Ever since the first draft of the EU-US Privacy Shield framework was published in early 2016, groups opposed to the idea have indicated their intent to challenge the legality of the framework under EU law. Recently, the privacy advocacy group Digital Rights Ireland made good on that promise. Following the filing of a formal complaint on 15 September asking for an annulment of the framework by the Court of Justice of the European Union, DRI has now made public the details of its complaint.
500 German companies will be asked in the coming weeks by 10 German data protection authorities to complete an extensive and detailed questionnaire about their transfers of personal data to third countries. Companies must indicate how they ensure an adequate level of data protection for such data transfers. The questionnaire also covers the use of cloud services provided by U.S. entities. The enquiry and the questionnaire (but not the list of targeted companies) were published by the German DPAs on 3 November 2016.
Thank you to everyone who participated in last week’s webinar “Privacy Shield: What You Need to Know,” in which we explored how companies demonstrate compliance with the Privacy Shield principles, what it takes to move from Safe Harbor to Privacy Shield, and more. A copy of the slide deck and recorded webinar are now available on our blog.
In less than one week, on August 1, U.S. companies may begin to submit self-certifications to the EU-U.S. Privacy Shield framework at www.privacyshield.gov. Those companies that previously certified to the predecessor Safe Harbor framework are in a particularly good position to certify to the Privacy Shield, which built upon Safe Harbor’s core principles by adding meaningful substantive and procedural privacy protections for EU individuals.
The much anticipated Privacy Shield framework for the transfer of data between the EU and U.S. received final approval from the European Commission on 12 July 2016. With this important data transfer mechanism available to companies at the beginning of August, the Hogan Lovells Privacy and Cybersecurity team will answer your questions in a webinar next Wednesday, 27 July. CLE credit will be available.
With the recent approval of the EU-US Privacy Shield framework and the ability to start filing online registrations on 1 August, many companies have questions about the advantages and disadvantages of Privacy Shield as compared to other cross-border transfer mechanisms to cover trans-Atlantic data flows.
To answer your questions, we publish here International Data Transfers – Considering your options, a high-level analysis of the EU cross-border transfer options for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Privacy Shield, and Consent—and the pros and cons of choosing each one.
On 12 July 2016, the European Commission issued its much awaited “adequacy decision” concerning the Privacy Shield framework for the transfer of personal data from the EU to the U.S. This adequacy decision is based on the latest version of the Privacy Shield, which was further negotiated and revised following the Article 29 Working Party’s April 2016 concerns with the terms of the original Privacy Shield framework. Many of our clients have questions about Privacy Shield—what it is, when it will be available for use, and how it differs from other data transfer mechanisms, among others. We have prepared blog post to answer these questions about the updated version of Privacy Shield and its implications for companies engaging in trans-Atlantic data flows.
The free flow of data is essential to an ever-growing segment of the global economy. Yet some policymakers and advocates, citing privacy concerns, have called for shutting off the faucet and restricting data flow, to the detriment of European consumers and European businesses, both small and large. After much debate, a major European court opinion, and at least one act of Congress to address the issue, a solution is at hand that will enhance real, enforceable privacy protections on both sides of the Atlantic.
One of Harry Houdini’s most difficult tricks consisted of escaping from a nail-fastened and rope-bound wooden crate with manacles on his hands and feet, while submerged in New York’s East River. That feat is starting to look straightforward when compared to the prospect of lawfully exporting personal data out of the European Union. The restrictions on transfers of data to jurisdictions that do not provide an adequate level of protection have been in place for more than 20 years. And while these restrictions have not prevented the development of the digital economy, judging by this issue’s current direction of travel, we could be facing a situation from which not even the great Houdini could escape.
In a thorough legal analysis of the EU-U.S. Privacy Shield framework, a report from Hogan Lovells says the framework would stand up in the Court of Justice of the European Union, and the true level of data protection afforded by the Privacy Shield framework will only be demonstrated by its functioning and the practices of its participants.
The February 29, 2016 announcement of the new EU-U.S. data transfer framework—the Privacy Shield—was accompanied by over 130 pages of documentation and significantly more operational details than its predecessor, Safe Harbor. We have reviewed the Privacy Shield materials and published a comprehensive breakdown of the changes from Safe Harbor to Privacy Shield and the practical impact on business: Inside the New and Improved EU-U.S. Data Transfer Framework.
On February 29, 2016 and after more than two years of negotiations with the U.S. Department of Commerce, the European Commission released its draft Decision on the adequacy of the new EU–U.S. Privacy Shield program, accompanied by new information on how the Program will work. The Privacy Shield documentation is significantly more detailed than that associated with its predecessor, the EU-U.S. Safe Harbor, as it describes more specifically the measures that organizations wishing to use the Privacy Shield must implement. Importantly, the Privacy Shield provides for additional transparency and processes associated with U.S. government access to the personal data of EU individuals.
Following the announcement by the European Commission of the newly agreed EU-US Privacy Shield, the missing piece of the jigsaw was the Article 29 Working Party’s stance on the adequacy of the existing mechanisms in place—in particular, standard contractual clauses and binding corporate rules. So after two days of intense discussions, the Working Party has issued a statement with its latest position, which is the follow up to their original reaction to the invalidation of Safe Harbor last October. The bottom line: the Working Party still does not view US government surveillance laws as sufficiently protective of privacy—a position which calls all transfers of personal data to the US in question, regardless of the methods used to legitimise the transfer—but they will reconsider this position in light of the Privacy Shield in the coming months.
The European Commission has announced an agreement today with the United States Department of Commerce to replace the invalidated Safe Harbor agreement on transatlantic data flows with a new EU-U.S. “Privacy Shield.” The Privacy Shield aims to address the requirements set out by the European Court of Justice in its Oct. 6, 2015 ruling by imposing stronger obligations on companies, providing stronger monitoring and enforcement by the DOC and Federal Trade Commission , and making commitments regarding access to information on the part of public authorities. In announcing the agreement, Vice-President Ansip noted his belief that the Privacy Shield will benefit both European businesses and citizens, and will prove to be a “much better” solution for transatlantic data flows.
It’s close to 7pm on a Friday evening and my team are trying their best to manage our clients’ stress and frantic desperation. Jokes about how much they love Max Schrems are shared by email. In the meantime, we are diligently working our way through endless charts of dataflows and attempting to cover every single […]
The roller coaster of developments affecting the Safe Harbor framework shows no signs of slowing down. It has taken a couple of years since Edward Snowden’s revelations for the train to reach to its highest point, but once the European Court of Justice ruled on the Schrems case, we knew it would be a bumpy ride. In the past weeks, most of the attention has focused on the EU data protection authorities, which are now more emboldened than ever and keen to capitalize on the ECJ’s decision to tighten the regime affecting international dataflows. The European Commission’s communication of 6 November to the European Parliament and the Council of the EU, coupled with its practical guidance, represents yet another turn in this uncertain journey. At the same time, the Commission’s intervention is helpful in terms of the decision-making process that many organisations—for which transatlantic transfers are vital—are trying to grapple with.
On November 6, 2015, the European Commission issued its widely anticipated Communication to the European Parliament and Council about the effect of the Court of Justice of the European Union’s Schrems decision, which invalidated the U.S.-EU Safe Harbor framework. The Commission expresses a commitment to negotiate with the U.S. Government a new framework for cross-border transfers of personal data. The Commission also emphasizes that the Communication does not have binding legal effect, but concludes that companies should rely on “alternative tools” for authorizing data flows to third countries like the United States.
On Tuesday November 3, the Spanish data protection authority, Agencia Española de Protección de Datos, sent a letter all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies. The letter warns companies that because Safe Harbor certifications are no longer recognized as valid, they must take steps to ensure that alternative mechanisms are implemented in order to continue transferring data to Safe Harbor certified companies in the United States. In particular, the AEPD is requiring of all companies that received the letter to inform it not later than January 29, 2016 of any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.
The Opinion of the Advocate General of the Court of Justice of the European Union on the case assessing the status and validity of Safe Harbor has created significant uncertainty relating to its immediate future. While the CJEU has not yet ruled, the AG’s decisions are typically quite influential. The AG’s view is that the Safe Harbor program does not provide an adequate level of data protection and that it should have already been invalidated by the European Commission.
Following on the heels of the IAPP Congress in Brussels, the CNIL’s (the French data protection authority) international chief, Florence Raynal, engaged in a dialogue with the members of the American Chamber of Commerce’s Digital Economy Committee in France. Raynal engaged with AmCham members on questions relating to the EU-US Safe Harbor framework, focusing on the practicalities of onward transfers. The discussion involved two kinds of transfers.
On Monday, a European Parliament Inquiry established to investigate the recent U.S. National Security Agency surveillance revelations indicated that its final report would recommend suspension of the popular EU-U.S. Safe Harbor Framework.
At the 35th annual Conference of Data Protection Authorities and Privacy Commissioners in Warsaw, Poland today, Hogan Lovells partner and privacy practice lead Christopher Wolf spoke on the issue of privacy and trade in light of the ongoing Transatlantic Trade and Investment Partnership negotiations between the EU and the U.S. This post contains prepared remarks to the commissioner’s on the need for interoperable cross-border privacy standards and the merits of the U.S. privacy regime.
The US privacy framework is under attack from officials in the EU following revelations about NSA surveillance. Yesterday, US Department of Commerce General Counsel Cameron Kerry delivered his valedictory address before his departure from his position next week, and focused both on the progress made by the Obama Administration in privacy and offered the strongest […]
In an August 13 letter to Commissioner Viviane Reding, Article 29 Working Party Chair Jacob Kohnstamm requested more information regarding the United States’ national security surveillance program, including the widely-publicized PRISM program.