The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C.  The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, address concerns that have been raised, and seek to ensure that the Privacy Shield is well positioned to continue operating as a valid legal basis for transfers of personal data from the EU to the U.S.

Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce (“Commerce”) and the European Commission (“Commission”), with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  Regulators have also indicated that they plan to solicit and incorporate feedback and comments from other Privacy Shield stakeholders as part of the review process, including from self-certified companies and other interested organizations.

Although this is the first annual review, it is important to note that the Privacy Shield has already been the subject of intense public scrutiny.  The draft text of the framework was released in February, several months prior to the final release in July, and a number of stakeholders took the opportunity to comment on the text, leading to several revisions designed to improve and strengthen the Privacy Shield. 
Continue Reading First Annual Privacy Shield Review Will Comprehensively Assess the Framework

By Meena Harris and Caleb Skeath

  1. Data Breaches
  • Studies show increase.  Amidst a flurry of high-profile breaches during 2014, several studies confirmed that data breaches as a whole have risen significantly over the past few years.  The California Attorney General released a study showing a 28% increase in breaches in 2013 as compared to 2012.  Another study, which examined the volume of data breaches during the first quarter of 2014, found an increase of 233% compared to the same time period in 2013.
  • State laws.  In April, Kentucky became the 47th state to enact a data breach notification law.  Florida and Iowa each amended their data breach notification laws in 2014 to, among other changes, enhance regulator notification requirements.  California amended its data breach notice law to expand the types of information covered and to require certain companies to provide one year of free credit monitoring to affected individuals (although the statutory language on the latter point is subject to multiple interpretations).
  • Federal legislation.  Numerous data breach bills, including the Data Security Breach Notification Act of 2014 and the Personal Data Protection and Breach Accountability Act, were introduced in Congress, although none passed during 2014.  The Senate Judiciary Committee, the Senate Commerce Committee, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, among others, held hearings during 2014 to discuss the need to address data breaches and the possibility of enacting federal legislation.
  • Federal enforcement.  In the enforcement arena, the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), and state attorneys general pursued enforcement action during 2014 against companies that had suffered data breaches.  The Securities and Exchange Commission also announced in April that it would conduct over 50 cybersecurity examinations of publicly traded companies.  The Federal Communications Commission (“FCC”), for its part, levied a $10 million fine in October against two telecommunications carriers for exposing customer data, which represented the FCC’s first enforcement action in the wake of a data breach.
  • Continued attention in 2015.  Legislative interest in data breach issues has only increased in early 2015.  Since President Obama proposed national data breach legislation, additional data breach notification bills have been introduced in the House and Senate.  The House Subcommittee on Commerce, Manufacturing, and Trade also held a hearing on crafting a national data breach bill, debating the harm that should trigger notification obligations and the appropriate window for providing notifications.

Continue Reading Top 10 U.S. Privacy Developments of 2014

Today the White House released its big data and privacy report, entitled “Big Data:  Seizing Opportunities, Preserving Values.”  The report is the result of a three-month review, which was led by White House counselor John Podesta and was first announced as part of the President’s January speech on NSA reform.  It primarily outlines the

By Henriette Tielemans

On March 12, 2014, the European Parliament voted 544 to 78, with 60 abstentions, to endorse a report prepared by MEP Claude Moraes (S&D, UK) (the Report), and to pass a resolution summarising Mr. Moraes’ findings (the Resolution).  The Report and Resolution conclude a six-month investigation by the influential Committee on Civil

On October 23, 2013, the European Parliament adopted a resolution calling for the suspension of an EU-US Agreement on the transfer of financial data for the purposes of the Terrorist Finance Tracking Program (the so-called “SWIFT Agreement”).  The resolution comes after allegations that the US National Security Agency (NSA) has had unauthorized access to EU citizens’ bank data held by the Belgian company SWIFT.

The SWIFT Agreement, which entered into force in 2010, permits the sharing of EU citizens’ bank data with US authorities for the purposes of preventing, investigating and prosecuting conduct pertaining to terrorism or terrorist financing subject to a number of data protection safeguards.

However, following the recent allegations that the NSA has had direct access to EU citizens’ financial payment messages and related data in breach of the SWIFT Agreement, the European Parliament adopted the resolution asking the European Commission to suspend the Agreement.  The resolution also calls for further investigations of the NSA spying allegations by requesting the Council and the EU Member States to authorize the Europol Cybercrime Centre to carry out a full on-site technical investigation and by inviting the Parliamentary Committee on Civil Liberties, Justice and Home Affairs to conduct a special inquiry into the mass surveillance of EU citizens.

Continue Reading European Parliament Calls for Suspension of the SWIFT Agreement following NSA Surveillance Claims

On 8 October 2013, a group of Socialist and Democrat MEPs called for the suspension of the U.S.-EU Safe Harbor Framework (the “Safe Harbor”).  Their comments, which were triggered by the unauthorized disclosure of a document describing a U.S. National Security Agency surveillance program known as “PRISM”, argued that the Safe Harbor is, variously, “misleading,” “vulnerable,”