Mastering Data Transfers Across Borders (EU, U.S., Israel)

Past Event | June.04.2024 | 10am - 11am (Eastern Daylight Time)

Zoom

Orrick attorneys Christian Schröder, Shannon Yavorsky and Matthew Coleman partnered with Avishay Klein from Barnea for a dynamic webinar unravelling the complexities of international data transfers.

The webinar began with a brief introduction on the requirements for international data transfers under the GDPR. A key focus was on the various transfer tools, including adequacy decisions, the binding corporate rules and the Standard Contractual Clauses (SCC).

Regarding recent developments for international data transfers in Europe, the webinar highlighted the EU-U.S. Data Privacy Framework (DPF). In this context, the new guidance from the German Data Protection Conference (Datenschutzkonferenz) on the DPF was examined. Specifically, the requirements for the transfer of HR data were discussed. 

As for recent development in the U.S., the speakers noted the emergence of restrictions on cross border data transfer from the U.S. to certain “countries of concern” pursuant to a recent Executive Order issued by President Biden. The panel also noted the rapid evolution of comprehensive state privacy laws in the U.S. and the fact that there are now 18 different state privacy laws.

The discussion on whether to certify under the DPF concluded that there are many arguments in favor of certification, such as the simplicity of certifying and the marketing benefits conferred by certification. However, the panel noted that companies should not rely solely on the DPF, especially for long-term data transfers to the U.S. and should have additional SCCs in place due to the risk of the DPF being invalidated.

The panel also discussed the European Data Protection Board’s (EDPB) presentation of the final version of recommendations 01/2022 on the application for approval and on the elements and principles to be found in the Controller Binding Corporate Rules (C-BCR) on 20 June 2023. The original draft from 2022 was only slightly revised, with additions such as examples or clarifications. The recommendations contain an application form to be completed by the applicant and submitted to the responsible BCR-Authority, as well as a tabular overview of the elements and principles to be found in C-BCR, which define the binding minimum content of C-BCR. These recommendations are intended to serve as guidance and to replace the previously existing working documents on C-BCR.

The panel noted recent confirmation of the adequacy decision for Israel ensures the continuance of an easy transfer from the EU to Israel. However, companies should be aware of the scope of adequacy decision in terms of subject matter and territory and make sure their data transfers are covered.

There have been two other major changes in Israel recently. On the one hand, there are restrictions in Israel on the international transfer of data to other countries that are similar to the requirements of the GDPR. For example, it must be ensured that the country to which the data is sent from Israel guarantees a similar level of protection as Israel. Additionally, Israel is currently drafting amendments to its data protection law, with Amendment No. 14 adding significant enforcement powers (including administrative fines) to the data protection authority.

Finally, it was also discussed that the new Data Act in Art. 32 for the first time imposes requirements on companies to protect non-personal data from access by authorities of third countries and obliges companies to object to disclosure requests from these authorities if necessary.

Please feel free to contact any of the speakers if you have questions or comments.