Call My Bluff

This post originally appeared in the Kluwer Competition Law Blog on October 20, 2015.

The European Commission (or to be more precise, and to point the finger in the right direction, DG Competition) has sweeping powers of investigation in cases of suspected infringement. Indeed, it has even sought and obtained powers that it then seems reluctant to use, such as the right to enter private homes in search of evidence. We still await in eager anticipation to see how it manages the first such intrusion into a domestic scene. In addition, it can call on the assistance of national authorities, some of whom have powers to go even further including bugging phones.

Why, then, does it on occasion pretend, or at least imply, to have powers that it does not possess?

European Data Protection Authorities Give Companies Three Months to Assess New International Data Transfer Solutions and Call “Urgently” for Safe Harbor 2.0 – Model Contracts and Binding Corporate Rules Remain Viable

The Article 29 Working Party, which includes representatives from all EU Data Protection Authorities, released its much-awaited guidance on the judgment by the European Court of Justice declaring the European Commission’s decision on the Safe Harbor to be invalid. Described as “a collective and common position on the judgment,” the “first consequences to be drawn at European and national level” are as follows:


Safe Harbor: Your Questions Answered

The webinar “Safe Harbor Briefing: Your Questions Answered,” took place on October 8, 2015 at 4:30 pm BST through a partnership with Sidley Austin LLP and DataGuidance. Speakers for the briefing panel were Cameron Kerry, Senior Counsel, who as General Counsel of the U.S. Commerce Department led U.S. discussions with the EU on Safe Harbor, William Long, Partner, who advises on European privacy law and Maarten Meulenbelt, Partner, who advises on the EU regulatory affairs. Panelists discussed and answered attendees questions on the CJEU’s judgment, its impact on companies that have relied on Safe Harbor to transfer data, and what to do in response. See more:

The U.S. Government Largely Has Itself to Blame for the EU Court’s Safe Harbor Decision

Originally posted by the Council on Foreign Relations Net Politics Blog on October 8, 2015.

In a decision Tuesday that was as shocking as it was predictable, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor for westward bound international transfers of personal data. The companies whose information flows to the United States will be impeded by the EU decision need to look to the U.S. government and not just the EU for letting this mess happen.

The case stems from a complaint Max Schrems filed with the Irish Data Protection Authority about the privacy risks of using Facebook. He was concerned that electronic communications transferred to the United States would end up in the hands of the NSA’s PRISM program. PRISM involves the NSA’s use of a provision in the Foreign Intelligence Surveillance Act, section 702, that allows it to target non-U.S. persons located outside the United States for foreign intelligence purposes. This section only applies to collections from electronic communication service providers located in the United States.

Alan Charles Raul

Washington, D.C., New York

Safe Harbor Declared Invalid by European Court of Justice

Today the European Court of Justice (“ECJ”) issued its judgment in the Max Schrems case in which it declared the European Commission’s decision on Safe Harbor as invalid. The Commission’s decision in 2000 found that companies participating in the US Department of Commerce Safe Harbor framework were operating under an “adequate” data protection regime and could thus rely on the Safe Harbor as a permissible basis to transfer personal information from the EU to the US.  The judgment comes less than two weeks after the publication of the opinion from Advocate General Bot in which he advised that national Data Protection Authorities (“DPAs”) must be able to investigate an individual request to suspend data flows to the US by a company certified under the Safe Harbor scheme, and in which he also found the Safe Harbor scheme to be invalid.


Dawn Raids in the EU: Commission Asserts Power to Search Private Devices and Collect Personal Data in EU Antitrust Investigations

The European Commission has announced its intention to make broader use of its wide-ranging investigative powers, including that it intends to search and seize private devices found on company premises and gather personal data of company employees in the context of antitrust investigations. To prepare for such exercise of powers, companies should consider updates to internal IT policies, dawn raid manuals and dawn raid checklists, and training their staff for potentially expanded data requests.


Expanding the Digital Economy Through Data

Originally posted by the U.S. Chamber Foundation, Sept. 22, 2015, as part of a series of articles relating to the Internet of Everything project. Read more at

The reverberations throughout global markets of China’s economic slowdown and stock market fall remind us once again how much the world’s major economies depend on each other.

Nowhere is this more true than between the European Union and the United States, the world’s two largest economic entities.  Together, they account for one-half of the world’s GDP and about one-third of its trade flows.  So the United States has a significant stake in the success of the European Commission’s Digital Single Market Strategy. Its promise of economic growth for Europe will help to lift the American economy as well, and Americans share the Commission’s vision of information and communications technology as “the foundation of all modern innovative economic systems.” Read More

Opinion by ECJ Advocate General Finds Safe Harbor Invalid

In a seismic recommendation, Advocate General Yves Bot at the European Court of Justice (ECJ) issued his opinion in the closely watched Max Schrems case challenging the U.S.-EU Safe Harbor Agreement and has found Safe Harbor to be invalid. The opinion is not legally binding on the ECJ, although the Court most often follows the opinions of the Advocate General. The Advocate General recommendation makes the status of the existing Safe Harbor agreement even more uncertain, but acknowledges negotiations between the European Commission and the U.S. for an updated agreement and may leave room for a different result if such an agreement addresses concerns in the opinion about U.S. bulk surveillance.


EU-US Data Protection “Umbrella Agreement” Finalised

A new EU-US data protection “Umbrella Agreement” has been finalized which once in force will implement a high-level data protection framework to cover the transfer of personal data from the EU to US authorities for the purposes of law enforcement.  Although this new agreement relates only to the transfer of information for law enforcement purposes, those issues have been particularly sensitive post-Snowden.  Accordingly, the finalization of this agreement may alleviate a particular point of contention and suggest that the overall discussions on the EU-US Safe Harbor are more likely to result in the continuation of that broader agreement.


ICO Orders Google to Remove Links

On August 18, 2015, the UK Information Commissioner’s Office (ICO) issued an enforcement notice against Google ordering the removal of nine search results that linked to information about a certain individual’s criminal offence.