The 14th Annual Sedona Conference International Programme on Cross-Border Data Transfers and Data Protection Laws

Tuesday, June 13, 2023 - 8:30am to Wednesday, June 14, 2023 - 1:00pm

The Westin Valencia
Valencia, Spain

The 14th Annual Sedona Conference International Programme on Cross-Border Data Transfers and Data Protection Laws will be held on 13-14 June 2023 at The Westin Valencia in Valencia, Spain. There will be a welcome reception at the hotel in the evening of 12 June, from 18:00 - 20:00.

The Programme will address cross-border data transfers relating to commercial operations, government investigations, and discovery in litigation, and the related compliance, privacy and security issues.

Unlike other continuing legal education programs, all faculty members are present for the entire Programme and participate in all aspects of the Programme. The format involves dialogue not only among faculty members, but also with the Programme participants, who are invited and encouraged to contribute their comments and perspectives to the dialogue.

Attendance at the Programme is by invitation only to ensure a proper balance of participants and is limited in size to ensure that we have an intimate environment for meaningful dialogue.

Working Group Meetings

In the afternoon of 14 June, from 13:30-17:30, there will be a members' meeting of The Sedona Conference Working Group 6 on International Electronic Information Management, Discovery and Disclosure (WG6). In the morning of 15 June, from 9:00-12:30, there will be a members' meeting of The Sedona Conference Working Group 11 on Data Security and Privacy Liability (WG11).

You must be a Working Group Series (WGS) member to attend the WG6 and WG11 meetings.

If you are a WGS member who would like to attend either or both of the meetings, please indicate this during the application process for the International Programme – you will be prompted to select which meeting(s) you plan to attend.

If you are not a WGS member, you can sign up for a WGS membership here. Once a WGS member, one is eligible to become a member and take part in the activities of all Working Groups, including WG6 and WG11. If you have any questions about how to sign up for a membership or encounter any difficulties while doing so, please contact our office at [email protected].

Corporate Counsel Meeting

There will be a meeting of corporate counsel, with the date and location to be determined. The meeting is limited to corporate counsel and The Sedona Conference leadership to discuss and benchmark cross-border transfer best practices in a more relaxed and informal setting. This intimate forum will allow for a discussion of issues of specific importance to in-house counsel. If you are invited to participate in the Programme, the organizers of this meeting will contact you separately with more details.

Hotel Reservation Information

We have arranged for a very favorable group room rate at The Westin Valencia of EUR 180 (single) and EUR 200 (double) per night (plus 10% VAT) for a limited block of Deluxe rooms on the evenings of 12 - 14 June 2023. The group rate includes the breakfast buffet at The Rosmarino restaurant. The group rate will be available for 3 nights preceding and 3 nights following the dates of the room block, but subject to availability of Deluxe rooms. The Westin will be holding the block of rooms until 15 May 2023, after which any unsold rooms will be released for sale to the general public. After 15 May 2023, rooms will be subject to availability. Reservation information will be provided in your registration confirmation email.


The Sedona Conference will seek CLE accreditation for this programme in selected jurisdictions, as dictated by attendance.  



Norton Rose Fulbright US LLP

New York, NY, USA

SafeGuard Privacy Inc.

Sarasota, FL, USA


Spring, TX, USA

Confirmed Faculty


Madrid, Spain

U.S. District Court, Eastern District of Pennsylvania

Philadelphia, PA, USA

Volkswagen Group of America

Herndon, VA, USA

FTI Consulting

London, United Kingdom

European Data Protection Supervisor

Brussels, Belgium


Birmingham, AL, USA

Han Kun Law Offices

Beijing, China

Studio Legale Fabiano

Milan, Italy

IAB Europe

Brussels, Belgium

Center for Information Policy Leadership

Brussels, Belgium

Data Protection Commission

Dublin, Ireland

The Sylint Group

Sarasota, FL, USA


Waterloo, Belgium

Bennett Jones LLP

Toronto, ON, Canada

European Academy for Freedom of Information & Data Protection

Berlin, Germany

Redgrave LLP

Chantilly, VA, USA

Crowell & Moring LLC

San Francisco, CA, USA

IAB Europe

Brussels, Belgium


Milan, Italy

Sidley Austin LLP

Washington, DC, USA

Clyde & Co

Abu Dhabi, United Arab Emirates

Brazilian Data Protection Authority (ANPD)

Brasilia, Brazil

The Sedona Conference

Phoenix, AZ, USA

AlixPartners LLP

Shanghai, China

14th Annual International Programme Agenda

Time Session Panelists
  Monday, 12 June 2023  
18:00 — 20:00 Welcome Reception (guests invited)  
  Tuesday, 13 June 2023  
7:30 — 8:30 Sign-in  
8:30 — 8:45 Welcome and overview D'Ambra, Matus, Moncure, Weinlein
8:45 — 10:00 EU-U.S. data transfers and the EU-U.S. Data Privacy Framework: What's next? Alvarez, Brady, Gerlach*, Koning, Promislow
  In the wake of the July 2020 landmark decision of the European Court of Justice (ECJ), Schrems II, that struck down the EU-U.S. Privacy Shield, parties on both sides of the Atlantic began work in earnest on a new framework for data transfers between the EU and U.S. that could withstand ECJ scrutiny. In March 2022, an “agreement in principle” was reached on such a framework – the EU-U.S. Data Privacy Framework (“Framework”). Subsequent efforts to turn that “agreement in principle” into a legal framework, including the October 2022 White House Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities, resulted in the European Commission releasing a draft adequacy decision for the Framework in December 2022. The panel will lead a dialogue on the structure and contents of the Framework; the efficacy of the Commission’s draft adequacy decision; the likelihood of avoiding a potential Schrems III; what the ideal mechanism for EU-U.S. data transfers would look like; and the broader context of international efforts to achieve free data flows with trust.  
10:00 — 10:15 Morning Break  
10:15 — 11:15 Global approaches to regulating AI: Convergence or divergence? Promislow*, State, Tommasone, Wilkinson, Wimmer
  In early 2021, the European Commission proposed the first-ever legal framework for AI, the “Proposal for a Regulation laying down harmonised rules on artificial intelligence” (or the “Artificial Intelligence Act”). The regulation’s main focus is on specific risks surrounding AI and the categorization of such risks. Around the same time, the U.S. Federal Trade Commission (FTC) released Business Guidance noting the FTC’s perception that AI could inadvertently introduce bias or other unfair outcomes and warned of the potential applicability of Section 5 of the FTC Act, the Fair Credit Reporting Act, and the Equal Credit Opportunity Act. The Artificial Intelligence Act and the FTC’s Business Guidance appear to suggest a more restrictive approach to AI on the part of regulators in the EU and the U.S. The government of the United Kingdom, however, may be headed in a different direction – with innovation as a priority. In June 2022, the Secretary of State for Digital, Culture, Media and Sport (DCMS) presented to the UK Parliament a policy paper entitled, “Establishing a pro-innovation approach to regulating AI.” The panel will lead a dialogue on the strengths and weaknesses of these varying jurisdictional approaches in the infancy of AI regulation. The panel will also consider whether AI is the new battleground for international commercial supremacy, and if so, how that can be expected to impact the evolution of regulation of AI across the globe.  
11:15 — 12:15 What does the future hold for online advertising under the GDPR, in California and elsewhere? Alvarez, Feehan, Gerlach, Jorgensen, Matus*, Talavera de la Esperanza
  In February 2022, the Litigation Chamber of the Belgian Data Protection Authority (APD) found that the Internet Advertising Bureau Europe’s (IAB Europe) Transparency and Consent Framework (TCF) violated several GDPR provisions and, accordingly, imposed a €250,000 fine. Under the TCF, consent management platforms (CMPs) capture the preferences of online users in TC Strings (digital strings containing user preferences). The APD held that IAB Europe – as well as CMPs, publishers and participating ad tech vendors – lacked a valid legal basis for the processing of personal data through the TCF. In January 2023, APD approved IAB Europe’s action plan to bring processing of personal data under the TCF into compliance with the GDPR. The implementation of the action plan, however, will entail operating changes for TCF participants that may ultimately be found inadequate by the ECJ. Meanwhile, in California, the CCPA was amended specifically to capture the practice of “sharing” personal information in online advertising, as opposed to merely its “sale,” leading to new contractual requirements. The CCPA also now includes new provisions specifically to "target" targeted advertising. Finally, in November 2022, the UK Competition and Markets Authority (CMA) announced a new effort to look into Business to Consumer (B2C) online sales practices. The panel will compare and contrast the aforementioned developments in the EU, California, and the UK, and assess the trend lines for online internet advertising vis-à-vis data protection regulations globally.  
12:15 — 13:15 Lunch  
13:15 — 14:30 Data protection authority (DPA) roundtable Cervera Navas, Hurley, Moncure*, Wimmer
  Global DPAs will lead a dialogue on their respective challenges and priorities in both their enforcement and advisory roles under global data protection regimes. The dialogue will also address technological developments and data transfer mechanisms (e.g., SCCs; EU-U.S. Data Privacy Framework).  
14:30 — 14:45 Afternoon Break  
14:45 — 16:00 Insights from former DPAs Fabiano, Matus*, Schaar, Shonka
  Examining issues of cross-border data transfers and data protection can look very different for a regulator than a business or other organization. How does being a DPA shape one’s view of the issues? This panel brings together former DPAs from across the globe who have experience on both sides of the regulatory divide to dialogue on what they see as the most important trends in the data protection field, how working in a regulatory capacity has changed how they speak with organizations about data protection, and what they see as the critical foci for DPAs.  
16:00 — 17:00 Operating under China's Personal Information Protection Law (PIPL) D'Ambra*, Duan, State, Wilan, Yu
  China’s PIPL went into effect on November 1, 2021, and in June 2022, China issued administrative rules fleshing out the restrictions on cross-border data transfers in addition to the requisite steps required to obtain regulatory approval of such transfers. These steps include (1) clearing a security assessment approved by the Cyberspace Administration of China (CAC) and (2) either obtaining a personal information protection certification from a professional institution designated by the CAC or entering into a standard format data transfer agreement with the foreign recipient of the data. Unfortunately, the exact metes and bounds of this complex process remain largely unclear, leaving multinational companies in a difficult position when conducting investigations or cross-border discovery of data in China. Our panel will share first-hand experience with navigating the challenges of the PIPL and other Chinese data protection laws and will provide practical tips on addressing these challenges.  
17:00 — 19:00 Reception (guests invited)  
  Wednesday, 14 June 2023  
8:00 — 9:00 Sign-in  
9:00 — 10:15 Cross-border data transfers regulatory action and case law update Baylson, Brady, Drum, Scorza, Withers*
  Each year, the International Programme features a detailed discussion of recent regulatory actions and court decisions on privacy, data security, and cross-border data transfer issues. This year’s panel of privacy and data security legal scholars will lead a dialogue on the most instructive actions and cases from the past year.  
10:15 — 10:30 Morning Break  
10:30 — 11:45 Data security and breach regulation and litigation, including responding to regulators across jurisdictions in an ever-expanding breach notification environment Bryant, D'Ambra, Shonka, Wilan*, Wilkinson
  New or revised privacy laws and regulations globally now usually include data breach notification requirements. When faced with a potential data breach, companies must determine how to respond to divergent notification requirements across jurisdictions. Companies also face an ever-increasing risk of litigation from regulators, individuals, or organizations. This panel will explore best practices associated with data breach response as related to notification requirements and preparing for potential litigation. Panelists will also lead a dialogue on the nuances of cross-border data transfers in the context of data breach litigation.  
11:45 — 13:00 Data protection and security audit 101: Practical realities for audit preparation and response Bryant, Jorgensen, Koning, Moncure*
  Data protection and security audit provisions are increasingly a part of new data protection laws and regulations, turning what was once a best practice into a mandatory legal requirement. This panel will examine how companies should prepare for and respond to such audits. Who should be involved in the audit? What exactly should be audited? Depending on the jurisdiction and situation, can privilege protections be applied to the audit? Panelists will lead a dialogue on these questions and other key points related to data protection and security audits.  
13:00 — 14:00 Lunch (provided)  

Panel Moderator*

Tuesday, June 13, 2023 - 7:30am to Wednesday, June 14, 2023 - 2:15pm