cards. |
Essential Legislative Approaches for Enabling Cross-Border Data Transfers in a Global EconomySeptember 25, 2017
This white paper by the Centre for Information Policy Leadership (CIPL) is directed at all policymakers and legislators who are drafting privacy laws that regulate and contain restrictions for cross-border transfers of personal data.
While an approach to cross-border data transfers that relies on “accountability” for transferred data, rather than transfer restrictions, is both viable and preferable, an increasing number of countries are still including cross-border transfer restrictions modeled on the EU example. Given this trend, it becomes essential to ensure consistency and convergence and build on existing and accepted business and regulatory practices to enable benefits from cross-border data flows while ensuring protection from harms and risks for individuals. Therefore, privacy laws that do contain cross-border data transfer restrictions should also include the full range of existing and accepted exceptions and derogations to such restrictions, as well as a comprehensive set of available cross-border transfer mechanisms to enable accountable global data flows despite any transfer restrictions. |
Cross-Border Data Transfer MechanismsAugust 20, 2015
Legislatures in many countries currently are drafting or amending data protection laws. Often, these drafts and amendments attempt to regulate cross-border data transfers by imposing restrictions on transfers of personal data to other countries that do not have similar data privacy laws. Sometimes they also include so-called data localization provisions that require data or copies of data to remain in the country of origin. Yet, global data flows are the product of the increasing globalization and digitalization of business processes and society and are foundational to the modern economy. The ability to use, share and access information across borders stimulates innovation, enables data-driven products and services and fuels economic growth and ideas, and is often the lifeline for remote communities. Any limitation on cross-border data flows, therefore, presents serious challenges to these key attributes and benefits of the global movement of data.
This paper does not attempt to prove this particular point, however, as it has been discussed extensively elsewhere. Instead, the paper enumerates important cross-border transfer mechanisms that should be included in any law that regulates or limits data transfers to other countries. |
Copyright © 2024 by the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP.
|