October 2015

Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.

News out of Germany, however, indicates that a one-size-fits all approach to data transfers from the EU to the U.S. may be difficult to achieve.

Results from the SEC’s First Round of Cybersecurity Examinations. On February 3, 2015, the OCIE published a risk alert summarizing its findings from its examinations of over 100 registered investment advisers and broker-dealers. The examinations were conducted as part of the OCIE’s cybersecurity examination initiative, announced in April 2014, to assess cybersecurity preparedness in the securities industry and gather information on common practices and trends among registered firms. The OCIE interviewed key personnel and reviewed documents at 49 registered investment advisers and 57 registered broker-dealers. The OCIE’s findings focused on how registered investment advisers and broker-dealers:

  • Identify cybersecurity risks;
  • Establish cybersecurity policies, procedures and oversight processes;
  • Protect their networks and information;
  • Identify and address risks associated with remote access to client information, funds transfer requests and third-party vendors; and
  • Detect and handle unauthorized activities and other cyber-attacks.

Just one week after the milestone decision rendered by the CJEU (http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=fr&type=TXT&ancre) to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) of the state of Schleswig-Holstein (one of the German DPAs) issued a position paper where it states that, in its opinion:

  • Given the mass surveillance conducted by U.S. intelligence agencies, data subjects may not be able to provide effective informed consent to the transfer of their data to the U.S., which means that such a legal basis may not be able to be used to legally transfer personal data from Europe to the U.S.;
  • Model contractual clauses are not a reliable a tool to transfer personal data from Europe to the U.S. and data exporters should consider suspending such transfers under the model contracts.  To reach this conclusion, the German DPA relied on the fact that the clauses require the data importer to represent that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter. However, the German DPA agency reasoned, U.S. data importers are not in a position to give such a representation.

Since the Article 29 Working Party on the Protection of Individuals (“WP29”) announced last week that it would it shortly issue a statement on the landmark CJEU ruling invalidating the Safe Harbor Decision (Schrems v. Data Protection Commissioner (C-362- 14)), we have been awaiting their guidance.  Today, the WP29 issued an important statement offering some clarity to companies that, amid the fallout from the decision, have been pondering the question of “What’s next?”

Just one week after the milestone decision rendered by the CJEU (http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=fr&type=TXT&ancre) to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) issued

In Securities and Exchange Commission v. Huang, the district court held that the Fifth Amendment protected two former employees against having to disclose their personal passcodes for company-issued smartphones to government officials.  The decision, likely subject to appellate review, exemplifies the competing interests at play as individuals increasingly use company-issued smartphones for business and personal use.

Today, the European Court of Justice (CJEU) invalidated the US-EU Safe Harbor framework, effective immediately.  This momentous decision jeopardizes the continued flow of data from Europe to the US.  As the Safe Harbor framework has been in place for 15 years and counts more than 4500 companies among its participants, today’s ruling is poised to have a major impact on US-EU trade, and leaves many businesses wondering if there are any alternatives that will allow them to continue transferring data across the Atlantic without running afoul of the law.  In this post, we break down the decision and its implications.

Customer information has become an increasingly valuable business asset.  And, the volume and detail of other available information about consumers has increased along with it, well beyond mere customer names and addresses to preferences, purchasing history, and online activity.  This means that when a business is sold, customer information is often sold along with it.  But careful diligence is required in handling this intangible asset, and the recent settlement in the RadioShack bankruptcy case is instructive.