Three years after the European Commission’s (Commission) adoption of the updated Standard Contractual Clauses (SCCs), new clauses are on the horizon.

The Commission announced a recent initiative in which the SCCs would be open for public consultation beginning the fourth quarter of 2024, with potential updates to the SCCs being adopted by the Commission in the second quarter of 2025 (2025 Clauses). These 2025 Clauses offer the Commission the opportunity to address any gaps left by the current SCCs adopted on June 4, 2021.Continue Reading Another Update Already? New EU Standard Contractual Clauses on the Horizon to Further Safeguard Cross Border Data Transfers

Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post. 

On July 12, 2024, the European Union’s Artificial Intelligence Act (AI Act) was published in the EU Official Journal.

This comprehensive legislation establishes the first risk-based regulatory framework for AI systems, with far-reaching implications for businesses using AI. The AI Act is effective August 2, 2024, with the enforcement of the majority of its provisions commencing on August 2, 2026.

Continue Reading The EU AI Act – What Businesses Need to Know

The EU is gearing up for massive reform concerning the use and accessibility of health data, and Germany is taking note. Recently, Germany proposed several draft legislation focusing on the use of health data. The Health Data Use Act, (Gesundheitsdatennutzungsgesetz, (GDNG)); The Digital Act, and A Law to Promote the Quality of Inpatient Care through Transparency (Hospital Transparency Act) are just a few of the newest pieces of proposed legislation designed to improve the use and accessibility of health data for German citizens. This move by the German Federal Ministry of Health is part of an EU-wide reform effort under the European Commission’s (“Commission”) European Health Data Space (EHDS).

Germany’s new legislation is designed to align with EHDS principles and these laws not only impact healthcare providers and hospitals in Germany but also companies that collect the health data of German residents. Below are the main takeaways of these proposed laws and what U.S. companies can expect moving forward.Continue Reading Germany’s Gearing up for European Health Data Space (EHDS) Compliance

On November 16, 2022, the Digital Services Act (DSA) took effect across the European Union (EU). The DSA establishes new regulations applicable to “online intermediaries,” such as online marketplaces, social network platforms, and internet service providers. The DSA was implemented to encourage market growth and establish clear and transparent accountability for digital spaces. Although the DSA has been in effect for nearly eight months, the European Parliament (“Parliament”) has allowed for a transitional period before full application. This transitional period ends on February 17, 2024. Beginning on this date, organizations must have the requisite procedures in place to address DSA requirements.Continue Reading Full Steam Ahead: EU’s Digital Services Act Creates Global Impact

Swiss Flag

Switzerland is implementing new legislation to better protect its citizens’ data (“revFADP”), replacing the longstanding Federal Act on Data Protection of 1992. The revFADP improves the processing of personal data and grants Swiss citizens new rights consistent with other comprehensive data protection laws, such as the General Data Protection Regulation (GPDR) and UK GDPR. This important legislative change also comes with a number of increased obligations for companies doing business in Switzerland. Companies must quickly get up to speed on the revFADP requirements because the Act takes effect on September 1, 2023. Companies should not assume that compliance with the GDPR and UK GDPR equals compliance under the revFADP. While this revised legislation has many similarities to the GDPR, there are a few stark differences companies should be aware of. Here is the breakdown of what companies should know.Continue Reading Nothing Neutral about the New Swiss Federal Act on Data Protection

On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF or DPF”) signaling the potential return of the framework allowing the flow of personal data between the EU and the United States. Although this is a draft decision, if approved, it will ease trans-Atlantic data flow and ease the restrictions that were placed after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. This draft adequacy decision ultimately concluded that the DPF provides an adequate level of protection of personal data.Continue Reading Don’t Call It A Comeback: EU-U.S. Data Privacy Framework Inches Closer to Implementation Following the European Commission’s Draft Adequacy Decision

Two weeks ago, the German Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report looking into Microsoft 365’s (Microsoft) compliance under the European Union’s General Data Protection Regulation (GDPR). DSK’s overarching conclusion of the report was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.

The DSK report alleged Microsoft’s policies and disclosures lack clarity with respect to how personal data is processed and which entity is processing that data. DSK was unable to conclusively determine the cases where Microsoft acts as a data controller rather than a data processor. The distinction between a data controller and a data processor is important because Article 5(2) of the GDPR imposes additional accountability requirements and responsibilities for data controllers. The DSK also expressed concerns regarding Microsoft’s lack of overall clarity and notification to users about subcontractors and sub-processors. The group determined that Microsoft’s lack of detail regarding subcontractors and sub-processors falls below the European Commission’s template on Standard Contractual Clauses.
Continue Reading Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance

In the past year, we have seen an increase in the number of countries developing/updating legal frameworks (such as model agreements) that permit the transfer of personal data abroad. Transfer mechanisms, such as the model agreements, are necessary because different countries’ data protection laws may offer different levels of protection to individuals’ personal data. Transfer mechanisms function as an “equalizer” by requiring a base level of protection that all entities must have in place when transferring personal data abroad. Accordingly, transfer mechanisms ensure that protections are in place to safeguard data that leaves a country with strong data protection laws to be transferred to a country that has no such laws. Last June, the European Commission updated its Standard Contractual Clauses (“EU SCCs”) permitting the transfer of data outside the European Economic Area (“EEA”) after a decade. Earlier this year the United Kingdom implemented the UK’s version of transfer clauses with the International Data Transfer Agreement (“UK IDTA”). Like Europe and the United Kingdom, China also has some transfer mechanisms in the works.
Continue Reading Data Transfers and Beyond: China Moves Closer to Finalizing Draft Provisions Permitting the Transfer of Personal Data Abroad

This week, the new rules for personal data transfers to countries outside the United Kingdom (“UK”) went into effect. As of March 21, 2022, businesses transferring personal data from the UK to countries outside the European Economic Area (“EEA”) need to analyze their data flows and update their agreements involving data transfer practices to reflect the UK Data Protection Authority’s (“ICO”) new standard contractual clauses.

Under both the European Union’s General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018, businesses are required to implement certain safeguards when transferring personal data outside the UK to countries “without an adequate level of data protection.” Standard contractual clauses (“SCCs”) are largely used to validate these types of transfers in the European Union as permitted under GDPR. However, following the “Brexit” transition period that concluded on December 31, 2020, GDPR no longer applied to the UK. Further, when the European Union revised SCCs in June 2021, the changes did not apply in the UK, and companies were left with confusion on how to effectuate personal data transfers outside the UK.
Continue Reading New Personal Data Transfers out of the UK: Like the GDPR, but Different

It is the end of an era: September 27, 2021, officially marks the termination date for the Standard Contractual Clauses (SCCs) grace period set forth by the European Commission (“Commission”). In June 2021, the Commission published two new sets of clauses (2021 SCCs), marking the first update to the SCCs in over a decade. Unlike prior iterations, which were created before the enactment of the European Union’s (EU) General Data Protection Regulation (GDPR), the 2021 SCCs reflect the GDPR’s data protection requirements for multiple variations of data exporter-importer relationships.
Continue Reading Out with the Old and In with The New: European Commission’s New Standard Contractual Clauses Grace Period is Ending