In the past year, we have seen Safe Harbor declared invalid and the EU-US Privacy Shield put in place, as well as the start of the countdown to GDPR compliance. Datonomy contributors Elle Todd and Rob Bratby join Jamie Davies from Telecom to discuss all things data and reflect on the changes to EU data protection regulation over the past twelve months. Find the article here.
Datonomy summarises the latest developments in the ongoing saga of US data transfers. What's new? On 13 April, the Article 29 Working Party announced their eagerly awaited – but as it turned out, somewhat inconclusive - conclusions on the proposed new EU-US Privacy Shield data transfer mechanism. A lunchtime press conference led by Article 29 Working Party Chairman Isabelle Falque-Pierrotin was followed by the publication in the late afternoon of two new documents:
- a 58 page Opinion on the EU-US Privacy Shield adequacy decision
- a 15 page Working Document on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)
- the commercial aspects
- derogations for national security purposes.
German data protection authorities have already started issuing proceedings against companies that are still transferring personal data to the US (“Data Transfers”) under Safe Harbor, less than a month after the expiration of the deadline set by the Art. 29 Working Party and the announcement that agreement had been reached on the EU-US Privacy Shield. Companies relying solely on Safe Harbor that have been waiting for the new EU-US Privacy Shield to come into force before changing their approach to Data Transfers should take stock. Enforcement practice has varied significantly around Europe with the German regulators being some of the most active but it is fair to say that simply waiting for the EU-US Privacy Shield without taking any further steps is an increasingly risky approach. Meanwhile, on 29 February the European Commission unveiled the various texts that will make up the Privacy Shield. Datonomy will be reporting on that … Continue Reading ››
Late on Friday 16 October, Europe’s data protection regulators issued an opinion enabling ongoing transfers of personal information from the EU to the US, at least for the time being. This followed on from the CJEU’s 6 October decision in the Schrems case that the so-called “safe harbor” regime used by more than 4000 US companies to legitimize the import of EU personal information was invalid. Following that decision a number of German data protection authorities ruled that “model clauses”, another mechanism used by thousands of other organisations to legitimize EU to US transfers, were also invalid. There was growing concern that the Article 29 Working Party, an influential body representing Europe’s data protection authorities, would follow the German approach creating more uncertainty and removing one of the few remaining limbs to support transfer. Businesses on both sides of the Atlantic can breathe a sigh of relief. The opinion, although far from categorically … Continue Reading ››