Archives: Global Data Transfers

Subscribe to Global Data Transfers RSS Feed

UK relies on EU Treaty exception to avoid “anti-FISA” data transfers clause in European General Data Protection Regulation (“GDPR”)

In a written statement to Parliament, Baroness Neville-Rolfe confirmed the UK Government’s view that the Treaty on the Functioning of the European Union (“TFEU”) means that Article 48 of the GDPR does not apply to the UK. Article 48 of the GDPR states that any judgment or tribunal decision – or decision of an administrative … Continue Reading

European Commission Publishes Proposal for Signing the EU-U.S. Umbrella Agreement

The EU-U.S. data protection Umbrella Agreement consists of a framework of principles and safeguards for trans-Atlantic transfers of personal data (such as criminal records, names and addresses) in relation to the prevention, detection, investigation and prosecution of criminal offences, including terrorism. The agreement seeks to satisfy two core objectives: first, to ensure a high level … Continue Reading

The French CNIL officially requires the use of EU Model Clauses as a quick fix for businesses impacted by the recent Safe Harbor ruling of CJEU – Companies must be compliant as of end January 2016

On 19 November, the CNIL released an article in order to provide companies impacted by the recent CJEU ruling on invalidation of Safe Harbor with guidance on the next steps. The article was published at the same time the CNIL sent a mailing to all data controllers relying on Safe Harbor to fix the issue. … Continue Reading

Spain issues deadline for implementing alternative Safe-Harbor mechanisms

Spain’s Data Protection Authority, the Agencia Española de Proteccion de Datós (‘AEPD’), has issued a deadline of 29 January 2016, for the implementation of alternative mechanisms to Safe Harbor. By letter dated 3 November 2015, the AEPD imposed the deadline on all companies operating in Spain that had previously notified it of personal data transfers … Continue Reading

Safe Harbor update: European Commission issues communication following Safe Harbor invalidation – Safe Harbor 2.0 in three months?

On 6 November, the European Commission released a communication on the implications of the Court of Justice of the European Union’s decision invalidating the Safe Harbor framework. The key message, which echoes previous announcements by data protection authorities and the Article 29 Working Party, is that data exporters are ultimately responsible for ensuring that transfers … Continue Reading

Round-up of Safe Harbor guidance issued by EU Data Protection Authorities

October has been a busy month for Data Protection Authorities in the EU. Following the Court of Justice of the European Union’s judgment in Maximillian Schrems v Data Protection Commissioner (C-362-14) on 6 October, uncertainty ruled. Businesses and DPAs alike struggled to come to terms with the implications of the invalidation of Safe Harbor. This week, … Continue Reading

U.S. Congress passes the Judicial Redress Act, but does it provide effective redress?

In an uncharacteristically swift move, the United States Congress passed the Judicial Redress Act (“Act”) on 20 October 2015. The Act proposes to extend safeguards implemented under the Privacy Act 1974, and, if brought into force, would allow non-U.S. citizens to bring civil actions against United States agencies in certain circumstances. To become law, the Act must now … Continue Reading

The Article 29 Working Party releases statement on Safe Harbor

On 16 October, the Article 29 Working Party released a statement (“Statement”) on the implications of the Court of Justice of the European Union’s (“CJEU”) judgment in Maximillian Schrems v Data Protection Commissioner (C-362-14). In that judgment, the CJEU invalidated the Safe Harbor regime, which for 15 years had been one of the main tools available to … Continue Reading

The Safe Harbor Ruling – FAQs and What Your Business Should Do Now

We previously issued a briefing on the Court of Justice of the European Union’s (CJEU) ruling that declared all transfers of personal data from the EU to the United States under the U.S.-EU Safe Harbor Framework, including those conducted by vendors or suppliers, immediately invalid.  On 14 October 2015, we presented a webinar on this topic, including a practical discussion of the … Continue Reading

What You Need to Know About the Court of Justice of the European Union’s Safe Harbor Ruling: A Practical Discussion of the Impact and Solutions

Recent headlines continue to explore the ramifications of the Court of Justice of the European Union’s ruling declaring the long-standing EU U.S. Safe Harbor framework invalid. The decision will have widespread implications on how global corporations manage the international transfer of data. Please join Reed Smith on October 14, 2015 at 9:00 a.m. PT | … Continue Reading

Safe Harbor Invalid! Will the ECJ follow the Advocate General recommendation?

Advocate General Yves Bot today delivered an opinion recommending that the European Court of Justice (ECJ) find the U.S.-EU Safe Harbor Program invalid. His opinion, while non-binding, relates to a request for a preliminary ruling referred to the ECJ by the High Court of Ireland, Irish Court in Schrems v. Data Protection Commissioner, (ECJ, No. … Continue Reading

Hungary accepts use of BCRs as part of recent data protection law changes

On 6 July 2015, the Hungarian Parliament adopted several amendments (‘Amendments’) to Act CXII 2011 on the Right of Informational Self-Determination and the Freedom of Information (‘Data Protection Act’). The Amendments, currently only available in Hungarian, are designed to develop the data protection and right-to-access public information rules within Hungary, and fix problems the Hungarian … Continue Reading

APEC and Article 29 Working Party cooperation helps facilitate growth of BCRs and CBPRs

In late May, the Article 29 Working Party published the letter it sent to the APEC Data Protection subgroup. The letter follows previous discussions and extends cooperation between the two international organisations on data transfer mechanisms, and sets out new plans to align the EU Binding Corporate Rules (‘BCR’) with the APEC Cross-Border Privacy Rules … Continue Reading

Canada accepted into APEC Privacy System

On 15 April 2015, Canada became the fourth country to join the APEC Cross-Border Privacy Rules System, a voluntary consumer data privacy program, behind Japan (2014), Mexico (2013), and the United States (2012).  All 21 APEC countries were involved in the construction of this system, but membership is not guaranteed. Interested countries are required to … Continue Reading

New Jersey Requires Encryption for Health Insurance Carriers; May Open Door to Class Action Suits over Violations Under State Consumer Protection Law

Gov. Chris Christie has signed into law S. 562, which, as its title states, “Requires health insurance carriers to encrypt certain information.” Violation of this new law constitutes a facial violation of the New Jersey Consumer Fraud Act, a powerful consumer remedies statute. The NJCFA can be enforced by the state attorney general, or by … Continue Reading

Amendments to Poland’s Data Protection Law Ease the Rules on Data Exports and Data Protection Officers

The Polish Parliament passed the Facilitation of Business Activity Act (source in Polish) which significantly amends the existing Act on Personal Data Protection. The amendments come into force 1 January 2015. The changes mean that the EU Commission’s approved Standard Contractual Clauses for data transfers (“SCCs”) and approved Binding Corporate Rules (“BCRs”) are automatically recognised … Continue Reading

Japanese data privacy developments – global transfers and privacy notices code

This post was also written by Taisuke Kimoto, Matthew N. Peters, and Yumiko Miyauchi. In recent weeks, Japanese data protection and privacy law has seen developments in two areas: (1) The Ministry of Economy, Trade and Industry (METI) issuing its first code of practice on privacy notices (2) The Asia-Pacific Economic Cooperation (APEC) approving Japan’s participation in … Continue Reading

Article 29 Working Party proposes clauses for data transfers from EU processors to non-EU subprocessors

This post was also written by Matthew N. Peters. As is well-known, personal data is restricted from leaving the EEA. On 21 March, the EU’s Article 29 Working Party (the WP) issued draft ad hoc model clauses for data transfers from EU processors to non-EU subprocessors.  While not yet approved by the EC Commission, this … Continue Reading

LIBE Committee Report on U.S. Surveillance Activities Calls for an End to EU-U.S. Data Transfers

Recently leaked, the LIBE Committee draft report on surveillance activities signals a dim future for the international free flow of data in the eyes of the European Parliament. The report despairs of the recent revelations by whistle-blowers about the extent of U.S. mass surveillance activities, causing the trust between the EU and the United States … Continue Reading

Ukrainian Data Protection Authority Sets Parameters for Cross-Border Data Transfers

The Ukrainian data protection authority, the State Service of Ukraine on Personal Data Protection (The Service), has issued a letter (No.10/203-13) to clarify the permitted circumstances for transfers of data outside of Ukraine. Ukraine is not a member of the EU and therefore has not implemented the EU Data Protection Directive 95/46/EC, including provisions governing … Continue Reading

Poland’s Draft Data Protection Law To Alter the Rules for Data Transfer and Data Privacy Officers

A draft of Poland’s new draft data protection law has been released and has the potential to significantly change the rules in Poland governing international data transfers and data privacy officers. Under existing rules, Poland is an EU member state that does not currently recognise the Standard Contractual Clauses or Binding Corporate Rules (BCRs) as … Continue Reading

Progress for European Data Protection Reform Halted

We recently reported on the excitement surrounding the breakthrough vote by European Parliament on 21 October which put the delayed overhaul of European data protection rules back on track. Following this landmark vote, Peter Hustinx, European Data Protection Supervisor, issued a press release, stating, “It is essential that the European Union acts quickly so that … Continue Reading

Breakthrough Vote by European Parliament Sets Delayed Data Protection Overhaul Back on Track

In January 2012, the European Commission proposed a legislative package to update the data protection principles enshrined in the 1995 Data Protection Directive (Directive 95/46/EC). The policy objectives of the European Commission set out an ambitious blueprint for a more cohesive EU data protection framework backed by stronger enforcement. Central to facilitating this were proposals … Continue Reading

U.S.-EU Safe Harbor Under Fire

As part of an on-going debate on the European data protection reform, doubts were cast over the adequacy of the Safe Harbor arrangements with the United States. Viviane Reding, the European Commissioner for Justice, Fundamental Rights and Citizenship, called the 13-year-old data-sharing agreement between the EU and the United States a potential “loophole for data … Continue Reading
LexBlog