International

Subscribe to International via RSS

Following yesterday’s announcement that European officials had agreed on the language of the EU’s new General Data Protection Regulation (“GDPR” or “Regulation”), today the EU Parliament’s Civil Liberties Committee approved the text of the GDPR.  The GDPR isn’t law yet, as it still needs to be approved by the EU Parliament next month.  However, the Parliament is expected to approve the Regulation, which would then go into force in 2018.  Once it becomes effective, the GDPR will replace the twenty-year-old EU Data Protection Directive (the “Directive”) and provide a new omnibus data protection law for the EU.

After nearly four years of negotiation and wrangling, European Officials announced yesterday that they had finally reached agreement on the language for the EU’s new General Data Protection Regulation (“Regulation), which will replace the aging 1995 Data Protection Directive (“Directive”).

In many ways, the announcement is welcome news as it

Poland’s data protection authority, the Generalny Inspektor Ochrony Danych Osobowych (GIODO), recently issued its opinion on the continued validity of personal data transfers to the US.  The opinion comes at a time when nearly every means of legitimizing data transfers from the EU to the US has come under fire: on October 6, the European Court of Justice (CJEU) issued a decision invalidating the US-EU Safe Harbor framework, and soon after Germany’s Conference of Data Protection Commissioners indicated that the German DPAs would not grant any new approvals for data transfers to the US on the basis of binding corporate rules (BCRs) or standard contractual clauses.  Meanwhile, the Article 29 Working Party issued an opinion stating that standard contractual clauses and BCRs remained valid tools for transferring personal data from the EU to the US.  Furthermore, it recognized that American and European authorities were negotiating to develop a Safe Harbor replacement, and that EU DPAs therefore would not bring enforcement actions unless the negotiating authorities fail to reach a solution by end of January 2016.

Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with the U.S. government regarding the so-called Safe Harbor 2.0 within three months.  This timeline dovetails with the Article 29 Working Party’s grace period, which continues until the end of January 2016.

Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.

News out of Germany, however, indicates that a one-size-fits all approach to data transfers from the EU to the U.S. may be difficult to achieve.

Just one week after the milestone decision rendered by the CJEU (http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=fr&type=TXT&ancre) to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) issued

Today, the European Court of Justice (CJEU) invalidated the US-EU Safe Harbor framework, effective immediately.  This momentous decision jeopardizes the continued flow of data from Europe to the US.  As the Safe Harbor framework has been in place for 15 years and counts more than 4500 companies among its participants, today’s ruling is poised to have a major impact on US-EU trade, and leaves many businesses wondering if there are any alternatives that will allow them to continue transferring data across the Atlantic without running afoul of the law.  In this post, we break down the decision and its implications.

In a non-binding opinion issued on September 23, 2015, an Advocate General for the European Court of Justice (“ECJ”) recommended that the ECJ suspend the U.S.-EU Safe Harbor program (“Safe Harbor”) and reexamine whether the Safe Harbor provides adequate protection for personal data of EU citizens.  In light of its non-binding nature, the opinion did not effect any legal change and the ECJ is free to reject or adopt its recommendations.  Nevertheless, the opinion has triggered widespread concerns about the future of the Safe Harbor, due in part to the frequency with which the ECJ follows the recommendations of its advisors.