Bad news for companies relying on transatlantic data flows as, once again, the transfer of personal data from Europe to the United States is called into question by the Article 29 Working Party (the “Working Party”), an influential committee of the EU privacy regulators. Ever since the EU-U.S. Safe Harbor Framework was declared invalid by the Court of Justice of the European Union in October 2015, companies have had to find alternative ways to legally transfer personal data. On 29 February 2016, the EU Commission proposed the “EU-U.S. Privacy Shield” as a replacement to the Safe Harbor Framework and a potential solution.
Posts by: Paul Hansford
The European Commission has announced that it has reached a deal to replace the EU-US Safe Harbor framework that was declared invalid last year by the Court of Justice of the European Union (“ECJ”). Heralded as the EU-US Privacy Shield (and colloquially referred to as, “Safe Harbor 2.0”), the framework should provide companies with clearer direction on safe transatlantic data transfer.
After nearly 4 years of negotiations, yesterday evening the EU reached agreement on the final provisions of its new data protection laws. With it, a new era of data protection has been ushered in that will have far reaching consequences for organisations both inside and outside of the EU.
In January 2012, the European Commission put forward its proposals for data protection reform, which included text for a new General Data Protection Regulation. Following negotiations this year with the European Parliament and the Council (the so-called ‘trilogues’ meetings), the three institutions reached final agreement on the Regulation’s provisions late last night.
On December 7, 2015, more than two and a half years after the first draft, the European Union Council finally reached an important, informal agreement with the Parliament on important network and information security rules (“NIS-Directive”) affecting companies across the EU. The culmination of the European Commission’s Cybersecurity strategy effort that began in February 2013 with the European Commission’s proposed draft directive on measures to ensure a common level of network and information security. Final adoption of the NIS-Directive will have several important consequences, including increased focus by Boards of Directors of cybersecurity risk, the need for companies to increase their investment in information security, to prepare and implement cybersecurity incident response plans, to conduct internal comprehensive investigations into the circumstances of a cybersecurity event in order to comply with forthcoming reporting obligations.
Last Friday (6 November 2015) the EU Commission issued a communication on the transfer of personal data from the EU to the US under the Data Protection Directive following the judgment by the Court of Justice in the Schrems case.
In addition to providing some welcome support for the use of data transfer mechanisms such as Model Clauses and BCRs, the communication also contains an important statement from the Commission that it intends to update the decisions it has previously made authorising personal data transfers to certain countries outside of the EU.