If you would like to learn more about the politics and law behind the current Safe Harbor 2.0 negotiations, download the podcast of Running Aground in the Surveillance Safe Harbor, a teleforum hosted by the Federalist Society. The podcast features moderator Matthew R.A. Heiman, Vice President, Chief Compliance & Audit Officer, Tyco International; Stewart A. Baker, Partner, Steptoe & Johnson LLP and former Assistant Secretary for Policy at the Department of Homeland Security; and Susan Foster, a solicitor in England & Wales whose practice bridges the UK and US perspectives on data protection matters. Podcast made available through kind permission of the Federalist Society.
Archives: Safe Harbor
Tying it all together: Safe Harbor and Security-Related Data Flows
One of the fascinating aspects of the privacy-related negotiations between the EU and the US over the past couple of years has been the EU’s efforts to decouple trade (e.g., TTIP) and security-related negotiations from the Safe Harbor 2.0 negotiations. The US Senate’s Judiciary Committee pushed back firmly on that yesterday when it adopted amendments to the Judicial Redress Act, which the EU requires to be passed before it will sign the Umbrella Agreement between the US and EU relating to the sharing of crime-related information between law enforcement authorities. The basic aim of the Judicial Redress Act is to give EU citizens the same rights as US citizens under the United States’ Privacy Act of 1974. The European Commission has said a number of times that passage of the Judicial Redress Act was a step in the right direction for Safe Harbor 2.0 (without saying it was enough to fully address the Commission’s concerns).
(So) What if there’s no Safe Harbor 2.0?
There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US. But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world. No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures). Only two of the countries are in the top twenty (Canada is in twelfth place). Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list. Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission). So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners.
The EU Commission’s spin on the new General Data Protection Regulation
The European Union Commission has issued a fact sheet on the new General Data Protection Regulation (final post-trilogue text available via Statewatch). The Commission claims that the Regulation is good for individuals and good for business. We’ll leave that to readers . . . and history . . . to decide.
As regulations go, the GDPR is a page-turner, but if you don’t have time to read all 204 pages before the holidays, consider joining our webinar at 1 pm ET today. Registration is here.
The General Data Protection Regulation in Bullet Points
Updated at 8:50 pm GMT on 16 December 2015.
The new General Data Protection Regulation is effectively a “done deal” following the final trilogue meeting on December 15. One might assume based on UK media coverage that the biggest change in EU privacy law is that kids under 16 will need their parent’s consent to sign up for social media services and apps. As much consternation as that will cause at the breakfast table, it’s really the least of our worries.
It will take some time to process the new Regulation, and of course we don’t have the complete, official version yet (please read the important caveat at the end of this summary), but here are the key features of the Regulation in bullet point form so we can start mapping out the new legal landscape. This summary focuses more on what’s new than what has stayed in place; generally speaking, rights of data subjects that existed under the Directive also exist under the Regulation. On the other hand, the burdens on data controllers and processors have substantially increased. We’ll explore all of this in more detail over the coming weeks.
Webinar Postponed - Post-Safe Harbor Update for Life Sciences Companies
The webinar on Post-Safe Harbor Update & Cross-Border Data Transfer Issues for Life Sciences Companies that was originally scheduled for today is being postponed and will take place after the holidays. We will announce a new date shortly.
Privacy Monday: November 9, 2015 - EU/Safe Harbor Updates
And the days dwindle down, to a precious few … November …
We are still following developments in the EU relating to the invalidation of the US-EU Safe Harbor Framework. In case you were on a secluded island during the month of October, you can catch up here.
European Commission Issues Communication. On Friday, the European Commission issued “long-awaited” guidance (called a Communication), which did not shed much new light on the cross-border data transfer issues, but instead rehashed the “alternative transfer tools” available to legitimize data flows to jurisdictions deemed “not adequate,” like the United States. More after the jump.
EU Round-UP: Safe Harbor 2.0 and Upcoming National Challenges
EU Commissioner Vera Jourova recently announced in a speech to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) that the Commission and the US have made substantial progress in finalizing a new Safe Harbor program. Jourova noted that the collection and use of European personal data for US national security purposes remains a key open issue. However, she also reminded LIBE that the US has undergone a substantial review of the NSA’s alleged mass surveillance activities over the past couple of years.
Overall, Jourova’s comments seemed optimistic regarding getting a new Safe Harbor program finalized prior to the Art. 29 Working Party’s January deadline for increased enforcement by national Data Protection Authorities starting at the end of January 2016. (The Art. 29 Working Party’s statement is available as a PDF on this page.)
In the meantime, the German regional data protection authorities have collectively announced that they will investigate data transfers by Google and Facebook to the US (without waiting for complaints by German users). The German DPAs have also suspended approval of new Binding Corporate Rules and customized data protection clauses. (Model clauses, which don’t require DPA approval in Germany, are not immediately affected, but could be vulnerable to attack.)
Keeping an eye on national data protection authorities’ enforcement agendas will be important once we have Safe Harbor 2.0 in place, since under the Schrems decision, Safe Harbor 2.0 will be effectively subject to the review of national DPAs and courts.
More Dominos Fall on the Data Protection Table
As all of our readers know by now, as of October 6, the US-EU Safe Harbor Framework is no more. Safe Harbor was the mechanism on which thousands of US companies (and thousands of companies based in the European Union) legitimized their data transfers from the EU to the US. All the background, including links to a recording of our “emergency” Privacy webinar on the issue, can be found here, here, and here.
Two more dominos outside the European Union have toppled.
Irish High Court Quashes Irish Data Protection Commission Original Schrems’ Decision
The Irish High Court today has ordered the Irish Data Protection Commissioner (DPC) to investigate Facebook’s European data privacy practices, bringing Max Schrems’ three-year fight full circle. The Court today quashed the original DPC refusal to examine Schrems’ complaint that came back to the High Court after the referral to the European Court of Justice (CJEU).
Ireland’s DPC, Helen Dixon, refused to investigate the original Schrems’ complaint based on the validity of the US-EU Safe Harbor Framework. By now, we all know what happened to Safe Harbor when it reached the CJEU.
Today’s High Court decision awards Schrems costs for his legal bills and travel expenses, and Judge Gerard Hogan commented that “the commissioner is obliged now to investigate the complaint … and I’ve absolutely no doubt that she will proceed to do so.”
The EU’s Article 29 Working Party of EU data protection officials issued a joint statement last week forthrightly expressing its position post-CJEU decision:
Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.