Cross Border

Subscribe to Cross Border via RSS

According to a tweet, Giovanni Buttarelli − the European Data Protection Supervisor (EDPS) − declared during the 2016 edition of the conference Computers, Privacy and Data held in Brussels: “Don’t do it again!”  This declaration was addressed to the Privacy Shield negotiators.

On the one hand, the announcement of bilateral supervision measures and

After January 31, 2016, the deadline imposed by WP29 expired. Pessimism was expressed regarding the ability of the EU and U.S. to reach a deal that addresses the requirements set out by the Court of Justice of the European Union (CJEU) in Maximilian Schrems v. Data Protection Commissioner, European Commission Vice President Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality, Věra Jourová. It was announced on February 2, 2016, that the EU Commission and the U.S. have agreed on a new arrangement − the “EU-U.S. Privacy Shield” − which will replace the Safe Harbour agreement. The arrangement is intended to come into effect within three months of the announcement. During this time, the EU and U.S. have to finalize the implementation mechanism and the monitoring regime. EU Council commissioners (college) have given the mandate to Vice President Ansip and Commissioner Jourová to prepare a draft adequacy decision to adopt the EU-U.S. Privacy Shield.

The EU-U.S. Privacy Shield, as presented to Vice President Ansip and Commissioner Jourová, should meet the requirements of the CJEU’s Schrems decision and include:

  • a new framework arrangement, which will not be a one-off decision as it was in 2000, as it is subject to annual joint reviews and the EU Commission will evaluate and report once a year (with the first annual review held in 2017);
  • a strong U.S. commitment not to carry out mass surveillance of EU citizens and access to data made transparent by all means, including public authorities, media, companies and civil society;  and
  • a three-step mechanism providing independent oversight and individual redress rights, including the creation of an independent and dedicated U.S. ombudsperson to ensure that U.S. authorities process EU citizens’ data in a lawful way and provide them  with a real capacity to act and exercise redress rights.

Once implemented, the EU-U.S. Privacy Shield safeguards should also address concerns raised in relation to transfers of personal data to the U.S. outside of the Safe Harbour arrangement, including pursuant to EU-approved Standard Contractual Clauses.  The coming days and weeks will shed more light on the terms of the EU-U.S. Privacy Shield and its implementation framework. We will monitor these changes and report to you on a regular basis. Should you need assistance, please do not hesitate to contact the McGuireWoods data privacy and security team.

For more information on ex-Safe Harbor, please also refer to the following prior Password Protected blog posts:
Continue Reading Replacing Safe Harbor: EU-U.S. Privacy Shield Announced

In 2015, a number of high-profile media and political events and several legal cases raised questions about personal data protection in the European Union. 2016 looks to be a pivotal year for reforms in personal data protection, including issues related to recent matters.

The following developments are anticipated:

  • The General Data Protection Regulation will form

On December 15, the EU Commission, Parliament and the EU Council reached an agreement, via the “trilogue” meetings on EU data protection reform.  The reform consists of two legal instruments:

  • The General Data Protection Regulation (GDPR)
  • The Data Protection Directive for the police and criminal justice sector

One of the huge advantages of the GDPR

Mass surveillance has come under scrutiny once again, now that the UK Court of Appeal has asked the Court of Justice of the European Union (CJEU) to clarify whether it intended to “lay down mandatory requirements of EU law with which the national legislation of member states must comply,” following its decision last year that

In letters sent on November 20, 2015 (see here the letter sent to the chairman of the Article 29 Working Party), the U.S. Chamber of Commerce and its EU equivalent, BusinessEurope, urged the U.S. and EU negotiators to “expeditiously reach agreement on a strengthened Safe Harbor framework that takes into account the concerns raised by

Once again, Facebook is in the spotlight. On November 9, following the Recommendation 04/2015 of May 13, 2015, issued by the Belgian Data Protection Authority (Belgian DPA) that we mentioned in a previous blog post, a Belgian court sentenced Facebook, under high penalties, to stop profiling data subjects when they simply navigate on third

On October 26, 2015, EU Commissioner Jourová, responsible for data protection, delivered before the European Parliament a speech on the implications of the Schrems ruling (C‑362/14) by the Court of Justice of the EU, which declared as “invalid” the Safe Harbor Decision (European Commission’s Decision 2000/520/EC of 26 July 2000 “on the