Following the UK Conservatives Party’s landslide victory in December 2019, there were immediate implications for the UK’s Withdrawal from the European Union, which resulted in the UK withdrawing from the EU on 31 January 2020. With the European Parliament’s approval of the Withdrawal Agreement, the UK is now in a transition period until 31 December
CJEU has released Opinion on EU-Canada Passenger Name Record Agreement – What it means for international data transfer mechanisms
In the Opinion 1/15 of 26 July 2017 (“Opinion”), the Court of Justice of the European Union (“CJEU”) held that the proposed agreement between the EU and Canada on the transfer and processing of Passenger Name Record (“PNR”) data may not be concluded in its current form. The Opinion is available here. The CJEU said that the agreement violates EU privacy and data protection laws.
The EU and Canada negotiated an agreement on the transfer and processing of PNR data (“PNR Agreement”). The European Parliament, which was asked to approve the PNR Agreement, called upon the CJEU to give a ruling on its compatibility with the EU Charter of Fundamental Rights. It is the first time the European Parliament or any other EU institution obtained the opinion of the CJEU regarding the question whether a draft international agreement is compatible with EU law.
The PNR Agreement permits the systematic and continuous transfer of PNR data of all airplane passengers flying between the EU and Canada to a Canadian authority. The PNR data includes, for example, the names of air passengers, the dates of intended travel, the travel itinerary, and information relating to payment and baggage. The PNR data may reveal travel habits, relationships between two individuals, information on the financial situation or the dietary habits of individuals. For the purpose of combating terrorism and transnational crime, the PNR Agreement provides that the PNR data can be retained and transferred to other authorities and to other non-member countries. The PNR Agreement stipulates a data storage period of five years.
Continue Reading CJEU has released Opinion on EU-Canada Passenger Name Record Agreement – What it means for international data transfer mechanisms
German Data Protection Authority fines companies for transferring data to the United States
Following the CJEU’s judgment of October 2015 invalidating the European Commission’s Safe Harbor Decision, the Data Protection Authority Hamburg (“DPA Hamburg“) started investigations against 35 internationally operating companies in Hamburg. According to a press release of DPA Hamburg of 6 June 2016, these investigations revealed that the majority of the companies under investigation…
EU Art. 29 Working Party Announces Cooperation Procedure for EU Model Clauses
The Article 29 Data Protection Working Party (Working Party) released a Working Document setting forth a co-operation procedure for issuing common opinions on “Contractual clauses” considered as compliant with the EC Model Clauses (Working Document). The aim of this Working Document is to facilitate the use of the EU model clauses across multiple jurisdictions in…
Article 29 Working Party proposes clauses for data transfers from EU processors to non-EU subprocessors
This post was also written by Matthew N. Peters.
As is well-known, personal data is restricted from leaving the EEA. On 21 March, the EU’s Article 29 Working Party (the WP) issued draft ad hoc model clauses for data transfers from EU processors to non-EU subprocessors. While not yet approved by the EC Commission,…
Spanish Data Protection Authority’s New Outsourcing Model Clauses for Service Providers Subcontracting Outside the EEA
In December 2012, the Spanish Data Protection Authority (SPDA) published a new set of Model Clauses prepared purely for use by service providers that subcontract to companies located in countries outside the EEA.
These new Model Clauses (based on the 2010 controller-to-processor clauses) will allow for an international transfer of personal data between a data…