Search results for: safe harbor

As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce.  Commerce’s release coincided with the release of a draft adequacy decision by the European Commission.

A number of the Privacy Shield principles, notably in enforcement, onward transfer, and regular review, are significantly more stringent than the Safe Harbor.  In light of these new obligations, among others, privacy professionals should carefully consider whether this data-transfer framework is right for their companies.

  1. Tougher and Binding Remedies and Enforcement

In addition to FTC enforcement under Section 5, the Principles encourage individuals to bring their complaints directly to the organization at issue, to which the signatory must respond within 45 days.  If the complaint is not resolved, the consumer may bring his or her complaint before an independent dispute resolution body.  The Principles allow signatories to utilize U.S.- or EU-based dispute resolution bodies, or a panel of EU member state data protection authorities (DPAs).Continue Reading Privacy Shield: Top Five Reasons It’s Tougher Than the Safe Harbor, Whether You Should Certify, and Next Steps

Today (February 2nd, 2016), the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.
Continue Reading Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield

The Senate Judiciary Committee today successfully reported H.R. 1428, the Judicial Redress Act of 2015.  However, the bill included an amendment to the House-passed version that has the potential to influence current negotiations between the United States and the European Union to reach a new Safe Harbor agreement.

As we
Continue Reading Senate Committee Passes Judicial Redress Act, May Assist Safe Harbor Negotiations

By Monika Kuschewsky and Vera Coughlan

Following the judgment of the Court of Justice of the EU of October 6 in the Schrems case (Case C-362/14) (see our previous blog post here), today, the European Commission issued guidance on transfers of personal data from the EU to the U.S. post Schrems. For the press release see here, Q&As here and the Commission Communication here.

In large, the guidance confirms the status quo and summarizes existing guidance of the Article 29 Data Protection Working Party (“WP29”), the EU advisory body on privacy comprised of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the Commission, and the WP29’s statement of October 16 (see our previous blog post here). Most notably, the Commission joins the WP29 in the position that alternative tools authorizing data flows can still be used by companies for lawful data transfers to third countries, including to the U.S. The Commission then further explains each of these alternative tools in more detail:
Continue Reading European Commission issues guidance on the impact of the Schrems (Safe Harbor) ruling of the EU’s Highest Court

Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here).  This 14-point position paper follows a meeting that these authorities held last week.  Key points
Continue Reading Schrems (Safe Harbor) Judgment – German Data Protection Authorities Issue Position Paper

The Article 29 Data Protection Working Party (“Article 29 WP”), an EU advisory body on data protection composed of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the European Commission, met in plenary on Thursday, October 15, to discuss the first consequences of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems case (see our previous blog post here). In a press release (see here) on October 16, they emphasize that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgment.” They will closely observe the pending procedures before the Irish High Court, which is expected to issue a judgment in November, now that the case has been referred back to it by the CJEU.

The key take-aways from the Article 29 WP’s press release are that:

  • data transfers under the European Commission’s Safe Harbor decision after the CJEU judgment are unlawful;
  • the Article 29 WP will analyze the impact of the CJEU judgment on other transfer tools − during this period standard contractual clauses and Binding Corporate Rules (“BCRs”) can still be used;
  • grace period: DPAs will take action, including coordinated enforcement action, if by the end of January 2016 no appropriate solution with the U.S. authorities is found (depending on the assessment of the other transfer tools); and
  • in the meantime, DPAs can investigate in particular cases and exercise their powers to protect individuals, for instance, in case of a complaint.

Continue Reading Article 29 WP On the Schrems Ruling (Safe Harbor) − Latest Developments and Next Steps

Today, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-U.S. Safe Harbor arrangement (Commission Decision 2000/520 – see here). The Court responded to pre-judicial questions put forward by the Irish High Court in the so-called Schrems case. More specifically, the High Court had enquired, in particular, about the powers of European data protection authorities (“DPAs”) to suspend transfers of personal data that take place under the existing Safe Harbor arrangement. The CJEU ruled both on the DPAs’ powers and the validity of the Safe Harbor, finding that national data protection authorities do have the power to investigate in these circumstances, and further, that the Commission decision finding Safe Harbor adequate is invalid.

This judgment affects all companies that rely on Safe Harbor. They now need to consider alternative data transfer mechanisms.
Continue Reading EU’s Highest Court Invalidates Safe Harbor with Immediate Effect

The Court of Justice of the European Union (“CJEU”) in Luxembourg will render its judgment in the Schrems case (C-362/14 Maximilian Schrems v Data Protection Commissioner) on October 6, at 9:30 am CET (see here).

For details on the case and its potential implications for the U.S.-EU
Continue Reading EU-U.S. Safe Harbor: Judgment in the Schrems Case Scheduled For October 6

This morning (September 23, 2015), EU Advocate General (“AG”) Bot issued an Opinion in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (see our earlier post on the hearing here).  The AG Opinion has gone further than expected, covering not just the power of national data protection authorities in
Continue Reading Advocate General Considers EU-U.S. Safe Harbor to be Invalid

The U.S. and EU’s negotiators on the EU-U.S. Safe Harbor data transfer program have missed an end of May target date for reaching an agreement on amendments to the program.

They nevertheless publicly reaffirmed their commitment to reaching an agreement on the Safe Harbor program, and on an “Umbrella Agreement”
Continue Reading U.S. and EU Miss Target for Safe Harbor Renegotiation, But Remain Optimistic