Data transfer scene evolves but a global solution is needed

In this issue, we report on some practical points for organisations to consider regarding the EU-US Data Privacy Framework. Late September, the UK finally announced that from 12 October 2023, UK organisations can transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework”.

However, in the long term, a global solution is needed. The G7 DPAs have been discussing data flows in their meetings and promote ‘Data Free Flow with Trust’. The G7 digital ministers also work on AI and are expected to meet at some time before the end of the year to issue a paper on generative AI. The aim is to develop international guiding principles alongside a code of conduct.

DPAs are looking into how AI can help them in their work. We at PL&B are currently planning a one-day workshop to identify benefits for the busy DPO in terms of managing the role with the help of AI. Please register your interest at for this one-day seminar on 23 January 2024, to be hosted by the Macquarie Group in London.

As we were preparing to go to print, the US State of Delaware enacted a privacy law. This is now a trend in the US – but there is still no progress on a privacy law at the federal level. India, on the other hand, suddenly ended its long legislative process by adopting a law. Read a detailed analysis of this Act by Professor Graham Greenleaf, PL&B Report’s Asia-Pacific Editor.

A category of its own are countries that a long time ago gained an adequacy status according to the European Union 1995 Data Protection Directive, and now need to modernise their laws to meet the higher EU GDPR standard. Israel is one of them. What is puzzling is why is takes the EU Commission such a long time to issue its evaluation of the countries that have an old adequacy decision.

Other developments include Saudi Arabia’s 2021 privacy law, now in force since 14 September.

Laura Linkomies
Editor, Privacy Laws & Business

October 2023