Photo of Kate Brimsted

Following the CJEU’s judgment of October 2015 invalidating the European Commission’s Safe Harbor Decision, the Data Protection Authority Hamburg (“DPA Hamburg”) started investigations against 35 internationally operating companies in Hamburg. According to a press release of DPA Hamburg of 6 June 2016, these investigations revealed that the majority of the companies under investigation

The options available to EU organisations for lawfully transferring personal data from Europe to the United States appear to be dwindling. In particular, there have been further setbacks to the approval of the Privacy Shield and, separately, a new legal challenge to the validity of EU model contract clauses. For more information click here to

In a written statement to Parliament, Baroness Neville-Rolfe confirmed the UK Government’s view that the Treaty on the Functioning of the European Union (“TFEU”) means that Article 48 of the GDPR does not apply to the UK. Article 48 of the GDPR states that any judgment or tribunal decision – or decision of an administrative authority – requiring the transfer of personal data to a third (i.e., non-EU) country may only be recognised or enforceable if based on an international agreement, such as a mutual legal assistance treaty in force between the requesting third country and the EU member state in question. 

The Council of the European Union adopted the EU Network and Information Security (NIS) Directive (the ‘Directive’) on 17 May, ready for final adoption by the European Parliament. The Directive, initially proposed in 2013, has been progressing through the EU legislative procedure for some time. As we reported in December last year, the Directive covers

From 16 May, those making (or instigating) direct marketing telephone calls must provide Caller Line Identification (‘CLI’) when making calls live or through automated means. The display of their telephone numbers to consumers has the effect of making it easier for consumers to refuse and/or report unwanted marketing calls.

The Privacy and Electronic Communications (EC

The long-awaited General Data Protection Regulation was published in the Official Journal of the European Union on 4 May 2016. This means that the most comprehensive reform to the EU’s omnibus data protection law in 20 years will apply throughout the European Union from 25 May 2018.

We have written in previous posts (here

After four years of protracted discussions and negotiations, the General Data Protection Regulation (the “GDPR”) gained final approval from the European Parliament on 14 April. It will enter into force 20 days after publication in the Official Journal of the European Union (expected imminently), and it will apply two years after that date – i.e., mid-2018.

The GDPR replaces the Data Protection Directive 95/46/EC (the “Directive”) and the legislation enacted by Member States to implement it. As a regulation, the GDPR will be directly applicable in all Member States; indeed, one of its core aims is to harmonise legal requirements across the EU, eliminating many of the inconsistencies that developed under the Directive.

The GDPR constitutes the single biggest change to EU data protection rules for 20 years and is considerably more comprehensive and onerous than the regime it replaces. We set out below some of the most significant changes.

On 13 April, the Article 29 Data Protection Working Party (‘WP29’) published its opinion on whether the proposed Privacy Shield programme, which is intended to replace the now-invalid Safe Harbor pact for facilitating trans-Atlantic data flows, achieved an adequate level of protection. The WP29 acknowledged that many of the shortcomings of Safe Harbor have been addressed; however, they stated that “some key principles as outlined in European law are not reflected [in the Privacy Shield],” and went on to identify “strong concerns” and make a number of suggested improvements. The WP29’s opinion is not binding and it does not halt the process in the EU of formally approving the Privacy Shield, although, at the very least, the opinion will be grist to the mill for the Privacy Shield’s detractors.

Concerns identified: In its press release, WP29 calls on the European Commission to resolve its concerns to “ensure that the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU”. Specific concerns raised were: (1) lack of obligation on Privacy Shield organisations to delete data if no longer necessary (i.e., lack of detail on data retention); (2) the U.S. administration does not exclude the possibility of continued massive and indiscriminate collection of data; and (3) the Ombudsman role may lack sufficient powers to function effectively as an additional redress mechanism.

As well as these, the WP29 suggested that restraints on onward transfers by Privacy Shield organisations should be strengthened and clarified, particularly in relation to scope, purpose limitation and transfers to agents.

In the latest step toward finalising a replacement for the defunct Safe Harbor program, the European Commission has published its draft adequacy decision, formally supporting its view that the proposed EU-U.S. Privacy Shield will ensure an adequate level of protection for the transfer of personal data from the EU to U.S. companies which enlist in