As discussed in greater detail in EU-US Privacy Shield: Agreement on Transatlantic Data Flows, the European Commission and the US Government announced on February 2, 2016 an agreement on the EU-US Privacy Shield Arrangement to replace the US-EU Safe Harbor, which the Court of Justice of the European Union struck down in its Schrems decision on October 6, 2015. Although the texts for the Privacy Shield have yet to be released, the Article 29 Working…
After months of intense negotiations, the European Commission and the US Government announced today an agreement on the EU-US Privacy Shield (see http://europa.eu/rapid/press-release_IP-16-216_en.htm). This new arrangement replaces the US-EU Safe Harbor Privacy Arrangement (“Safe Harbor”), which was struck down by the Court of Justice of the European Union on October 6, 2015. The EU-US Privacy Shield builds upon the original Safe Harbor, and establishes a range of additional protections for European personal data, particularly on…
On 19 November 2015, the French data protection authority (“CNIL”) published a set of guidelines and FAQs providing guidance to French businesses currently transferring, or planning to transfer, personal data from the EU to the U.S. What Options Are Available For Transferring Personal Data From France To the U.S.?CNIL expressly states that transferring personal data from France to the U.S. on the basis of Safe Harbor is no longer an option. It further confirms that, while…
On 6 November 2015, the EU Commission issued a communication addressed to the EU Parliament and EU Council with the aim of providing an overview of alternative tools for transatlantic data transfers and to further explain the consequences of the Schrems judgment of the Court of Justice of the European Union (“CJEU”) of 6 October 2015 (C‑362/14).The guidance begins by acknowledging the growing industry concerns about data transfers in light of the Schrems judgment and…
On October 22, 2015, the Czech Data Protection Authority (DPA) sent out letters to companies which are registered as data controllers with the DPA. The letter is essentially a notice to inform such Czech companies about the invalidation of Safe Harbor.RecommendationsThe DPA recommends using EU Model Clauses or BCRs instead for data transfers to third countries. The letter does not require companies to respond to it nor does it stipulate a specific timeline to take…
On 23 October 2015, the Portuguese Data Protection Authority (the “CNPD”) issued a statement (available in Portuguese only) outlining its position on transfers of personal data to the U.S. following the Schrems judgement. Businesses that are subject to Portuguese data protection law and engage in transatlantic data transfers would be prudent to assess and adapt those data transfers in light of the statement.What Does The CNPD Say?The CNPD makes the following key statements:Data flows under…
As the EU body leading the Safe Harbor 2.0 negotiations with the U.S. government, the EU Commission plays a crucial role in the current debate about data transfers from the EU to the U.S. On 26 October, 2015, during her speech to the LIBE Committee of the EU Parliament, Vera Jourová (the EU Commissioner responsible for data protection) provided some important insights into the progress of, and requirements for, Safe Harbour 2.0. Jourová also emphasised the…
On 20 October 2015, the U.S. House of Representatives unanimously passed the Judicial Redress Act (the “Act”) which now awaits approval by the U.S. Senate. The Act is a critical piece in rebuilding the EU/U.S. data transfer puzzle, which broke into pieces last month when the European Union Court of Justice (the “CJEU”) ruled the European Commission Safe Harbor decision invalid. What Is the Act About?Currently, individuals that are not U.S. citizens or permanent residents have…
The Spanish Data Protection Agency sent out letters dated October 29, 2015 to companies that are registered with the DPA and that rely on Safe Harbor for data transfers to US recipients. The letter states that companies need to take alternative measures since Safe Harbor has been invalidated. The DPA asks specifically whether the notified data transfers to US recipients based on Safe Harbor will continue, and if so, which alternative measures the company will now take. Safe…
The following is the second part in a two-part commentary (Part One available here) on a position paper issued by the Data Protection Conference of the German State Data Protection Authorities and the German Federal Commissioner for Data Protection (“Conference”) following the recent decision of the Court of Justice of the European Union (“ECJ”) invalidating the Safe Harbor decision of the EU Commission. German DPAs Have The Power To Prohibit Or Suspend Data Flows Under…