Photo of Courtney M. Bowman

On Wednesday, the EU’s Article 29 Working Party issued its much-anticipated statement on the viability of the proposed EU-US Privacy Shield. As we’ve detailed previously, EU and US officials reached agreement on the Privacy Shield arrangement, which was meant to serve as a replacement for the invalidated Safe Harbor program, back in February, and released details of the Privacy Shield scheme a few weeks later. Observers then began eagerly awaiting the Article 29 Working Party’s opinion on the Privacy Shield, because even though the group’s opinion is not binding on the European Commission – which is responsible for shepherding the Privacy Shield through the approval and adoption process – it nevertheless may prove influential as that process moves forward.

After a decade of winding its way through the legislative process, Turkey’s new Data Protection Law entered into force on April 7.  Although Turkey previously had a few sectoral data protection laws on the books, this is the first time the country has had an omnibus data protection law.  Although details remain somewhat scant at this point, this new law deserves the attention of any company that conducts business in Turkey or collects the personal data of customers, employees, or other individuals located in Turkey.

Yesterday, the European Commission announced that EU and US officials had reached an agreement to implement a program known as the EU-US Privacy Shield.  Privacy Shield is designed to be the successor to the Safe Harbor program, which the European Court of Justice (CJEU) invalidated last October.  The announcement brings some relief to the many companies that previously had self-certified their compliance with the Safe Harbor program and feared enforcement actions brought by European data protection authorities (DPAs) against those Safe Harbor adherents who had not adopted alternative means of legitimizing transatlantic data transfers after the CJEU’s decision.  However, as the Privacy Shield would not become effective for at least several more months, such enforcement actions are, theoretically, still possible.

Companies anxiously watching their calendars to see if a new Safe Harbor program will be introduced before the end of January may get their wish: yesterday, a European Commission official announced that the Commission will inform the European Parliament of the outcome of negotiations for a new Safe Harbor program by Monday, February 1.  This is especially welcome news for those Safe Harbor-certified companies that chose not to implement alternative legal mechanisms to legitimize their transatlantic data transfers (such as model contracts or binding corporate rules) after the Safe Harbor program was invalidated in October, and instead held out hope that a new agreement would be reached by the end of January – the point at which EU member states’ data protection authorities may start taking legal action against those companies engaging in unlawful cross-border data transfers.

Now that it’s been approved by the EU Parliament’s Civil Liberties Committee, Europe’s General Data Protection Regulation (the “GDPR” or the “Regulation”) is well on its way to replacing the 20-year-old Data Protection Directive (the “Directive”) as the EU’s omnibus data protection law.  Although it won’t officially become law until it receives the approval of the EU Parliament, now is the time to study the most important aspects of the GDPR so you can be prepared for the new regime.

Following yesterday’s announcement that European officials had agreed on the language of the EU’s new General Data Protection Regulation (“GDPR” or “Regulation”), today the EU Parliament’s Civil Liberties Committee approved the text of the GDPR.  The GDPR isn’t law yet, as it still needs to be approved by the EU Parliament next month.  However, the Parliament is expected to approve the Regulation, which would then go into force in 2018.  Once it becomes effective, the GDPR will replace the twenty-year-old EU Data Protection Directive (the “Directive”) and provide a new omnibus data protection law for the EU.

Poland’s data protection authority, the Generalny Inspektor Ochrony Danych Osobowych (GIODO), recently issued its opinion on the continued validity of personal data transfers to the US.  The opinion comes at a time when nearly every means of legitimizing data transfers from the EU to the US has come under fire: on October 6, the European Court of Justice (CJEU) issued a decision invalidating the US-EU Safe Harbor framework, and soon after Germany’s Conference of Data Protection Commissioners indicated that the German DPAs would not grant any new approvals for data transfers to the US on the basis of binding corporate rules (BCRs) or standard contractual clauses.  Meanwhile, the Article 29 Working Party issued an opinion stating that standard contractual clauses and BCRs remained valid tools for transferring personal data from the EU to the US.  Furthermore, it recognized that American and European authorities were negotiating to develop a Safe Harbor replacement, and that EU DPAs therefore would not bring enforcement actions unless the negotiating authorities fail to reach a solution by the end of January 2016.

Today, the European Court of Justice (CJEU) invalidated the US-EU Safe Harbor framework, effective immediately.  This momentous decision jeopardizes the continued flow of data from Europe to the US.  As the Safe Harbor framework has been in place for 15 years and counts more than 4500 companies among its participants, today’s ruling is poised to have a major impact on US-EU trade, and leaves many businesses wondering if there are any alternatives that will allow them to continue transferring data across the Atlantic without running afoul of the law.  In this post, we break down the decision and its implications.