The Irish Data Protection Commission (“DPC”), having last month released its annual report (see our blog post here), has now also issued two additional reports detailing statistics on its handling of cross-border cases (see here) and a recently completed Resource Allocation Audit conducted by independent consultants (see here).  Each is important in its own right for the reputation and development of this regulator, the lead EU supervisory authority for many of the large technology companies.

Continue Reading Irish DPC Reports on Cross-Border Activity and Resources

On the second episode of our Inside Privacy Audiocast, we are aiming our looking glass at Russia, and are joined for our discussion by Partner Maria Ostashenko and Senior Associate Anastasia Petrova of the Data Protection and Cybersecurity practice at the Alrud law firm in Moscow.

The pair discuss Russia’s data protection framework, zooming in

The European Commission has today published its Report on the first annual review of the EU-U.S. Privacy Shield (the Report is accompanied with a Staff Working Document, Infographic, and Q&A).  The Commission concludes that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to Privacy Shield-certified companies in the United States.  With its conclusion, the Commission also makes a number of recommendations to further improve the Privacy Shield framework.  The Report follows a joint press statement by the U.S. Secretary of Commerce and EU Commissioner Jourová on September 21, 2017, closing the review and reaffirming that the “United States and the European Union share an interest in the [Privacy Shield] Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”

Background

The EU-U.S. Privacy Shield is a framework that effects the lawful transfer of personal data from the EEA to Privacy Shield-certified companies in the U.S.  The Privacy Shield framework was unveiled by the EU and United States on July 12, 2016 and the Privacy Shield framework became operational on August 1, 2016.  To date, there are over 2,400 in companies (including more than 100 EU-based companies) that have certified, with 400 applications under review.

The Privacy Shield provides an annual review and evaluation procedure intended to regularly verify that the findings of the Commission’s adequacy decision are still factually and legally justified.  Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce and the European Commission, with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  In preparation for the Review, the Commission also sought feedback from a number of trade associations, NGOs, and certified companies.  (See our earlier posts on the purpose of the first annual review here and here.)
Continue Reading EU Commission Concludes Privacy Shield “Adequate” in first Annual Review

By Dan Cooper and Rosie Klement

On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”).  The Agreement was signed in 2014, but the CJEU was asked to determine whether it was compatible with EU data protection law before it is approved by the European Parliament.

The Opinion concluded that a number of provisions relating to the transfer of PNR data – particularly sensitive data – are incompatible with the EU Data Protection Directive (Directive 95/46) and the fundamental rights to privacy and data protection, and the protection against discrimination, under Articles 7, 8 and 21 of the EU Charter of Fundamental Rights (the “Charter”), meaning the Agreement must be renegotiated before it enters into force.

Notably, the CJEU’s opinion was consistent with its recent judgments concerning data transfers to “third countries” (outside the EEA) in Schrems and Tele2/Watson
Continue Reading CJEU: EU-Canada proposed agreement on the transfer of Passenger Name Record data does not conform to EU data protection law standards

South Korea has became the fifth member economy to join the Asia-Pacific Economic Cooperation’s (“APEC”) Cross-Border Privacy Rules (“CBPR”) system, a voluntary but legally enforceable code of conduct that aims to facilitate secure data transfers and e-commerce between parties to the agreement.

Established in 2011, the CBPR system aims to provide a minimum level of protection for personal information exchanged among member economies as e-commerce continues to boom. It helps mitigate privacy concerns led by the ever-increasing flow of personal data across borders and build consumer trust by ensuring that data is processed in compliance with the CBPR’s high security standards without restricting data flows.  Countries and businesses that took part in the multilateral system agree to implement APEC’s nine privacy principles, which include, for example, preventing harm, notice, collection limitation, integrity, and accountability, in all cases involving the transfer or processing of personal information.
Continue Reading South Korea Joins the APEC Cross-Border Privacy Rules Framework

The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C.  The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, address concerns that have been raised, and seek to ensure that the Privacy Shield is well positioned to continue operating as a valid legal basis for transfers of personal data from the EU to the U.S.

Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce (“Commerce”) and the European Commission (“Commission”), with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  Regulators have also indicated that they plan to solicit and incorporate feedback and comments from other Privacy Shield stakeholders as part of the review process, including from self-certified companies and other interested organizations.

Although this is the first annual review, it is important to note that the Privacy Shield has already been the subject of intense public scrutiny.  The draft text of the framework was released in February, several months prior to the final release in July, and a number of stakeholders took the opportunity to comment on the text, leading to several revisions designed to improve and strengthen the Privacy Shield. 
Continue Reading First Annual Privacy Shield Review Will Comprehensively Assess the Framework

On April 11, 2017, the Cyberspace Administration of China (“CAC”) released a draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Draft Measures”) for public comment (official Chinese version available here).  The comment period ends on May 11, 2017.

The issuance of the long-anticipated Draft Measures is another critical step toward implementing China’s Cybersecurity Law (“the Law”), which is set to take effect on June 1, 2017 (see our alert on the Law here).  Importantly, the Draft Measures, if enacted in its current form, would mandate all “network operators” to self-assess the security of their cross-border data transfers and significantly broaden the scope of entities that potentially need to undergo security assessments for such transfers by the Chinese government.  Companies that fall into the scope of “network operators,” but may not qualify for “operators of Critical Information Infrastructure” (“CII”), could see their cross-border data transfers regulated under the Draft Measures.  
Continue Reading China Seeks Public Comments on Draft Regulation on Cross-Border Data Transfer

Nearly 2,000 organizations are now listed as self-certified to the EU-U.S. Privacy Shield on the Department of Commerce’s (“Commerce”) Privacy Shield website.  Given current developments on both sides of the Atlantic, there are likely to be significant Privacy Shield developments in the coming months.

EU Justice Commissioner Věra Jourová recently concluded her visit to the U.S. to meet with Trump Administration officials and others regarding the status of the Privacy Shield.  During her visit, Commissioner Jourová spoke about the importance of the Privacy Shield as a framework with “enormous potential to strengthen the transatlantic economy and reaffirm our shared values.”  She also met with Commerce Secretary Wilbur Ross to discuss the Privacy Shield, and announced that the first annual joint review will occur in September, which she indicated would be “an important milestone where we need to check that everything is in place and working well.”
Continue Reading Privacy Shield Approaches 2,000 Participants; Review Scheduled for September

When China’s new Cybersecurity Law takes effect on June 1, 2017, China will become another important jurisdiction to watch in the international data transfer space.

Before the new Cybersecurity  Law officially was promulgated on November 7, 2016, cross-border data transfer of data from China was largely unregulated by the government.  While many Chinese laws and regulations governed the collection, use and storage (including localization) of data, no binding laws or regulations contained generally applicable legal requirements or constraints on the transfer of data across Chinese borders.
Continue Reading Cross-Border Data Transfer: A China Perspective

On January 10, 2017, the European Commission unveiled the “last major Digital Single Market initiatives” addressing Europe’s digital future.  These initiatives comprise the following:

  • A proposal for a Regulation on Privacy and Electronic Communications (E-Privacy Regulation) (see our post here);
  • A Communication on “Building a European Data Economy” (see our post here); and