Switzerland Recognizes New EU Standard Contractual Clauses and Issues Guidance on International Data Transfers

On August 27, 2021, the Swiss Federal Data Protection and Information Commissioner (FDPIC) formally recognized the new EU Standard Contractual Clauses published by the European Commission on June 4, 2021 (New SCCs). The New SCCs are intended to legitimize transfers of personal data from Switzerland to countries not deemed by the FDPIC as providing an adequate level of protection for personal data (cf. official statement). With this recognition, the FDPIC completes its guidance on international data transfers published on June 18, 2021. The aim of these documents is to reduce uncertainties in a post-Schrems II era and to help companies ensure the ongoing lawful transfer of personal data.

Five Key Considerations Regarding New U.S. Sanctions to Address Ransomware Threats

On September 21, 2021, the U.S. Department of the Treasury (Treasury) Office of Foreign Assets Control (OFAC) imposed sanctions on a virtual currency exchange called Suex OTC, S.R.O. (Suex), and published an updated advisory on potential risks for those who facilitate ransomware payments. These coordinated actions represent significant moves by OFAC to target key aspects of the global ransomware ecosystem and to advance the U.S. government’s broader counter-ransomware strategy. By recommending strengthened cybersecurity measures and emphasizing reporting to law enforcement, OFAC’s updated advisory also reflects increasingly tight collaboration among federal government agencies in their fight against the ransomware threat.

Get Prepared for Data Privacy Compliance Under China PIPL

On August 20, 2021, China’s National People’s Congress passed the Personal Information Protection Law (PIPL), which will become effective starting November 1, 2021. As an overarching law in China with respect to data privacy, PIPL shares many similarities with the EU General Data Protection Regulation (GDPR). If a company is already GDPR compliant, its data privacy compliance system can basically work in China, although certain localizations are necessary in response to unique requirements under PIPL. In particular, a company should pay attention to the following differences between PIPL and GDPR:

(more…)

Digital Health in the UK: MHRA Bold New (Regulatory) World?

In his statement to the House of Lords on September 16, Lord Frost announced that “we will use the provisions of the Medicines and Medical Devices Act 2021 to overhaul our clinical trial frameworks, based on outdated EU legislation, giving a major boost to the UK’s world-class R&D sector and getting patients access to new lifesaving medicines more quickly. The MHRA which is a world class regulator as we know, is already reforming the medical devices regulations to create a world-leading regime in this area.” This provided a timely backdrop to the MHRA’s new publications on medical device software, which form part of a broader agenda for regulatory change in the UK.

Fintech and Blockchain 2021

Please join us for a program focused on the latest 2021 FinTech and blockchain developments. Sidley lawyers in the banking, white collar, and FinTech groups will discuss the key regulatory and enforcement issues related to enhanced focus by the DOJ, SEC, CFTC, FinCEN, CFPB, OCC, and Federal Reserve on FinTech, blockchain, and cryptocurrencies from both the criminal and civil enforcement perspectives.

Regulatory Update: NAIC Summer 2021 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Summer 2021 National Meeting (Summer Meeting) August 14-17, 2021. As a result of the continuing COVID-19 pandemic, the NAIC met in a hybrid format with attendees participating both in person and virtually. This post summarizes the highlights from this meeting in addition to interim meetings that were held during July in lieu of taking place during the Summer Meeting. Highlights include, among others, adoption of revised risk-based capital bond factors for life insurers, amendments to SSAP No. 71, and an amendment to the purposes and procedures manual to add instructions for review of funds.

Sidley Privacy and Cybersecurity Roundtable

Please join Sidley’s Privacy and Cybersecurity Group for a two-part discussion with UK government officials with a focus on data transfer and innovation.

UK Data Protection and Data Transfers – New Directions

In this Chatham House discussion, our panelists will cover:

  • Data Transfers to the U.S. and Developments on “Adequacy”
  • G7 and OECD Data Protection Initiatives
  • UK Regulation of Data and Promotion of Innovation

UK Government Publishes UK Approach to International Transfers, Including Data Adequacy

On August 26, 2021, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) published its mission statement setting out the UK approach to adequacy assessments and international data transfers, alongside a Manual Template and Manual Guidance for undertaking adequacy assessments and an infographic map illustrating ten priority countries forming part of that process. This release forms part of a broader package of measures announced by DCMS to “seize the opportunities of data to boost growth, trade and improve its public services” following the UK’s exit from the EU, which included an announcement that John Edwards (the current New Zealand Privacy Commissioner) is the Government’s preferred nominee to be the next UK Information Commissioner.

UK ICO Opens Consultation on Data Transfer Agreements and Guidance

On 11 August 2021, the UK Information Commissioner’s Office (ICO) launched a public consultation on its draft international data transfer agreement and guidance (Consultation). The Consultation comes two months after the European Commission’s adoption of new EU Standard Contractual Clauses (EU SCCs) and the European Data Protection Board’s publication of the final Schrems II guidance. The EU SCCs do not automatically apply in the UK since its exit from the EU. Moreover, the ICO has not yet formally acknowledged the EU SCCs as a valid data transfer mechanism under the UK GDPR.

European Commission Adopts UK Adequacy Decisions Allowing Personal Data to Freely Flow from the EU to the UK

On 28 June 2021, the European Commission announced that it has adopted two adequacy decisions for the UK, one under the General Data Protection Regulation (GDPR) and one under the Data Protection Directive with Respect to Law Enforcement (Law Enforcement Directive) (Adequacy Decisions). The announcement comes just two days before the bridging period for data transfers between the EU and the UK was set to expire. In its assessment, the European Commission has determined the UK’s data protection laws are “essentially equivalent” to the data protection laws ensured within the EU. As a result of the Adequacy Decisions, personal data can continue to flow freely from the EU to the UK without the need for a data transfer safeguard (e.g., Standard Contractual Clauses or SCCs) in place. This announcement comes as very welcome news to many organisations transferring data between the EU and the UK.
