The 14th Annual Sedona Conference International Programme on Cross-Border Data Transfers and Data Protection Laws

Date:

Tuesday, June 13, 2023 - 8:30am to Wednesday, June 14, 2023 - 1:00pm

Location:
The Westin Valencia
Valencia, Spain

The 14th Annual Sedona Conference International Programme on Cross-Border Data Transfers and Data Protection Laws will be held on 13-14 June 2023 at The Westin Valencia in Valencia, Spain. There will be a welcome reception at the hotel in the evening of 12 June, from 18:00 - 20:00.

The Programme will address cross-border data transfers relating to commercial operations, government investigations, and discovery in litigation, and the related compliance, privacy and security issues.

Unlike other continuing legal education programs, all faculty members are present for the entire Programme and participate in all aspects of the Programme. The format involves dialogue not only among faculty members, but also with the Programme participants, who are invited and encouraged to contribute their comments and perspectives to the dialogue.

Attendance at the Programme is by invitation only to ensure a proper balance of participants and is limited in size to ensure that we have an intimate environment for meaningful dialogue.

Working Group Meetings

In the afternoon of 14 June, from 13:30-17:30, there will be a members' meeting of The Sedona Conference Working Group 6 on International Electronic Information Management, Discovery and Disclosure (WG6). In the morning of 15 June, from 9:00-12:30, there will be a members' meeting of The Sedona Conference Working Group 11 on Data Security and Privacy Liability (WG11).

You must be a Working Group Series (WGS) member to attend the WG6 and WG11 meetings.

If you are a WGS member who would like to attend either or both of the meetings, please indicate this during the application process for the International Programme – you will be prompted to select which meeting(s) you plan to attend.

If you are not a WGS member, you can sign up for a WGS membership here. Once a WGS member, one is eligible to become a member and take part in the activities of all Working Groups, including WG6 and WG11. If you have any questions about how to sign up for a membership or encounter any difficulties while doing so, please contact our office at [email protected].

Corparate Counsel Meeting

There will be a meeting of corporate counsel, with the date and location to be determined. The meeting is limited to corporate counsel and The Sedona Conference leadership to discuss and benchmark cross-border transfer best practices in a more relaxed and informal setting. This intimate forum will allow for a discussion of issues of specific importance to in-house counsel. If you are invited to participate in the Programme, the organizers of this meeting will contact you separately with more details.

Hotel Reservation Information

We have arranged for a very favorable group room rate at The Westin Valencia of EUR 180 (single) and EUR 200 (double) per night (plus 10% VAT) for a limited block of Deluxe rooms on the evenings of 12 - 14 June 2023. The group rate includes the breakfast buffet at The Rosmarino restaurant. The group rate will be available for 3 nights preceding and 3 nights following the dates of the room block, but subject to availability of Deluxe rooms. The Westin will be holding the block of rooms until 15 May 2023, after which any unsold rooms will be released for sale to the general public. After 15 May 2023, rooms will be subject to availability. Reservation information will be provided in your registration confirmation email.

CLE

The Sedona Conference will seek CLE accreditation for this programme in selected jurisdictions, as dictated by attendance.

Co-Chairs

Andrea L. D'Ambra

Norton Rose Fulbright US LLP

New York, NY, USA

Wayne Matus

SafeGuard Privacy Inc.

Purchase, NY, USA

David Moncure

DaVita

Denver, CO, USA

Confirmed Faculty

Cecilia Álvarez Meta Madrid, Spain	Hon. Michael M. Baylson U.S. District Court, Eastern District of Pennsylvania Philadelphia, PA, USA	Kevin F. Brady Volkswagen Group of America Herndon, VA, USA	Nina Bryant FTI Consulting London, United Kingdom
Leonardo Cervera Navas European Data Protection Supervisor Brussels, Belgium	Starr Turner Drum Maynard Nexsen Birmingham, AL, USA	Kevin Duan Han Kun Law Offices Beijing, China	Nicola Fabiano Studio Legale Fabiano Milan, Italy
Townsend Feehan IAB Europe Brussels, Belgium	Natascha Gerlach Center for Information Policy Leadership Brussels, Belgium	Seán Hurley Data Protection Commission Dublin, Ireland	Serge D. Jorgensen The Sylint Group Sarasota, FL, USA
Helena Koning Mastercard Waterloo, Belgium	Ruth Elizabeth Promislow Bennett Jones LLP Toronto, ON, Canada	Peter Schaar European Academy for Freedom of Information & Data Protection Berlin, Germany	David C. Shonka Redgrave LLP Chantilly, VA, USA
Christiana State Crowell & Moring LLC San Francisco, CA, USA	Inés Talavera de la Esperanza IAB Europe Brussels, Belgium	Vittorio Tommasone IBM Milan, Italy	Jonathan M. Wilan Sidley Austin LLP Washington, DC, USA
Dino Wilkinson Clyde & Co Abu Dhabi, United Arab Emirates	Miriam Wimmer Brazilian Data Protection Authority (ANPD) Brasilia, Brazil	Kenneth J. Withers The Sedona Conference Phoenix, AZ, USA	Stephen Yu AlixPartners LLP Shanghai, China

14th Annual International Programme Agenda

Time	Session	Panelists
	Monday, 12 June 2023
18:00 — 20:00	Welcome Reception (guests invited)
	Tuesday, 13 June 2023
7:30 — 8:30	Sign-in
8:30 — 8:45	Welcome and overview	D'Ambra, Matus, Moncure, Weinlein
8:45 — 10:00	EU-U.S. data transfers and the EU-U.S. Data Privacy Framework: What's next?	Alvarez, Brady, Gerlach*, Koning, Promislow
	In the wake of the July 2020 landmark decision of the European Court of Justice (ECJ), Schrems II, that struck down the EU-U.S. Privacy Shield, parties on both sides of the Atlantic began work in earnest on a new framework for data transfers between the EU and U.S. that could withstand ECJ scrutiny. In March 2022, an “agreement in principle” was reached on such a framework – the EU-U.S. Data Privacy Framework (“Framework”). Subsequent efforts to turn that “agreement in principle” into a legal framework, including the October 2022 White House Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities, resulted in the European Commission releasing a draft adequacy decision for the Framework in December 2022. The panel will lead a dialogue on the structure and contents of the Framework; the efficacy of the Commission’s draft adequacy decision; the likelihood of avoiding a potential Schrems III; what the ideal mechanism for EU-U.S. data transfers would look like; and the broader context of international efforts to achieve free data flows with trust.
10:00 — 10:15	Morning Break
10:15 — 11:15	Global approaches to regulating AI: Convergence or divergence?	Promislow*, State, Tommasone, Wilkinson, Wimmer
	In early 2021, the European Commission proposed the first-ever legal framework for AI, the “Proposal for a Regulation laying down harmonised rules on artificial intelligence” (or the “Artificial Intelligence Act”). The regulation’s main focus is on specific risks surrounding AI and the categorization of such risks. Around the same time, the U.S. Federal Trade Commission (FTC) released Business Guidance noting the FTC’s perception that AI could inadvertently introduce bias or other unfair outcomes and warned of the potential applicability of Section 5 of the FTC Act, the Fair Credit Reporting Act, and the Equal Credit Opportunity Act. The Artificial Intelligence Act and the FTC’s Business Guidance appear to suggest a more restrictive approach to AI on the part of regulators in the EU and the U.S. The government of the United Kingdom, however, may be headed in a different direction – with innovation as a priority. In June 2022, the Secretary of State for Digital, Culture, Media and Sport (DCMS) presented to the UK Parliament a policy paper entitled, “Establishing a pro-innovation approach to regulating AI.” The panel will lead a dialogue on the strengths and weaknesses of these varying jurisdictional approaches in the infancy of AI regulation. The panel will also consider whether AI is the new battleground for international commercial supremacy, and if so, how that can be expected to impact the evolution of regulation of AI across the globe.
11:15 — 12:15	What does the future hold for online advertising under the GDPR, in California and elsewhere?	Alvarez, Feehan, Gerlach, Jorgensen, Matus*, Talavera de la Esperanza
	In February 2022, the Litigation Chamber of the Belgian Data Protection Authority (APD) found that the Internet Advertising Bureau Europe’s (IAB Europe) Transparency and Consent Framework (TCF) violated several GDPR provisions and, accordingly, imposed a €250,000 fine. Under the TCF, consent management platforms (CMPs) capture the preferences of online users in TC Strings (digital strings containing user preferences). The APD held that IAB Europe – as well as CMPs, publishers and participating ad tech vendors – lacked a valid legal basis for the processing of personal data through the TCF. In January 2023, APD approved IAB Europe’s action plan to bring processing of personal data under the TCF into compliance with the GDPR. The implementation of the action plan, however, will entail operating changes for TCF participants that may ultimately be found inadequate by the ECJ. Meanwhile, in California, the CCPA was amended specifically to capture the practice of “sharing” personal information in online advertising, as opposed to merely its “sale,” leading to new contractual requirements. The CCPA also now includes new provisions specifically to "target" targeted advertising. Finally, in November 2022, the UK Competition and Markets Authority (CMA) announced a new effort to look into Business to Consumer (B2C) online sales practices. The panel will compare and contrast the aforementioned developments in the EU, California, and the UK, and assess the trends lines for online internet advertising vis-à-vis data protection regulations globally.
12:15 — 13:15	Lunch
13:15 — 14:30	Data protection authority (DPA) roundtable	Cervera Navas, Hurley, Moncure*, Wimmer
	Global DPAs will lead a dialogue on their respective challenges and priorities in both their enforcement and advisory roles under global data protection regimes. The dialogue will also address technological developments and data transfer mechanisms (e.g., SCCs; EU-U.S. Data Privacy Framework).
14:30 — 14:45	Afternoon Break
14:45 — 16:00	Insights from former DPAs	Fabiano, Matus*, Schaar, Shonka
	Examining issues of cross-border data transfers and data protection can look very different for a regulator than a business or other organization. How does being a DPA shape one’s view of the issues? This panel brings together former DPAs from across the globe who have experience on both sides of the regulatory divide to dialogue on what they see as the most important trends in the data protection field, how working in a regulatory capacity has changed how they speak with organizations about data protection, and what they see as the critical foci for DPAs.
16:00 — 17:00	Operating under China's Personal Information Protection Law (PIPL)	D'Ambra*, Duan, State, Wilan, Yu
	China’s PIPL went into effect on November 1, 2021, and in June 2022, China issued administrative rules fleshing out the restrictions on cross-border data transfers in addition to the requisite steps required to obtain regulatory approval of such transfers. These steps include (1) clearing a security assessment approved by the Cyberspace Administration of China (CAC) and (2) either obtaining a personal information protection certification from a professional institution designated by the CAC or entering into a standard format data transfer agreement with the foreign recipient of the data. Unfortunately, the exact metes and bounds of this complex process remains largely unclear, leaving multinational companies in a difficult position when conducting investigations or cross-border discovery of data in China. Our panel will share first-hand experience with navigating the challenges of the PIPL and other Chinese data protection laws and will provide practical tips on addressing these challenges.
17:00 — 19:00	Reception (guests invited)

	Wednesday, 14 June 2023
8:00 — 9:00	Sign-in
9:00 — 10:15	Cross-border data transfers regulatory action and case law update	Baylson, Brady, Drum, Scorza, Withers*
	Each year, the International Programme features a detailed discussion of recent regulatory actions and court decisions on privacy, data security, and cross-border data transfer issues. This year’s panel of privacy and data security legal scholars will lead a dialogue on the most instructive actions and cases from the past year.
10:15 — 10:30	Morning Break
10:30 — 11:45	Data security and breach regulation and litigation, including responding to regulators across jurisdictions in an ever-expanding breach notification environment	Bryant, D'Ambra, Shonka, Wilan*, Wilkinson
	New or revised privacy laws and regulations globally now usually include data breach notification requirements. When faced with a potential data breach, companies must determine how to respond to divergent notification requirements across jurisdictions. Companies also face an ever-increasing risk of litigation from regulators, individuals, or organizations. This panel will explore best practices associated with data breach response as related to notification requirements and preparing for potential litigation. Panelists will also lead a dialogue on the nuances of cross-border data transfers in the context of data breach litigation.
11:45 — 13:00	Data protection and security audit 101: Practical realities for audit preparation and response	Bryant, Jorgensen, Koning, Moncure*
	Data protection and security audit provisions are increasingly a part of new data protection laws and regulations, turning what was once a best practice into a mandatory legal requirement. This panel will examine how companies should prepare for and respond to such audits. Who should be involved in the audit? What exactly should be audited? Depending on the jurisdiction and situation, can privilege protections be applied to the audit? Panelists will lead a dialogue on these questions and other key points related to data protection and security audits.
13:00 — 14:00	Lunch (provided)

Panel Moderator*

Date:

Tuesday, June 13, 2023 - 7:30am to Wednesday, June 14, 2023 - 2:15pm

User login

Apply for an Invitation - International 2023

To apply for an invitation to the Program, click on “Apply Now” below. You will be directed to a new webpage. Once there, please complete the “Your Registration Info” section. Next, answer the questions under “Application Questionnaire” to provide some information on your background and experience. Then, continue through with the website prompts as though you are completing registration for the Program. You will not be charged unless and until your application has been accepted. If accepted to the Program, you will be charged registration fees as follows:

Regular Registration Fee:	$1895 USD
Government & Non-Profit Employee Registration Fee:	$1395 USD

Apply Now

Please contact our office at [email protected] for assistance or with any questions you may have.

Our financial aid policy is available upon request.

2023 International Programme Sponsorship Opportunities

Refund Policy

Refunds are available for cancellations made at least 21 days before the program is scheduled, less any credit card processing fees charged to The Sedona Conference. For cancellations made within 21 days of the program, no refunds are available but substitution of another individual from the same organization is permitted or a credit can be requested to be applied to a future Sedona program.