Category: Privacy Shield

So far, much of the discussion surrounding last week’s Court of Justice of the European Union “Schrems II” decision has focused on the implications for personal data transfers to the United States or other non-European countries, but its impact will be felt in the UK, as well, and add a further layer of complexity for companies preparing for Dec. 31, when the Brexit transition period will end. The key question at this stage is whether…

The decision by the Court of Justice of the European Union in “Schrems II” provides that the controller-to-processor standard contractual clauses are a viable mechanism for data transfers from the EU to third countries but identified further conditions that need to be considered when implementing them to address the requirement to provide “adequate protection” to such transfers. The CJEU put the onus on data exporters to determine whether the exporter’s implementation of the C2P SCCs…

The Court of Justice of the European Union issued its decision in “Schrems II” Thursday, a landmark decision that invalidates the EU-U.S. Privacy Shield arrangement. Until July 16, Privacy Shield had served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States under the EU General Data Protection Regulation. More than 5,000 organizations participate in Privacy Shield. Many thousands more EU companies rely on Privacy…

The European Union Commission (Commission) has issued a report on its findings from the third annual Privacy Shield review, which took place in September. In its report, the Commission confirmed that the EU-US Privacy Shield framework continues to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the United States. In concluding its report, the Commission provided additional action items necessary to…

On September 8, 2017, three U.S. companies settled actions brought by the Federal Trade Commission (“FTC”) for misleading consumers about their participation in the EU – U.S. Privacy Shield Framework (“Privacy Shield”). These were the first Privacy Shield enforcement actions brought by the FTC. The Privacy Shield replaced the U.S. – EU Safe Harbor framework as the legal mechanism for transatlantic data flows in August 2016. It functions through a self-certification process by which U.S.…

United States Commerce Secretary Wilbur Ross and the Trump administration recently confirmed their commitment to the US-EU Privacy Shield (“Privacy Shield”) framework in meetings held with European Union Justice Commissioner Vera Jourova. Commissioner Jourova went to Washington to gain reassurance from the Trump administration that it would maintain its commitment to the Privacy Shield framework. In an interview on Thursday, Commissioner Jourova stated that Secretary Ross assured her that he understood the importance of Privacy…

On January 25, 2017, the U.S. President signed an Executive Order on “Enhancing Public Safety in the Interior of the United States” containing rules for government privacy policies pertaining to foreigners. This caused concerns in Europe, but should not affect the EU-U.S. Privacy Shield. Section 14 of the Executive Order is entitled “Privacy Act” and provides that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not…

On January 11, 2017, the US and Swiss authorities announced their agreement on a new cross-border data transfer framework, the Swiss-US Privacy Shield Framework, to allow US companies to meet the requirements for transfers of personal data from Switzerland to the US. This new Framework, which will replace the existing US-Swiss Safe Harbor program, will begin accepting self-certifications from US companies starting on April 12, 2017. The Framework requirements were described by Swiss authorities as…

In a surprising turn of events, the New York State Department of Financial Services (“DFS”) announced on December 28 significant changes to its cybersecurity regulation in response to industry concerns that the agency’s original proposal was too prescriptive, and did not allow enough time for compliance. In September of 2016, DFS had proposed stringent cybersecurity requirements aimed at protecting “Nonpublic Information” within the custody or control of banks, insurers, and other financial institutions (“Covered Entities”) from…