On June 20, 2019, Keith Krach was confirmed by the U.S. Senate to become the Trump administration’s first permanent Privacy Shield Ombudsperson at the State Department. The role of the Privacy Shield Ombudsperson is to act as an additional redress avenue for all EU data subjects whose data is transferred
Continue Reading Privacy Shield Ombudsperson Confirmed by the Senate
European Commission
European Commission Issues Updated Q&A on Interplay between the GDPR and the Clinical Trials Regulation
By Kristof Van Quathem & Dan Cooper on
Posted in European Union, Health Privacy
On April 10, 2019, European Commission Directorate-General for Health and Food Safety issued a revised Q&A analyzing the interplay between the EU Clinical Trials Regulation (“CTR”) and the EU General Data Protection Regulation (“GDPR”). The revised Q&A takes into account the opinion of the European Data Protection Board (“EDPB”) issued…
Continue Reading European Commission Issues Updated Q&A on Interplay between the GDPR and the Clinical Trials Regulation
EU High-Level Working Group Publishes Ethics Guidelines for Trustworthy AI
On April 8, 2019, the EU High-Level Expert Group on Artificial Intelligence (the “AI HLEG”) published its “Ethics Guidelines for Trustworthy AI” (the “guidance”). This follows a stakeholder consultation on its draft guidelines published in December 2018 (the “draft guidance”) (see our previous blog post for more information on the draft guidance). The guidance retains many of the same core elements of the draft guidance, but provides a more streamlined conceptual framework and elaborates further on some of the more nuanced aspects, such as on interaction with existing legislation and reconciling the tension between competing ethical requirements.
According to the European Commission’s Communication accompanying the guidance, the Commission will launch a piloting phase starting in June 2019 to collect more detailed feedback from stakeholders on how the guidance can be implemented, with a focus in particular on the assessment list set out in Chapter III. The Commission plans to evaluate the workability and feasibility of the guidance by the end of 2019, and the AI HLEG will review and update the guidance in early 2020 based on the evaluation of feedback received during the piloting phase.
Continue Reading EU High-Level Working Group Publishes Ethics Guidelines for Trustworthy AI
EU Commission Issues Recommendation on Cybersecurity in the Energy Sector
By Mark Young on
The European Commission (“Commission”) has published a Recommendation on cybersecurity in the energy sector (“Recommendation”). The Recommendation builds on recent EU legislation in this area, including the NIS Directive and EU Cybersecurity Act (see our posts here and here). It sets out guidance to achieve a higher level of cybersecurity taking into account specific characteristics of the energy sector, including the use of legacy technology and interdependent systems across borders.
Continue Reading EU Commission Issues Recommendation on Cybersecurity in the Energy Sector
European Data Protection Board Releases Report on the Privacy Shield
On January 24, the European Data Protection Board (“EDPB”) adopted a report (“Report”) regarding the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield, including in particular the recent appointment of a permanent Ombudsperson. But the EDPB also noted that certain concerns remain with respect to the implementation of the Privacy Shield.
The EDPB, which is made up of representatives of various European data protection authorities, is established by the GDPR, and advises on the consistent application of data protection rules throughout the EU. The Report is not binding on the EU or U.S. authorities directly; instead it will serve to guide regulators considering the implementation of the Privacy Shield. The Report is also likely to influence the EU Commission’s assessment of the Privacy Shield, and to contribute to political pressure in the European Parliament to continue to reform the Shield.
Continue Reading European Data Protection Board Releases Report on the Privacy Shield
EU-Japan Adopt Mutual Adequacy Decision
[Update to previous post from August 17, 2018]
On January 23, 2019, the European Commission and Japan mutually recognized each other’s data protection laws as providing an adequate level of protection of personal data (see European Commission press release here). As a result, nearly all personal data can now…
Continue Reading EU-Japan Adopt Mutual Adequacy Decision
Privacy Shield Updates: Second Annual Review and Brexit Guidance
By Inside Privacy on
Earlier this week, the European Commission (“Commission”) published its Report on the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document). The Report concludes that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the United States. The Commission also found that the implementation of a number of the recommendations following the first annual review last year improved several aspects of the Privacy Shield, but that certain recommendations still required implementation and/or monitoring.
In another Privacy Shield-related development this week, the International Trade Administration’s Privacy Shield Team announced new guidance on the applicability of the Privacy Shield to the United Kingdom following the UK’s pending withdrawal from the EU.
Continue Reading Privacy Shield Updates: Second Annual Review and Brexit Guidance
NTIA Publishes Stakeholder Comments on Consumer Privacy Proposal
By Inside Privacy on
Posted in Data Privacy
Last week, the National Telecommunications and Information Administration (“NTIA”) released submissions it had received from the Federal Trade Commission (“FTC”) staff and many other parties on NTIA’s proposed framework for advancing consumer privacy while protecting innovation. Although NTIA did not request comments on a possible federal privacy bill, most submissions took the opportunity to inform NTIA of what such a federal privacy bill should look like.
Continue Reading NTIA Publishes Stakeholder Comments on Consumer Privacy Proposal
EU Commission Concludes Privacy Shield “Adequate” in first Annual Review
By Inside Privacy on
The European Commission has today published its Report on the first annual review of the EU-U.S. Privacy Shield (the Report is accompanied with a Staff Working Document, Infographic, and Q&A). The Commission concludes that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to Privacy Shield-certified companies in the United States. With its conclusion, the Commission also makes a number of recommendations to further improve the Privacy Shield framework. The Report follows a joint press statement by the U.S. Secretary of Commerce and EU Commissioner Jourová on September 21, 2017, closing the review and reaffirming that the “United States and the European Union share an interest in the [Privacy Shield] Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”
Background
The EU-U.S. Privacy Shield is a framework that effects the lawful transfer of personal data from the EEA to Privacy Shield-certified companies in the U.S. The Privacy Shield framework was unveiled by the EU and United States on July 12, 2016 and the Privacy Shield framework became operational on August 1, 2016. To date, there are over 2,400 in companies (including more than 100 EU-based companies) that have certified, with 400 applications under review.
The Privacy Shield provides an annual review and evaluation procedure intended to regularly verify that the findings of the Commission’s adequacy decision are still factually and legally justified. Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce and the European Commission, with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security. In preparation for the Review, the Commission also sought feedback from a number of trade associations, NGOs, and certified companies. (See our earlier posts on the purpose of the first annual review here and here.)
Continue Reading EU Commission Concludes Privacy Shield “Adequate” in first Annual Review
Validity of EU Standard Contractual Clauses Referred to CJEU
By Inside Privacy on
Posted in Cross-Border Transfers, European Union
On October 3, 2017, the Irish High Court referred Data Protection Commissioner v Facebook Ireland Limited [2016 No. 4809 P.] to the Court of Justice of the European Union (“CJEU”). The case, commonly referred to as Schrems II, is based on a complaint by Max Schrems concerning the transfer of personal data by Facebook, from Ireland to the United States, using the EU Standard Contract Clauses (“SCCs”).
Background
The SCCs are a European Commission-approved mechanism to legally effect the transfer of personal data from the EEA to third (non-EEA) countries. The SCCs provide for a contractual arrangement between a EEA-based data exporter and a non-EEA-based data importer of personal data, under which the data importer agrees to abide by EU privacy standards.
Continue Reading Validity of EU Standard Contractual Clauses Referred to CJEU