Today the European Court of Justice (“ECJ”) issued its judgment in the Max Schrems case in which it declared the European Commission’s decision on Safe Harbor as invalid. The Commission’s decision in 2000 found that companies participating in the US Department of Commerce Safe Harbor framework were operating under an “adequate” data protection regime and could thus rely on the Safe Harbor as a permissible basis to transfer personal information from the EU to the US. The judgment comes less than two weeks after the publication of the opinion from Advocate General Bot in which he advised that national Data Protection Authorities (“DPAs”) must be able to investigate an individual request to suspend data flows to the US by a company certified under the Safe Harbor scheme, and in which he also found the Safe Harbor scheme to be invalid.
In a seismic recommendation, Advocate General Yves Bot at the European Court of Justice (ECJ) issued his opinion in the closely watched Max Schrems case challenging the U.S.-EU Safe Harbor Agreement and has found Safe Harbor to be invalid. The opinion is not legally binding on the ECJ, although the Court most often follows the opinions of the Advocate General. The Advocate General recommendation makes the status of the existing Safe Harbor agreement even more uncertain, but acknowledges negotiations between the European Commission and the U.S. for an updated agreement and may leave room for a different result if such an agreement addresses concerns in the opinion about U.S. bulk surveillance.
A new EU-US data protection “Umbrella Agreement” has been finalized which once in force will implement a high-level data protection framework to cover the transfer of personal data from the EU to US authorities for the purposes of law enforcement. Although this new agreement relates only to the transfer of information for law enforcement purposes, those issues have been particularly sensitive post-Snowden. Accordingly, the finalization of this agreement may alleviate a particular point of contention and suggest that the overall discussions on the EU-US Safe Harbor are more likely to result in the continuation of that broader agreement.
On August 18, 2015, the UK Information Commissioner’s Office (ICO) issued an enforcement notice against Google ordering the removal of nine search results that linked to information about a certain individual’s criminal offence.
One year after the Data Retention and Investigatory Powers Act 2014 (“DRIPA”) received royal assent on 17 July 2014, the English High Court issued a landmark judgment in David & Ors v Secretary of State for the Home Department  EWHC 2092 (Admin) declaring DRIPA to be unlawful.
Following the adoption of the EU Data Protection Regulation by the Council of Ministers last week, today saw the first meeting of the European Commission, European Parliament and Council of Ministers under what is known as the trilogue process, with the aim of negotiating the final wording of the Regulation.
More than three years after the initial proposal for the EU Data Protection Regulation was published by the European Commission, it has been agreed by Europe’s Council of Ministers. The negotiations will now start between the commission, the European Parliament and the Council, in what is known as the “Trilogue” process, to agree the final text of the regulation, which is widely expected to be adopted by the end of 2015 or early 2016. The regulation, once adopted, will have a significant impact not only on EU companies but also on U.S. and other international companies that conduct business in the EU.
This week we moved one step closer to the adoption of the proposed EU Data Protection Regulation with the agreement by the Council of Ministers on its proposals for the draft Regulation. The Regulation has been described as the most lobbied piece of European legislation in history and, once adopted, will have a significant impact on governments, businesses and individuals.
Data Protection Law & Policy
In the last few years, privacy has evolved to become a topic of concern for more and more people. Recent studies have also shown that people have stopped using a particular product or service because they were worried about how it used their personal data. However, what is less clear is whether this is a concern for all generations or does the common perception that young people do not care about their privacy hold some element of truth? William Long, Geraldine Scali and Francesca Blythe, Partner, Senior Associate and Associate respectively at Sidley Austin LLP, explore this question.
The first edition of The Privacy, Data Protection and Cybersecurity Law Review appears at a time of extraordinary policy change and practical challenge for this field of law and regulation. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication.
Editor’s Preface, Alan Charles Raul
- Chapter 1, “European Union Overview,” William Long, Geraldine Scali and Alan Charles Raul
- Chapter 2, “APEC Overview,” Catherine Valerio Barrad and Alan Charles Raul
- Chapter 9, “Hong Kong,” Yuet Ming Tham and Joanne Mok
- Chapter 12, “Japan,” Takahiro Nonaka
- Chapter 16, “Singapore,” Yuet Ming Tham, Ijin Tan and Teena Zhang
- Chapter 20, “United Kingdom,” William Long and Geraldine Scali
- Chapter 21, “United States,” Alan Charles Raul, Tasha D Manoranjan and Vivek Mohan