Data Protection Directive

By Phil Bradley-Schmieg and Vera Coughlan.  This post has been updated to include links to the final texts and comparisons with preceding drafts.

After three months of legal-linguistic checks and translations, the EU is poised to formally adopt the new EU General Data Protection Regulation (GDPR) and its sister law, the EU Policing and Criminal Justice Data Protection Directive (PCJ DPD).

The new and likely final texts for approval were released late on Wednesday, April 6; the GDPR text can be found here, whilst the final text of the PCJ DPD can be found here. We have also published automated comparisons here and here, for the GDPR and PCJ DPD respectively.

Documents recently released by the Council of the EU (available here and here) suggest that the Council will vote to endorse these final texts by the end of this week (Friday April 7, 2016), before passing them on for approval by the European Parliament during next week’s plenary sessions (April 11-14, 2016).  
Continue Reading EU Poised to Formally Adopt New Data Protection Laws; Amended Texts Published

As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce.  Commerce’s release coincided with the release of a draft adequacy decision by the European Commission.

A number of the Privacy Shield principles, notably in enforcement, onward transfer, and regular review, are significantly more stringent than the Safe Harbor.  In light of these new obligations, among others, privacy professionals should carefully consider whether this data-transfer framework is right for their companies.

  1. Tougher and Binding Remedies and Enforcement

In addition to FTC enforcement under Section 5, the Principles encourage individuals to bring their complaints directly to the organization at issue, to which the signatory must respond within 45 days.  If the complaint is not resolved, the consumer may bring his or her complaint before an independent dispute resolution body.  The Principles allow signatories to utilize U.S.- or EU-based dispute resolution bodies, or a panel of EU member state data protection authorities (DPAs).

Continue Reading Privacy Shield: Top Five Reasons It’s Tougher Than the Safe Harbor, Whether You Should Certify, and Next Steps

On February 3rd, the Article 29 Working Party, representing Europe’s data protection authorities, published its reaction to the announcement of a new “Privacy Shield” political agreement between the European Commission and the U.S. Government.  The Privacy Shield agreement, announced on February 2nd (and further described in our blog post here), is intended to replace the now-defunct Safe Harbor Framework, and may form a future legal basis for transatlantic data flows between Europe and the United States.
Continue Reading Article 29 Working Party Reacts to the U.S.-EU Privacy Shield Agreement

Today (February 2nd, 2016), the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.
Continue Reading Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield

This morning, the European Parliament’s Civil Liberties, Justice and Home Affairs committee (“LIBE”) formally adopted the result of the negotiations on the EU’s General Data Protection Regulation (“GDPR”).  The text of GDPR was the outcome of trilogue negotiations between the European Parliament and Council and the Commission, which concluded on December 15, 2015.  The LIBE

Today, the EU institutions reached the long-awaited political agreement on the General Data Protection Regulation (GDPR), which will fundamentally change the EU privacy landscape (for the Commission press release see here and the European Parliament press release here).  Almost four years after the publication of the legislative proposal for the GDPR, the final trilogue

On October 1st, 2015, the Court of Justice of the EU rendered its judgment in the Weltimmo case (C-230/14).  The case addressed two important aspects of EU data protection law, namely applicable law and the scope of the territorial powers of data protection authorities.

The case arose out of a dispute between Weltimmo, a company registered in Slovakia, which operates property dealing websites concerning Hungarian properties, and the Hungarian data protection authority.  Several advertisers lodged a complaint with the data protection authority, which imposed a fine on Weltimmo for a violation of the Hungarian Law on Information.

Continue Reading EU’s Highest Court Rules on Applicable Law and Territorial Powers of the National Data Protection Authorities

By Dan Cooper and Phil Bradley-Schmieg

On March 24, 2015, the Court of Justice of the EU (CJEU) heard arguments in Case C-362/14 (Schrems).  The High Court of Ireland has asked the CJEU whether Ireland’s data protection authority (DPA) — and by extension other EU DPAs — is bound by the Commission’s adequacy decision (Decision 520/2000/EC) with respect to the EU-US Safe Harbor framework, or whether the authority may, or must, conduct an independent investigation into the adequacy of the Safe Harbor in light of subsequent factual developments (potentially prohibiting use of the framework for EU to U.S. transfers).

The impact of the case could be wide-ranging, as thousands of organizations currently rely on the Safe Harbor for transferring personal data from the EU to the U.S., rather than alternative data transfer mechanisms.  Max Schrems, the applicant in the underlying Irish proceedings, argued that given recent allegations as to the freedom with which U.S. intelligence agencies can access EU-originating data from Safe Harbor companies, the Safe Harbor no longer provides adequate protection as a matter of EU law.
Continue Reading CJEU Hears Oral Arguments in Pivotal EU-U.S. Safe Harbor Case

By Sophie Noya and Henriette Tielemans

From September 29 to October 7, 2014, parliamentary Committees of the European Parliament (“EP”) will be holding public confirmation hearings with Commissioners-designates with a view to assessing their skills and qualifications ahead of the EP’s vote on October 22 to approve (or reject) the Council’s appointment of the new Commission.

On October 1, the Committee on Legal Affairs (“JURI”), the Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), the Committee on Internal Market and Consumer Protection (“IMCO”) and the Committee on Women’s Rights and Gender Equality (“FEMM”) therefore held a hearing with Věra Jourová, the Czech Commissioner-designate for Justice, Consumers and Gender Equality.   The answers of the Commissioner designate, some of which are summarized here below, failed to impress the members of the European Parliament who will be subjecting the Commissioner- designate to further questions.  It is therefore at this stage unclear whether Ms Jourova will take up her portfolio later this year.

Continue Reading Committees of European Parliament Hold Confirmation Hearing for Commissioner-Designate for Justice, Consumers, and Gender Equality