Poland’s data protection authority, the Generalny Inspektor Ochrony Danych Osobowych (GIODO), recently issued its opinion on the continued validity of personal data transfers to the US.  The opinion comes at a time when nearly every means of legitimizing data transfers from the EU to the US has come under fire: on October 6, the European Court of Justice (CJEU) issued a decision invalidating the US-EU Safe Harbor framework, and soon after Germany’s Conference of Data Protection Commissioners indicated that the German DPAs would not grant any new approvals for data transfers to the US on the basis of binding corporate rules (BCRs) or standard contractual clauses.  Meanwhile, the Article 29 Working Party issued an opinion stating that standard contractual clauses and BCRs remained valid tools for transferring personal data from the EU to the US.  Furthermore, it recognized that American and European authorities were negotiating to develop a Safe Harbor replacement, and that EU DPAs therefore would not bring enforcement actions unless the negotiating authorities fail to reach a solution by the end of January 2016.

Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with the U.S. government regarding the so-called Safe Harbor 2.0 within three months.  This timeline dovetails with the Article 29 Working Party’s grace period, which continues until the end of January 2016.

Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.

News out of Germany, however, indicates that a one-size-fits-all approach to data transfers from the EU to the U.S. may be difficult to achieve.

Just one week after the milestone decision rendered by the CJEU (http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=fr&type=TXT&ancre) to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) issued

Today, the European Court of Justice (CJEU) invalidated the US-EU Safe Harbor framework, effective immediately.  This momentous decision jeopardizes the continued flow of data from Europe to the US.  As the Safe Harbor framework has been in place for 15 years and counts more than 4500 companies among its participants, today’s ruling is poised to have a major impact on US-EU trade, and leaves many businesses wondering if there are any alternatives that will allow them to continue transferring data across the Atlantic without running afoul of the law.  In this post, we break down the decision and its implications.

In a non-binding opinion issued on September 23, 2015, an Advocate General for the European Court of Justice (“ECJ”) recommended that the ECJ suspend the U.S.-EU Safe Harbor program (“Safe Harbor”) and reexamine whether the Safe Harbor provides adequate protection for personal data of EU citizens.  In light of its non-binding nature, the opinion did not effect any legal change and the ECJ is free to reject or adopt its recommendations.  Nevertheless, the opinion has triggered widespread concerns about the future of the Safe Harbor, due in part to the frequency with which the ECJ follows the recommendations of its advisors.

In what may prove to be a major step forward in US-EU privacy relations, the House Judicial Committee approved H.R. 1428, the Judicial Redress Act of 2015, on September 16.  If enacted, the bill would allow citizens of “covered countries” to bring civil actions in the US under the Privacy Act of 1974.  In effect, this means that certain foreign nationals would have the same rights US citizens have under the Privacy Act – namely, the right to sue US government agencies in order to access, amend, or correct records the agencies may be keeping about them, or to seek redress for the unlawful disclosure of those records.  (Note that the Privacy Act does not cover private businesses or state and local governments; it only allows individuals to seek records from federal government agencies.) Citizens of the US already have such rights in the EU, so the Judicial Redress Act would provide corresponding rights for EU citizens.

In an expected but controversial move, Google has rejected a demand by the French Data Privacy authority CNIL to apply the European “Right to be Forgotten” worldwide.

We have covered the E.U.’s Right to be Forgotten before, but here is a quick recap: under the E.U. rule, individuals have the right to require organizations that control personal data about them (“data controllers”) to delete all such data and abstain from further disseminating it. A data controller is required to act on an individual’s request to delete their personal data without delay unless they have a legitimate reason for not doing so. A series of European Court rulings established that search engines such as Google qualify as “data controllers,” and that search engines can be required to “delist” links to content as a means of preventing that content from being disseminated. Most surprising, however, is the suggestion in these rulings that Google can be required to delist links from all Google domains, not just from domains in the E.U. or in specific E.U. countries.