EU-U.S. Safe Harbor Agreement

The Senate Judiciary Committee today successfully reported H.R. 1428, the Judicial Redress Act of 2015.  However, the bill included an amendment to the House-passed version that has the potential to influence current negotiations between the United States and the European Union to reach a new Safe Harbor agreement.

As we previously reported, the Judicial

Needless to say, the document most of us are reading now is the 209-page General Data Protection Regulation, just agreed upon by the institutions of the European Union.  A few parts are quite a page-turner.  (Parental consent for under-16s to access the Internet? Srsly?)  But even with this scintillating read, we find ourselves reaching for something a bit less, well, dense.

This weekend we can do that without ever leaving the EU-US comparative mindset.  Professors Ken Bamberger and Deirdre Mulligan of the Berkeley Center for Law & Technology have just published a groundbreaking work called Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press).  The book, which expands on the authors’ groundbreaking 2011 article, is based on empirical research that focuses not on what the law says in the EU and the U.S., but how privacy is actually practiced under five countries’ laws – the U.S., U.K., Germany, France, and Spain.  In findings that will be surprising and counterintuitive to some of our European colleagues, Ken and Deirdre find that the strongest privacy management practices are found in the United States and Germany.  That’s right – stronger practices in the U.S. than in France, Spain and the U.K.  I’m looking forward to the European reviews!  And to digging into the details.
Continue Reading Privacy Weekend: Provocative Articles We’re Reading Now

By Monika Kuschewsky and Vera Coughlan

Following the judgment of the Court of Justice of the EU of October 6 in the Schrems case (Case C-362/14) (see our previous blog post here), today, the European Commission issued guidance on transfers of personal data from the EU to the U.S. post Schrems. For the press release see here, Q&As here and the Commission Communication here.

In large, the guidance confirms the status quo and summarizes existing guidance of the Article 29 Data Protection Working Party (“WP29”), the EU advisory body on privacy comprised of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the Commission, and the WP29’s statement of October 16 (see our previous blog post here). Most notably, the Commission joins the WP29 in the position that alternative tools authorizing data flows can still be used by companies for lawful data transfers to third countries, including to the U.S. The Commission then further explains each of these alternative tools in more detail:
Continue Reading European Commission issues guidance on the impact of the Schrems (Safe Harbor) ruling of the EU’s Highest Court

Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here).  This 14-point position paper follows a meeting that these authorities held last week.  Key points include:

  • following the Safe Harbor

The Article 29 Data Protection Working Party (“Article 29 WP”), an EU advisory body on data protection composed of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the European Commission, met in plenary on Thursday, October 15, to discuss the first consequences of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems case (see our previous blog post here). In a press release (see here) on October 16, they emphasize that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgment.” They will closely observe the pending procedures before the Irish High Court, which is expected to issue a judgment in November, now that the case has been referred back to it by the CJEU.

The key take-aways from the Article 29 WP’s press release are that:

  • data transfers under the European Commission’s Safe Harbor decision after the CJEU judgment are unlawful;
  • the Article 29 WP will analyze the impact of the CJEU judgment on other transfer tools − during this period standard contractual clauses and Binding Corporate Rules (“BCRs”) can still be used;
  • grace period: DPAs will take action, including coordinated enforcement action, if by the end of January 2016 no appropriate solution with the U.S. authorities is found (depending on the assessment of the other transfer tools); and
  • in the meantime, DPAs can investigate in particular cases and exercise their powers to protect individuals, for instance, in case of a complaint.


Continue Reading Article 29 WP On the Schrems Ruling (Safe Harbor) − Latest Developments and Next Steps

On October 12, 2015, the European Parliament’s Civil Liberties, Justice and Home Affairs (“LIBE”) Committee held a debate to discuss the aftermath of the ruling of the Court of Justice of the European Union (“CJEU”) ruling in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (see summary of the ruling here and summary of the Advocate-General’s Opinion here).  The debate was chaired by the LIBE Committee Chair, Claude Moraes, and started with a presentation from the European Parliament’s Legal Service.  The Legal Service provided a summary of the CJEU’s decision, and set out the following points:

  • The ruling confirms the importance of the EU Charter of Fundamental Rights in protecting EU citizens, and the fact that all EU laws must comply with the Charter.  In this case, the Charter rights invoked included the right of all EU citizens to privacy and the right to an effective judicial remedy.  It can be concluded from the CJEU’s ruling that the Data Protection Directive 95/46/EC does comply with the Charter.
  • Both the Charter of Fundamental Rights and the Data Protection Directive 95/46/EC provide a high level of protection to EU citizens’ personal data, whether the data are situated inside or outside the EU.  This means that a third country can only be considered to provide “adequate” protection to EU citizens’ personal data when that country itself has strong data protection laws.  The protection provided in a third country need not be identical, but must provide an “essentially equivalent” protection to that guaranteed under EU law.
  • Legislation, whether in the EU or the U.S., cannot legitimately authorize mass or generalized surveillance of EU citizens’ data.
  • The power of local data protection authorities (“DPAs”) to investigate data protection breaches cannot be restricted by the Commission.


Continue Reading Debate in the European Parliament’s LIBE Committee on the Schrems ruling

Today, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-U.S. Safe Harbor arrangement (Commission Decision 2000/520 – see here). The Court responded to pre-judicial questions put forward by the Irish High Court in the so-called Schrems case. More specifically, the High Court had enquired, in particular, about the powers of European data protection authorities (“DPAs”) to suspend transfers of personal data that take place under the existing Safe Harbor arrangement. The CJEU ruled both on the DPAs’ powers and the validity of the Safe Harbor, finding that national data protection authorities do have the power to investigate in these circumstances, and further, that the Commission decision finding Safe Harbor adequate is invalid.

This judgment affects all companies that rely on Safe Harbor. They now need to consider alternative data transfer mechanisms.
Continue Reading EU’s Highest Court Invalidates Safe Harbor with Immediate Effect

This morning (September 23, 2015), EU Advocate General (“AG”) Bot issued an Opinion in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (see our earlier post on the hearing here).  The AG Opinion has gone further than expected, covering not just the power of national data protection authorities in relation to complaints under the