Tag Archive: Safe Harbor

EUROPE: European Data Protection Supervisor Calls for “Significant” Improvements to EU-U.S. Privacy Shield

By: Dr. Thomas Jansen and Mari Martin

On May 30, 2016, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued his Opinion on the EU-U.S. Privacy Shield, calling for “significant” improvements to the EU-U.S. Privacy Shield before it can be adopted by the European Commission (EC). According to the EDPS Opinion:

“The draft Privacy Shield may be a step in the right direction, but as currently formulated it does not adequately include, in our view, all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress. Significant improvements are needed should the European Commission wish to adopt an adequacy decision.”

The Opinion stated that in order for the Privacy Shield to be effective, it must provide adequate protection against indiscriminate surveillance by U.S. intelligence agencies and improve existing obligations regarding oversight, transparency, redress and data protection rights. In particular, the EDPS Opinion called on the EC to negotiate improvements to Privacy Shield in three main areas:

  • integrating all key EU data protection principles so that the Privacy Shield will offer essential equivalence between EU and U.S. law;
  • limiting derogations from the Privacy Shield’s provisions; and
  • improving redress and oversight mechanisms contained in the Privacy Shield.

The Opinion also urged the negotiating parties to be unhurried in finding an adequate, long-term solution, as it is essential for international organizations supplying goods and services in the EU to be absolutely clear about all the rules with which they must comply.

Background Information

The EC began negotiating the Privacy Shield in October 2015, after the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Safe Harbor data transfer agreement. The Privacy Shield is intended to replace Safe Harbor. The EDPS opinion follows and supports the concerns expressed in the European Parliament’s May 25, 2016 resolution (2016/2727 (RSP)), which called for the EC to reopen negotiations with the U.S. in order to improve perceived “deficiencies” in the EU-U.S. Privacy Shield.

After the CJEU invalidated the EU-U.S. Safe Harbor Agreement, the Article 29 Working Party assured organizations and individuals wanting to transfer data from the EU to the United States that they could rely on other mechanisms provided for in the 1995 Data Protection Directive, such as standard model clauses and binding corporate rules, to continue legally exporting data.

However, these alternative mechanisms suffer from some of the same deficiencies as did Safe Harbor, in particular the lack of restrictions on access to personal data by U.S. intelligence agencies. Last week, the Irish Data Protection Commissioner announced that it would refer the question of the legality of the use of standard model clauses as a basis of data transfer to the CJEU, thus calling into question their continued use in the long term.

Practical Implications

Should the CJEU also invalidate the use of standard model clauses, which is by no means certain, approval of a final version of the Privacy Shield implementing the recommendations and addressing the concerns expressed in the Opinion of the EDPS and the Resolution of the European Parliament on the adequacy of the Privacy Shield will be critical for uninterrupted data flow between the EU and United States.

Like the recent Resolution passed by the European Parliament, the EDPS Opinion should contribute to the essential clarity for international organizations supplying goods and services in the EU regarding the precise rules with which they must comply in order to lawfully transfer personal data between the U.S. and EU.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-european-data-protection-supervisor-calls-for-significant-improvements-to-eu-u-s-privacy-shield/

EUROPE: European Parliament Passes Resolution Calling for Improvement of EU-U.S. Privacy Shield

By: Dr. Thomas Jansen and Mari Martin

On May 25, 2016, the European Parliament (EP) passed a non-binding resolution calling for the European Commission (EC) to reopen negotiations with the United States in order to improve perceived “deficiencies” in the EU-U.S. Privacy Shield.

The resolution requested improvements beyond the agreement reached between U.S. and EU negotiators in February. On February 29, 2016, the EC published a draft decision that approved the Privacy Shield arrangement as adequate. The Privacy Shield is intended to replace the EU-U.S. Safe Harbor Framework, which the Court of Justice of the European Union invalidated in October 2015.

The resolution, which the EP adopted in a 501-119 vote with 31 abstentions, largely supports criticisms in the April 13, 2016 Opinion issued by the Article 29 Working Party. Although the resolution acknowledged that the Privacy Shield contains “substantial improvements” compared to the Safe Harbor arrangement, it also called on the EC to “continue the dialogue with the U.S. administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies.”

The “deficiencies” about which the Members of the European Parliament (MEPs) voiced concerns include:

  • the lack of restriction on access to European citizens’ personal data by U.S. intelligence agencies and the possibility of their collecting bulk data;
  • the proposed U.S. Ombudsman, created to review the complaints of European citizens, which the resolution called neither “sufficiently independent” nor “vested with adequate powers to effectively exercise and enforce its duty”; and
  • the complexity of the redress mechanism, which the resolution requested the EC and U.S. make more “user-friendly and effective.”

Further, the resolution called on the EC to:

  • fully implement the recommendations in the April 13, 2016 Opinion of the Article 29 Data Protection Working Party;
  • conduct robust periodic reviews of its decision that the protection provided by the Privacy Shield is adequate, particularly in the light of the new General Data Protection Regulation, which will go into effect in 2018; and
  • continue its dialogue with the U.S. to negotiate further improvements to the Privacy Shield.

The Article 31 Committee responsible for approving the Privacy Shield will take the EP’s resolution into consideration before voting on its adequacy. The Committee, which is composed of Member State representatives and chaired by the EC, is still deliberating regarding the Privacy Shield. The EC is expected to present to the Article 31 Committee a revised adequacy decision at the beginning of June. A vote is intended by the end of the month, and the EC aims to conclude approval of the Privacy Shield by mid-July.

Practical Implications

Invalidation of the EU-U.S. Safe Harbor Framework created considerable uncertainty for both businesses and consumers regarding transatlantic data transfer. Speaking after the European Parliament adopted its resolution, MEP Timothy Kirkhope, a member of the UK Conservative Party, stated:

“The Privacy Shield needs some clarifications as to how it will work in practice, which the Commission have said it is pursuing, but getting the Privacy Shield up and running swiftly is essential for businesses operating across the Atlantic. Businesses and consumers were left in legal limbo and uncertainty when Safe Harbor was rejected. It is about time that the businesses and their clients have legal certainty.”

The resolution should contribute to increased clarity for both businesses and individuals regarding data transfer between the EU and United States.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-european-parliament-passes-resolution-calling-for-improvement-of-eu-u-s-privacy-shield/

EUROPE: Irish Data Protection Authority to Refer Legality of Model Clauses to CJEU

By: Dr. Thomas Jansen and Mari Martin

With the Privacy Shield on hold, EU Model Clauses are the principal legal means under which personal data transfers from Europe to the US are occurring. However, those too are under attack by privacy advocates.

On May 25, 2016, the Irish Data Protection Authority issued a press release stating its intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. At issue is the continued mass surveillance by the U.S. government, the same basis on which the Safe Harbor arrangement was struck down.

This is the latest development following the 2013 legal challenge brought by petitioner Max Schrems, which resulted in Safe Harbor being struck down by the Court of Justice of the European Union in October 2016. Following the CJEU’s ruling on Safe Harbor, Model Clauses remained one legal basis available to organizations seeking EU-U.S. data transfer.

In a press release from May 25, Schrems stated, “I have received the draft decision by the Irish DPC yesterday night and we were informed that the DPC is intending to file the necessary proceedings with the Irish courts within the next days.”

After the CJEU invalidated the Safe Harbor scheme, many organizations, including Facebook, began using Model Clauses as the new basis of transfer for EU data. The EU Article 29 Working Party has stated that it is also assessing the legality of the Model Clauses but that organizations may continue to use them in the interim.

Binding corporate rules and obtaining consent from data subjects remain unchallenged mechanisms of data transfer to the US. However, alleged mass surveillance by the U.S. government remains the common core issue, despite the limitations placed upon the bulk collection of intelligence information under Presidential Policy Directive 28, which permit it only for purposes of detecting and countering threats to national security, the proliferation of weapons of mass destruction or violations of trade sanctions. The Presidential Directive also established safeguards for the personal information of all individuals, regardless of the nationality of the individual.

More than a year will likely pass before the CJEU issues a ruling on this latest challenge, leaving uncertainty over the most commonly used mechanisms for personal data transfers to the US. The Irish DPA referred the original case brought by Schrems to the CJEU on June 18, 2014, and the Court issued its decision October 6, 2015. Unless and until the CJEU issues a decision striking down the EC decisions establishing the Model Clauses (Decision 2001/497/EC, Decision 2004/915/EC and Decision 2010/87/EU), the Model Clauses remain valid. Until this time, organizations may continue to rely on them for data transfers.

Practical Implications

In the absence of a Privacy Shield framework, if Model Clauses are struck down, companies relying on them will be forced to significantly transform their operations in order to follow binding corporate rules or obtain data subject consent, with questionable meaningful benefit to the privacy of EU citizens.

The effect of a decision striking down the Model Clauses would be more serious than the Safe Harbor invalidation and could conceivably disrupt all personal data transfers outside the European Union except to the small number of countries that have been deemed to have “adequate” privacy regimes. For this reason, the decision would be unlikely to be enforced right away.

We will post updates regarding further developments.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/irish-data-protection-authority-to-refer-legality-of-model-clauses-to-cjeu/

GERMANY: Substantial fines for companies still relying on the now-defunct Safe Harbor Agreement

By: Dr. Thomas Jansen (thomas.jansen@dlapiper.com) and Verena Grentzenberg (verena.grentzenberg@dlapiper.com)

One of Germany’s state data protection authorities, the Hamburg Data Protection Authority (“DPA”), has announced that it will impose fines on companies which are still relying on the Safe Harbor Scheme.

On 6 October 2015, the European Court of Justice (“ECJ”) declared the Safe Harbor Scheme invalid. In the aftermath, the European DPAs set a grace period until 31 January 2016 which allowed firms to rely on the Safe Harbor Scheme as a legal basis for data transfer.

This grace period has now expired. “I did not expect international companies to continue data transfers to the U.S. relying on the Safe Harbor Agreement as a legal basis” said Johannes Caspar, head of the Hamburg DPA.

After expiration of the grace period, the Hamburg DPA has initiated administrative proceedings against companies that were unable to provide alternative safeguards, such as EU-Model Clauses or Binding Corporate Rules (“BCRs”).

Currently, the Hamburg DPA is preparing to commence proceedings against three large international companies. The DPA has not released the names of the companies yet, but it has revealed that two additional companies are also under investigation.

The proceedings may lead to fines of up to 300.000 EUR per breach.

Several German DPAs, including the Hamburg DPA, have expressed serious doubts that the EU-Model Clauses and BCRs meet the requirements of the ECJ decision. All German DPAs have also officially announced that transfers based on EU-Model Clauses and BCRs will be reviewed in detail, in particular in case of complaints by data subjects. However, most German DPAs indicated informally that they will accept these alternative measures as long as the Article 29 Working Party has not decided otherwise in a formal statement. Consequently, in general, companies can currently rely on EU-Model Clauses and BCRs as valid legal bases.

On 2 February 2016, the U.S. and the EU reached an agreement on the key principles of the future transatlantic data transfer (EU-US-Privacy Shield) which imposes stronger obligations on companies in the U.S. to protect Europeans’ personal data. It also provides for stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission, including increased cooperation with European Data Protection Authorities. This agreement will replace the Safe Harbor Agreement and is currently being reviewed by Europe’s data protection regulators. The Article 29 Working Party has stated that no actions need to be taken until it has been determined that the agreement satisfies the privacy concerns.

We will keep you posted about future developments.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-substantial-fines-for-companies-still-relying-on-the-now-defunct-safe-harbor-agreement/

EU: Commissioner Jourová Addresses European Parliament Civil Liberties Committee, Gives a Relatively Reassuring Statement on the Status of Safe Harbor Negotiations


Commissioner Jourová spoke Monday evening (local time), Feb. 1, before the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (Libe), concerning the state of play of the Safe Harbor negotiations.

Jourová struck a somewhat more positive note than what has been reported over the weekend in some European press regarding the status of the negotiations and noted progress in several respects.

Commissioner Jourová’s remarks focused on four areas that must find satisfactory resolution to withstand any future court challenge in the EU:

  • Regarding access to data by public authorities, she noted that there have been important reforms under President Obama, introducing stronger oversight and more transparency. Commissioner Jourová also stated that there will be an annual joint review, which will look at all aspects of the Safe Harbor arrangement, including access to data by public authorities.
  • As concerns independent oversight and individual redress, Commissioner Jourová cited the need to ensure a functionally independent body to answer individual complaints from Europeans if they fear that their personal information has been used in an unlawful way by U.S. authorities in the area of national security. While Commissioner Jourová did not indicate that any solution has been found on this point, she noted that this role could be taken by an Ombudsperson with a real capacity to act and respond to individual complaints.
  • In terms of resolution of complaints against companies in case of privacy violations, Commissioner Jourová noted the negotiators are working on a “last resort” mechanism to ensure that all complaints can – if not previously resolved – be settled through a binding and enforceable decision. This is essential for Safe Harbor 2.0, said Commissioner Jourová, given that the right to legal remedy is enshrined in the European Charter of Fundamental Rights. She also stated that European Data Protection Authorities must have the possibility to refer complaints (concerning commercial aspects or national security) and to uphold the rights of Europeans. The issue of enforcement authority has been particularly difficult in the negotiations, and Commissioner Jourová’s remark did not shed any light on whether there has been progress.
  • Finally, Commissioner Jourová noted the need for commitments by the U.S. that are formal and binding, entailing signatures at the highest political level and publication of the commitments in the Federal Register.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-commissioner-jourova-addresses-european-parliament-civil-liberties-committee-gives-a-relatively-reassuring-statement-on-the-status-of-safe-harbor-negotiations/

WEBINAR RECORDING: Safe Harbor invalidation next steps – EU Model Clauses do’s and don’ts

EU-US Safe Harbor-certified companies and their customers are realizing that – barring the emergence of Safe Harbor 2.0 by January 31, 2016 – in most situations they will need to rely on European Commission-approved standard contractual clauses (better known as Model Clauses) to transfer personal data from the EEA to the US.

Please see below for a link to our webinar discussing EU Model Clauses do’s and don’ts.  This webinar was held on Monday, November 30, 2015.

Please access the webinar recording here.

Our Data Protection, Privacy and Security team have many years of experience implementing data transfer arrangements based on Model Clauses and cover concerns such as:

  • Selecting which Model Clauses to use
  • When Model Clauses can’t be used
  • When Model Clauses will need to be supplemented
  • Hidden risks in the Model Clauses
  • Other actions you may need to implement when adopting Model Clauses

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/webinar-recording-safe-harbor-invalidation-next-steps-eu-model-clauses-dos-and-donts/

The European Commission’s commitment to Safe Harbor – three months to go?

By Patrick Van Eecke and Loretta Marshall

Although there are alternative tools authorising data flows to the US (see DLA Piper’s previous Privacy Matters blog post to view the European Commission’s latest guidance on this matter), the Commission considers that a renewed and sound safe harbor framework is the most comprehensive solution for ensuring the protection of EU personal data when it is transferred to the US. In this respect, the Commission will continue to negotiate a renewed framework for transatlantic transfers of personal data and the objective is to conclude discussions with the US government within three months.

Already in 2013, the Commission started negotiations with the US government on a new arrangement for transatlantic data transfers based on 13 recommendations which fall into four categories:

Transparency

1.  Self-certified companies should publicly disclose their privacy policies.

2.  Privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbour website which lists all the ‘current’ members of the scheme.

3.  Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.

4.  Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme.

Redress

5.  The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel.

6.  ADR should be readily available and affordable.

7.  Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.

Enforcement

8.  Following the certification or recertification of companies under the Safe Harbour, a certain percentage of these companies should be subject to ex officio investigations of effective compliance of their privacy policies (going beyond control of compliance with formal requirements).

9.  Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year.

10.  In case of doubts about a company’s compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.

11.  False claims of Safe Harbour adherence should continue to be investigated.

Access by US authorities

12.  Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour. In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.

13.  It is important that the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate.

Now that the Safe Harbor decision has been declared invalid, the Commission has intensified talks with the US government to ensure that the legal requirements formulated by the Court are complied with. Until this renewed transatlantic framework is in place, companies need to rely on the alternative transfer tools available.

To view DLA Piper’s comprehensive guide following the ruling, including a summary of the Judgment, tips on what to do next and latest updates, please click on the following link.

For further information please email dataprivacy@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-european-commissions-commitment-to-safe-harbor-three-months-to-go/

GREECE: Impact of the CJEU Safe Harbor / Schrems Judgement

By Mina Zoulovits, Partner at Filotheidis & Partners Law firm

In Greece, prior to the Schrems Judgement, transfer of data to the US on the legal basis of Safe Harbor was allowed without need of prior permission of the Data Protection Authority (DPA), subject to simple Notification. However, on Wednesday 21 October 2015, the local DPA issued an announcement according to which from now on transfers based on Safe Harbor are no longer legal.

The Greek data protection legal regime makes the following distinctions regarding the trans-border flow of personal data to non EU countries.

a) this type of transfer is free if Controller receives prior permission by the Data Protection Authority (DPA) provided that the Authority considers that a specific country ensures an adequate level of protection.

b) when the Authority considers that a country does not ensure an adequate level of protection, trans-border transfer is permitted only exceptionally, subject to receiving prior permission by the DPA only on condition that one or more of the following apply: i) the data subject has given his/her prior consent, ii) processing is necessary for the execution of a contract, in which the subject of the data is a contracting party or in order to undertake measures following the subject’s request during the pre-contractual stage, iii) processing is necessary for the execution of an obligation of the Controller, which obligation is imposed by law, iv) processing is absolutely necessary for the satisfaction of a legitimate interest of the Controller or of the third person to whom the data is notified, v) processing is necessary for emergency reasons and in order to safeguard superior public interest – prima facie while executing co-operation contracts with the third country’s Public Authorities, vi) processing is necessary to file or to defend a right before a Court, vii) transmission takes place from a public record that is intended to provide information available to the public and viii) when Controller provides adequate safeguards or when those safeguards derive from contractual clauses that are aligned with the data protection law; in this last condition, permission of the Data Protection Authority is not needed if the European Commission has already ruled that specific contractual clauses are indeed providing adequate safeguards (as provisioned in the Data Protection Directive).

c) The permission from the Authority is not necessary if the European Commission finds that this country ensures an adequate level of protection as provisioned in par.2 article 25 of the Data Protection Directive.

Hence prior to the judgement of the Court of Justice of the European Union of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362-14) (the Schrems Judgement), permission from the local DPA was not needed in case that adequate level of protection was supported by (i) valid Safe Harbour certificate for US entities and a simple Data Transfer Agreement; or (ii) agreement between the data importer and data exporter corresponding to the Standard Contractual Clauses issued by the European Commission; or (iii) Intra-group Data Transfer Agreement (e.g. Binding Corporate Rules). Nonetheless all Controllers had to Notify the Greek DPA for the trans-border transmission to the US and for the legal basis of that transmission (even if permission was not necessary).

Following the WP29 Statement (dated 16-10-2015) on the implementation of the Schrems Judgement, the Greek DPA issued on 21-10-2015 an announcement stating that the transmission of personal data to the US on the basis of Safe Harbour principles is no longer legal. Therefore the Greek DPA calls on all Controllers that had Notified the DPA regarding trans-border transmission to the US based on the Safe Harbor to stop hereinafter any data transmission to that country. The local DPA further stated that WP29 is expected to study the impact of the above decision of the CJEU on all the instruments that have been laid down by the Community and national legislation for the transmission of data outside the E.U. In the meantime, the Data Protection Authorities of the EU consider that Standard Contractual Clauses and Binding Corporate Rules can still be used as legal instruments for those transmissions. Finally, the Greek DPA reminds Controllers that it has in any case the power to check if the transmission of data to countries outside the EU complies with the conditions of the community and national law and to prohibit any transmission that is contrary to it.

So, until WP29 and local DPA issue further guidance on what would be the legal grounds for trans-border transmission to the US, all Controllers that are interested in transmitting personal data to the US should either uphold Standard Contractual Clauses and Binding Corporate Rules (if applicable) or file a request to receive permission from the DPA on the basis that one of the eight elements described in point b) apply in the specific transmission.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/greece-impact-of-the-cjeu-safe-harbor-shrems-judgement/

GERMANY: DPAs Call into Question ALL Methods of Data Transfer to United States

By:  Dr. Thomas Jansen and Dr. Jan Geert Meents

Yesterday, October 26, 2015, the German Federal Data Protection Officer and the Data Protection Authorities (DPAs) of the German Federal States (together “Datenschutzkonferenz” – DSK) issued a position paper calling into question all methods of data transfer to the United States.

Specifically, the European Court of Justice invalidated the U.S.-EU Safe Harbor Program on October 6, 2015 (20 ECLR 1420, 10/14/15), in which over 4,400 U.S. organizations had participated. Regarding the remaining possible methods of data transfer, the DSK yesterday stated that “[i]n light of the judgment of the ECJ, the admissibility of data transfers to the United States on the basis of other instruments used for this purpose such as standard contractual clauses or BCRs are questionable.”

Further, the DPAs said they wouldn’t approve any new transfers on the basis of binding corporate rules or data export agreements and confirmed that they would be “exercising their powers to audit” standard contractual clauses. The DSK said it is necessary for them to make decisions regarding standard contractual clauses that are consistent with the specifications set out in the ECJ ruling.

The only other basis for transfer under German data protection law is the consent of the data subject. Regarding consent, the DPAs stated that data subject consent “might be a sound basis” for transfers to the U.S. under “strict conditions” but not “massively, or routinely.” However, experience has shown consent to be an impractical basis for data transfer for most organizations.

DSK Guidance

The DSK called on all organizations wanting to export data to the U.S. or other third countries to immediately ensure conformity of their data transfer methods, referring them to the DSK’s March 27, 2014 guidance guaranteeing human rights in electronic communication and Oct. 9, 2014 guidance on cloud computing.

The DPAs also requested that German legislators grant them the specific “right of action” to enforce privacy requirements and urged the European Commission to negotiate with the U.S. to create “far-reaching” safeguards to protect privacy including the right to legal protections, substantive data protection rights and the principle of proportionality.

The group said it welcomed the Jan. 31, 2016 deadline set by the Article 29 Working Party for EU and U.S. officials to find a replacement for the invalidated Safe Harbor scheme.

Which Way Forward?

Although the DSK position paper questions the validity of the legal basis of the EU Model Clauses, ultimately, the DSK and German national courts cannot invalidate decisions of the European Commission. No cases regarding the validity of model clauses currently are pending before the ECJ.

Thus, unless and until invalidated by the ECJ, model clauses generally remain a valid method of data transfer to the U.S. and third countries. However, national DPAs may still prohibit transfers based on EU Model Clauses and impose fines. In such case, an affected company should appeal the DPA decision and fine to a German court. The German court then likely would refer the issue to the ECJ.

The consent of the data subject also remains a valid basis for data transfers, provided it is transparent, freely given, and conforms to the conditions set forth by the DPAs.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-dpas-call-into-question-all-methods-of-data-transfer-to-united-states/

Judicial Redress Act/Safe Harbor

By Sydney White and Jim Halpert

In conjunction with the ongoing US-EU Safe Harbor negotiations, following the umbrella agreement announced last month between US and EU data transfer negotiators on law enforcement uses of data, the European Parliament is waiting on enactment of the Judicial Redress Act by the US before approving the agreement on sharing data for law enforcement purposes. The Judicial Redress Act was introduced in the Senate by Senators Hatch and Murphy (S. 1600) and in the House by Reps. Sensenbrenner and Conyers (H.R. 1428).

The bill is designed to help mitigate law-enforcement-related international data transfer tensions with Europe. Specifically, it would provide citizens of EU countries and other US allies core privacy protections (through the Privacy Act) similar to what US citizens are provided in Europe (although these are in practice largely symbolic). Some privacy advocates have criticized the bill because it does nothing to close a loophole under the Privacy Act for national security actions, which may also leave some EU officials unsatisfied.

On October 20, the House passed the bill unanimously and the Senate may vote on the bill as early as this week as an amendment to the Cybersecurity Information Sharing Act of 2015 (CISA), which the Senate is currently considering.  Although the recent European Court of Justice decision invalidating the Safe Harbor scheme has added a new element of uncertainty to the Safe Harbor negotiations, the House passage of the bill was designed to demonstrate the US’ commitment to reaching a new Safe Harbor agreement.

For any further information, please contact Sydney White (sydney.white@dlapiper.com) or Jim Halpert (jim.halpert@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/judicial-redress-actsafe-harbor/
