Mastering Data Transfers Across Borders (EU, U.S., Israel)

Past Event | June.04.2024 | 10am - 11am (Eastern Daylight Time)

Zoom

Orrick attorneys Christian Schröder, Shannon Yavorsky and Matthew Coleman partnered with Avishay Klein from Barnea for a dynamic webinar unravelling the complexities of international data transfers.

The webinar began with a brief introduction on the requirements for international data transfers under the GDPR. A key focus was on the various transfer tools, including adequacy decisions, the binding corporate rules and the Standard Contractual Clauses (SCC).

Regarding recent developments for international data transfers in Europe, the webinar highlighted the EU-U.S. Data Privacy Framework (DPF). In this context, the new guidance from the German Data Protection Conference (Datenschutzkonferenz) on the DPF was examined. Specifically, the requirements for the transfer of HR data were discussed.

As for recent development in the U.S., the speakers noted the emergence of restrictions on cross border data transfer from the U.S. to certain “countries of concern” pursuant to a recent Executive Order issued by President Biden. The panel also noted the rapid evolution of comprehensive state privacy laws in the U.S. and the fact that there are now 18 different state privacy laws.

The discussion on whether to certify under the DPF concluded that there are many arguments in favor of certification, such as the simplicity of certifying and the marketing benefits conferred by certification. However, the panel noted that companies should not rely solely on the DPF, especially for long-term data transfers to the U.S. and should have additional SCCs in place due to the risk of the DPF being invalidated.

The panel also discussed the European Data Protection Board’s (EDPB) presentation of the final version of recommendations 01/2022 on the application for approval and on the elements and principles to be found in the Controller Binding Corporate Rules (C-BCR) on 20 June 2023. The original draft from 2022 was only slightly revised, with additions such as examples or clarifications. The recommendations contain an application form to be completed by the applicant and submitted to the responsible BCR-Authority, as well as a tabular overview of the elements and principles to be found in C-BCR, which define the binding minimum content of C-BCR. These recommendations are intended to serve as guidance and to replace the previously existing working documents on C-BCR.

The panel noted recent confirmation of the adequacy decision for Israel ensures the continuance of an easy transfer from the EU to Israel. However, companies should be aware of the scope of adequacy decision in terms of subject matter and territory and make sure their data transfers are covered.

There have been two other major changes in Israel recently. On the one hand, there are restrictions in Israel on the international transfer of data to other countries that are similar to the requirements of the GDPR. For example, it must be ensured that the country to which the data is sent from Israel guarantees a similar level of protection as Israel. Additionally, Israel is currently drafting amendments to its data protection law, with Amendment No. 14 adding significant enforcement powers (including administrative fines) to the data protection authority.

Finally, it was also discussed that the new Data Act in Art. 32 for the first time imposes requirements on companies to protect non-personal data from access by authorities of third countries and obliges companies to object to disclosure requests from these authorities if necessary.

Please feel free to contact any of the speakers if you have questions or comments.

Speakers

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.

Matthew E.S. Coleman Senior Associate, Cyber, Privacy & Data Innovation, Technology Transactions

New York; Boston

See my bio

D:+1 212 506 3569
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Mergers & Acquisitions
Artificial Intelligence & Machine Learning
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Matthew E.S. Coleman Senior Associate

New York; Boston

Matthew helps clients comply with the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act of 2018 (CCPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the General Data Protection Regulation (GDPR), the Telephone Consumer Protection Act (TCPA), and state breach notification, biometric privacy, and cybersecurity laws. He counsels on self-regulatory privacy programs, including Binding Corporate Rules, the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPRs); programs covering online behavioral advertising, including the Digital Advertising Alliance (DAA), the European Interactive Digital Advertising Alliance (EDAA), the Interactive Advertising Bureau (IAB), and the Network Advertising Initiative (NAI); and programs covering payment card processing. Matthew also provides compliance solutions for emerging technologies, including artificial intelligence and blockchain.

Matthew’s federal regulatory experience helps clients stay compliant and avoid regulatory scrutiny. His comprehensive data management knowledge helps him counsel beyond the letter of the law and facilitates worldwide expansion, interoperable business processes, and innovative uses of consumer data while maintaining user trust. His all-encompassing, risk-based approach involves developing and executing internal and external policies for the collection, use, disclosure, sharing, retaining, transferring, and destruction of personal information. This includes managing contractual relationships with vendors, employees, acquired entities, and creditors as well as building privacy into companies’ product development life cycle and change management strategies.

Prior to joining Orrick, Matthew was an Enterprise Privacy Solutions Manager for TrustArc (formerly TRUSTe), a San Francisco-based privacy consulting and certification firm, and an adjunct law professor of Privacy Law at Santa Clara University. Matthew is a Certified Information Privacy Manager and a Certified Information Privacy Professional with a specialization in United States privacy law.

Related Areas

Cyber, Privacy & Data Innovation