Data processing agreements are a standard part of business arrangements involving personal data due to the European Union’s General Data Protection Regulation as well as the ever-expanding number of U.S. consumer privacy statutes.

Amendments have recently been proposed to two of the three statutes to be enacted under Canada’s Bill C-27: The Digital Charter Implementation Act. The statutes that may be amended are the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act. The proposed amendments would beef up the protections in both statutes.

The United Kingdom has announced its decision to establish the UK-U.S. Data Bridge. The UK-U.S. Data Bridge will allow UK businesses and organizations to transfer personal data to organizations in the United States that have certified compliance with the UK Extension to the EU-U.S. Data Privacy Framework.

The new Swiss Federal Act on Data Protection, known by the acronym “nFADP,” took effect on September 1. The law was enacted by the Swiss parliament in 2020.

The law introduces new rights for Swiss citizens, but also corresponding obligations for businesses that process personal data subject to the law. The law is intended to be more closely aligned to the European Union’s General Data Protection Regulation and allows for a free flow of information between EU and Swiss companies.

On July 10, 2023, the European Commission (“EC”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”).

The European Court of Justice has issued two important decisions interpreting the European Union’s General Data Protection Regulation. One addresses the right to compensation for GDPR violations, and the other addresses the scope of an individual’s right of access when his or her data has been provided by a controller to other recipients. Each decision is discussed below.