Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: data transfer

Posted in International/EU Privacy

Data Protection in the Event of a “No Deal Brexit”

The Department for Digital, Culture, Media and Sport (‘DDCMS’) has today released guidance on “Data protection if there’s no Brexit deal”, which is part of its preparations for if there is a “no deal” scenario when the Article 50 negotiating period comes to an end on 29 March 2019. The UK will become a “third country” on its exit from the European Union, which means that unhindered cross-border transfers of data will no longer automatically be able to take place between the UK and the EU. The guidance confirms that, given the “unprecedented alignment” between the UK and EU data protection regimes, the UK would continue to allow transfers of data from the UK to the EU at the point of exit. However, the Commission has made it clear that they would not make a decision on adequacy until the UK is a third country (that is, after 29 March 2018), and its procedure for reaching a decision typically lasts several months.

Posted in Consumer Privacy

Details of Legal Challenge to Privacy Shield Revealed

Ever since the first draft of the EU-US Privacy Shield framework was published in early 2016, groups opposed to the idea have indicated their intent to challenge the legality of the framework under EU law. Recently, the privacy advocacy group Digital Rights Ireland made good on that promise. Following the filing of a formal complaint on 15 September asking for an annulment of the framework by the Court of Justice of the European Union, DRI has now made public the details of its complaint.

Posted in International/EU Privacy

German DPAs Launch Enquiry into International Data Transfers

500 German companies will be asked in the coming weeks by 10 German data protection authorities to complete an extensive and detailed questionnaire about their transfers of personal data to third countries. Companies must indicate how they ensure an adequate level of data protection for such data transfers. The questionnaire also covers the use of cloud services provided by U.S. entities. The enquiry and the questionnaire (but not the list of targeted companies) were published by the German DPAs on 3 November 2016.

Posted in International/EU Privacy

Recording and Deck from Webinar: Privacy Shield: What You Need to Know

Thank you to everyone who participated in last week’s webinar “Privacy Shield: What You Need to Know,” in which we explored how companies demonstrate compliance with the Privacy Shield principles, what it takes to move from Safe Harbor to Privacy Shield, and more. A copy of the slide deck and recorded webinar are now available on our blog.

Posted in International/EU Privacy

Future-Proofing Privacy: International Data Transfers 2.0

Part 9 of Future-Proofing Privacy: Future-Proofing Privacy: International Data Transfers 2.0. The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU based businesses (whether those businesses are data controllers or data processors) to destinations outside the EEA. These restrictions, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses or BCRs. This approach is essentially set to continue
with some variations.

Posted in International/EU Privacy

A Brief Analysis of the European Parliament and the Article 29 Working Party’s Criticisms of Privacy Shield

Unveiled February 29, 2016, the new EU-U.S. Privacy Shield attempts to address the shortcomings of the Safe Harbor arrangement identified originally by the European Commission and later by the Court of Justice of the European Union in its Schrems decision. The Privacy Shield proposes improved data protection principles, better enforcement by the US Department of Commerce and the Federal Trade Commission, redress mechanisms for EU citizens, and safeguards surrounding law enforcement and intelligence activities. The European Parliament adopted a resolution on May 26, 2016 praising the progress made, but highlighting shortcomings in the Privacy Shield as presented in February 2016. Now that the Irish Data Protection Controller has referred another data transfer mechanism known as Standard Contractual Clauses to the courts for review of their adequacy, greater focus will be placed on whether the criticisms of Privacy Shield are well founded.

Posted in International/EU Privacy

Article 29 Working Party Sees Privacy Shield Glass Half Empty

From the moment that the Chairman of the Article 29 Working Party, Isabelle Falque-Pierrotin, announced at a press conference on 3rd February this year that the Working Party would assess the standing of the EU-US Privacy Shield under EU law, privacy professionals have been waiting to see what the Working Party’s view would be. Earlier this week, on 13th April, the Working Party provided their initial opinion. On the one hand, the Working Party welcomed the significant improvements of the Privacy Shield as a positive step forward. Yet, on the other hand, the Working Party set out their strong concerns on the commercial aspects of the Privacy Shield and the ability for US public authorities to access data transferred under the Privacy Shield. The opinion concluded by urging the European Commission to resolve these concerns and improve the Privacy Shield.

Posted in International/EU Privacy

Inside the New EU-U.S. Data Framework: A Practical Breakdown of the Privacy Shield

The February 29, 2016 announcement of the new EU-U.S. data transfer framework—the Privacy Shield—was accompanied by over 130 pages of documentation and significantly more operational details than its predecessor, Safe Harbor. We have reviewed the Privacy Shield materials and published a comprehensive breakdown of the changes from Safe Harbor to Privacy Shield and the practical impact on business: Inside the New and Improved EU-U.S. Data Transfer Framework.

Posted in International/EU Privacy

First Look: EU–U.S. Privacy Shield

On February 29, 2016 and after more than two years of negotiations with the U.S. Department of Commerce, the European Commission released its draft Decision on the adequacy of the new EU–U.S. Privacy Shield program, accompanied by new information on how the Program will work. The Privacy Shield documentation is significantly more detailed than that associated with its predecessor, the EU-U.S. Safe Harbor, as it describes more specifically the measures that organizations wishing to use the Privacy Shield must implement. Importantly, the Privacy Shield provides for additional transparency and processes associated with U.S. government access to the personal data of EU individuals.

Posted in International/EU Privacy

The GDPR: Things You Should Know

To say that the EU General Data Protection Regulation (GDPR) will change the existing data protection framework in Europe is an understatement. After an intense legislative process of more than 4 years, an ambitious, complex and strict new law that is set to transform the way in which personal information is collected, shared and used globally. Eduardo Ustaran highlights the GDPR’s significant changes in this article published in the Privacy and Data Protection Journal.

Posted in International/EU Privacy

Hong Kong Privacy Commissioner Issues Guidance on Cross-Border Data Transfers

On 29 December, 2014, Hong Kong’s Privacy Commissioner for Personal Data published a guidance note concerning the potential implementation of section 33 of the Personal Data (Privacy) Ordinance, which would restrict the export of personal data from Hong Kong. In a recent client alert, partner Mark Parsons and associate Peter Colegate from the Hogan Lovells Hong Kong office explore the Commissioner’s understanding of how section 33 would be implemented, including some important nuances that are particularly relevant to multi-national businesses operating in Hong Kong and the wider region.

Posted in International/EU Privacy

Spain changes the paradigm of international transfers of personal data allowing Spanish data processors to be “exporters” under the Standard Contractual Clauses for the Transfer of Data

The Spanish Data Protection Authority (SDPA) has established new procedures that allow data processors (not data controllers) based in Spain to obtain authorizations for transferring data processed on behalf of their customers (the data controllers) to sub-processors based in Third Countries that are not deemed to have an adequate level of protection for personal data. In addition, data processors can enter into Standard Contractual Clauses with their sub-processors. Previously in Spain, data controllers had to enter into Standard Contractual Clauses with each of their data processors’ sub-processors in Third Countries and data controllers had to obtain authorizations from the SDPA for such transfers.

Posted in International/EU Privacy

French Data Protection Authority Issues Recommendations in the Context of U.S. Discovery

On August 19, 2009, the French Official Journal published the French Data Protection Authority’s (‘CNIL’) long-awaited recommendations on the transfer of personal data for U.S. discovery purposes (‘Recommendations’, currently only available in French). The Recommendations were based at least in part on suggestions from a working group composed of representatives from all stakeholders, which was set up by the CNIL in 2008. The […]