Between the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) and the adoption of the Privacy Shield, a number of data exporters have relied on the Standard Contractual Clauses (SCC) as the safest export tool to transfer personal data from the EU to the U.S. But as announced

The GDPR harmonizes data protection laws across the EU and updates the current 20-year-old regime to take account of globalization and the ever-changing technology landscape.  It will apply not only to EU companies, but to any company processing the personal data of individuals in the EU in relation to offering goods or services, or to

The European Commission very recently presented two draft implementing decisions amending the existing adequacy decision on standard contractual clauses.

These drafts were presented to the Article 31 Committee, which is composed of Members State representatives who assist the European Commission concerning the protection of individuals with regard to the processing of personal data.

This presentation is a consequence of the Schrems ruling and past declarations of the Article 29 Working Party that standard contractual clauses remain under scrutiny.

The summary by the Article 31 Committee speaks for itself: “In Schrems, the Court invalidated Article 3 of the Safe Harbour adequacy decision because it found that the Commission exceeded its powers in imposing limitations on the powers of national supervisory authorities (DPAs) to suspend and prohibit data flows. Since a comparable provision restricting the powers of DPAs is present in the existing adequacy and SCCs decisions, the main objective of the proposed draft amending decisions is to remove any such restriction, thereby ensuring that the DPAs can use all the powers provided under EU and national law.”

The Article 31 Committee will make a final decision concerning these draft amendments in the coming days or weeks after reviewing the opinions of the Article 29 Working Party. It is possible that the Article 29 Working Party will propose other amendments.


Continue Reading Expected Soon: Modifications of the Standard Contractual Clauses

A study by the International Association of Privacy Professionals has found that 28,000 data protection officers (DPO) will be needed in the next two years for companies to comply with the EU’s new General Data Protection Regulation (GDPR).  By the time the GDPR comes into force in 2018, in-scope entities will have to have their

The EU’s Market Abuse Regulation (“MAR”) came into effect on July 3, 2016 replacing the EU’s Market Abuse Directive. Unlike the Directive, the MAR has direct effect in each EU member state, including the UK.

The MAR, a civil market abuse regime, is intended to ensure the smooth functioning of the financial markets and enhance

After its first draft of February 29, 2016, the European Commission adopted the EU-U.S. Privacy Shield adequacy decision on July 12, 2016.  The first draft was adopted after the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) on October 15, 2015 (Schrems case). A new adequacy decision was therefore highly welcome to allow the tens of thousands of U.S. and EU companies that rely on Safe Harbor to transfer personal data across the Atlantic. After the first draft of the adequacy decision, several EU institutions addressed numerous concerns regarding this first draft. First, on April 13, 2016, Article 29 Working Party (WP 29), released an  opinion, noting the Privacy Shield offers major improvementscompared to the invalidated Safe Harbor decisionbut, at the same time, urged the European Commission to resolve all concerns expressed by WP 29 in order to ensure that the protection to be offered by the Privacy Shield is indeed essentially equivalent to that of the EU. This opinion was followed on May 26, 2016 by a resolution of the EU parliament where it also expressed several concerns about the proposed Privacy Shield.  Finally, on May 30, 2016 the European Data Protection Supervisor (EDPS) published its opinion where, although it “welcomed the efforts shown by the parties to find a solution for transfers of personal data”, EDPS added that “robust improvements” were needed “in order to achieve a solid framework, stable in the long term”.

The EU-U.S. Privacy Shield adequacy decision adopted on July 12, 2016 by the European Commission was supposed to cure all the concerns expressed after the first draft. The surprise is of course that WP 29’s press release of July 26, 2016 does not consider that the improvements brought by the EU Commission and the U.S. authorities to the proposal of Privacy Shield adequately respond to the concerns expressed.  For instance, WP 29 regrets:

  • The lack of specific rules on automated decisions and of a general right to object;
  • That it remains unclear how the Privacy Shield Principles will apply to processors;
  • The lack of concrete assurance that bulk collection of personal data will not again happen, despite the commitment of the U.S. Office of the Director of National Intelligence (ODNI);
  • The lack of strict guarantees concerning the independence and the powers of the Ombudsmen in case of conflict caused by access by U.S. public authorities to personal data.

After expressing these criticisms, WP 29 proposes however to decide on the viability of the Privacy Shield after the first annual review of the framework that will take place in May 2017. In other words, WP 29 will not push for a legal challenge of the Privacy Shield before the first review.  This said, even though the timing proposed by WP 29 seems practicable, in case of action by data subjects of privacy activists, the “wait and see” attitude of WP 29 will probably be difficult to maintain. Finally, the position of WP 29 seems very practical.  Indeed, it is difficult to assess the adequacy of the Privacy Shield because it is mainly based on commitments taken from letters by different U.S. heads of administrative bodies and among others the ODNI. This meets one of the very general remarks expressed by the EDPS in its May 30, 2016 opinion, which called for longer term solutions” “with more robust stable legal frameworks to boost transatlantic relations”. The nearly one year deadline given by WP 29 is probably the opportunity to reach robust stable legal frameworks not only for the Privacy Shield, but also for Standard Contractual Clauses and Binding Corporate rules when they relates to transfers of personal data to the U.S.


Continue Reading Is the Privacy Shield Viable? Article 29 Working Party Proposes to Wait for Its Final Verdict

The EU-U.S. Privacy Shield has been formally adopted by the European Commission, enabling U.S. companies who sign up to the framework to receive personal data from the EU. The new deal replaces the previous Safe Harbor framework, which was invalidated by the Court of Justice of the European Union (CJEU) last October.

The new framework

EU Data Privacy

September 27, 2016 | London

Learn more about data protection laws in light of BREXIT. The conference is designed for in-house counsel, risk managers, security officers, regulatory and compliance officers, directors, financial officers, information officers, human resource officers and managers of corporations with cross-border operations. A full agenda is under development, but topics and speakers

The European Commission adopted on July 12, 2016 its long-awaited decision recognizing the U.S. Privacy Shield as providing adequate protection for personal data of EU citizens transferred to the United States. The Privacy Shield is a set of rules and commitments issued by the U.S. Department of Commerce (DOC) and State Department primarily. This new framework will become operational on August 1, 2016.

It replaces the Safe Harbor, an earlier scheme that the European Commission had considered to provide adequate protection to personal data transferred to the United States and that many operators relied on to transfer data across the Atlantic. The Commission decision recognizing Safe Harbor as providing adequate protection was declared invalid on October 6, 2015 by the Court of Justice of the European Union (the Highest Court of the EU) in the Schrems case.

The Court of Justice annulled the Safe Harbor decision on the ground that Safe Harbor did not provide “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.” More specifically, the Court of Justice took issue with the fact that companies subscribing to the Safe Harbor and receiving personal data from the EU were bound to disregard the Safe Harbor principles anytime they would conflict with U.S. national security, public interest, or law enforcement requirements, without any limitation.  It also criticized the fact that there was no rule or procedure to limit interferences with fundamental rights and freedoms of EU data subjects to what is strictly necessary to national security, public interest, or law enforcement; and no procedures to enable data subjects to exercise their right to know what data relating to them is being processed, and to have that data corrected or erased.

The Privacy Shield was negotiated between the European Commission and the U.S. authorities in order to reintroduce a scheme facilitating the transfer of personal data from the EU to U.S., which businesses need, while at the same time addressing the concern of the Court of Justice, which was necessary in order for the new scheme to withstand legal challenge. Before being formally adopted by the Commission, the new scheme was submitted to the data protection authorities of EU’s member states, which approved it on July 8th.

The Privacy Shield introduces significant changes to the defunct Safe Harbor. It imposes new obligations on the companies in the US receiving and processing personal data, in particular by restricting the onward transfer of personal data to third parties and by explicitly requiring companies to delete data once the purpose for which it was obtained expires.

Effective enforcement of EU data protection principles is ensured through regular reviews by the DOC of how companies subscribing to the Privacy Shield really comply with the rules and by more effective supervision mechanisms. Data subjects will also have the opportunity to file complaints with their home data protection authority in the EU, which will then forward them to the DOC or the International Trade Commission in the US for proper resolution.  If this fails, disputes will be resolved through a binding arbitration mechanism (the Privacy Shield Panel).

The Privacy Shield also sets out limits on the bulk processing of personal data by the US authorities for intelligence and law enforcement purposes. Complaints of EU data subjects will be handled by an Ombudsman in the State Department, independent from the US intelligence services.

For more information about the Privacy Shield, see the Commission’s press release here, or feel free to contact our data protection team.


Continue Reading EU-US Data Protection: the Safe Harbor is dead, long live the Privacy Shield!