Summary: The Irish High Court has made a preliminary reference to the Court of Justice of the European Union (“CJEU”), asking whether standard data protection clauses (“standard clauses”) are compatible with the legal rights of data subjects under EU law. Standard clauses are currently used as an appropriate safeguard to facilitate the transfer of personal data outside of the European Economic Area (the “EEA”). The reference to the CJEU comes despite previous decisions from the European Commission (the “Commission”) that have approved their use. It is worth noting that the reference does not invalidate the use of standard clauses for the moment. However, a judgment from the CJEU that does so would have implications for billions of euros worth of trade between the EU and the rest of the world. If the CJEU decides to render the use of standard clauses invalid, this would leave extremely limited scope for compliant data transfers …
As Max Schrems continues to do battle over Model Clauses in the Irish High Court, the Article 29 Working Party (WP29) has this week issued guidance surrounding EU-US Privacy Shield (Privacy Shield) related complaints. The guidance will be of note to any EU citizen wishing to complain about the handling of their personal data that has been transferred from the EU to one of the 1724 organisations registered under Privacy Shield as of 24 February. It encompasses a template complaint form and Rules of Procedure and should provide parties concerned with all the information necessary to notify a breach under the 6-month-old framework. The Rules of Procedure provide guidance on how an "Informal Panel of EU DPAs" (Panel) will operate in advising US organisations following a complaint. The Panel will aim to provide guidance within 60 days after receiving a complaint form. The complaint …
In the past year, we have seen Safe Harbor declared invalid and the EU-US Privacy Shield put in place, as well as the start of the countdown to GDPR compliance. Datonomy contributors Elle Todd and Rob Bratby join Jamie Davies from Telecom to discuss all things data and reflect on the changes to EU data protection regulation over the past twelve months. Find the article here.
Datonomy summarises the latest developments in the ongoing saga of US data transfers. What's new? On 13 April, the Article 29 Working Party announced their eagerly awaited – but as it turned out, somewhat inconclusive – conclusions on the proposed new EU-US Privacy Shield data transfer mechanism. A lunchtime press conference led by Article 29 Working Party Chairman Isabelle Falque-Pierrotin was followed by the publication in the late afternoon of two new documents:
- a 58-page Opinion on the EU-US Privacy Shield adequacy decision
- a 15-page Working Document on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)
- the commercial aspects
- derogations for national security purposes.
German data protection authorities have already started issuing proceedings against companies that are still transferring personal data to the US (“Data Transfers”) under Safe Harbor, less than a month after the expiration of the deadline set by the Art. 29 Working Party and the announcement that agreement had been reached on the EU-US Privacy Shield. Companies relying solely on Safe Harbor that have been waiting for the new EU-US Privacy Shield to come into force before changing their approach to Data Transfers should take stock. Enforcement practice has varied significantly around Europe, with the German regulators being some of the most active, but it is fair to say that simply waiting for the EU-US Privacy Shield without taking any further steps is an increasingly risky approach. Meanwhile, on 29 February the European Commission unveiled the various texts that will make up the Privacy Shield. Datonomy will be reporting on that …