EU-U.S. Privacy Shield

2022 was another eventful year in the realm of privacy, security and innovation.  Privacy World was there every step of the way, to keep you informed on key developments.  Starting next week, we will be rolling out our popular Year in Review series.  As a lead up to that, below are our ten most popular

The European Commission (the “Commission”) published today its draft adequacy decision for the US (the “Draft Decision”). This paves the way for an institutionalized personal data transfer mechanism across the Atlantic to emerge (and already raises the prospects of it being under scrutiny again).

If your pre- holidays’ workload (that also includes the transition of your old SCCs to the new ones, another transfer duty, does not allow you to read the full 134-page Draft Decision, here is a little tour of what you need to know before it becomes final (and this might still take some time).
Continue Reading Third Time Lucky or Schrems III? The European Union Data Pact with the US Moves One Step Closer (To Be Challenged – Again)

Background

On October 7, 2022, US President Joe Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the Executive Order), introducing new safeguards to protect the personal data shared between the EU and the US.

The Executive Order is the first tangible step towards a new transatlantic framework for personal data transfers, following the March 25, 2022, joint announcement by the European Commission president, Ursula von der Leyen, and US President Biden that they had reached an agreement in principle on a successor to the Privacy Shield.

While details of the actual content leaked over time, here is a summary of what the Executive Order is providing, but, more importantly, what the signature of the order means, not only for those who will be able to certify to the revised Privacy Shield, but also for all others.
Continue Reading We Have an EO, but Not (Yet) a New Transfer Mechanism

Earlier today, President Biden issued the Executive Order that is expected to lay the groundwork for the replacement for Privacy Shield.   

Key Takeaway 

President Biden issued an Executive Order to help pave the way for a new mechanism to transfer personal data subject to EU data protection law from the EU to the US. Whether and when the new mechanism will be available for US businesses remains to be seen.Continue Reading Biden Administration Issues Executive Order for Privacy Shield Replacement

On December 9, 2021, Vice President of the International Institute of Communications (“IIC”), moderated a panel discussion involving U.S. and international stakeholders’ perspectives on privacy and data protection trends and  the value of interoperability in cross-border data transfers at the IIC’s (virtual) annual Telecommunications & Media Forum (“TMF”) in Washington DC.

The panel participants

In a draft adequacy decision, reported to have been seen by the Financial Times (FT), the European Commission (the “Commission”) is set to allow the continued free flow of data between the EU and UK, after confirming that the UK offers an adequate level of protection for personal data, pursuant to Article 45 of the General Data Protection Regulation (the “GDPR”). According to the FT, the draft decision can be expected this week.

The decision, once adopted, will replace the current interim solution, agreed under the EU-UK Trade and Cooperation Agreement, which allows for companies and organisations to transfer personal data from the EU to the UK up until 30 June 2021. For more information on the interim solution please see our previous update “Brexit Updated: Interim Deal Reached on EU-UK Data Transfers”.
Continue Reading Brexit Updated: EU Set to Publish UK Adequacy Decision

"Hot" ButtonSeveral important documents relating to the rules governing the transfer of EU personal data were published during the second week of November 2020 by the European Data Protection Board (EDPB) and the EU Commission. In addition, the EU Commission has also published new standard contractual clauses for use when transferring personal data between a controller and a processor within the EEA and to countries outside the EEA.

Transfers of Personal Data to Third Countries

In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers – the so-called Schrems II judgment (see our post on this topic) – organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of  the Regulation (EU) 2016/679, i.e. the General European Data Protection Regulation (GDPR).

The following documents have been published in relation to implementation of Schrems II.
Continue Reading Watch Out for These Very Important Documents on “Transfers” and “Processing” of Personal Data

Data Protection ShieldSince the Court of Justice of the EU (“CJEU”) decided in its Schrems II ruling that the Privacy Shield is no longer valid and that  EU Standard Contractual Clauses (SCC) can no longer be used without extra scrutiny and require the implementation of additional security measures by both the EU data exporter and the US data importer, companies are wondering on how they can transfer data to non EU countries. According to the CJEU, the SCCs are still valid, but a level of protection for personal data equivalent to that in the EU must be ensured, which would not be the case if public authorities, such as intelligence services, can access EU personal data without adequate judicial oversight or due process.
Continue Reading German DPA Issues Guidance on Schrems II and the Transfer of Personal Data to Non-EU Countries

Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier use consent as a basis for international transfer than was the case under the Directive 95/46?

Rules on international transfer under GDPR

Chapter V of GDPR offers several legal bases for the transfer of personal data to third countries or international organizations:

  1. The suitability of the recipient country or entity on the basis of an adequacy decision of the European Commission (Article 45).
  2. The establishment of “appropriate safeguards” by the recipient (Article 46) such as standard contractual clauses adopted by the European Commission or BCRs (Article 47).
  3. The “Derogations for specific situations” provided by Article 49 (1) of the GDPR, which provides that transfers, where neither of the above applies, may be carried if one of the listed conditions is fulfilled. One of the derogations is the case where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.

Continue Reading Does the GDPR Allow for the Use of Consent for the International Transfer of Data?

The European Parliament plenary adopted on 5 July 2018 the LIBE Committee’s Motion for Resolution on the EU-US Privacy Shield (‘Privacy Shield) indicating the general Parliament’s position towards its functioning. The non-binding resolution calls for the suspension of the Privacy Shield unless the US demonstrates compliance with its requirements by 1 September 2018.  As per our previous post, the European Parliament considers that the personal data protection provided by the Privacy Shield is not adequate. 
Continue Reading European Parliament Calls on US to Show Compliance with EU-US Privacy Shield Within Two Months