In the latest step toward finalising a replacement for the defunct Safe Harbor program, the European Commission has published its draft adequacy decision, formally supporting its view that the proposed EU-U.S. Privacy Shield will ensure an adequate level of protection for the transfer of personal data from the EU to U.S. companies which enlist in

Thomas C. Evans
Passage of the U.S. Redress Act Raises Confidence in Privacy Protection for Transatlantic Data Flows
The U.S. Judicial Redress Act has been signed into law by President Obama. The move marks an important step in data transfer relations between the EU and the United States, gives the green light to the EU-U.S. law enforcement data Umbrella Agreement and helps to underpin the Privacy Shield.
Click here to read more in…
The CNIL sets expectations as to the ‘EU-U.S. Privacy Shield’ and starts implementing enforcement measures in case of Safe Harbor remediation default
The CNIL issued a press release February 4, setting expectations concerning the “EU-U.S. Privacy Shield” work-in-progress. In the same time, it has switched to enforcement mode concerning Safe Harbor remediation failure.
Click here to read more in the issued Client Alert.
EU Data Protection Regulators All Set to Scrutinise ‘EU-U.S. Privacy Shield’ and Transfer Mechanisms to the U.S. Generally
On 3 February, the Article 29 Working Party (‘WP29’), a group comprising representatives of the EU Member States’ Data Protection Authorities (‘DPAs’), issued a statement cautiously welcoming the agreement on an “EU-U.S. Privacy Shield”. If it is formally adopted, the Privacy Shield will replace the Safe Harbor agreement that was declared…
Safe Harbor re-launched as the “EU-U.S. Privacy Shield” – but doubts are already raised that it will live to survive a battle
After what seemed like sure defeat, an agreement on Safe Harbor has apparently been reached. Dubbed the “EU-U.S. Privacy Shield”, the regime will, subject to approval processes, replace the existing Safe Harbor arrangement which was invalidated 6 October 2015.
Click here to read more in the issued Client Alert.
European Institutions give the GDPR a warm welcome
In December, we reported that the European Parliament and Council had reached agreement on the text of the General Data Protection Regulation (GDPR). As 2015 drew to a close, the agreement was welcomed and approved by various European institutions. With the GDPR likely to be adopted early in 2016, the year is set to see the biggest shake-up of data protection law for two decades.
LIBE and Coreper
On 17 December, the Civil Liberties, Justice and Home Affairs (LIBE) committee endorsed the draft text agreed by the European Parliament, Council and Commission. The following day, the Permanent Representatives Committee (Coreper) of the Council of the European Union confirmed the agreement on the compromise text. Coreper’s approval is significant as it is considered to represent one of the final steps toward adoption of the text.
Continue Reading European Institutions give the GDPR a warm welcome
The UK’s data protection regulator cracks the enforcement whip
As 2015 draws to a close, the UK’s Data Protection Regulator, the Information Commissioner’s Office (‘ICO’), is making sure it ends the year with a bang. The past few months have seen a significant increase in enforcement action, a theme which seems to be common for the regulator at this time of year because of the rise in shopping and promotional activities.
A key area of focus for the ICO has been to crack down on nuisance calls and inappropriate data-sharing practices through ‘Operation HIDA’.
Continue Reading The UK’s data protection regulator cracks the enforcement whip
Agreement reached on the GDPR
Earlier this month, we reported the progress of trilogue discussions on the long-awaited General Data Protection Regulation (GDPR). On 15 December 2015, almost four years after the legislative proposal was originally tabled by the European Commission, the European Parliament and the Council finally reached agreement, bringing the GDPR one step closer to adoption.
The final trilogue negotiations, which were concluded 15 December 2015, saw a “strong compromise” reached between the European Council, Parliament and Commission. The GDPR will be formally adopted by the European Parliament and Council at the beginning of 2016, and organisations will then have two years to ensure that their data practices are compliant. Some headline provisions of the agreed text are:
- Companies can be fined up to 4% of their annual turnover for data protection breaches
- Companies based outside Europe will be subject to the regulation if they offer goods and services in Europe
- Companies processing sensitive personal data must appoint a data protection officer
- Companies will only have to deal with a single supervisory authority
Countdown to the General Data Protection Regulation…
With the festive season now firmly upon us, there are indications that European Union institutions could soon be delivering an early Christmas present to businesses: the conclusion of trilogue negotiations on the General Data Protection Regulation (‘GDPR’).
The GDPR, according to the latest document to come out of Brussels, aims to “reinforce data protection rights of individuals, facilitate the free flow of personal data in the digital single market and reduce administrative burden.” The EU Commission, Parliament and Council are currently locked in closed-door negotiations to agree to the final text of the GDPR, and while some uncertainty remains over the exact provisions that will be included, the latest available text from the European Presidency indicates that the key changes will be that:
Continue Reading Countdown to the General Data Protection Regulation…
The French CNIL officially requires the use of EU Model Clauses as a quick fix for businesses impacted by the recent Safe Harbor ruling of CJEU – Companies must be compliant as of end January 2016
On 19 November, the CNIL released an article in order to provide companies impacted by the recent CJEU ruling on invalidation of Safe Harbor with guidance on the next steps. The article was published at the same time the CNIL sent a mailing to all data controllers relying on Safe Harbor to fix the issue.…