On September 8, 2017, three U.S. companies settled actions brought by the Federal Trade Commission (“FTC”) for misleading consumers about their participation in the EU – U.S. Privacy Shield Framework (“Privacy Shield”). These were the first Privacy Shield enforcement actions brought by the FTC. The Privacy Shield replaced the U.S. – EU Safe Harbor framework as the legal mechanism for transatlantic data flows in August 2016. It functions through a self-certification process by which U.S.…
The Data Protection Authority (“DPA”) of Hamburg, one of 16 German State DPAs, has issued fines against three companies for failing to implement alternative data transfer mechanisms following the invalidation of the European Commission Safe Harbor adequacy decision in October 2015. The fines range from EUR 8,000 to EUR 11,000 for each company.This is the most high-profile example of a DPA taking action against companies for continuing to transfer personal data from Europe to the…
On 25 May 2016, the Irish Data Protection Commissioner (“IDPC”) announced that it would be seeking a judgment from the Court of Justice of the European Union (“CJEU”) on the legal status of the EU Standard Contractual Model Clauses (“EU Model Clauses”) for cross-border data transfers. This development further increases the uncertainty around permissible means of transferring personal data from the EU to the US. Last year, the CJEU declared the EU-US Safe Harbour Framework “inadequate”…
Fact is that it is not per se illegal to transfer data from the EEA to the U.S. What has changed is that the blanket permission for transatlantic data transfers from the EEA to Safe Harbor certified U.S. companies has fallen away. Nonetheless, alternative transfer mechanisms, in particular Binding Corporate Rules and Standard Contractual clauses may be relied upon for lawfully transferring data from the EEA to the U.S. Further, derogations such as consent and performance of…