Data Transfer

A Shifting Cybersecurity Landscape in the European Union

EU data privacy

Orrick Attorneys Aravind Swaminathan, Kolvin Stone and Christian Schröder recently discussed how impending changes to EU data privacy laws will fundamentally change how European companies respond in the face of a cyber attack or data breach.  The article examines the cyber threat landscape and suggests how EU companies should assemble the right individuals into an incident response team for dealing with a data breach.  Drawing on their experience managing client data breaches in the United States, the authors provide concrete strategies for EU companies to deal with a data breach—before, during, and after the event.  For more on how to prepare for the impending changes to EU data privacy laws, click here.

Data transfers in limbo – U.S. companies face fines by German data protection authorities

international data transfers

While EU regulators determine whether to adopt a new agreement for transfers of personal data from Europe to the United States to replace the invalid EU-U.S. Safe Harbor Framework, German data protection authorities have not been idly twiddling their thumbs.

Hamburg’s data protection commissioner, the head of one of 16 Federal German data protection authorities (“DPA”), announced in February that his agency is investigating Hamburg-based subsidiaries of large U.S. companies engaging in transfers of personal data of EU citizens to the U.S.

READ MORE

EU-US Privacy Shield may not be up after all

data privacy

Bad news for companies relying on transatlantic data flows as, once again, the transfer of personal data from Europe to the United States is called into question by the Article 29 Working Party (the “Working Party”), an influential committee of the EU privacy regulators. Ever since the EU-U.S. Safe Harbor Framework was declared invalid by the Court of Justice of the European Union in October 2015, companies have had to find alternative ways to legally transfer personal data. On 29 February 2016, the EU Commission proposed the “EU-U.S. Privacy Shield” as a replacement to the Safe Harbor Framework and a potential solution.

READ MORE

EU-U.S. Privacy Shield is Go…nearly

Privacy Shield

On 29 February 2016 the European Commission issued the legal texts of the EU-U.S Privacy Shield which aims to replace the defunct EU-U.S Safe Harbor Framework as a legitimate mechanism for transferring personal data from the EU to the U.S.

In contrast to its predecessor, the Privacy Shield contains commitments from US government in relation to controls on access to personal data by public authorities. This is an aspect of the new scheme which aims to address the jurisprudence of the Court of Justice of the European Union and criticisms of the previous Safe Harbor Framework.

READ MORE

Safe Harbor 2.0: Political Agreement Reached – The EU-US Privacy Shield

Safe Harbor

The European Commission has announced that it has reached a deal to replace the EU-US Safe Harbor framework that was declared invalid last year by the Court of Justice of the European Union (“ECJ”).  Heralded as the EU-US Privacy Shield (and colloquially referred to as, “Safe Harbor 2.0”), the framework should provide companies with clearer direction on safe transatlantic data transfer.

READ MORE

EU Commission to Update Decisions Authorising Personal Data Transfers to Certain Countries Outside the EU

international

Last Friday (6 November 2015) the EU Commission issued a communication on the transfer of personal data from the EU to the US under the Data Protection Directive following the judgment by the Court of Justice in the Schrems case.

In addition to providing some welcome support for the use of data transfer mechanisms such as Model Clauses and BCRs, the communication also contains an important statement from the Commission that it intends to update the decisions it has previously made authorising personal data transfers to certain countries outside of the EU.

READ MORE

German DPAs Add Further Pressure to EU-US Data Transfers

International Privacy Law

Yesterday, German federal and state (Länder) data protection authorities (“DPAs”) issued a Position Paper following the recent Court of Justice of the European Union (“CJEU”) ruling that struck down the EU-US Safe Harbor Framework. Read an unofficial translation of the German Position Paper here.

Unfortunately, the Position Paper does little to relieve the pressure many organisations are now facing in relation to their cross-Atlantic data transfer mechanisms, particularly those used to transfer data from Germany to the United States.[1] READ MORE

PRIVACY POLICIES AND THE SALE OF CORPORATE ASSETS: It pays to plan ahead to preserve the value of your data assets

privacy policy

Personal data is a valuable corporate asset.  At times, the personal information collected from customers (such as email address, mailing address, phone number, etc.) can be a company’s most valuable asset.  Unfortunately, when a company attempts to sell this asset, it can find the value of the data significantly diminished due to promises made in a privacy policy the company implemented years before it ever contemplated such a sale.

READ MORE

EU Working Party Issues Statement on CJEU’s Invalidation of Safe Harbor Framework

Safe Harbor

The European Court of Justice’s (CJEU) recent decision striking down the EU-US Safe Harbor framework has created significant marketplace uncertainty and left companies scrambling for alternative cross-Atlantic data transfer mechanisms.

READ MORE

US–EU Safe Harbor – Struck Down!

safe harbor

1. CJEU finds Safe Harbor Invalid

In a landmark ruling delivered today, Europe’s highest court, the Court of Justice of the European Union (CJEU) declared that the EU Commission’s US – EU Safe Harbour regime is invalid.  Now over 4400 US entities that rely on Safe Harbor and their millions of EU based customers, partners and affiliates face the prospect of personal data transfers between them being unlawful.

You can read about the background to the decision and commentary on the CJEU ruling towards the end of this alert.  However, important commercial implications arising from the decision and what businesses should be thinking about now are discussed directly below.

READ MORE