Article 29 Working Party Confirms that EU Standard Contractual Clauses and Binding Corporate Rules are Still Valid – for the Time-Being
The Article 29 Working Party has confirmed in a statement that EU Standard Contractual Clauses and Binding Corporate Rules are still valid data transfer mechanisms for the time being. The announcement was made following a meeting held to discuss the consequences of the Court of Justice of the European Union’s (“CJEU“) decision invalidating the US-EU Safe Harbor Framework and just one day after the European Commission announced that a political agreement had been reached on a new framework, the “EU-US Privacy Shield”.
New Framework on Transatlantic Data Flows Agreed – the “EU-US Privacy Shield”
The European Commission has announced that a political agreement has been reached on a new framework on transatlantic data flows. The announcement was made in a press conference on February 2nd by Vice President Ansip and Commissioner Jourová , in which the Commissioner expressed the hope that the new framework, dubbed the “EU-US Privacy Shield,” will be in force within three months. The Commissioner identified three key elements of this new framework: (i) strong obligations on companies handling the personal data of Europeans and robust enforcement; (ii) clear safeguards and transparency obligations on US government access; and (iii) effective protection of the rights of EU citizens, with several redress possibilities.
Essentially Equivalent: A Comparison of the Legal Orders for Privacy and Data Protection in the European Union and United States
In a milestone decision on transatlantic data protection, the Court of Justice of the European Union (CJEU) issued its judgment in the Schrems case, declaring the Commission decision on the EU-U.S. Safe Harbor agreement invalid. The CJEU declared that such a decision requires a finding that the level of protection of fundamental rights and freedoms in the laws and practices of the third country is “essentially equivalent” to that guaranteed within the EU. Given the CJEU’s decision, the Commission and data protection authorities are now called upon to examine the legal order in the U.S. and compare its level of protection to that within the EU.
This report provides a roadmap and resource for this comparison. Following the analysis laid out by the CJEU in Schrems, it shows how privacy values deeply embedded in U.S. law and practice have resulted in a system of protection of fundamental rights and freedoms that meets the test of essential equivalency.
Click here to view the executive summary.
Top Ten Data Protection and Privacy Issues to Watch in 2016
*This post originally appeared in Law360 on January 7, 2016.
While 2015 was a big year in data, 2016 may prove to be even bigger. Many hot button and game changing topics are being debated in legislative bodies and campaign trails, regulators are focused, and privacy-related litigation continues to rise. Below, we count down the top ten cybersecurity, data protection and privacy issues to watch in 2016.
European Parliament Adopts Surveillance Resolution Aimed at Mass Surveillance and Prompting Progress on Safe Harbor 2.0
On October 29, 2015, the European Parliament adopted a resolution on the electronic mass surveillance of EU citizens (the “Resolution”). Positioned as a follow-up to its resolution of 12 March 2014 in which the Parliament called for the immediate suspension of Safe Harbor and put forward a number of recommendations to limit access to personal data of European citizens as part of mass surveillance, the Resolution calls on the European Commission to “reflect immediately on alternatives to Safe Harbor and on the impact of the judgment [from the Court of Justice of the European Union in the Schrems case] on any other instruments for the transfer of personal data to the U.S.” It also calls for the European Commission to “report on the matter by the end of 2015.” In addition, the European Parliament demanded that the Commission urgently provide an update on the ongoing negotiations between US authorities and the Commission.
EU Commissioner Jourová encourages further progress amidst Safe Harbor fall out
The 37th Annual International Conference of Privacy Commissioners in Amsterdam last week was long planned around the proposals of the transatlantic Privacy Bridges Project for a series of concrete steps to bring the U.S. and EU closer together on privacy. But, with the CJEU’s Schrems decision blowing up the Safe Harbor bridge not long before the conference, there were many references to Safe Harbor as “the elephant in the room.” Perhaps aptly, the logo chosen for conference was a drawbridge.
Safeguards and Oversight of U.S. Surveillance Under Section 702
In Schrems v. Data Protection Commissioner, the Court of Justice of the European Union invalidated the US-EU Safe Harbor agreement on the basis that the European Commission had failed to sufficiently assess the protection of personal data of Europeans under the U.S. data protection regime. The Court alluded to U.S. surveillance activities under the PRISM program authorized by Section 702 of the Foreign Intelligence Surveillance Act, and appeared to assume U.S. law permits mass surveillance of Europeans with few limits, little clarity, and no opportunity for redress. However, the Court did not actually review or assess the applicable legal authorities, remedies, or array of checks and balances, safeguards, and independent oversight. If it had done so, it would have found numerous overlapping controls that assure that such surveillance is neither massive nor indiscriminate, but instead targeted to specific individuals and limited purposes, and provides legal remedies for Europeans. Indeed, prior to the scheduled expiration of the 702 program in 2017, U.S. congressional oversight committees will likely be comparing whether privacy safeguards in place for similar foreign programs are as effective as those of Section 702.
Significantly, the independent Privacy and Civil Liberties Oversight Board reviewed surveillance under Section 702 and found: “[T]the Section 702 program is not based on the indiscriminate collection of information in bulk. Instead the program consists entirely of targeting specific [non-U.S.] persons about whom an individualized determination has been made.” Key safeguards and controls include…
European Data Protection Authorities Give Companies Three Months to Assess New International Data Transfer Solutions and Call “Urgently” for Safe Harbor 2.0 – Model Contracts and Binding Corporate Rules Remain Viable
The Article 29 Working Party, which includes representatives from all EU Data Protection Authorities, released its much-awaited guidance on the judgment by the European Court of Justice declaring the European Commission’s decision on the Safe Harbor to be invalid. Described as “a collective and common position on the judgment,” the “first consequences to be drawn at European and national level” are as follows:
Safe Harbor: Your Questions Answered
The webinar “Safe Harbor Briefing: Your Questions Answered,” took place on October 8, 2015 at 4:30 pm BST through a partnership with Sidley Austin LLP and DataGuidance. Speakers for the briefing panel were Cameron Kerry, Senior Counsel, who as General Counsel of the U.S. Commerce Department led U.S. discussions with the EU on Safe Harbor, William Long, Partner, who advises on European privacy law and Maarten Meulenbelt, Partner, who advises on the EU regulatory affairs. Panelists discussed and answered attendees questions on the CJEU’s judgment, its impact on companies that have relied on Safe Harbor to transfer data, and what to do in response. See more:
The U.S. Government Largely Has Itself to Blame for the EU Court’s Safe Harbor Decision
Originally posted by the Council on Foreign Relations Net Politics Blog on October 8, 2015.
In a decision Tuesday that was as shocking as it was predictable, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor for westward bound international transfers of personal data. The companies whose information flows to the United States will be impeded by the EU decision need to look to the U.S. government and not just the EU for letting this mess happen.
The case stems from a complaint Max Schrems filed with the Irish Data Protection Authority about the privacy risks of using Facebook. He was concerned that electronic communications transferred to the United States would end up in the hands of the NSA’s PRISM program. PRISM involves the NSA’s use of a provision in the Foreign Intelligence Surveillance Act, section 702, that allows it to target non-U.S. persons located outside the United States for foreign intelligence purposes. This section only applies to collections from electronic communication service providers located in the United States.