On September 16, 2016, Digital Rights Ireland (“DRI”), a digital rights advocacy group, lodged an action with the EU General Court for annulment of the European Commission’s Decision on the EU-U.S. Privacy Shield arrangement.  While the existence of the application has only recently become public knowledge, it was widely-expected that the Privacy Shield would face a legal challenge.  It is also unsurprising that DRI have brought the action (given its objections to the Privacy Shield before it was agreed and its intervention in the Safe Harbor case).

Background

The Privacy Shield was agreed earlier this year, replacing the Safe Harbor framework that was invalidated by the Court of Justice of the EU (“CJEU”) in Schrems.  The Privacy Shield provides a legal basis for transfers of personal data from the European Economic Area to Privacy Shield-certified companies in the U.S.  To date, over 600 companies have certified to the Privacy Shield.  The Privacy Shield contains a much more robust set of commitments than those underpinning the Safe Harbor and will provide stronger protections to data subjects in the EU than its predecessor.
Continue Reading Challenge to EU-U.S. Privacy Shield Lands at EU Court

By Helena Marttila-Bridge

Today, the Article 29 Data Protection Working Party (“Working Party”), a group consisting of representatives from the European data protection authorities, the European Data Protection Supervisor, and the European Commission, published its opinion on the EU-U.S. Privacy Shield draft adequacy decision (“Opinion”) (see here). The Opinion is accompanied by a second document, Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (“European Essential Guarantees”) (see here). This document sets out EU standards for surveillance by public authorities in the EU and U.S., as formulated by the Working Party. The Working Party also issued a press release (see here). The chairwoman of the Working Party, CNIL President Falque-Pierrotin, presented the documents today in a press conference, a recording of which is available here.

According to the Working Party, the Privacy Shield contains significant improvements compared to the now-defunct EU-U.S. Safe Harbor framework; however, there remain certain concerns and a need for clarification. 
Continue Reading EU Data Protection Authorities Call For Further Clarifications on the EU-U.S. Privacy Shield and Raise Some Concerns

Today, the European Commission published the text of the new EU-U.S. Privacy Shield (see the Commission’s press release here), which consists of:

  • a draft adequacy decision;
  • the EU-U.S. Privacy Shield Framework Principles issued by the U.S. Department of Commerce; and
  • the official representations and commitments contained in separate letters from:
    • Secretary of Commerce Penny Pritzker (Annex I);
    • Secretary of State John Kerry (Annex III);
    • Federal Trade Commission Chairwoman Edith Ramirez (Annex IV),
    • Secretary of Transportation, Anthony Foxx (Annex V);
    • General Counsel Robert Litt, Office of the Director of National Intelligence (Annex VI); and
    • Deputy Assistant Attorney General Bruce Swartz, U.S. Department of Justice (Annex VII).

In addition, the European Commission issued a Communication titled “Transatlantic Data Flows: Restoring Trust through Strong Safeguards” which presents the developments and the Commission’s findings since its critical 2013 Communication on the Functioning of the Safe Harbor, a Q&A and a Fact sheet.
Continue Reading EU-U.S. Privacy Shield Package Released

On February 3rd, the Article 29 Working Party, representing Europe’s data protection authorities, published its reaction to the announcement of a new “Privacy Shield” political agreement between the European Commission and the U.S. Government.  The Privacy Shield agreement, announced on February 2nd (and further described in our blog post here), is intended to replace the now-defunct Safe Harbor Framework, and may form a future legal basis for transatlantic data flows between Europe and the United States.
Continue Reading Article 29 Working Party Reacts to the U.S.-EU Privacy Shield Agreement

Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here).  This 14-point position paper follows a meeting that these authorities held last week.  Key points include:

  • following the Safe Harbor

This morning (September 23, 2015), EU Advocate General (“AG”) Bot issued an Opinion in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (see our earlier post on the hearing here).  The AG Opinion has gone further than expected, covering not just the power of national data protection authorities in relation to complaints under the

By Tom Jackson

On November 26, 2014, the Article 29 Working Party adopted a working document setting out a cooperation procedure for issuing common opinions on contractual clauses considered as compliant with the EC Model Clauses (the “Working Document”).  The Working Document sets out the framework for a procedure designed to streamline the process of obtaining the necessary approvals to transfer data outside the EEA.  It introduces the concept of a “Lead DPA,” through whom an applicant company would be able to deal with a range of competent national authorities in order to gain a common opinion on the adequacy of its contractual clauses.

The publication of this Working Document serves as an indication that European data protection authorities recognize that the current system is burdensome and often time-consuming for companies seeking to transfer data outside the EEA.  However, it remains to be seen when, or even if, the procedure proposed by the Working Party will be put into practice.
Continue Reading Article 29 Working Party Publishes Working Document Setting Out Cooperation Procedure for Issuing Common Opinions on Contractual Clauses

On June 6, 2014, the Justice and Home Affairs Council of the European Union (the “Council”), representing individual EU Member States, reached a common position on certain important aspects of the draft European Data Protection Regulation (the “Regulation”).  Specifically, the Council reached an agreement on rules governing transfers of personal data outside the EU, set out in Chapter V of the Regulation, and on rules relating to its territorial scope.  A number of key elements of the proposal remain under review, however, with agreement not expected for some time.  And, the text of the proposed Regulation still has to be negotiated and agreed in its entirety by both the Council and the European Parliament, and Chapter V (as well as other provisions) may undergo further changes in the process.

While Parliament’s position is now set in stone (following a plenary vote in March 2014), the Council is still in the process of defining its position on key aspects of the Regulation.  According to unofficial sources, the Italian Presidency of the Council (which will take over in July) will aim to agree the remaining Chapters of the Regulation by the end of 2014.  It is unclear whether any negotiations on the text between the Council and Parliament will take place before then.


Continue Reading EU Justice Ministers Reach A Common Position on Aspects of the Draft EDPR