On 30 June 2022, the Cyberspace Administration of China ('CAC') released the long-awaited draft Personal Information Export Standard Contract ('the Standard Contract'), together with the draft Rules on the Standard Contract ('the Rules'). An analysis of the application and requirements of the Standard Contract to a business' cross-border data transfer strategy is critical as signing a Standard Contract is anticipated to be the most popular approach enabling international transfers of personal information out of mainland China. Alex Roberts and Yang Fan, from Linklaters, and Tiantian Ke, from Zhao Sheng Law Firm, look at key aspects of the latest draft of the Standard Contract and draw comparisons with the EU 2021 Standard Contractual Clauses ('the EU SCCs').

The Working Group II ('WGII') of the Intergovernmental Panel on Climate Change ('IPCC') is tasked with evaluating the vulnerability of socio-economic and natural systems to climate change, its beneficial and detrimental effects, and adaptation strategies. As part of its work, the WGII published its contribution to the Sixth Assessment Report ('AR6'), titled 'Climate Change 2022: Impacts, Adaptation and Vulnerability', addressing the impact of climate change, by analysing ecosystems, biodiversity, and human communities both at the global and regional level. In its contribution to the AR6, the WGII places a particular focus on vulnerability assessment, capacity, and limits of the natural world and human societies in seeking to adapt to climate change and addressing the 'rapidly narrowing window of opportunity to enable climate resilient development' (p. 31).

This Insight article provides an overview of the drafting process of the WGII contribution to the AR6, its importance, and key findings.

The newest player in the Environmental, Social, and Governance ('ESG') standard-setting arena is the International Sustainability Standards Board ('ISSB'), established by the International Financial Reporting Standards Foundation ('IFRS') to become the first global standard-setting board. In this Insight article, OneTrust DataGuidance Research discusses the significance of the ISSB and the new standards for climate reporting that it has proposed.

In the aftermath of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), the requirement to carry out transfer impact assessments ('TIAs') before transferring data to third countries has become a major concern, not only for many businesses carrying out international activities, but also for any companies – including small to medium-sized enterprises ('SMEs') – relying on foreign providers. Sonia Cissé, Clémentine Richard, and Julie Favreau, from Linklaters, shed light on the specificities of this new but already well-known requirement and set out the legal, organisational, technical, and financial complications many companies are facing in implementing it.

The concept of 'training and awareness' within a security and privacy environment refers to the strategy implemented by firms to prevent and mitigate security breaches and leakage. In essence, 'training and awareness' is designed to assist employees in appreciating the important role they play in preserving data security and integrity within a working environment. Effective 'training and awareness' will enable employees to distinguish between what would constitute a good privacy practice and what would not, what the security risks are and how those relate or materialise on the basis of employee behaviour, and generally how employees can identify security threats they may encounter on a daily basis and what actions to take.

Following part 8 of the implementation series, which looked at data protection audits, in this article Grigoris Sarlidis, Partner at A.G. Erotocritou LLC, explains the importance of security awareness training, sets out key types of training that firms may consider adopting in order to strengthen their data security, and shares some tips for making employees more privacy aware.

Marketing is a fundamental part of a business, and encompasses a wide range of strategies and tactics designed to promote and sell products or services, and manage the brand reputation of the business. In part one of a two-part business function series, Joanna Kennedy, Director, Marketing & Communications and Data Protection Officer at the Performance Review Institute, discusses considerations and challenges in relation to marketing and data protection.

As discussed in the Insight article UK: COP26, carbon coins, and cockroaches - Can a new form of currency mitigate corporate liability climate risks?, the ways in which a company ensures that the appropriate disclosures are made in relation to climate-related risks are likely to become a key feature of corporate liability.

In this article, Ben Trust, Louise Pearce, and Tim Malloch, from CMS Cameron McKenna Nabarro Olswang LLP, look at recent developments in climate-related financial disclosure obligations in three key jurisdictions for business and investors, the US, the UK, and the EU, suggesting that the most logical progression of these developments is that central banks move from their current positions as observers and intervene to introduce a carbon coin, a digital currency disbursed on proof of carbon sequestration or the provision of climate stewardship services.

On 25 March 2022, the EU and the US announced that they had found an 'agreement in principle' for a new Trans-Atlantic Data Privacy Framework ('TADPF'), which would seek to restore the seamless flow of personal data between the EU and the US. However, at least until such time as an agreement is reached and the US adequacy status approved, organisations remain subject to the requirements of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') in respect of EU-US data transfers, including transfer impact assessments ('TIAs'). Precisely two months prior to the announcement, on 25 January 2022, the German Data Protection Conference ('DSK') published an expert opinion on the current state of US surveillance law and authorities, prepared under the initiative of the Berlin data protection authority ('Berlin Commissioner'), and authored by Professor Stephen I. Vladeck, one of the expert witnesses for Facebook in the Schrems II case. The expert opinion expresses Vladeck's views and is not binding on the DSK or other German data protection supervisory authorities.

The expert opinion outlines US surveillance laws and authorities that in some instances allow access to, and imposition of retention requirements on, data of non-US persons located outside the US. In this regard, the expert opinion focuses on Section 702 of the Foreign Intelligence Surveillance Act ('FISA') and analyses its scope, including which businesses/industries it may cover, its extraterritorial application, and the type of data Section 702 may capture. This Insight article aims to summarise the expert opinion and is accompanied by clarifications and comments on the impact of the expert opinion from Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, and Jimmy Orucevic, Data Protection Consultant at KPMG Switzerland.

Many jurisdictions are increasingly enacting laws and regulations governing how and where data must be stored either within their respective borders or abroad. What has resulted is a constantly evolving network of rules and restrictions for the location of data. In this three-part series, OneTrust DataGuidance provides an overview of key trends in data localisation and data residency, outlining underlying approaches to the same, as well as common trends associated with sector and categories of data.

Although Non-Fungible Tokens ('NFTs') existed long before, the first half of 2021 saw an increased interest in this type of digital asset. Vasilis Charalambous, Lawyer at George Z. Georgiou & Associates LLC, discusses NFTs, what they are, how they function, key trends, the legal and regulatory landscape governing their use, as well as potential challenges lying ahead.

While the source, motivation, and networks behind cyber attacks oftentimes remain elusive, what is clear is that cyber crimes against critical infrastructure, and the manufacturing sector in particular, are on the rise. Vikram Jeet Singh, Partner at BTG Legal, discusses the reasons for and impact of cyber attacks on control systems in the manufacturing sector, as well as potential mitigation strategies.

Almost two years on from the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), and many transfer impact assessments ('TIAs') and supplementary measures later, the President of the European Commission, Ursula von der Leyen, announced in a statement alongside U.S. President, Joe Biden, on 25 March 2022, that the EU and the US had found an 'agreement in principle' on a new Trans-Atlantic Data Privacy Framework ('TADPF'). Shortly after, further statements arrived, with the transatlantic counterparties confirming an 'intensification of negotiations' over a framework that seeks to restore the seamless flow of personal data between the EU and US and purports to comply with the judgment in the Schrems II Case, accompanied by two fact sheets from the White House and the Commission respectively. In the days that have followed, several EU data protection authorities have reacted, including the Norwegian data protection authority ('the Norwegian Datatilsynet'), the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information ('LDI NRW'), and the Danish data protection authority ('the Danish Datatilsynet'). OneTrust DataGuidance breaks down what we know so far about the TADPF and gathers reactions from industry experts, with an eye on what comes next, and what companies should consider in the meantime.