The Privacy Shield is now live, having gone into effect on August 1. Perhaps emboldened by the Article 29 Working Party’s late July announcement that European regulators will not challenge the program’s adequacy for at least a year (after the first annual review of the program in May 2017), companies have begun self-certifying in order to legalize their transfers of personal data from the EU to the US. However, as we reported previously, the Privacy Shield nevertheless faces a somewhat precarious future, as it is likely that it will face multiple legal challenges.
The European Parliament has approved the reformed General Data Protection Regulation (the “GDPR”). Given this is a Regulation (rather than a Directive), this legislation will apply automatically in every Member State (without need for additional domestic legislation) when it comes into force on May 25 2018.
Many of the requirements are similar to those set out in Directive 95/46/EC (the “EU Directive”), however there are certain key differences. The table below summarises the key changes.
LabMD’s lack of data security measures resulted in the FTC Commission overturning an Administrative Law Judge (“ALJ”) decision that previously dismissed charges against the company in November. LabMD performed laboratory medical testing for over 750,000 patients since 2001, before going out of business in 2014, partly due to fighting this case. The FTC brought the action under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” An act that causes or is likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition may be deemed unfair.
Yesterday, the European Commission adopted the EU-US Privacy Shield, a framework designed to replace the invalidated Safe Harbor program. In theory, the Privacy Shield offers its adherents a relatively simple, straightforward way to legally transfer personal data from the EU to the US. In reality, however, the Privacy Shield is likely to face legal challenges that may hinder its ability to serve as a reliable means of legal transfer, at least for the immediate future. Continue Reading
Proskauer Counsel Cécile Martin was recently interviewed by DataGuidance’s “Privacy This Week” covering new guidance issued by the French data protection authority (‘CNIL’) on June 15, 2016. The guidance highlights the main changes in relation to the General Data Protection Regulation (‘GDPR’). On June 16, 2016, CNIL launched an online consultation regarding the interpretation and implementation of the GDPR in four areas: data protection officers (‘DPOs’), the right to data portability, Data Protection Impact Assessments (‘DPIAs’) and certification (‘the Consultation’). Click here to read the full article on DataGuidance.
As a result of Thursday’s historic referendum, the United Kingdom will be leaving the EU. The decision will have a profound effect on many areas, including the global economy, trade, immigration and, potentially, the continued unity of the UK. The United Kingdom won’t be departing immediately, though – it must invoke Article 50 of the Lisbon Treaty and then negotiate its withdrawal with the European Council, a process that may take as long as two years once Article 50 is invoked. Multinationals and companies that are thinking about establishing a presence in the UK and/or EU will be watching those negotiations closely in order to determine how the UK’s change in status will affect business going forward.
Last month, one of the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”), Manuel Campos Sánchez-Bordona, issued an opinion suggesting that dynamic IP addresses should be recognized as “personal data” under EU law. If the CJEU adopts this reasoning, it would represent a landmark decision that would resolve a contentious issue that has been plaguing EU data protection law for years. This post delves into the AG’s decision and its potential consequences.