Applications to Intervene in Privacy Shield Challenge
Last week, we posted a brief account of the two challenges that have been filed in the General Court of the Court of Justice of the European Union challenging the Privacy Shield, first by Digital Rights Ireland in September and then by La Quadrature du Net last Monday. Today, the Official Journal of the European Union published notice of the Digital Rights Ireland pleading, the first time it has been publicly available.
This posting means the clock has started running on applications to intervene. Applications to intervene are due in 60 days, or January 6, 2016. To establish a right to intervene, an application must include a statement of the circumstances showing “an interest in the result” of the case.
EU-U.S. Privacy Shield challenged in CJEU
Two legal challenges have been filed at the Court of Justice of the European Union (“CJEU”) against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield. Privacy Shield was adopted on July 12, 2016 after the CJEU struck down the earlier Safe Harbour agreement in October 2015 over concerns about U.S. surveillance techniques.
European Commission Considering Amendments to Standard Contractual Clauses for International Data Transfers
The European Commission has drafted amendments to the adequacy decisions that underpin the European Union’s Standard Contractual Clauses (“SCCs”) that allow businesses to transfer personal data originating in the European Economic Area (“EEA”) outside of the EEA. While the Commission has not published the full text of its proposals, they may have a significant practical impact on all businesses that rely on SCCs for international data transfers, including to the United States.
Evaluating the Dwindling Privacy Shield Grace Period
Now that we are into September, you may be hearing more about the Privacy Shield for transfers of personal data from the EU to the U.S., and in particular the 9 month “grace period” to fully implement the Privacy Shield for companies that certify within the first two months that the Privacy Shield is available for certification. The Department of Commerce began accepting certifications on August 1, 2016, and so the opportunity to take advantage of the grace period closes on September 30, 2016. This grace period does not, however, absolve companies of the responsibility to implement Privacy Shield principles and substantive obligations upon certification. Rather, it permits companies nine months from the date they certify to the Privacy Shield to negotiate amendments to their third party contracts with all vendors or other business partners that receive personal data from the certifying company.
Privacy Shield Now Available for Certification
From Monday August 1, 2016, companies will be able to self-certify under the EU-US Privacy Shield (www.privacyshield.gov). The Privacy Shield was adopted on July 12, 2016 and is intended as a replacement to the now invalidated Safe Harbor framework. Companies preparing to self-certify their adherence to the Privacy Shield Principles should carefully review the associated documentation to understand the new requirements and consider carrying out a gap analysis against their existing privacy program. This is particularly important given the potential for increased enforcement action from the US Federal Trade Commission against participating companies that fail to comply with the Principles. (more…)
EU Data Protection Authorities Adopt One-Year “Wait and See” Position On Privacy Shield
The Article 29 Working Party, on July 26, 2016 issued a statement on the final form of the EU-US Privacy Shield, which was formally adopted on July 12, 2016. Speaking at a press conference, Isabelle Falque-Pierrotin, chairman of the Article 29 Working Party, stated that the EU data protection authorities would not launch legal action of their own initiative in the next year but instead will wait until after the first annual review: “the first joint review will be a time in which we will make an evaluation of the Privacy Shield and also a time where additional propositions could be made … we want to be provided with additional clarification, additional evidence, possibly changes in the legislation.” (more…)
Privacy Shield: Essentially Equivalent
With the final Privacy Shield decision, the European Commission and United States Government have concluded several years of discussion and negotiation concerning the Safe Harbour framework and the new Privacy Shield. The effort and thought by negotiators, EU institutions, and stakeholders alike to reach this point reflect the importance of private life and data protection in EU society and the significance of data flows to transatlantic commerce and discourse. Sidley Senior Counsel Cam Kerry and Sidley Partner Maarten Meulenbelt discuss how the Privacy Shield meets the requirements of EU law and answer criticisms in Privacy Shield: Essentially Equivalent. For more, click here.
Formal Adoption of EU-US Privacy Shield
After many months of negotiation and review the EU-US Privacy Shield was formally adopted by the European Commission on July 12, 2016. This came just a few days after the Article 31 Committee approved the updated text of the EU-US Privacy Shield on July 8, 2016.
Privacy Shield Text Updated
The final text of the much anticipated EU-US Privacy Shield has been sent by the European Commission for review and approval to the Article 31 Committee, which includes representatives from all 28 Member States. Approval by the Article 31 Committee will pave the way for a final decision by the Commission adopting the Privacy Shield, expected on 11 July, 2016. If approved, the Privacy Shield will take effect as soon as the US Department of Commerce establishes a new process for US companies that wish to use the Privacy Shield as a legal basis for data transfers of personal data from the EU to certify in accordance with the new framework. Businesses should examine the final Privacy Shield documents and requirements and determine whether to proceed with certification once the Privacy Shield is approved.
Post-Brexit EU May Be Stranded By Its Own Data Rules
*This article first appeared in Forbes on July 1, 2016.
So now the European Union’s “sceptered isle” has voted to sever its bonds with its continental partners – with the wish that (as described in a Shakespeare passage memorized by every English schoolchild for generations) it can be set off by the sea “against the envy of less happier lands.” The outcome demonstrates the depth of dissatisfaction with a world that has become interconnected.
In the meantime, the EU is facing its own tensions with global interconnectedness that threaten to turn it into a virtual island as it heads further down the path of cutting off the flow of data to “third countries” outside the EU.