As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce.  Commerce’s release coincided with the release of a draft adequacy decision by the European Commission.

A number of the Privacy Shield principles, notably in enforcement, onward transfer, and regular review, are significantly more stringent than the Safe Harbor.  In light of these new obligations, among others, privacy professionals should carefully consider whether this data-transfer framework is right for their companies.

  1. Tougher and Binding Remedies and Enforcement

In addition to FTC enforcement under Section 5, the Principles encourage individuals to bring their complaints directly to the organization at issue, to which the signatory must respond within 45 days.  If the complaint is not resolved, the consumer may bring his or her complaint before an independent dispute resolution body.  The Principles allow signatories to utilize U.S.- or EU-based dispute resolution bodies, or a panel of EU member state data protection authorities (DPAs).


Today (February 2nd, 2016), the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.

The Senate Judiciary Committee today successfully reported H.R. 1428, the Judicial Redress Act of 2015.  However, the bill included an amendment to the House-passed version that has the potential to influence current negotiations between the United States and the European Union to reach a new Safe Harbor agreement.

As we previously reported, the Judicial Redress Act of 2015 would allow EU citizens and citizens of other nations limited rights to file suit in U.S. courts under the federal Privacy Act of 1974 over allegations that the U.S. government misused their personal data.  Passage of the Judicial Redress Act is seen by many as key to the success of the ongoing negotiations between EU and U.S. representatives to reach a new Safe Harbor agreement before the January 31 deadline.

Today, the Senate Judiciary Committee advanced the bill to the full Senate, but, at the eleventh hour, added an amendment that would require the foreign countries covered by the Act to permit the transfer of personal data for commercial purposes between that country and the United States, as well as require the U.S. Attorney General to certify that the transfer of personal data does not materially impede U.S. national security interests.  This new language could complicate the current Safe Harbor negotiations, as the amendment would add further requirements to the extension of privacy rights to foreign citizens, as well as give U.S. regulators considerable flexibility to assert that certain commercial data transfers do not accord with U.S. national security interests.

The key sponsors of the Act urged that the full Senate schedule a vote on its passage at its earliest opportunity.  The House of Representatives passed a parallel measure in late 2015.

By Monika Kuschewsky and Vera Coughlan

Following the judgment of the Court of Justice of the EU of October 6 in the Schrems case (Case C-362/14) (see our previous blog post here), today the European Commission issued guidance on transfers of personal data from the EU to the U.S. post-Schrems. For the press release see here, the Q&As here and the Commission Communication here.

By and large, the guidance confirms the status quo and summarizes existing guidance of the Article 29 Data Protection Working Party (“WP29”), the EU advisory body on privacy comprised of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the Commission, and the WP29’s statement of October 16 (see our previous blog post here). Most notably, the Commission joins the WP29 in the position that alternative tools authorizing data flows can still be used by companies for lawful data transfers to third countries, including to the U.S. The Commission then explains each of these alternative tools in more detail.

Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here).  This 14-point position paper follows a meeting that these authorities held last week.  Key points include:

  • following the Safe Harbor judgment of the Court of Justice of the EU (“CJEU”) of October 6 (see our previous blog post here), data transfers on the basis of the European Commission’s Safe Harbor Decision are not admissible and the German DPAs will prohibit data transfers to the U.S. which are exclusively based on Safe Harbor;
  • the admissibility of data transfers to the U.S. on the basis of other transfer mechanisms, such as standard contractual clauses or Binding Corporate Rules (“BCRs”), is called into question;
  • the German DPAs will not currently issue any new authorizations for data transfers to the U.S. on the basis of BCRs or data transfer agreements; this goes a step further than the position expressed by the Article 29 Data Protection Working Party (“WP29”) in its statement of October 16 (see our previous blog post here), in which the WP29 acknowledged that standard contractual clauses and BCRs can still be used while the WP29 analyzes the impact of the CJEU judgment on the other transfer mechanisms; and
  • the German DPAs recognize that consent may in certain limited circumstances provide a legal basis for data transfers to the U.S.

The German supervisory authorities call upon companies to make their data transfers data protection compliant, but at the same time also call for action by legislators, the German Government and the Commission.

The Article 29 Data Protection Working Party (“Article 29 WP”), an EU advisory body on data protection composed of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the European Commission, met in plenary on Thursday, October 15, to discuss the first consequences of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems case (see our previous blog post here). In a press release (see here) on October 16, it emphasized that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgment.” It will closely observe the pending proceedings before the Irish High Court, which is expected to issue a judgment in November, now that the case has been referred back to it by the CJEU.

The key take-aways from the Article 29 WP’s press release are that:

  • data transfers under the European Commission’s Safe Harbor decision after the CJEU judgment are unlawful;
  • the Article 29 WP will analyze the impact of the CJEU judgment on other transfer tools; during this period standard contractual clauses and Binding Corporate Rules (“BCRs”) can still be used;
  • grace period: DPAs will take action, including coordinated enforcement action, if by the end of January 2016 no appropriate solution with the U.S. authorities is found (depending on the assessment of the other transfer tools); and
  • in the meantime, DPAs can investigate in particular cases and exercise their powers to protect individuals, for instance, in case of a complaint.


Today, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-U.S. Safe Harbor arrangement (Commission Decision 2000/520 – see here). The Court responded to questions referred for a preliminary ruling by the Irish High Court in the so-called Schrems case. More specifically, the High Court had enquired, in particular, about the powers of European data protection authorities (“DPAs”) to suspend transfers of personal data that take place under the existing Safe Harbor arrangement. The CJEU ruled both on the DPAs’ powers and on the validity of the Safe Harbor, finding that national data protection authorities do have the power to investigate in these circumstances and, further, that the Commission decision finding the Safe Harbor adequate is invalid.

This judgment affects all companies that rely on Safe Harbor. They now need to consider alternative data transfer mechanisms.

The Court of Justice of the European Union (“CJEU”) in Luxembourg will render its judgment in the Schrems case (C-362/14 Maximilian Schrems v Data Protection Commissioner) on October 6, at 9:30 am CET (see here).

For details on the case and its potential implications for the U.S.-EU Safe Harbor, see our earlier blog post (here) detailing the Opinion of the case’s Advocate General (issued on September 23).

This morning (September 23, 2015), EU Advocate General (“AG”) Bot issued an Opinion in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (see our earlier post on the hearing here).  The AG Opinion has gone further than expected, covering not just the power of national data protection authorities in relation to complaints under the Safe Harbor, but the validity of the Safe Harbor itself; the AG found that the entire Safe Harbor is invalid as it fails to adequately protect personal data transferred from the EU to the United States.

Background

In 2013, following the Snowden revelations, Austrian student Max Schrems filed a complaint with the Irish Data Protection Commission (“Irish DPA”) claiming, in essence, that the law and practices of the U.S. offer no real protection for EU citizens’ personal data kept in the U.S. against State surveillance.  Schrems’ complaint related to his use of Facebook and the transfer of personal data relating to him under the Safe Harbor to Facebook U.S. (Schrems did not allege that Facebook U.S., as a self-certifying entity to which data is transferred, itself violated the Safe Harbor principles because of any access by U.S. authorities to data that Facebook holds.  The Irish High Court acknowledged this, and the AG found that the allegations “do not amount to a breach by Facebook of the safe harbour principles”.)

The Irish DPA considered that he was not required to investigate the complaint on the basis that it was unsustainable in law: Facebook had self-certified under the Safe Harbor regime, and the Commission had decided in Decision 2000/520/EC that under the Safe Harbor scheme the United States ensured an adequate level of protection of the personal data transferred.

Schrems brought proceedings before the High Court in Ireland for judicial review of the Irish DPA’s decision rejecting his complaint.  The Irish High Court, in turn, referred questions to the CJEU, essentially to ascertain whether the Commission’s assessment as to the adequacy of the level of protection, contained in Decision 2000/520, is absolutely binding on national data protection authorities and prevents them from investigating allegations challenging that finding.

Powers of national DPAs

First, the AG concluded that, under EU law, Decision 2000/520 does not prevent national DPAs from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.  The AG came to this conclusion based on a review of several authorities, including relevant provisions of Directive 95/46, prior CJEU precedent, the Charter of Fundamental Rights of the EU, and his interpretation of Commission Decision 2000/520 itself.

The validity of Commission Decision 2000/520

Despite the issue not being expressly referred to the CJEU, the Advocate General considered that the CJEU should determine the validity of Decision 2000/520.  The AG considered that Decision 2000/520 is invalid as it fails to adequately protect personal data transferred from the EU to the U.S.

In the AG’s view, the problem arises primarily from the U.S. use of derogations in the Safe Harbor, which allow for the Safe Harbor principles to be limited in order to meet “national security, public interest or law enforcement requirements” or to address conflicts of law.  The AG noted that (i) there is no independent authority capable of verifying that the implementation of the derogations from the Safe Harbor principles is limited to what is strictly necessary; and (ii) EU citizens do not have means to obtain access to or rectify or erase their data, or administrative or judicial redress with regard to collection and further processing of their personal data by the U.S. security agencies.  Accordingly, Decision 2000/520 does not contain sufficient guarantees or satisfy requirements of the Data Protection Directive (which gives national DPAs certain investigatory and enforcement powers) or the Charter of Fundamental Rights.

What is the impact?

The AG’s Opinion could have an impact on organizations and broader political discussions regarding EU-U.S. data flows.

  • If the CJEU follows the AG’s Opinion and rules that the Safe Harbor is invalid, organizations that rely on the Safe Harbor to transfer personal data to the U.S. will have to consider alternative transfer mechanisms in order to transfer personal data lawfully to the United States.  Immediate short-term alternatives are likely to include standard contractual clauses and, in more limited instances, consent.  Binding Corporate Rules are another alternative, but would require more time to put in place.
  • Negotiations on the proposed EU-U.S. Safe Harbor framework are still under way (see our earlier posts here and here).  It will be interesting to observe the impact that the AG’s findings have on these negotiations, particularly regarding requirements that the AG states the U.S. should put in place and about the independence of national DPAs vis-à-vis the Commission.

Also, for those of you wondering if the proposed Regulation may provide a solution, this seems unlikely.  The AG bases some of his findings on provisions of the current Data Protection Directive, but also refers quite extensively to primary EU law, i.e., Articles 7, 8 and 47 of the Charter of Fundamental Rights.  Replacing the Directive with the Regulation would not address more fundamental objections that are based on the Charter.

Next steps

The CJEU will now review the AG’s Opinion, and in the ordinary course of events can be expected to issue its judgment in 5-7 weeks’ time, i.e., at the very end of October, or early November.

The U.S. and EU negotiators on the EU-U.S. Safe Harbor data transfer program have missed an end-of-May target date for reaching an agreement on amendments to the program.

They nevertheless publicly reaffirmed their commitment to reaching an agreement on the Safe Harbor program, and on an “Umbrella Agreement” that would protect personal data exchanged between the U.S. and EU for law enforcement purposes.  The EU is looking to address concerns over safeguards against over-collection and use of EU citizens’ data by U.S. law enforcement agencies.

Whilst no new target date for Safe Harbor agreement has been announced, Reuters reports that U.S. Under Secretary of State Catherine Novelli is optimistic that an agreement could be reached “very, very soon”, and the wait would be a matter of weeks, not months.

That timing could coincide with the release on June 24th of an important legal opinion by a Court of Justice of the EU (CJEU) Advocate General, Yves Bot, in a significant EU challenge to the current Safe Harbor (case C-362/14 Schrems).  Although non-binding, the Advocate General’s opinion on the merits of the case could influence the CJEU’s judges, who are expected to rule on the case later this year.