During the week of 18 September 2017, the European Commission and the Article 29 Working Party (“WP29”) will undertake the first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). The meetings will take place in the United States. As for the U.S. side, the U.S. Department of Commerce will conduct the review, and it is likely that, among others, the U.S. Department of State and the U.S. Department of Justice will participate.

The EU-U.S. Privacy Shield mechanism

EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. On 6 October 2015, the European Court of Justice (“CJEU”) invalidated the “Safe Harbour” decision by the European Commission, the predecessor to the Privacy Shield, in its Schrems v Data Protection Commissioner (Ireland) judgment (“Schrems Judgment”). By decision of 12 July 2016, the European Commission adopted a new transfer mechanism: the EU-U.S. Privacy Shield (“Adequacy Decision”).

Certified organisations

On a voluntary basis, U.S. organisations can self-certify to the U.S. Department of Commerce and publicly commit to comply with the requirements under the Privacy Shield. A list of the certified organisations can be found here.

While about 5,500 organisations had signed up to Safe Harbour, about 2,500 organisations, including many large organisations, have already self-certified to the Privacy Shield in its first year. Apart from that, organisations still consider EU Model Clauses, as well as Binding Corporate Rules, as a good alternative to the Privacy Shield.

The House of Lords EU Home Affairs Sub-Committee (“the Committee”) has published a report on the EU Data Protection Package and the impact of Brexit (“the Report”). The Report considers the implications of the UK’s exit from the EU for cross-border data transfers, and for UK data protection policy more generally.

The Report looks at four elements of the EU’s data protection package: (1) the General Data Protection Regulation (“GDPR”), (2) the Police and Criminal Justice Directive (“PCJ”), (3) the EU-U.S. Privacy Shield, and (4) the EU-U.S. Umbrella Agreement. Upon leaving the EU, the UK will become a ‘third country’ under EU data protection rules, and all four measures of this data protection package will cease to apply to the UK. However, the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK.

The Government says it wants to maintain unhindered and uninterrupted data flows with the UK post-Brexit. According to the Report, the Committee supports this objective, but is concerned by the lack of detail on how the Government plans to achieve this outcome. The Committee is concerned that any arrangement that creates greater friction around data transfers between the UK and EU, post-Brexit, risks (1) hindering police and security cooperation, and (2) presenting a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage. In the Committee’s view, the Government should set out clearly, as soon as possible, how it plans to deliver this objective.

In Opinion 1/15 of 26 July 2017 (“Opinion”), the Court of Justice of the European Union (“CJEU”) held that the proposed agreement between the EU and Canada on the transfer and processing of Passenger Name Record (“PNR”) data may not be concluded in its current form. The Opinion is available here. The CJEU said that the agreement violates EU privacy and data protection laws.

Background

The EU and Canada negotiated an agreement on the transfer and processing of PNR data (“PNR Agreement”). The European Parliament, which was asked to approve the PNR Agreement, called upon the CJEU to give a ruling on its compatibility with the EU Charter of Fundamental Rights. It is the first time the European Parliament or any other EU institution obtained the opinion of the CJEU regarding the question whether a draft international agreement is compatible with EU law.

PNR Agreement

The PNR Agreement permits the systematic and continuous transfer of PNR data of all airplane passengers flying between the EU and Canada to a Canadian authority. The PNR data includes, for example, the names of air passengers, the dates of intended travel, the travel itinerary, and information relating to payment and baggage. The PNR data may reveal travel habits, relationships between two individuals, information on the financial situation or the dietary habits of individuals. For the purpose of combating terrorism and transnational crime, the PNR Agreement provides that the PNR data can be retained and transferred to other authorities and to other non-member countries. The PNR Agreement stipulates a data storage period of five years.

The governments of Switzerland and the United States finalised the Swiss-U.S. Privacy Shield Framework on 11 January. The Framework is similar in many respects to the EU-U.S. Privacy Shield, and replaces the U.S.-Swiss Safe Harbor Framework with immediate effect.

Background

Just four months after its adoption by the European Commission, the EU-U.S. Privacy Shield is facing its first formal legal challenge.

The challenge comes from the Irish advocacy group Digital Rights Ireland, which is joined by French privacy advocacy group La Quadrature du Net and non-profit internet service provider French Data Network.

The Interim Deputy Commissioner at the Information Commissioner’s Office (“ICO”), Steve Wood, has published a blog reminding organisations of their obligations when transferring personal data to the United States, pursuant to the case brought by Max Schrems in 2015, which led to the Safe Harbor framework being declared immediately invalid. Wood reminds organisations that

On 26 July, the Article 29 Data Protection Working Party (WP29) released a statement outlining its opinion on the EU-U.S. Privacy Shield, which was adopted by the European Commission earlier this month. After praising the improvements implemented by the Commission and U.S. authorities since its last critical opinion, the WP29 outlined some remaining

At the beginning of July, Baroness Neville-Rolfe, Minister of State at the Department for Business, Energy and Industrial Strategy, gave a speech at the annual Privacy Laws & Business conference, outlining the government’s stance on the implications of Brexit for a range of data issues including the GDPR, cybersecurity, international data transfers and the Internet

The options available to EU organisations for lawfully transferring personal data from Europe to the United States appear to be dwindling. In particular, there have been further setbacks to the approval of the Privacy Shield and, separately, a new legal challenge to the validity of EU model contract clauses. For more information click here to