Photo of Mehboob Dossa

Mebs specialises in advising multinationals, capital providers, independent sponsors, family offices, private equity portfolio companies and executives on a variety of transactions, including mergers and acquisitions, co- investments, leveraged buy-outs, joint ventures, restructuring, setting up operations in the UK, structured equity investments, divestitures, commercial/supply chain transactions and corporate governance matters. He also advises emerging-growth and early-stage companies.

In its long awaited judgment in the Schrems II case, the ECJ has this morning invalidated the EU-US Privacy Shield citing the “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities” in respect of personal data transferred from the European Union to the United States on the basis that such limitations do not provide the protections ensured under EU law. The ECJ’s concerns centered around certain US surveillance programs which are not limited to what is strictly necessary and EU data subjects not having effective rights of enforcement against US authorities under US laws.
Continue Reading ECJ Invalidates the EU-US Privacy Shield! How Safe is it to Use SCCs for Data Transfers from the EU to the US?

The Court of Justice of the European Union (ECJ) has announced that it will deliver its judgment in what has become known as the Schrems II case (Case 311/18 Facebook Ireland and Schrems) on 16th July 2020. The judgment will determine the validity of the Standard Contractual Clauses (or Model Clauses) (SCCs) as a transfer mechanism under the GDPR. This case arose following a complaint from Max Schrems, a lawyer and data privacy campaigner to the Irish Data Protection Commissioner (DPA) about transfers of his personal data from Facebook Ireland to Facebook US using SCCs. Mr. Schrems’s position is that Facebook is violating the EU data protection laws by allowing US intelligence authorities to access his personal data. The DPA issued proceedings in the Irish High Court in relation to the matter, which were stayed in 2018, with various questions raised by the DPC relating to SCC referred to the ECJ for determination.
Continue Reading ECJ to Deliver Judgment on the Validity of SCCs on 16th July 2020

The EU-US Privacy Shield (Privacy Shield) has passed its third annual review by the European Commission. A framework constructed by the US Department of Commerce and the European Commission to enable transfers of personal data for commercial purposes, the Privacy Shield enables companies from the EU and the US to comply with data protection requirements when transferring personal data from the EU to the US.

The Privacy Shield was approved by the European Commission on 12 July 2016, and was subject to annual reviews to try and avoid failures that resulted in the downfall of the Safe Harbor Principles, which it replaced. The reviews evaluate all aspects of the functioning of the Privacy Shield framework.
Continue Reading EU-US Privacy Shield Passes its Third Annual Review

On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. Are you ready?

Who’s affected?  

Organizations, anywhere in the world, that process the personal data of European Union (EU) residents should pay attention to GDPR and its territorial scope.

If you collect personal data or behavioral information from someone in the EU

From April 1, 2018, all new cars in the European Union (EU) must be equipped with eCall technology.

What is eCall?

eCall is a service designed to provide quick emergency response. In the event of a serious accident, the in-vehicle eCall system automatically communicates to the emergency services; the vehicle’s exact location; the time of

The EU’s Market Abuse Regulation (“MAR”) came into effect on July 3, 2016 replacing the EU’s Market Abuse Directive. Unlike the Directive, the MAR has direct effect in each EU member state, including the UK.

The MAR, a civil market abuse regime, is intended to ensure the smooth functioning of the financial markets and enhance

The EU-U.S. Privacy Shield has been formally adopted by the European Commission, enabling U.S. companies who sign up to the framework to receive personal data from the EU. The new deal replaces the previous Safe Harbor framework, which was invalidated by the Court of Justice of the European Union (CJEU) last October.

The new framework

Effective immediately, most UK companies, Societates Europaeae and UK Limited Liability Partnerships (LLPs) are required to maintain a register of People with Significant Control (“PSC Register”). Set out below is a brief summary of some of the requirements. The rules are complex, and you should take immediate steps to seek appropriate advice and put in

After January 31, 2016, the deadline imposed by WP29 expired. Pessimism was expressed regarding the ability of the EU and U.S. to reach a deal that addresses the requirements set out by the Court of Justice of the European Union (CJEU) in Maximilian Schrems v. Data Protection Commissioner, European Commission Vice President Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality, Věra Jourová. It was announced on February 2, 2016, that the EU Commission and the U.S. have agreed on a new arrangement − the “EU-U.S. Privacy Shield” − which will replace the Safe Harbour agreement. The arrangement is intended to come into effect within three months of the announcement. During this time, the EU and U.S. have to finalize the implementation mechanism and the monitoring regime. EU Council commissioners (college) have given the mandate to Vice President Ansip and Commissioner Jourová to prepare a draft adequacy decision to adopt the EU-U.S. Privacy Shield.

The EU-U.S. Privacy Shield, as presented to Vice President Ansip and Commissioner Jourová, should meet the requirements of the CJEU’s Schrems decision and include:

  • a new framework arrangement, which will not be a one-off decision as it was in 2000, as it is subject to annual joint reviews and the EU Commission will evaluate and report once a year (with the first annual review held in 2017);
  • a strong U.S. commitment not to carry out mass surveillance of EU citizens and access to data made transparent by all means, including public authorities, media, companies and civil society;  and
  • a three-step mechanism providing independent oversight and individual redress rights, including the creation of an independent and dedicated U.S. ombudsperson to ensure that U.S. authorities process EU citizens’ data in a lawful way and provide them  with a real capacity to act and exercise redress rights.

Once implemented, the EU-U.S. Privacy Shield safeguards should also address concerns raised in relation to transfers of personal data to the U.S. outside of the Safe Harbour arrangement, including pursuant to EU-approved Standard Contractual Clauses.  The coming days and weeks will shed more light on the terms of the EU-U.S. Privacy Shield and its implementation framework. We will monitor these changes and report to you on a regular basis. Should you need assistance, please do not hesitate to contact the McGuireWoods data privacy and security team.

For more information on ex-Safe Harbor, please also refer to the following prior Password Protected blog posts:
Continue Reading Replacing Safe Harbor: EU-U.S. Privacy Shield Announced

The EU and U.S. reached an agreement on Tuesday (9 September) which will enable the two sides to exchange personal data during criminal and terrorism investigations.

The so-called “Umbrella Agreement” comes after four years of negotiations between the EU and U.S. and will protect personal data exchanged between police and judicial authorities in the course