The roller coaster of developments affecting the Safe Harbor framework shows no signs of slowing down. It has taken a couple of years since Edward Snowden’s revelations for the train to reach to its highest point, but once the European Court of Justice ruled on the Schrems case, we knew it would be a bumpy ride. In the past weeks, most of the attention has focused on the EU data protection authorities, which are now more emboldened than ever and keen to capitalize on the ECJ’s decision to tighten the regime affecting international dataflows. The European Commission’s communication of 6 November to the European Parliament and the Council of the EU, coupled with its practical guidance, represents yet another turn in this uncertain journey. At the same time, the Commission’s intervention is helpful in terms of the decision-making process that many organisations—for which transatlantic transfers are vital—are trying to grapple with.
On November 6, 2015, the European Commission issued its widely anticipated Communication to the European Parliament and Council about the effect of the Court of Justice of the European Union’s Schrems decision, which invalidated the U.S.-EU Safe Harbor framework. The Commission expresses a commitment to negotiate with the U.S. Government a new framework for cross-border transfers of personal data. The Commission also emphasizes that the Communication does not have binding legal effect, but concludes that companies should rely on “alternative tools” for authorizing data flows to third countries like the United States.
On Tuesday November 3, the Spanish data protection authority, Agencia Española de Protección de Datos, sent a letter all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies. The letter warns companies that because Safe Harbor certifications are no longer recognized as valid, they must take steps to ensure that alternative mechanisms are implemented in order to continue transferring data to Safe Harbor certified companies in the United States. In particular, the AEPD is requiring of all companies that received the letter to inform it not later than January 29, 2016 of any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.
The Opinion of the Advocate General of the Court of Justice of the European Union on the case assessing the status and validity of Safe Harbor has created significant uncertainty relating to its immediate future. While the CJEU has not yet ruled, the AG’s decisions are typically quite influential. The AG’s view is that the Safe Harbor program does not provide an adequate level of data protection and that it should have already been invalidated by the European Commission.
Following on the heels of the IAPP Congress in Brussels, the CNIL’s (the French data protection authority) international chief, Florence Raynal, engaged in a dialogue with the members of the American Chamber of Commerce’s Digital Economy Committee in France. Raynal engaged with AmCham members on questions relating to the EU-US Safe Harbor framework, focusing on the practicalities of onward transfers. The discussion involved two kinds of transfers.
On Monday, a European Parliament Inquiry established to investigate the recent U.S. National Security Agency surveillance revelations indicated that its final report would recommend suspension of the popular EU-U.S. Safe Harbor Framework.
At the 35th annual Conference of Data Protection Authorities and Privacy Commissioners in Warsaw, Poland today, Hogan Lovells partner and privacy practice lead Christopher Wolf spoke on the issue of privacy and trade in light of the ongoing Transatlantic Trade and Investment Partnership negotiations between the EU and the U.S. This post contains prepared remarks to the commissioner’s on the need for interoperable cross-border privacy standards and the merits of the U.S. privacy regime.
The US privacy framework is under attack from officials in the EU following revelations about NSA surveillance. Yesterday, US Department of Commerce General Counsel Cameron Kerry delivered his valedictory address before his departure from his position next week, and focused both on the progress made by the Obama Administration in privacy and offered the strongest […]
In an August 13 letter to Commissioner Viviane Reding, Article 29 Working Party Chair Jacob Kohnstamm requested more information regarding the United States’ national security surveillance program, including the widely-publicized PRISM program.
According to reports by the German business newspaper Handelsblatt, the German data protection commissioners have sent a letter to the German chancellor Angela Merkel, asking her to push the European Union to suspend the U.S. – EU Safe Harbor regime because of the recently disclosed NSA activities. This letter dates from July 23 and is signed […]
Jan Albrecht, the rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, released a draft report last month with key proposals to amend the European Commission’s proposed Regulation on data protection. The report includes a total of 350 amendments to the original proposal. Highlights of the 215-page report include the following:
The German data protection authorities on September 26, 2011 adopted an “Orientation guide – cloud computing.” The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services and cloud computing serving providers. It highlights the customer’s responsibility for full compliance with German data protection requirements for the cloud. Based on this orientation guide, customers and providers will have to review existing agreements in the German market.
The pending proposal from the European Commission for revision of the EU Directive (expected in early 2012) raises questions about the efficacy under a revised Directive of the EU-US Safe Harbor framework, which permits the legal cross-border transfer of personal data from the EU to the US for companies enrolled in the Safe Harbor and committed to the requisite privacy protections. That’s the recent observation in Europolitics, the European Affairs daily, quoted in this blog entry, along with the rousing defense of the Safe Harbor offered by Google’s Global Privacy Counsel Peter Fleischer.
This blog entry details the major provisions of the draft Kerry/McCain privacy legislation that is circulating around Washington. As explained in the posting, the proposed law would impose major and significant new obligations on businesses dealing with personal information.
The Düsseldorfer Kreis, a working group consisting of representatives from Germany’s sixteen state data protection authorities, issued a Decision (dated 28/29 April 2010) on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework. It stated that Safe Harbor certification of the U.S. company alone is not sufficient to safeguard the transfer because European and U.S. regulators currently do not ensure that the U.S. companies comply with the self-certification. Therefore, German companies are now required to take additional steps when transferring data to the US under the Safe Harbor.
Hogan Privacy and Data Security Co-Chair Chris Wolf recently gave an interview on recent developments under the EU-US Safe Harbor to Nymity that was published in its free online newsletter. The interview is accessible through this blog entry.
The Federal Trade Commission settles with 6 companies over Safe Harbor misrepresentations and lapsed certifications.