I
L
T
A
W
H
I
T
E
P
A
P
E
R
&
S
U
R
V
E
Y
R
E
S
U
L
T
S
|
L
I
T
I
G
A
T
I
O
N
&
P
R
A
C
T
I
C
E
S
U
P
P
O
R
T
19
I L T A ' S 2 0 2 3 L I T I G A T I O N & P R A C T I C E S U P P O R T S U R V E Y R E S U L T S
New Regulations for UK and EU
Cross-Border Data Transfers
by Mike Quartararo
Legal professionals in the United States who work in e-discovery,
particularly those working with international clients, have always had a
need to move electronically stored information (ESI) across international
borders to comply with discovery obligations. In the early days of e-discovery,
litigants simply transferred the data across borders, and no one asked questions.
Then came a wave of data privacy laws and regulations that changed the stakes—and the stakes
changed for anyone moving data across borders, not just litigants and e-discovery professionals.
Companies doing business internationally have in recent years paid massive regulatory fines under
the European Union's General Data Protection Regulation (GDPR), enacted in 2016, and litigants
with legal matters that span the globe have had to navigate a web of rules and processes governing
the movement and disclosure of information.
Regulations enacted in Europe pre- and post-GDPR made provision for cross-border data
transfers, but in response to lawsuits in 2015 and 2020, the European Court of Justice struck down
those regulations. And then, the United Kingdom left the European Union adding a layer of complexity
to cross-border data transfers.
Now, recent actions by the European Commission, and the governments of the United States and
the United Kingdom have established new mechanisms for cross-border data transfers, specifically
data transfers to the United States. The new data transfer mechanisms contribute to the more than $7
trillion in economic activity between the EU, the UK, and the US.
In July of 2023, the European Union approved the EU-US Data Privacy Framework (DPF).
This means that the European Commission has made an "adequacy" decision that recognizes US laws
and privacy practices as adequate to protect the personal information of a data subject and allows data
transfers from the European Economic Area (EEA), which includes all EU countries, plus Iceland,
Liechtenstein, and Norway. Readers may review the EC adequacy decision here.
