As of, August 1st, 2016, U.S. companies can now join the Safe Harbor successor EU-U.S. Privacy Shield (the “Privacy Shield”) for personal data transfers from the EU to the U.S.
This post gives a high level summary of what companies should consider with the Privacy Shield.
On July 12, 2016, the European Commission (the “Commission”) formally adopted the adequacy decision necessary to implement the Privacy Shield. This means that transfers of personal data from the EU to the U.S. that are made pursuant to the Privacy Shield’s requirements are lawful under EU law. The Privacy Shield replaces the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (“CJEU”) on October 6, 2015.
Yesterday, German federal and state (Länder) data protection authorities (“DPAs”) issued a Position Paper following the recent Court of Justice of the European Union (“CJEU”) ruling that struck down the EU-US Safe Harbor Framework. Read an unofficial translation of the German Position Paper here.
Unfortunately, the Position Paper does little to relieve the pressure many organisations are now facing in relation to their cross-Atlantic data transfer mechanisms, particularly those used to transfer data from Germany to the United States. READ MORE
The European Court of Justice’s (CJEU) recent decision striking down the EU-US Safe Harbor framework has created significant marketplace uncertainty and left companies scrambling for alternative cross-Atlantic data transfer mechanisms.
On October 6, California Governor Jerry Brown signed legislation updating California’s data breach notice statute for the third time in three years. The news was quickly overshadowed by the CJEU’s decision invalidating the US-EU Safe Harbor Framework on the same day, but the California law amendments should not be overlooked. The amendments, which update Cal. Civ. Code § 1789.29 (for state agencies) and § 1789.82 (for businesses), were part of a legislative “package deal” of three separate bills mandating a new breach notice format (S.B. 570), defining “encryption” (A.B. 964), and expanding the definition of “personal information” and clarifying substitute notice requirements (S.B. 34). The amendments will take effect on January 1, 2016.