European Commission

Brexit/GDPR: European Commission Publishes Draft Adequacy Decision for Data Transfers

On 19 February 2021, the European Commission published the draft for an adequacy decision regarding transfers of personal data to the UK. For businesses in the European Union (and EEA) who transfer data to business partners and vendors in the UK, it will be crucial that the final decision is made before the end of June 2021.

Thanks to an additional transitional period for data transfers in the last-minute EU-UK Trade and Cooperation Agreement (TCA), the worst fears of data protection experts that the UK could become a “third country” overnight did not materialise. However, this period ends no later than in June 2021.

While the chances that the final decision will be issued in time have now increased, companies in the EU/EEA should be aware that this is not guaranteed. In case the Commission fails to authorize data transfers to the UK, businesses should – if no other safeguards are present – be prepared to enter into the standard contractual clauses (SCCs, aka Model Contracts) in order to comply with the GDPR.

McDermott can help you with identifying data transfers to the UK and choosing the right SCCs.




The Privacy Shield: September 30, 2016, Deadline for Early Self-Certification Offers Compliance Opportunity and Risk

The European Commission recently determined that the Privacy Shield Framework is adequate to legitimize data transfers under EU law, providing a replacement for the Safe Harbor program. The Privacy Shield is designed to provide organizations on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Organizations that apply for Privacy Shield self-certification by September 30, 2016, will be granted a nine-month grace period to conform their contracts with third-party processors to the Privacy Shield’s new onward transfer requirements.




Safe Harbor Update: European Commission Reaffirms Commitment to a Safe Harbor Sequel

As we reported on October 19th, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data challenged the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program. Today, the European Commission (EC) issued a public statement confirming its commitment to working with the United States on a “renewed and sound framework for transatlantic transfers of personal data.” The apparent trigger for today’s announcement is “concerns” from businesses about “the possibilities for continued data transfers” while the Safe Harbor Sequel is under negotiation.

In its statement, the EC confirms that during the pendency of the U.S.-EU negotiations, Standard Contractual Clauses and Binding Corporate Rules (BCRs) are viable bases for legitimizing data transfers that formerly were validated by the Safe Harbor Program.

The EC was careful to note that today’s guidance “does not lay down any binding rules” and “is without prejudice to the powers and duty of the DPAs (Data Protection Authorities) to examine the lawfulness of such transfers in full independence.” In other words, a DPA still may decide that Standard Contractual Clauses and BCRs are not viable under its country’s laws.




Court of Justice of the European Union Says Safe Harbor Is No Longer Safe

Earlier today, the Court of Justice of the European Union (CJEU) announced its determination that the U.S.-EU Safe Harbor program is no longer a “safe” (i.e., legally valid) means for transferring personal data of EU residents from the European Union to the United States.

The CJEU determined that the European Commission’s 2000 decision (Safe Harbor Decision) validating the Safe Harbor program did not and “cannot eliminate or even reduce the powers” available to the data protection authority (DPA) of each EU member country. Specifically, the CJEU opinion states that a DPA can determine for itself whether the Safe Harbor program provides an “adequate” level of personal data protection (i.e., “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union” as required by the EU Data Protection Directive (95/46/EC)).

The CJEU based its decision invalidating that Safe Harbor opinion in part on the determination that the U.S. government conducts “indiscriminate surveillance and interception carried out … on a large scale”.

The plaintiff in the case that gave rise to the CJEU opinion, Maximilian Schrems (see background below), issued his first public statement praising the CJEU for a decision that “clarifies that mass surveillance violates our fundamental rights.”

Schrems also made reference to the need for “reasonable legal redress,” referring to the U.S. Congress’ Judicial Redress Act of 2015. The Judicial Redress Act, which has bi-partisan support, would allow EU residents to bring civil actions in U.S. courts to address “unlawful disclosures of records maintained by an [U.S. government] agency.”

Edward Snowden also hit the Twittersphere with “Congratulations, @MaxSchrems. You’ve changed the world for the better.”

Background

Today’s CJEU opinion invalidating the Safe Harbor program follows on the September 23, 2015, opinion from the advocate general (AG) to the CJEU in connection with Maximilian Schrems vs. Data Protection Commissioner.

In June 2013, Maximilian Schrems, an Austrian student, filed a complaint with the Irish DPA. Schrems’ complaint related to the transfer of his personal data collected through his use of Facebook. Schrems’ Facebook data was transferred by Facebook Ireland to Facebook USA under the Safe Harbor program. The core claim in Schrems’ complaint is that the Safe Harbor program did not adequately protect his personal data, because Facebook USA is subject to U.S. government surveillance under the PRISM program.

The Irish DPA rejected Schrems’ complaint because Facebook was certified under the Safe Harbor Program. Schrems appealed to the High Court of Ireland, arguing that the Irish (or any other country’s) DPA has a duty to protect EU citizens against privacy violations, like access to their personal data as part of U.S. government surveillance. Since Schrems’ appeal relates to EU law (not solely Irish law), the Irish High Court referred Schrems’ appeal [...]





Article 29 Working Party Defends BCR-P to European Institutions

On 12 June 2014, in a letter from the Article 29 Data Protection Working Party to the President of the European Parliament, the Working Party defended, and urged the EU institutions to discuss, Binding Corporate Rules for Processors (BCR-P) in respect of the forthcoming EU General Data Protection Regulation.

In its letter, the Working Party clarifies its views on BCR-P, outlines the safeguards that BCR-P offer and addresses concerns that have led some to call for the dropping of BCR-P. The letter suggests that these issues should be covered during future trialogues between the EU Council, the European Commission (both of which received copies of the letter) and the European Parliament.

Background

Binding Corporate Rules (BCR) represent one of the ways that a data controller can overcome the general prohibition contained in the EU Data Protection Directive (95/46/EC) on cross-border transfers of personal data to countries outside the EEA that do not offer adequate levels of data protection. Broadly, BCR are legally enforceable corporate rules applied by company groups which, on the approval of the relevant national data protection authority, are deemed to ensure sufficient protection for international transfers between group companies.

In December 2011, the European Commission announced that BCR would be updated in the new EU General Data Protection Regulation. Whilst BCR only apply to data controllers, the Working Party is a proponent of BCR-P (which apply similarly to data processors rather than data controllers) and, in June 2012, established a BCR-P framework. In brief, BCR-P permit data processors, on the instruction of data controllers, to forward personal data to their group companies, otherwise known as “sub-processing”. The Working Party has officially permitted companies to apply for BCR-P since January 2013. To date, three international organisations have BCR-P approved by their national data protection authorities, with a further 10 currently under review.

In Defence of BCR-P

In its letter, the Working Party encloses an explanatory document setting out the main guarantees offered to data controllers, data subjects and data protection authorities generally, relating to:

  • Use of external sub-processors;
  • Conflict between an applicable legislation and BCR-P and/or Service agreements / Access by law enforcement authorities;
  • Controllers’ rights;
  • Data subjects’ rights;
  • Processors’ obligations towards data protection authorities; and
  • Implementation of accountability measures.

The Working Party also stresses the high level of protection that BCR-P offer to international transfers of personal data, which, according to the Working Party, represent the “optimal solution” to encourage data protection principles abroad. In the alternative, the Working Party suggests that model clauses or Safe Harbour do not offer a comparable level of protection.

In response to calls for the European Parliament to drop BCR-P from future legislation due to a lack of guarantees to frame sub-processing activities, the Working Party clarifies that BCR-P offer greater levels of protection than those currently provided by the European Parliament. Furthermore, the Working Party concludes that to drop BCR-P would create legal uncertainty and represent a loss generally to those organisations with approved BCR-P or those currently [...]




