Appendix 2: Available Mechanisms to Ensure Data Protection in Cross-Border Data Flows

	Statutory Criteria for cross-border data flows	Standard Contractual Clauses	Model Contractual Clauses	Binding Scheme	Adequacy Assessment
CPPA	No. Cross-border data flows are not specifically addressed in the legislation.	No.	Not specifically mentioned but possible via Commissioner Guidance under s. 109(b).	Not specifically mentioned for cross border data flows, but provisions for Codes of Practice (s. 76) and Certification Programs (s. 77) could apply in the context of cross-border transfers.	No.
GDPR	Arts. 44-50 set out detailed criteria for cross-border transfers.	Art. 46(2)(c) and (d) provide for Standard Contractual Clauses.	GDPR 46(3)(a) – contractual clauses approved by the supervisory authority.	Article 47 provides for binding corporate rules Article 46(2)(e) provides for Codes of Practice Article 46(2)(f) provides for Certification Programs.	Article 45 provides for transfers on the basis of adequacy decisions.
Australia	Australian Privacy Principle 8 governs cross-border data transfers.	No.	OAIC guidance provided in the form of a list of considerations for contractual arrangements.	Australian Privacy Principle 8.2(a) – could be an enforceable privacy code or a set of binding corporate rules.	Accountability shifts to overseas organization where the Australian entity can demonstrate a “reasonable belief” that the offshore entity is subject to a law or binding scheme that offers “substantially similar protection”. Factors for assessing substantial similarity are provided in OAIC Guidance.
New Zealand	Information Privacy Principle 12 addresses “Disclosure of Personal Information outside New Zealand”.	No.	Model Clauses are provided in Guidance by the Privacy Commissioner.	Prescribed binding schemes are ones specified by regulations. No regulations have been made at the time of writing.	Overseas disclosures are permitted where an organization “believes on reasonable grounds” that the recipient organization is “subject to privacy laws that, overall, provide comparable safeguards”. Guidance is provided by Privacy Commissioner as to how to assess “comparable safeguards”.
Quebec (Bill 64)	Section 17Footnote * sets out factors to consider in assessing adequacy of protection in destination jurisdiction and to aid in addressing any deficiencies in the contract between the parties.	No.	No specific provision is made for these.	No.	Organizations are obligated to consider the equivalency of the legal framework in the country of transfer. Section 17.1 provides for the government to publish a list of jurisdictions considered to offer an equivalent level of protection.