In this #30 issue of “Lexing Insights,” the members of the network focus on “International data transfers”.

What are the rules on international data transfers?

Commercial exchanges rely increasingly on personal data flows. The privacy and security of such data have become central factors of trust.

In the European Union, the GDPR authorizes transfers of data to third countries provided that they ensure an adequate level of data protection using various tools (such as adequacy decisions, standard contractual clauses, BCRs, derogations). In China, the Personal Information Protection Law (PIPL), which will take effect on 1st November 2021, also sets strict rules for data transfers outside the country.

The Lexing® network members provide a snapshot of the current state of play worldwide:

  • What transfer tools are available under the GDPR?
  • How to transfer data to the USA after the Privacy Shield was declared invalid by the CJEU’s Schrems II ruling?
  • How to transfer data to the UK after the Brexit?
  • What are the penalties for unlawful transfers?
  • What are the rules outside the EU, such as in China, Canada, or South Africa?
A world tour of international data transfers

We start our world tour in South Africa, where our Lexing member presents the roadmap for transferring personal data to and from South Africa in compliance with the Protection of Personal Information Act (POPIA).

Then, our member for Belgium reviews a recent case in which the Belgian Council of State had to decide on the compliance of a public procurement contract involving the transfer of data to the United States with regard to the CJEU’s Schrems II judgment and the associated EDPB’s recommendations.

We then move on to Canada, where our Lexing member explains the rules that will soon be applicable to the communication of personal information outside Quebec following the adoption of the Act to modernize legislative provisions as regards the protection of personal information on 21 September 2021.

Our world tour also takes us to China to examine the conditions for transferring data outside the Chinese territory under the Cyber-security Law (CSL) and the Personal Information Protection Law (PIPL).

Back to Europe, with our member for Spain providing an update on the applicable legal framework under the Organic Law 3/2018 on Personal Data Protection (LOPD) and the position of the national supervisory authority, the AEPD.

Next step: France. Our member describes the various transfer tools available, with focus on the standard contractual clauses (SCC), with regard to the recommendations of the EDPB and the position of the CNIL.

Finally, our world tour ends in Luxembourg, where our correspondent summarizes the situation of international data transfers from the EU in the aftermath of the Brexit and the Schrems II ruling of the CJEU.

The following countries have contributed to this issue: Belgium, Canada, China, France, Luxembourg, Spain, South Africa.

Lexing International Newsletter “Lexing Insights” No. 30 – October 2021