Charles Helleputte

According to the latest draft of the EU cybersecurity certification scheme for cloud services (EUCS), dated August 2023 (leaked by POLITICO), the data localisation requirement, which was heavily criticised by the industry, will now apply only to the highly critical “high+” level. Should the EUCS be approved in this form, data localisation would not apply to the category 3 (“high”) level. This might not be the end of a debate that has run wild between industry (with major cloud providers not keen on the idea) on one side and, on the other, some member states defending some level of sovereignty, such as France, Italy and Spain, and EU institutions (such as the European Data Protection Board and ENISA).

Continue Reading Fewer Clouds on … Cloud: The EU to (Finally) Drop Most Data Localisation Requirements in the EUCS

On July 10, the European Commission formally adopted the EU-U.S. Data Privacy Framework (DPF). The Commission’s adequacy decision (and the documentation package accompanying it, including the FAQ) brings welcome news: for certified DPF participants, personal data can flow between the European Economic Area (EEA) and the United States (U.S.

Our global data team has prepared a practical guide that compares three standard contracts, as a means of facilitating international data transfers, namely:

  • The EU’s standard contractual clauses (effective since June 2021)
  • The People’s Republic of China’s (PRC) standard contract (issued in March 2023)
  • The Association of Southeast Asian Nations’ (ASEAN) model contractual clauses (published in January 2021).


Continue Reading A Guide Comparing EU, China, ASEAN Standard Contracts for Data Transfers

The regulation of artificial intelligence (AI) has been a hot topic in recent months, fueled by the disruption caused by Generative AI and the privacy and security concerns it raised. Numerous regional and national initiatives around the globe are part of a race to define a regulatory approach with many challengers (ethical use, product safety, risk-based, human-centered) and no clear winners. What is certain, however, is that even within the EU Commission itself, many want to claim the AI regulation trophy. Here is a brief roundup of the main four contenders.

Continue Reading The EU Approach to AI Regulation: Texts That Generative AI Will Not Come Up With

The European Commission and the Association of Southeast Asian Nations (ASEAN) have published a first-of-its-kind guide[1] that identifies the similarities and differences between the ASEAN model contractual clauses (ASEAN MCCs) and the EU standard contractual clauses (EU SCCs).

A second guide will be issued in due course, which will provide best practices for meeting

The EU adequacy decision in favour of the UK allows the free flow of personal data between the UK and the European Economic Area (the EU member states plus Iceland, Liechtenstein and Norway). Both before and since expiry of the Brexit implementation period businesses have emphasised the crucial importance of maintaining that adequacy decision, pointing

The French government has decided to act in the fight against the resurgence of cyberattacks, together with ransom demands, which have a significant impact on the economy. By anticipating the development of the cyber risk insurance market in France, the French government has decided to make the payment of insurance compensation conditional on the filing

The start of a new year always brings New Year’s resolutions. If privacy by design is one of yours (just months after the Irish watchdog announced a €265 million fine for a breach of this concept, it seems reasonable to have it on your radar), 2023 is off to a good start with a new

The European Commission (the “Commission”) published today its draft adequacy decision for the US (the “Draft Decision”). This paves the way for an institutionalized personal data transfer mechanism across the Atlantic to emerge (and already raises the prospects of it being under scrutiny again).

If your pre-holiday workload (which also includes the transition of your old SCCs to the new ones, another transfer duty) does not allow you to read the full 134-page Draft Decision, here is a little tour of what you need to know before it becomes final (and this might still take some time).

Continue Reading Third Time Lucky or Schrems III? The European Union Data Pact with the US Moves One Step Closer (To Be Challenged – Again)