The governments of Switzerland and the United States finalised the Swiss-U.S. Privacy Shield Framework on 11 January. The Framework is similar in many respects to the EU-U.S. Privacy Shield, and replaces the U.S.-Swiss Safe Harbor Framework with immediate effect. Background… Continue Reading
According to a press release of the Bavarian Data Protection Authority dated 3 November 2016 (“Press Release”), 10 German Data Protection Authorities (“DPAs”) have commenced a coordinated written audit and assessment of international data transfers, i.e., transfers to non-EU countries. Five hundred German companies will be asked to complete a comprehensive questionnaire which covers details of the … Continue Reading
The Interim Deputy Commissioner at the Information Commissioner’s Office (“ICO”), Steve Wood, has published a blog reminding organisations of their obligations when transferring personal data to the United States, pursuant to the case brought by Max Schrems in 2015, which led to the Safe Harbor framework being declared immediately invalid. Wood reminds organisations that continued … Continue Reading
On 26 July, the Article 29 Data Protection Working Party (WP29) released a statement outlining its opinion on the EU-U.S. Privacy Shield, which was adopted by the European Commission earlier this month. After praising the improvements implemented by the Commission and U.S. authorities since its last critical opinion, the WP29 outlined some remaining concerns, including … Continue Reading
At the beginning of July, Baroness Neville-Rolfe, Minister of State at the Department for Business, Energy and Industrial Strategy, gave a speech at the annual Privacy Laws & Business conference, outlining the government’s stance on the implications of Brexit for a range of data issues including the GDPR, cybersecurity, international data transfers and the Internet of … Continue Reading
In a sign of the continuing significance of the U.S. Supreme Court’s recent ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016), another federal court has cited that ruling in dismissing claims for lack of Article III standing. In Gubula v. Time Warner Cable, Inc., No. 15-cv-1078 (E.D. Wis. June 17, 2016), … Continue Reading
Following the CJEU’s judgment of October 2015 invalidating the European Commission’s Safe Harbor Decision, the Data Protection Authority Hamburg (“DPA Hamburg“) started investigations against 35 internationally operating companies in Hamburg. According to a press release of DPA Hamburg of 6 June 2016, these investigations revealed that the majority of the companies under investigation had used the … Continue Reading
In a written statement to Parliament, Baroness Neville-Rolfe confirmed the UK Government’s view that the Treaty on the Functioning of the European Union (“TFEU”) means that Article 48 of the GDPR does not apply to the UK. Article 48 of the GDPR states that any judgment or tribunal decision – or decision of an administrative … Continue Reading
The EU-U.S. data protection Umbrella Agreement consists of a framework of principles and safeguards for trans-Atlantic transfers of personal data (such as criminal records, names and addresses) in relation to the prevention, detection, investigation and prosecution of criminal offences, including terrorism. The agreement seeks to satisfy two core objectives: first, to ensure a high level … Continue Reading
On 19 November, the CNIL released an article in order to provide companies impacted by the recent CJEU ruling on invalidation of Safe Harbor with guidance on the next steps. The article was published at the same time the CNIL sent a mailing to all data controllers relying on Safe Harbor to fix the issue. … Continue Reading
Spain’s Data Protection Authority, the Agencia Española de Proteccion de Datós (‘AEPD’), has issued a deadline of 29 January 2016, for the implementation of alternative mechanisms to Safe Harbor. By letter dated 3 November 2015, the AEPD imposed the deadline on all companies operating in Spain that had previously notified it of personal data transfers … Continue Reading
On 6 November, the European Commission released a communication on the implications of the Court of Justice of the European Union’s decision invalidating the Safe Harbor framework. The key message, which echoes previous announcements by data protection authorities and the Article 29 Working Party, is that data exporters are ultimately responsible for ensuring that transfers … Continue Reading
October has been a busy month for Data Protection Authorities in the EU. Following the Court of Justice of the European Union’s judgment in Maximillian Schrems v Data Protection Commissioner (C-362-14) on 6 October, uncertainty ruled. Businesses and DPAs alike struggled to come to terms with the implications of the invalidation of Safe Harbor. This week, … Continue Reading
In an uncharacteristically swift move, the United States Congress passed the Judicial Redress Act (“Act”) on 20 October 2015. The Act proposes to extend safeguards implemented under the Privacy Act 1974, and, if brought into force, would allow non-U.S. citizens to bring civil actions against United States agencies in certain circumstances. To become law, the Act must now … Continue Reading
On 16 October, the Article 29 Working Party released a statement (“Statement”) on the implications of the Court of Justice of the European Union’s (“CJEU”) judgment in Maximillian Schrems v Data Protection Commissioner (C-362-14). In that judgment, the CJEU invalidated the Safe Harbor regime, which for 15 years had been one of the main tools available to … Continue Reading
We previously issued a briefing on the Court of Justice of the European Union’s (CJEU) ruling that declared all transfers of personal data from the EU to the United States under the U.S.-EU Safe Harbor Framework, including those conducted by vendors or suppliers, immediately invalid. On 14 October 2015, we presented a webinar on this topic, including a practical discussion of the … Continue Reading
Recent headlines continue to explore the ramifications of the Court of Justice of the European Union’s ruling declaring the long-standing EU U.S. Safe Harbor framework invalid. The decision will have widespread implications on how global corporations manage the international transfer of data. Please join Reed Smith on October 14, 2015 at 9:00 a.m. PT | … Continue Reading
Advocate General Yves Bot today delivered an opinion recommending that the European Court of Justice (ECJ) find the U.S.-EU Safe Harbor Program invalid. His opinion, while non-binding, relates to a request for a preliminary ruling referred to the ECJ by the High Court of Ireland, Irish Court in Schrems v. Data Protection Commissioner, (ECJ, No. … Continue Reading
On 6 July 2015, the Hungarian Parliament adopted several amendments (‘Amendments’) to Act CXII 2011 on the Right of Informational Self-Determination and the Freedom of Information (‘Data Protection Act’). The Amendments, currently only available in Hungarian, are designed to develop the data protection and right-to-access public information rules within Hungary, and fix problems the Hungarian … Continue Reading
In late May, the Article 29 Working Party published the letter it sent to the APEC Data Protection subgroup. The letter follows previous discussions and extends cooperation between the two international organisations on data transfer mechanisms, and sets out new plans to align the EU Binding Corporate Rules (‘BCR’) with the APEC Cross-Border Privacy Rules … Continue Reading
On 15 April 2015, Canada became the fourth country to join the APEC Cross-Border Privacy Rules System, a voluntary consumer data privacy program, behind Japan (2014), Mexico (2013), and the United States (2012). All 21 APEC countries were involved in the construction of this system, but membership is not guaranteed. Interested countries are required to … Continue Reading
Gov. Chris Christie has signed into law S. 562, which, as its title states, “Requires health insurance carriers to encrypt certain information.” Violation of this new law constitutes a facial violation of the New Jersey Consumer Fraud Act, a powerful consumer remedies statute. The NJCFA can be enforced by the state attorney general, or by … Continue Reading
The Polish Parliament passed the Facilitation of Business Activity Act (source in Polish) which significantly amends the existing Act on Personal Data Protection. The amendments come into force 1 January 2015. The changes mean that the EU Commission’s approved Standard Contractual Clauses for data transfers (“SCCs”) and approved Binding Corporate Rules (“BCRs”) are automatically recognised … Continue Reading
This post was also written by Taisuke Kimoto, Matthew N. Peters, and Yumiko Miyauchi. In recent weeks, Japanese data protection and privacy law has seen developments in two areas: (1) The Ministry of Economy, Trade and Industry (METI) issuing its first code of practice on privacy notices (2) The Asia-Pacific Economic Cooperation (APEC) approving Japan’s participation in … Continue Reading
