On 6 June 2016, the Hamburg Data Protection Commissioner issued fines against three international companies for failing to implement alternative data transfer mechanisms following the invalidation of Safe Harbor in October 2015.
Developments on the European data protection front continue at a fast pace. As the process of implementation of the now-final General Data Protection Regulation (GDPR) begins, the Article 29 Working Party (WP29) is announcing a workshop on implementation questions in Brussels in July. Meanwhile, uncertainty continues for trans-Atlantic data transfers as both the European Parliament and the European Data Protection Supervisor (EDPS) weigh in with views for negotiators on the EU-U.S. Privacy Shield, and the Irish Data Protection Commissioner (IDPC) announces the intention to initiate proceedings in the Irish High Court that may put before the Court of Justice of the European Union (CJEU) the validity of EU standard contractual clauses (or model contracts).
Senior legal, economic and privacy leadership from U.S. and European government joined Sidley partners and senior counsel as panel participants at the 2nd Annual Privacy and Cybersecurity Roundtable. An audience of more than 70 privacy professionals across financial, healthcare and technology industries heard from three panels that focused on the latest developments and prospective issues in cybersecurity, big data and EU privacy.
On April 13, the Article 29 Working Party announced that it had completed its assessment of the EU-U.S. Privacy Shield documentation. The announcement was followed by the release of a 58-page Opinion on the European Commission’s draft adequacy decision on the Privacy Shield.
Today, alleged extracts from the impending Article 29 Working Party Opinion on the adequacy of the Privacy Shield were leaked. These extracts indicate that a number of clarifications on the Privacy Shield documents will be required before the Working Party can confirm that the Privacy Shield, in its view, ensures a level of protection that is essentially equivalent to that in the EU. The full opinion is due to be published on Wednesday 13 April, and will form part of the package for consideration by the European Commission.
*This post originally appeared in the Council on Foreign Relations’ Net Politics Blog on March 1, 2016.
When the Court of Justice of the European Union (CJEU) struck down Safe Harbor last year, it did so on the basis that the European Commission had not determined whether European data transferred to the United States enjoyed the same protections as in the European Union. Despite the fact that a recent Sidley Austin report found that many U.S. privacy protections are essentially equivalent to—if not stronger than—the European Union’s in national security matters and comparable in other areas, the Commission clearly needed to replace Safe Harbor with something else to satisfy the CJEU and domestic privacy activists.
On February 29, 2016, the European Commission released the legal texts that will implement the EU-U.S. Privacy Shield, as well as a communication summarizing the actions taken over the last few years to “restore trust in transatlantic data flows since the 2013 surveillance revelations.”
The documents include a draft adequacy decision, the Privacy Shield principles that companies will have to abide by, as well as written commitments by the U.S. government, to be published in the U.S. Federal Register, on the enforcement of the arrangement, including assurance on the safeguards and limitations concerning access to data by public authorities. On March 2, 2016, Sidley and DataGuidance presented a live webinar to investigate the latest details of the agreement featuring Sidley partners William Long, who advises on European privacy law, Maarten Meulenbelt, who advises on EU regulatory affairs, Alan Charles Raul, co-leader and founder of Sidley’s Privacy, Data Security and Information Law practice, and Cameron Kerry, Senior Counsel and former General Counsel and Acting Secretary of the United States Department of Commerce.
The much-anticipated documentation for the EU-U.S. Privacy Shield, a new framework on transatlantic data flows, was published by the European Commission on February 29, 2016. The framework now will undergo a process of review and approval, including by the EU’s Article 29 Working Party, which is due to finish its review by the end of March 2016. If approved, it will take effect after an implementation period, during which all companies that wish to use the Privacy Shield as a basis for data transfers will have to certify in accordance with the new framework.
On February 2, 2016, the European Commission announced that an agreement had been reached regarding a new framework for the transfer of data to the U.S.: the EU-U.S. Privacy Shield. According to Vice-President of the European Commission, Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, who made the announcement, the new arrangement reflects the requirements set out by the Court of Justice of the European Union in Maximillian Schrems v. Data Protection Commissioner (C-362-14), and is due to come into force within three months. On February 5, Sidley and DataGuidance presented a live webinar to investigate the new agreement featuring Sidley partners William Long, who advises on European privacy law, Maarten Meulenbelt, who advises on EU regulatory affairs, and Alan Charles Raul, co-leader and founder of Sidley’s Privacy, Data Security and Information Law practice.
The Article 29 Working Party has confirmed in a statement that EU Standard Contractual Clauses and Binding Corporate Rules are still valid data transfer mechanisms for the time being. The announcement was made following a meeting held to discuss the consequences of the Court of Justice of the European Union’s (“CJEU”) decision invalidating the US-EU Safe Harbor Framework and just one day after the European Commission announced that a political agreement had been reached on a new framework, the “EU-US Privacy Shield”.