Oct 62015

Safe Harbor Declared Invalid by European Court of Justice

William RM Long, Cameron F. Kerry and Maarten Meulenbelt
, , , ,

Today the European Court of Justice (“ECJ”) issued its judgment in the Max Schrems case in which it declared the European Commission’s decision on Safe Harbor as invalid. The Commission’s decision in 2000 found that companies participating in the US Department of Commerce Safe Harbor framework were operating under an “adequate” data protection regime and could thus rely on the Safe Harbor as a permissible basis to transfer personal information from the EU to the US.  The judgment comes less than two weeks after the publication of the opinion from Advocate General Bot in which he advised that national Data Protection Authorities (“DPAs”) must be able to investigate an individual request to suspend data flows to the US by a company certified under the Safe Harbor scheme, and in which he also found the Safe Harbor scheme to be invalid.

In a press conference held following the publication of the judgment, the Commission confirmed that its objectives are: (i) to guarantee the protection of individuals’ personal data when transferred to the US; (ii) to step-up ongoing talks with US authorities about continuing transatlantic data flows and in particular, in respect of finalising a new Safe Harbor version 2.0; and (iii) to issue guidance to national DPAs to ensure a coordinated response to the ECJ’s judgment during this transitional period. Commissioner Vera Jourová said that transatlantic data transfers can continue under legal basis other than Safe Harbor.

Businesses relying on the US-EU Safe Harbor scheme, whether for intra-group transfers or for transfers from or to third parties, will need to reassess their international data transfer solution and decide whether to adopt alternative solutions such as Binding Corporate Rules or EU standard contractual clauses, or whether to rely on one of various derogations such as where the transfer is necessary to perform a contract or based on the individuals’ consent. Also, the Court’s judgment implies that DPAs will need to assess whether the level of protection in the US for a specific type of data transfer is “essentially equivalent” to the level of protection in the EU.

William RM Long

London

wlong@sidley.com

Cameron F. Kerry

ckerry@sidley.com

Maarten Meulenbelt

Brussels

mmeulenbelt@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.