European Union

Subscribe to European Union via RSS

As a result of Thursday’s historic referendum, the United Kingdom will be leaving the EU. The decision will have a profound effect on many areas, including the global economy, trade, immigration and, potentially, the continued unity of the UK.  The United Kingdom won’t be departing immediately, though – it must invoke Article 50 of the Lisbon Treaty and then negotiate its withdrawal with the European Council, a process that may take as long as two years once Article 50 is invoked. Multinationals and companies that are thinking about establishing a presence in the UK and/or EU will be watching those negotiations closely in order to determine how the UK’s change in status will affect business going forward.

Last month, one of the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”), Manuel Campos Sánchez-Bordona, issued an opinion suggesting that dynamic IP addresses should be recognized as “personal data” under EU law. If the CJEU adopts this reasoning, it would represent a landmark decision that would resolve a contentious issue that has been plaguing EU data protection law for years.  This post delves into the AG’s decision and its potential consequences.

On Wednesday, the EU’s Article 29 Working Party issued its much-anticipated statement on the viability of the proposed EU-US Privacy Shield. As we’ve detailed previously, EU and US officials reached agreement on the Privacy Shield arrangement, which was meant to serve as a replacement for the invalidated Safe Harbor program, back in February, and released details of the Privacy Shield scheme a few weeks later. Observers then began eagerly awaiting the Article 29 Working Party’s opinion on the Privacy Shield, because even though the group’s opinion is not binding on the European Commission – which is responsible for shepherding the Privacy Shield through the approval and adoption process – it nevertheless may prove influential as that process moves forward.

Yesterday, the European Commission announced that EU and US officials had reached an agreement to implement a program known as the EU-US Privacy Shield.  Privacy Shield is designed to be the successor to the Safe Harbor program, which the European Court of Justice (CJEU) invalidated last October.  The announcement brings some relief to the many companies that previously had self-certified their compliance with the Safe Harbor program and feared enforcement actions brought by European data protection authorities (DPAs) against those Safe Harbor adherents who had not adopted alternative means of legitimizing transatlantic data transfers after the CJEU’s decision.  However, as the Privacy Shield would not become effective for at least several more months, such enforcement actions are, theoretically, still possible.

Companies anxiously watching their calendars to see if a new Safe Harbor program will be introduced before the end of January may get their wish: yesterday, a European Commission official announced that the Commission will inform the European Parliament of the outcome of negotiations for a new Safe Harbor program by Monday, February 1.  This is especially welcome news for those Safe Harbor-certified companies that chose not to implement alternative legal mechanisms to legitimize their transatlantic data transfers (such as model contracts or binding corporate rules) after the Safe Harbor program was invalidated in October, and instead held out hope that a new agreement would be reached by the end of January – the point at which EU member states’ data protection authorities may start taking legal action against those companies engaging in unlawful cross-border data transfers.

Now that it’s been approved by the EU Parliament’s Civil Liberties Committee, Europe’s General Data Protection Regulation (the “GDPR” or the “Regulation”) is well on its way to replacing the 20-year-old Data Protection Directive (the “Directive”) as the EU’s omnibus data protection law.  Although it won’t officially become law until it receives the approval of the EU Parliament, now is the time to study the most important aspects of the GDPR so you can be prepared for the new regime.

Following yesterday’s announcement that European officials had agreed on the language of the EU’s new General Data Protection Regulation (“GDPR” or “Regulation”), today the EU Parliament’s Civil Liberties Committee approved the text of the GDPR.  The GDPR isn’t law yet, as it still needs to be approved by the EU Parliament next month.  However, the Parliament is expected to approve the Regulation, which would then go into force in 2018.  Once it becomes effective, the GDPR will replace the twenty-year-old EU Data Protection Directive (the “Directive”) and provide a new omnibus data protection law for the EU.

After nearly four years of negotiation and wrangling, European Officials announced yesterday that they had finally reached agreement on the language for the EU’s new General Data Protection Regulation (“Regulation), which will replace the aging 1995 Data Protection Directive (“Directive”).

In many ways, the announcement is welcome news as it