In its long-awaited judgment in the Schrems II case, the ECJ has this morning invalidated the EU-US Privacy Shield, citing the “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities” in respect of personal data transferred from the European Union to the United States, on the basis that such limitations do not provide the protections ensured under EU law. The ECJ’s concerns centred on certain US surveillance programs that are not limited to what is strictly necessary, and on EU data subjects not having effective rights of enforcement against US authorities under US law.

Continue Reading ECJ Invalidates the EU-US Privacy Shield! How Safe is it to Use SCCs for Data Transfers from the EU to the US?

The Court of Justice of the European Union (ECJ) has announced that it will deliver its judgment in what has become known as the Schrems II case (Case 311/18 Facebook Ireland and Schrems) on 16th July 2020. The judgment will determine the validity of the Standard Contractual Clauses (or Model Clauses) (SCCs) as a transfer mechanism under the GDPR. The case arose from a complaint by Max Schrems, a lawyer and data privacy campaigner, to the Irish Data Protection Commissioner (DPC) about transfers of his personal data from Facebook Ireland to Facebook US using SCCs. Mr. Schrems’s position is that Facebook is violating EU data protection law by allowing US intelligence authorities to access his personal data. The DPC issued proceedings in the Irish High Court in relation to the matter, which were stayed in 2018, with various questions raised by the DPC relating to SCCs referred to the ECJ for determination.

Continue Reading ECJ to Deliver Judgment on the Validity of SCCs on 16th July 2020

The EU-US Privacy Shield (Privacy Shield) has passed its third annual review by the European Commission. A framework constructed by the US Department of Commerce and the European Commission to enable transfers of personal data for commercial purposes, the Privacy Shield enables companies from the EU and the US to comply with data protection requirements when transferring personal data from the EU to the US.

The Privacy Shield was approved by the European Commission on 12 July 2016 and is subject to annual reviews intended to avoid the failures that led to the downfall of the Safe Harbor Principles, which it replaced. The reviews evaluate all aspects of the functioning of the Privacy Shield framework.

Continue Reading EU-US Privacy Shield Passes its Third Annual Review

The European Union’s (EU) ambitious and far-reaching regulation, the General Data Protection Regulation (GDPR), became effective on 25 May 2018. On its one-year anniversary, we reflect on some of the principal developments following the implementation of the GDPR.

European privacy values: a cultural shift

Critics have derided the GDPR for placing an onerous and expensive compliance burden on businesses, causing confusion and creating ‘data privacy fatigue’ amongst consumers and businesses alike.

Conversely, the furore has generated significant publicity around the GDPR, contributing to a cultural shift towards greater consumer empowerment and control over personal information. Public awareness of the GDPR is high – in May 2018, GDPR was searched more often on Google than either Beyoncé or Kim Kardashian. Individuals have a better understanding of their rights in respect of their personal data – which presents more of a risk to data controllers.

Equally, the GDPR has completely changed the risk profile of data protection for most businesses. Under the previous, weakly enforced regime, most businesses treated data protection as a low-risk issue. Under the new regime, data protection has become a high-risk issue.

Continue Reading The General Data Protection Regulation’s First Birthday

European Commission Comments on GDPR’s One-Year Anniversary

On the one-year anniversary of the GDPR, Andrus Ansip, Vice-President for the Digital Single Market, and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, released a joint statement on the momentous law: “The main aim of the rules has been to empower people and help them to gain more control over their personal data. This is already happening as people are starting to use their new rights and more than two-thirds of Europeans have heard of the regulation.” The entire statement can be found here.

FTC Extends Comment Deadline on Proposed Changes to Safeguards Rule

The FTC has extended the deadline to submit comments on proposed changes to the Safeguards Rule by 60 days, until August 2nd. In March, the FTC announced it was seeking comment on proposed changes to the Gramm-Leach-Bliley Act’s Safeguards Rule as well as the Privacy Rule. These regulations require financial institutions to inform customers about their information-sharing practices. More information can be found here.

FBI Reports That Cybercrime Cost $2.7B in 2018

The FBI’s annual Internet Crime Report states that IC3 received 351,936 complaints in 2018, about 900 every day. The statement released with the report said, “[t]he most frequently reported complaints were for non-payment/non-delivery scams, extortion, and personal data breaches. The most financially costly complaints involved business email compromise, romance or confidence fraud, and investment scams, which can include Ponzi and pyramid schemes.” More information can be found here.

Continue Reading ICYMI: A quick look at recent Privacy and Cybersecurity headlines

On 7 February 2019, the German competition law regulator, the Federal Cartel Office (FCO), concluded a lengthy investigation into Facebook. It found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

The FCO’s probe into Facebook is one of the first cases in the EU concerning the intersection between the EU’s new data privacy laws (contained in the General Data Protection Regulation or GDPR) and competition law. The abuse finding under German competition law (which is broadly the same as the pan-EU competition law in this regard) relied on what was, according to the FCO, a breach of EU data protection law.

Continue Reading Federal Cartel Office vs. Facebook: When Data Privacy and Competition Law Collide

The General Data Protection Regulation (GDPR) imposes strict obligations upon organizations that process the “personal data” of European individuals. Failure to comply with GDPR can result in large fines. The UK’s Information Commissioner’s Office (ICO), in recent months, issued a number of fines of £500,000 on global businesses with household names, and such fines have generated a lot of publicity. Many onlookers would be shocked by the magnitude of those fines but may not have appreciated that they were imposed under the Data Protection Act 1998, which was in force when the offending breaches occurred. Had the breaches taken place after May 25th of this year, when the GDPR took effect, those fines would more than likely have been significantly higher.

Businesses have therefore invested significant resources and money to make sure that they do not fall foul of the obligations imposed by the GDPR. Yet, within less than a year of the GDPR becoming binding law, those same businesses face further disruption as Brexit looms.

Continue Reading Implications of Brexit on GDPR

The General Data Protection Regulation (GDPR) is now in effect. On the 25th of May, the day the GDPR took effect, Commissioner Jourová gave a speech in Brussels at the General Data Protection Regulation conference to mark the beginning of a new chapter in the history of data protection in the EU. In her speech, the Commissioner recalled that data protection is of vital importance for EU citizens, as personal data protection is a fundamental right in the EU, and that the matter is also crucial for businesses, as personal data protection underpins trust in the digital market.

However, some EU countries, including Belgium, Greece and Hungary for example, missed the May 25th deadline and are not ready to fully enforce the GDPR. This creates legal uncertainty for both citizens and companies.

Continue Reading EU Countries that missed the GDPR deadline could face court

The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, a gathering of all EU national data protection authorities) made in its opinion of November 28, 2017 to increase the level of personal data protection provided by the Privacy Shield framework. As announced in that opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before the courts. Such an invalidation could lead to certified U.S. companies (2,400 companies, including web giants and major cloud providers) losing their certification, having to freeze data flows, and having to implement other legal mechanisms allowing them to import personal data from the EU.

It should be noted that the EU and U.S. authorities negotiated the Privacy Shield from a perspective more in line with Directive 95/46 (the main applicable data protection instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal this Directive and increase the level of protection of personal data from May 25, 2018, and the WP29 plans to prepare businesses for it.

In its report, the WP29 focuses on guarantees of enforcement and efficiency.

Continue Reading The WP29 Issues an Ultimatum to Improve the Privacy Shield