Safe Harbor Data Privacy Briefing: Your Questions Answered by Giovanni Buttarelli
Everyone is talking about the European Court of Justice’s landmark judgment that declared the EU-U.S. Safe Harbor invalid.
As a follow-up to our webinar on October 8, “What Safe Harbor’s Invalidation Means for Your Business” took place on October 20, 2015 through a partnership with Sidley Austin LLP and DataGuidance. The European Data Protection Supervisor, Giovanni Buttarelli, held a special Q&A session where he shared his invaluable perspective on how the CJEU’s recent judgment will impact the business landscape. Mr. Buttarelli was joined by Sidley partners William Long, who advises on European privacy law, Maarten Meulenbelt, who advises on the EU regulatory affairs, and Alan Charles Raul, co-leader and founder of Sidley’s Privacy, Data Security and Information Law practice.
European Data Protection Authorities Give Companies Three Months to Assess New International Data Transfer Solutions and Call “Urgently” for Safe Harbor 2.0 – Model Contracts and Binding Corporate Rules Remain Viable
The Article 29 Working Party, which includes representatives from all EU Data Protection Authorities, released its much-awaited guidance on the judgment by the European Court of Justice declaring the European Commission’s decision on the Safe Harbor to be invalid. Described as “a collective and common position on the judgment,” the “first consequences to be drawn at European and national level” are as follows:
Safe Harbor: Your Questions Answered
The webinar “Safe Harbor Briefing: Your Questions Answered,” took place on October 8, 2015 at 4:30 pm BST through a partnership with Sidley Austin LLP and DataGuidance. Speakers for the briefing panel were Cameron Kerry, Senior Counsel, who as General Counsel of the U.S. Commerce Department led U.S. discussions with the EU on Safe Harbor, William Long, Partner, who advises on European privacy law and Maarten Meulenbelt, Partner, who advises on the EU regulatory affairs. Panelists discussed and answered attendees questions on the CJEU’s judgment, its impact on companies that have relied on Safe Harbor to transfer data, and what to do in response. See more:
The U.S. Government Largely Has Itself to Blame for the EU Court’s Safe Harbor Decision
Originally posted by the Council on Foreign Relations Net Politics Blog on October 8, 2015.
In a decision Tuesday that was as shocking as it was predictable, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor for westward bound international transfers of personal data. The companies whose information flows to the United States will be impeded by the EU decision need to look to the U.S. government and not just the EU for letting this mess happen.
The case stems from a complaint Max Schrems filed with the Irish Data Protection Authority about the privacy risks of using Facebook. He was concerned that electronic communications transferred to the United States would end up in the hands of the NSA’s PRISM program. PRISM involves the NSA’s use of a provision in the Foreign Intelligence Surveillance Act, section 702, that allows it to target non-U.S. persons located outside the United States for foreign intelligence purposes. This section only applies to collections from electronic communication service providers located in the United States.
Safe Harbor Declared Invalid by European Court of Justice
Today the European Court of Justice (“ECJ”) issued its judgment in the Max Schrems case in which it declared the European Commission’s decision on Safe Harbor as invalid. The Commission’s decision in 2000 found that companies participating in the US Department of Commerce Safe Harbor framework were operating under an “adequate” data protection regime and could thus rely on the Safe Harbor as a permissible basis to transfer personal information from the EU to the US. The judgment comes less than two weeks after the publication of the opinion from Advocate General Bot in which he advised that national Data Protection Authorities (“DPAs”) must be able to investigate an individual request to suspend data flows to the US by a company certified under the Safe Harbor scheme, and in which he also found the Safe Harbor scheme to be invalid.
Expanding the Digital Economy Through Data
Originally posted by the U.S. Chamber Foundation, Sept. 22, 2015, as part of a series of articles relating to the Internet of Everything project. Read more at uschamberfoundation.org/ioe.
The reverberations throughout global markets of China’s economic slowdown and stock market fall remind us once again how much the world’s major economies depend on each other.
Nowhere is this more true than between the European Union and the United States, the world’s two largest economic entities. Together, they account for one-half of the world’s GDP and about one-third of its trade flows. So the United States has a significant stake in the success of the European Commission’s Digital Single Market Strategy. Its promise of economic growth for Europe will help to lift the American economy as well, and Americans share the Commission’s vision of information and communications technology as “the foundation of all modern innovative economic systems.” Read More
Opinion by ECJ Advocate General Finds Safe Harbor Invalid
In a seismic recommendation, Advocate General Yves Bot at the European Court of Justice (ECJ) issued his opinion in the closely watched Max Schrems case challenging the U.S.-EU Safe Harbor Agreement and has found Safe Harbor to be invalid. The opinion is not legally binding on the ECJ, although the Court most often follows the opinions of the Advocate General. The Advocate General recommendation makes the status of the existing Safe Harbor agreement even more uncertain, but acknowledges negotiations between the European Commission and the U.S. for an updated agreement and may leave room for a different result if such an agreement addresses concerns in the opinion about U.S. bulk surveillance.
PLI Issues Cybersecurity Treatise
The Practising Legal Institute has published “Cybersecurity: A Practical Guide to the Law of Cyber Risk,” a treatise edited by Ed McNicholas and Vivek Mohan of Sidley Austin LLP. This “Sidley on Cybersecurity” treatise sets out in a clear and readable manner the complex legal framework for cybersecurity in the United States. We hope that it will be a practical legal guide for in-house attorneys, IT leaders, senior executives, and corporate directors concerned about cybersecurity risk.
Privacy advocates abandon Commerce Department multistakeholder process on facial recognition technology code of conduct
The National Telecommunications and Information Administration (“NTIA”), housed within the U.S. Commerce Department, has been facilitating a multistakeholder process to develop privacy safeguards for the commercial use of facial recognition technology since December of 2013—with the first in person meeting held in February 2014. NTIA seeks to create a voluntary, enforceable code of conduct applying the administration’s privacy framework, including its proposed Consumer Privacy Bill of Rights, to facial recognition technology in a commercial context. After a little over a year in talks, and shortly after the NTIA’s 12th meeting, the process has broken down. On Monday, June 15, a joint statement signed by representatives of multiple privacy advocacy groups, including the Center for Democracy and Technology, the Electronic Frontier Foundation, Consumer Watchdog and the ACLU, declared that they “have decided to withdraw from further negotiations” because the process has been unable to elicit agreement “on any concrete scenario where companies should employ facial recognition only with a consumer’s permission.” The joint statement further argues that “[t]he position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.”
Google Inc. v. Vidal-Hall: Opening the Doors to EU Data Protection Litigation?
The English Court of Appeal has recently issued a landmark judgment against Google which could open the door to data privacy litigation in the EU.
The case concerned the collection by Google of Safari users’ browser information, allegedly without their knowledge or consent. In its opinion, the Court of Appeal held that four individuals who used Safari browsers can bring a claim for breach of privacy and that the damages claimed can include distress – even in circumstances where there is no financial loss, as this had been the intention of the EU’s Data Protection Directive. To reach this result, the Court relied on EU legal authorities to override and displace limitations on recovery under the UK Data Protection Act.