SlideShare a Scribd company logo

Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & notarissen - 9 november 2015

Sectie Intellectueel Eigendom en IT-recht van Dirkzwager advocaten & notarissen
Sectie Intellectueel Eigendom en IT-recht van Dirkzwager advocaten & notarissen

Slides presentation - case Safe Harbor/Schrems mr. drs. Mark Jansen Dirkzwager advocaten & notarissen - 9 november 2015 - RU

Internet
1 of 55
Download to read offline
Guest Lecture. November 9th 2015 Schrems - case CoJ EU, 2015-10-06, C-362/14
Agenda  Schrems v. DPC Ireland (Facebook) case (C-362/14, 2015-10-06)  What is Safe Harbor?  The facts of the case.  Decision of the European Union Court of Justice.  Implications and Solutions?
Safe Harbor  Art. 25(1) of Directive 95/46: The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
Safe Harbor  Art. 25(6) of Directive 95/46: The Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, United States (Safe Harbor) and Uruguay
Safe Harbor  Decision 2000/520 of the Commission: 1. (…), the “Safe Harbor Privacy Principles” (…), as set out in Annex I to this Decision, implemented in accordance with the guidance provided by the frequently asked questions (…) issued by the US Department of Commerce on 21 July 2000 as set out in Annex II to this Decision are considered to ensure an adequate level of protection for personal data transferred from the Community to organisations established in the United States, (…)
Safe Harbor Europe-v-Facebook.org / Business Insider
Safe Harbor  Quite popular program. (Almost) all major tech companies listed  http://safeharbor.export.gov/list.aspx
Safe Harbor  Problem: Edward Snowden leaks information about intelligence activities of the USA in June 2013.  NSA (National Security Agency) monitors all data transferred the USA.  Can we still speak of adequate protection in a third country as meant in Directive 95/46?  This question is answered in Case C-362/14
Facts of the case  Max Schrems, Austrian national, is a member of Facebook.  All non-US members of Facebook sign into an agreement with Facebook Ireland Ltd to become a member.  Facebook Ireland shares personal data with Facebook US.  Max Schrems is worried about his privacy, and therefore files 22 complaints with the Irish Data Protection Commissioner.
Facts of the case  Max Schrems: “Based on revelations made by Edward Snowden concerning the National Security Agency, the law and practice in force in the USA do not ensure adequate protection of the personal data held in its territory against the surveillance activities that are engaged in there by the public authorities.”
Facts of the case  The Irish DPC rejected the complaint, saying there was no case to answer: “Any question of the adequacy of data protection in the United States has to be determined in accordance with Decision 2000/520 and the Commission has found in that decision that the United States ensures an adequate level of protection.”
Facts of the case  Schrems filed for a judicial review in the Irish High Court which was granted: IHC: “electronic surveillance and interception of personal data transferred (…) serve necessary and indispensable objectives in the public interest. However, it added that the revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies.”
Facts of the case  The High Court decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling: ‘(1) Whether in the course of determining a complaint which has been made to an independent office holder (…) that personal data is being transferred to another third country (…) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?’
Facts of the case ‘(2) Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?’
Ruling of the CoJ  Before we go into the ruling itself, some remarkable facts…  Ruling given within two weeks (!) after the opinion of the Advocate General  Average time consumed by ECJ proceeedings in 2014 was 23,4 months  Usually a ruling is given about 1 year after the opinion  Ruling given at a time negotiations over revision of the Safe Harbor agreement were taking place  Ruling given by the Grand Chamber  Very rare, in 2014 only 8,65% of all cases
Ruling of the CoJ  (39) ‘It is apparent from Article 1 of Directive 95/46 and recitals 2 and 10 in its preamble that that directive seeks to ensure not only effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the fundamental right to respect for private life with regard to the processing of personal data, but also a high level of protection of those fundamental rights and freedoms.’
Ruling of the CoJ  46 (…) In that regard, Chapter IV of the directive, in which Articles 25 and 26 appear, has set up a regime intended to ensure that the Member States oversee transfers of personal data to third countries. That regime is complementary to the general regime set up by Chapter II of the directive laying down the general rules on the lawfulness of the processing of personal data (see, to this effect, judgment in Lindqvist, C-101/01, EU:C:2003:596, paragraph 63).
Ruling of the CoJ  (47) ‘As, (…), the national supervisory authorities are responsible for monitoring compliance with the EU rules (…) each of them is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements (…).’
Ruling of the CoJ  (51) ‘The Commission may adopt, on the basis of Article 25(6) of Directive 95/46, a decision finding that a third country ensures an adequate level of protection.’  (52) ‘Thus, until such time as the Commission decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, admittedly cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection.’
Ruling of the CoJ  (54) ‘Neither Article 8(3) of the Charter nor Article 28 of Directive 95/46 excludes from the national supervisory authorities’ sphere of competence the oversight of transfers of personal data to third countries which have been the subject of a Commission decision pursuant to Article 25(6) of Directive 95/46.’  (58) ‘If that were not so, persons whose personal data has been or could be transferred to the third country concerned would be denied the right, guaranteed by Article 8(1) and (3) of the Charter, to lodge with the national supervisory authorities a claim for the purpose of protecting their fundamental rights (…)’
Ruling of the CoJ  (61) ‘(…) the Court alone has jurisdiction to declare that an EU act, such as a Commission decision (…), is invalid, the exclusivity of that jurisdiction having the purpose of guaranteeing legal certainty by ensuring that EU law is applied uniformly (…).’
Ruling of the CoJ  (64) In a situation where the national supervisory authority (….) rejects it, the person who lodged the claim must (…) have access to judicial remedies enabling him to challenge such a decision adversely affecting him before the national courts.  (…), those courts must stay proceedings and make a reference to the Court for a preliminary ruling on validity where they consider that one or more grounds for invalidity put forward by the parties or, as the case may be, raised by them of their own motion are well founded (…)
Ruling of the CoJ  Answer(s) to the preliminary questions: (66) ‘(…) a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State (…) from examining the claim (…) when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.’
Ruling of the CoJ The preliminary questions are answered BUT The Court of Justice continues:  (67) ‘(…) having regard to what has been held in paragraphs 60 to 63 of the present judgment and in order to give the referring court a full answer, it should be examined whether that decision [2005/520] complies with the requirements stemming from Directive 95/46 read in the light of the Charter.’
Ruling of the CoJ  (73) ‘The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, (…) must be understood as requiring the third country in fact to ensure (…) a level of protection (…) that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter. (…)’
Ruling of the CoJ  (75 – 76) The Commission must assess the content of the applicable rules in a third country resulting from its domestic law or international commitments and the practice designed to ensure compliance with those rules. The Commission must also check periodically whether the findings relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified.
Ruling of the CoJ  The Court of Justice continues with checking the validity of Decision 200/520
Ruling of the CoJ  (81) ‘Whilst recourse by a third country to a system of self- certification is not in itself contrary to the requirements (…) the reliability of such a system (…) is founded essentially on the establishment of effective detection and supervision mechanisms enabling any infringements of the rules (…) to be identified and punished in practice.’  (82) ‘(…)Those principles are therefore applicable solely to self- certified United States organisations receiving personal data from the European Union, and United States public authorities are not required to comply with them.’
Ruling of the CoJ  (86) ‘Thus, Decision 2000/520 lays down that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbor principles, primacy pursuant to which self- certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them.’
Ruling of the CoJ  (88-89) Decision 2000/520 does not contain any finding regarding the existence of rules adopted by the State intended to limit any interference with the fundamental rights; interference which the State entities would be authorised to engage in when they pursue legitimate objectives, such as national security. The Decision also does not refer to the existence of effective legal protection against interference of that kind.
Ruling of the CoJ  (93) ‘Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail (…).’
Ruling of the CoJ  (94-95) Legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life. Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection.
Ruling of the CoJ  (98) ‘Consequently, without there being any need to examine the content of the safe harbor principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid.’  (99-104) Because Article 3(1) of Decision 2000/520 denies national supervisory authorities some powers which they derive from Article 28 of Directive 95/46, the Commission has exceeded its powers, which makes Article 3 of the Decision invalid.  (106) ‘Having regard to all the foregoing considerations, it is to be concluded that Decision 2000/520 is invalid.’
Ruling of the CoJ Europe-v-Facebook.org / Business Insider
Summary (1/2)  Summary:  transfer of personal data = processing;  National DPA’s have the authority to check transfers from their soil;  EC adequacy findings are binding until declared invalid by the Court;  DPA’s need to investigate complaints about EC adequacy findings and initiate domestic proceedings if they find the complaint to have merit;  The person who lodged the claim must have judicial remedies available if DPA denies complaint;
Summary (2/2)  Summary:  Adequate level = level essentially equivalent to EU level;  Adequacy needs to be reevaluated periodically;  Adequacy level needs to have basis in domestic legal system of third country;  Exceptions to interference with EU fundamental rights needs to be in accordance with principles set out by court;
Implications and Solutions  The CoJ basically ruled that the USA is not a safe country to transfer personal data to.  Major implications for many internet companies (i.e. Facebook, Apple, Twitter, Yahoo, Microsoft, Amazon)  Are there any solutions?
Implications and Solutions  Solution 1: the USA should change it’s legislation?
Implications and Solutions  Solution 2: Explicit consent of the consumer/person to transfer its personal data to the USA?
Implications and Solutions  Solution 3: Use of EC model contracts?
Implications and Solutions  Solution 4: Pseudonimization and anonymization?
Implications and Solutions  Solution 5: transfer data back to EU? Keep data in EU?
Implications and Solutions  Solution 6: ???
Implications and Solutions  And what about other countries (currently) deemed to have an adequate level of protection?
Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay
Questions?  Any (further) questions?
Contact details Mark Jansen m.jansen@dirkzwager.nl +31 26 353 83 67 www.dirkzwagerieit.nl (in Dutch) @ieitrecht
Verantwoording In deze presentatie wordt algemene en beknopte informatie verstrekt over een aantal juridisch relevante ontwikkelingen. Niet beoogd is om hiermee juridisch advies te geven voor concrete situaties. Hoewel veel zorg is besteed aan het opstellen van deze presentatie, aanvaardt Dirkzwager advocaten & notarissen N.V. geen aansprakelijkheid voor de inhoud ervan.
Actuele kennis van wet- en regelgeving Jurispruden tie Dirkzwager zorgt dat u het weet. Advocatuur Arnhem Postbus 3045 6802 DA Arnhem Kantoor Velperpoort Velperweg 1 6824 BZ Arnhem T +31 (0)26 353 83 00 F +31 (0)26 351 07 93 E info@dirkzwager.nl I www.dirkzwager.nl Postbus 111 6800 AC Arnhem Kantoor Velperpoort Verlperweg 1 6824 BZ Arnhem T +31 (0)26 365 55 55 F +31 (0)26 365 55 00 E info@dirkzwager.nl I www.dirkzwager.nl Postbus 55 6500 AB Nijmegen Kantoor Stella Maris Van Schaeck Mathonsingel 4 6512 AN Nijmegen T +31 (0)24 381 31 31 F +31 (0)24 322 20 74 E info@dirkzwager.nl I www.dirkzwager.nl Postbus 1104 6501 BC Nijmegen Kantoor Stella Maris Van Schaeck Mathonsingel 4 6512 AN Nijmegen T +31 (0)24 381 27 27 F +31 (0)24 324 07 26 E info@dirkzwager.nl I www.dirkzwager.nl

Recommended

Second Appeal against Registrar CIC dated 24.03.2017
Second Appeal against Registrar CIC dated 24.03.2017Second Appeal against Registrar CIC dated 24.03.2017
Second Appeal against Registrar CIC dated 24.03.2017
Om Prakash Poddar
 
International court of justice order under the genocide convention--dated 16-...
International court of justice order under the genocide convention--dated 16-...International court of justice order under the genocide convention--dated 16-...
International court of justice order under the genocide convention--dated 16-...
sabrangsabrang
 
CJEU decision on Schrems
CJEU decision on SchremsCJEU decision on Schrems
CJEU decision on Schrems
Greg Sterling
 
Second Appeal dated 21.04.2017 before CIC New Delhi against Non-disclosure of...
Second Appeal dated 21.04.2017 before CIC New Delhi against Non-disclosure of...Second Appeal dated 21.04.2017 before CIC New Delhi against Non-disclosure of...
Second Appeal dated 21.04.2017 before CIC New Delhi against Non-disclosure of...
Om Prakash Poddar
 
Hc order on medical bills
Hc order on medical billsHc order on medical bills
Hc order on medical bills
cjarindia
 
Wp 6601 of 2006
Wp 6601 of 2006Wp 6601 of 2006
Wp 6601 of 2006
sabrangsabrang
 
Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013
Greg Sterling
 
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
Om Prakash Poddar
 

Recommended

Second Appeal against Registrar CIC dated 24.03.2017
Second Appeal against Registrar CIC dated 24.03.2017Second Appeal against Registrar CIC dated 24.03.2017
Second Appeal against Registrar CIC dated 24.03.2017
Om Prakash Poddar
 
International court of justice order under the genocide convention--dated 16-...
International court of justice order under the genocide convention--dated 16-...International court of justice order under the genocide convention--dated 16-...
International court of justice order under the genocide convention--dated 16-...
sabrangsabrang
 
CJEU decision on Schrems
CJEU decision on SchremsCJEU decision on Schrems
CJEU decision on Schrems
Greg Sterling
 
Second Appeal dated 21.04.2017 before CIC New Delhi against Non-disclosure of...
Second Appeal dated 21.04.2017 before CIC New Delhi against Non-disclosure of...Second Appeal dated 21.04.2017 before CIC New Delhi against Non-disclosure of...
Second Appeal dated 21.04.2017 before CIC New Delhi against Non-disclosure of...
Om Prakash Poddar
 
Hc order on medical bills
Hc order on medical billsHc order on medical bills
Hc order on medical bills
cjarindia
 
Wp 6601 of 2006
Wp 6601 of 2006Wp 6601 of 2006
Wp 6601 of 2006
sabrangsabrang
 
Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013
Greg Sterling
 
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
First appeal against CIC New Delhi dated 24.01.2017 for Non- Implementation ...
Om Prakash Poddar
 
Sc judgement 30-apr-2021
Sc judgement 30-apr-2021Sc judgement 30-apr-2021
Sc judgement 30-apr-2021
sabrangsabrang
 
Second Appeal dated 06 04 2017 against SC before CIC New Delhi
Second Appeal dated 06 04 2017 against SC before CIC New DelhiSecond Appeal dated 06 04 2017 against SC before CIC New Delhi
Second Appeal dated 06 04 2017 against SC before CIC New Delhi
Om Prakash Poddar
 
Default
DefaultDefault
Default
Pravotv
 
Foundation for ind journ crlp(a) 9053 2021
Foundation for ind journ crlp(a) 9053 2021Foundation for ind journ crlp(a) 9053 2021
Foundation for ind journ crlp(a) 9053 2021
sabrangsabrang
 
суд оон
суд оонсуд оон
суд оон
Юлія Соколова
 
Reply by First Appellate Authority CIC New Delhi against Non-Implementation o...
Reply by First Appellate Authority CIC New Delhi against Non-Implementation o...Reply by First Appellate Authority CIC New Delhi against Non-Implementation o...
Reply by First Appellate Authority CIC New Delhi against Non-Implementation o...
Om Prakash Poddar
 
REPUBLIC OF KENYA IN THE SUPREME COURT OF KENYA AT NAIROBI
REPUBLIC OF KENYA IN THE SUPREME COURT OF KENYA AT NAIROBIREPUBLIC OF KENYA IN THE SUPREME COURT OF KENYA AT NAIROBI
REPUBLIC OF KENYA IN THE SUPREME COURT OF KENYA AT NAIROBI
Wandia Karige
 
Document-CONSENT LAUNCHING PROSECUTION
Document-CONSENT LAUNCHING PROSECUTIONDocument-CONSENT LAUNCHING PROSECUTION
Document-CONSENT LAUNCHING PROSECUTION
CIVIL SURGEON OFFICE FARIDKOT
 
Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program InvalidatedBulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated
CohenGrigsby
 
June 12 order
June 12 orderJune 12 order
June 12 order
ZahidManiyar
 
Supreme Court Majority full judgment
Supreme Court Majority full judgmentSupreme Court Majority full judgment
Supreme Court Majority full judgment
The Star Newspaper
 
Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...
Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...
Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...
Baker Publishing Company
 
Sc on wmen in mental health ins
Sc on wmen in mental health insSc on wmen in mental health ins
Sc on wmen in mental health ins
ZahidManiyar
 
Рішення ЄС щодо санкцій
Рішення ЄС щодо санкційРішення ЄС щодо санкцій
Рішення ЄС щодо санкцій
tsnua
 
20200724 edpb faqoncjeuc31118
20200724 edpb faqoncjeuc3111820200724 edpb faqoncjeuc31118
20200724 edpb faqoncjeuc31118
Internet Law Center
 
EU-US Data Privacy Framework
EU-US Data Privacy FrameworkEU-US Data Privacy Framework
EU-US Data Privacy Framework
Quotidiano Piemontese
 
ECJ Press Release in Schrems II Decision
ECJ Press Release in Schrems II DecisionECJ Press Release in Schrems II Decision
ECJ Press Release in Schrems II Decision
Internet Law Center
 
The Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsThe Data Retention Directive: recent developments
The Data Retention Directive: recent developments
blogzilla
 
Judgment of the Court_ the right to be forgotten
Judgment of the Court_ the right to be forgottenJudgment of the Court_ the right to be forgotten
Judgment of the Court_ the right to be forgotten
Monica Lupașcu
 
Curia case c‑131-12 gonzalez versus google
Curia case c‑131-12 gonzalez versus googleCuria case c‑131-12 gonzalez versus google
Curia case c‑131-12 gonzalez versus google
Jan Husar
 
After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?
Seb Oram
 
MÓDULO IV. INTERCEPTACIÓN DE COMUNICACIONES
MÓDULO IV. INTERCEPTACIÓN DE COMUNICACIONESMÓDULO IV. INTERCEPTACIÓN DE COMUNICACIONES
MÓDULO IV. INTERCEPTACIÓN DE COMUNICACIONES
CISE. Universidad de Salamanca
 

More Related Content

What's hot

Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...
Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...
Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...
Baker Publishing Company
 

What's hot (14)

Sc judgement 30-apr-2021
Sc judgement 30-apr-2021Sc judgement 30-apr-2021
Sc judgement 30-apr-2021
 
Second Appeal dated 06 04 2017 against SC before CIC New Delhi
Second Appeal dated 06 04 2017 against SC before CIC New DelhiSecond Appeal dated 06 04 2017 against SC before CIC New Delhi
Second Appeal dated 06 04 2017 against SC before CIC New Delhi
 
Default
DefaultDefault
Default
 
Foundation for ind journ crlp(a) 9053 2021
Foundation for ind journ crlp(a) 9053 2021Foundation for ind journ crlp(a) 9053 2021
Foundation for ind journ crlp(a) 9053 2021
 
суд оон
суд оонсуд оон
суд оон
 
Reply by First Appellate Authority CIC New Delhi against Non-Implementation o...
Reply by First Appellate Authority CIC New Delhi against Non-Implementation o...Reply by First Appellate Authority CIC New Delhi against Non-Implementation o...
Reply by First Appellate Authority CIC New Delhi against Non-Implementation o...
 
REPUBLIC OF KENYA IN THE SUPREME COURT OF KENYA AT NAIROBI
REPUBLIC OF KENYA IN THE SUPREME COURT OF KENYA AT NAIROBIREPUBLIC OF KENYA IN THE SUPREME COURT OF KENYA AT NAIROBI
REPUBLIC OF KENYA IN THE SUPREME COURT OF KENYA AT NAIROBI
 
Document-CONSENT LAUNCHING PROSECUTION
Document-CONSENT LAUNCHING PROSECUTIONDocument-CONSENT LAUNCHING PROSECUTION
Document-CONSENT LAUNCHING PROSECUTION
 
Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program InvalidatedBulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated
 
June 12 order
June 12 orderJune 12 order
June 12 order
 
Supreme Court Majority full judgment
Supreme Court Majority full judgmentSupreme Court Majority full judgment
Supreme Court Majority full judgment
 
Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...
Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...
Wisconsin: Mailed Ballots Must Once Again Be Returned By Election Day, Court ...
 
Sc on wmen in mental health ins
Sc on wmen in mental health insSc on wmen in mental health ins
Sc on wmen in mental health ins
 
Рішення ЄС щодо санкцій
Рішення ЄС щодо санкційРішення ЄС щодо санкцій
Рішення ЄС щодо санкцій
 

Similar to Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & notarissen - 9 november 2015

Judgment of the Court_ the right to be forgotten
Judgment of the Court_ the right to be forgottenJudgment of the Court_ the right to be forgotten
Judgment of the Court_ the right to be forgotten
Monica Lupașcu
 
Curia case c‑131-12 gonzalez versus google
Curia case c‑131-12 gonzalez versus googleCuria case c‑131-12 gonzalez versus google
Curia case c‑131-12 gonzalez versus google
Jan Husar
 
GRAPH: Schrems II GDPR cross-border transfers of personal data
GRAPH: Schrems II GDPR cross-border transfers of personal dataGRAPH: Schrems II GDPR cross-border transfers of personal data
GRAPH: Schrems II GDPR cross-border transfers of personal data
joanna_kornas
 
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR PerspectiveGoogle Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
David Erdos
 
Factsheet data protection_en
Factsheet data protection_enFactsheet data protection_en
Factsheet data protection_en
Greg Sterling
 

Similar to Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & notarissen - 9 november 2015 (20)

20200724 edpb faqoncjeuc31118
20200724 edpb faqoncjeuc3111820200724 edpb faqoncjeuc31118
20200724 edpb faqoncjeuc31118
 
EU-US Data Privacy Framework
EU-US Data Privacy FrameworkEU-US Data Privacy Framework
EU-US Data Privacy Framework
 
ECJ Press Release in Schrems II Decision
ECJ Press Release in Schrems II DecisionECJ Press Release in Schrems II Decision
ECJ Press Release in Schrems II Decision
 
The Data Retention Directive: recent developments
The Data Retention Directive: recent developmentsThe Data Retention Directive: recent developments
The Data Retention Directive: recent developments
 
Judgment of the Court_ the right to be forgotten
Judgment of the Court_ the right to be forgottenJudgment of the Court_ the right to be forgotten
Judgment of the Court_ the right to be forgotten
 
Curia case c‑131-12 gonzalez versus google
Curia case c‑131-12 gonzalez versus googleCuria case c‑131-12 gonzalez versus google
Curia case c‑131-12 gonzalez versus google
 
After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?
 
MÓDULO IV. INTERCEPTACIÓN DE COMUNICACIONES
MÓDULO IV. INTERCEPTACIÓN DE COMUNICACIONESMÓDULO IV. INTERCEPTACIÓN DE COMUNICACIONES
MÓDULO IV. INTERCEPTACIÓN DE COMUNICACIONES
 
GRAPH: Schrems II GDPR cross-border transfers of personal data
GRAPH: Schrems II GDPR cross-border transfers of personal dataGRAPH: Schrems II GDPR cross-border transfers of personal data
GRAPH: Schrems II GDPR cross-border transfers of personal data
 
euregs
euregseuregs
euregs
 
Eu rtbf criteria
Eu rtbf criteriaEu rtbf criteria
Eu rtbf criteria
 
EU Guidelines On The Right To Be Forgotten Implementation November 2014
EU Guidelines On The Right To Be Forgotten Implementation November 2014EU Guidelines On The Right To Be Forgotten Implementation November 2014
EU Guidelines On The Right To Be Forgotten Implementation November 2014
 
Guidelines on the implementation of the Court of Justice of the European Union
Guidelines on the implementation of the Court of Justice of the European UnionGuidelines on the implementation of the Court of Justice of the European Union
Guidelines on the implementation of the Court of Justice of the European Union
 
Data retention directive is invalid
Data retention directive is invalidData retention directive is invalid
Data retention directive is invalid
 
Will the GDPR Kibosh EU-US Discovery?
Will the GDPR Kibosh EU-US Discovery? Will the GDPR Kibosh EU-US Discovery?
Will the GDPR Kibosh EU-US Discovery?
 
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR PerspectiveGoogle Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
Google Spain and its Aftermath 2014-2023: An EU and UK GDPR Perspective
 
Judgement of the Court - Data retention Directive
Judgement of the Court - Data retention DirectiveJudgement of the Court - Data retention Directive
Judgement of the Court - Data retention Directive
 
Factsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingFactsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" ruling
 
Factsheet data protection_en
Factsheet data protection_enFactsheet data protection_en
Factsheet data protection_en
 
Factsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be ForgottenFactsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be Forgotten
 

More from Sectie Intellectueel Eigendom en IT-recht van Dirkzwager advocaten & notarissen

Seminar Actualiteiten privacyrecht 25 november 2014
Seminar Actualiteiten privacyrecht 25 november 2014Seminar Actualiteiten privacyrecht 25 november 2014
Seminar Actualiteiten privacyrecht 25 november 2014
Sectie Intellectueel Eigendom en IT-recht van Dirkzwager advocaten & notarissen
 

More from Sectie Intellectueel Eigendom en IT-recht van Dirkzwager advocaten & notarissen (15)

Presentatie actualiteiten privacyrecht 2015 10 november 2015
Presentatie actualiteiten privacyrecht 2015 10 november 2015Presentatie actualiteiten privacyrecht 2015 10 november 2015
Presentatie actualiteiten privacyrecht 2015 10 november 2015
 
Seminar Actualiteiten privacyrecht 25 november 2014
Seminar Actualiteiten privacyrecht 25 november 2014Seminar Actualiteiten privacyrecht 25 november 2014
Seminar Actualiteiten privacyrecht 25 november 2014
 
De nieuwe e-commerce regels - presentatie mr. drs. C.L.A. van der Veeken - we...
De nieuwe e-commerce regels - presentatie mr. drs. C.L.A. van der Veeken - we...De nieuwe e-commerce regels - presentatie mr. drs. C.L.A. van der Veeken - we...
De nieuwe e-commerce regels - presentatie mr. drs. C.L.A. van der Veeken - we...
 
Presentatie privacy in de arbeidsrelatie Dirkzwager advocaten & notarissen N.V.
Presentatie privacy in de arbeidsrelatie Dirkzwager advocaten & notarissen N.V.Presentatie privacy in de arbeidsrelatie Dirkzwager advocaten & notarissen N.V.
Presentatie privacy in de arbeidsrelatie Dirkzwager advocaten & notarissen N.V.
 
Presentatie E-commerce Dirkzwager advocaten & notarissen 29 september 2011
Presentatie E-commerce Dirkzwager advocaten & notarissen 29 september 2011Presentatie E-commerce Dirkzwager advocaten & notarissen 29 september 2011
Presentatie E-commerce Dirkzwager advocaten & notarissen 29 september 2011
 
Privacyseminar Dirkzwager advocaten & notarissen N.V. 11 04 07
Privacyseminar Dirkzwager advocaten & notarissen N.V. 11 04 07 Privacyseminar Dirkzwager advocaten & notarissen N.V. 11 04 07
Privacyseminar Dirkzwager advocaten & notarissen N.V. 11 04 07
 
Auteursrecht en IT - Gastcollege RU
Auteursrecht en IT - Gastcollege RU Auteursrecht en IT - Gastcollege RU
Auteursrecht en IT - Gastcollege RU
 
Workshop ict contracten in de zorg 10 11 10
Workshop ict contracten in de zorg 10 11 10Workshop ict contracten in de zorg 10 11 10
Workshop ict contracten in de zorg 10 11 10
 
Workshop inkoop IT-systemen door overheden
Workshop inkoop IT-systemen door overhedenWorkshop inkoop IT-systemen door overheden
Workshop inkoop IT-systemen door overheden
 
Webwinkels booming business
Webwinkels booming businessWebwinkels booming business
Webwinkels booming business
 
Presentatie workshop inkoop ICT door overheden Dirkzwager advocaten & notaris...
Presentatie workshop inkoop ICT door overheden Dirkzwager advocaten & notaris...Presentatie workshop inkoop ICT door overheden Dirkzwager advocaten & notaris...
Presentatie workshop inkoop ICT door overheden Dirkzwager advocaten & notaris...
 
Merkenrecht Workshop Dirkzwager & TCC 24 maart 2010
Merkenrecht Workshop Dirkzwager & TCC 24 maart 2010Merkenrecht Workshop Dirkzwager & TCC 24 maart 2010
Merkenrecht Workshop Dirkzwager & TCC 24 maart 2010
 
Presentatie wet- en regeldag Kamer van Koophandel 1 december 2009
Presentatie wet- en regeldag Kamer van Koophandel 1 december 2009Presentatie wet- en regeldag Kamer van Koophandel 1 december 2009
Presentatie wet- en regeldag Kamer van Koophandel 1 december 2009
 
Presentatie ondernemen op Internet
Presentatie ondernemen op InternetPresentatie ondernemen op Internet
Presentatie ondernemen op Internet
 
Workshop "Privacy en ICT in de zorg"
Workshop "Privacy en ICT in de zorg"Workshop "Privacy en ICT in de zorg"
Workshop "Privacy en ICT in de zorg"
 

Recently uploaded

Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
Monica Sydney
 

Recently uploaded (20)

Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 

Slides presentation RU schrems mr. drs. Mark jansen Dirkzwager advocaten & notarissen - 9 november 2015

  • 1.
  • 2. Guest Lecture. November 9th 2015 Schrems - case CoJ EU, 2015-10-06, C-362/14
  • 3.
  • 4. Agenda  Schrems v. DPC Ireland (Facebook) case (C-362/14, 2015-10-06)  What is Safe Harbor?  The facts of the case.  Decision of the European Union Court of Justice.  Implications and Solutions?
  • 5. Safe Harbor  Art. 25(1) of Directive 95/46: The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
  • 6.
  • 7. Safe Harbor  Art. 25(6) of Directive 95/46: The Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
  • 8. Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, United States (Safe Harbor) and Uruguay
  • 9. Safe Harbor  Decision 2000/520 of the Commission: 1. (…), the “Safe Harbor Privacy Principles” (…), as set out in Annex I to this Decision, implemented in accordance with the guidance provided by the frequently asked questions (…) issued by the US Department of Commerce on 21 July 2000 as set out in Annex II to this Decision are considered to ensure an adequate level of protection for personal data transferred from the Community to organisations established in the United States, (…)
  • 11. Safe Harbor  Quite popular program. (Almost) all major tech companies listed  http://safeharbor.export.gov/list.aspx
  • 12. Safe Harbor  Problem: Edward Snowden leaks information about intelligence activities of the USA in June 2013.  NSA (National Security Agency) monitors all data transferred the USA.  Can we still speak of adequate protection in a third country as meant in Directive 95/46?  This question is answered in Case C-362/14
  • 13. Facts of the case  Max Schrems, Austrian national, is a member of Facebook.  All non-US members of Facebook sign into an agreement with Facebook Ireland Ltd to become a member.  Facebook Ireland shares personal data with Facebook US.  Max Schrems is worried about his privacy, and therefore files 22 complaints with the Irish Data Protection Commissioner.
  • 14. Facts of the case  Max Schrems: “Based on revelations made by Edward Snowden concerning the National Security Agency, the law and practice in force in the USA do not ensure adequate protection of the personal data held in its territory against the surveillance activities that are engaged in there by the public authorities.”
  • 15. Facts of the case  The Irish DPC rejected the complaint, saying there was no case to answer: “Any question of the adequacy of data protection in the United States has to be determined in accordance with Decision 2000/520 and the Commission has found in that decision that the United States ensures an adequate level of protection.”
  • 16. Facts of the case  Schrems filed for a judicial review in the Irish High Court which was granted: IHC: “electronic surveillance and interception of personal data transferred (…) serve necessary and indispensable objectives in the public interest. However, it added that the revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies.”
  • 17. Facts of the case  The High Court decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling: ‘(1) Whether in the course of determining a complaint which has been made to an independent office holder (…) that personal data is being transferred to another third country (…) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?’
  • 18. Facts of the case ‘(2) Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?’
  • 19. Ruling of the CoJ  Before we go into the ruling itself, some remarkable facts…  Ruling given within two weeks (!) after the opinion of the Advocate General  Average time consumed by ECJ proceeedings in 2014 was 23,4 months  Usually a ruling is given about 1 year after the opinion  Ruling given at a time negotiations over revision of the Safe Harbor agreement were taking place  Ruling given by the Grand Chamber  Very rare, in 2014 only 8,65% of all cases
  • 20. Ruling of the CoJ  (39) ‘It is apparent from Article 1 of Directive 95/46 and recitals 2 and 10 in its preamble that that directive seeks to ensure not only effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the fundamental right to respect for private life with regard to the processing of personal data, but also a high level of protection of those fundamental rights and freedoms.’
  • 21. Ruling of the CoJ  46 (…) In that regard, Chapter IV of the directive, in which Articles 25 and 26 appear, has set up a regime intended to ensure that the Member States oversee transfers of personal data to third countries. That regime is complementary to the general regime set up by Chapter II of the directive laying down the general rules on the lawfulness of the processing of personal data (see, to this effect, judgment in Lindqvist, C-101/01, EU:C:2003:596, paragraph 63).
  • 22. Ruling of the CoJ  (47) ‘As, (…), the national supervisory authorities are responsible for monitoring compliance with the EU rules (…) each of them is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements (…).’
  • 23.
  • 24. Ruling of the CoJ  (51) ‘The Commission may adopt, on the basis of Article 25(6) of Directive 95/46, a decision finding that a third country ensures an adequate level of protection.’  (52) ‘Thus, until such time as the Commission decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, admittedly cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection.’
  • 25. Ruling of the CoJ  (54) ‘Neither Article 8(3) of the Charter nor Article 28 of Directive 95/46 excludes from the national supervisory authorities’ sphere of competence the oversight of transfers of personal data to third countries which have been the subject of a Commission decision pursuant to Article 25(6) of Directive 95/46.’  (58) ‘If that were not so, persons whose personal data has been or could be transferred to the third country concerned would be denied the right, guaranteed by Article 8(1) and (3) of the Charter, to lodge with the national supervisory authorities a claim for the purpose of protecting their fundamental rights (…)’
  • 26. Ruling of the CoJ  (61) ‘(…) the Court alone has jurisdiction to declare that an EU act, such as a Commission decision (…), is invalid, the exclusivity of that jurisdiction having the purpose of guaranteeing legal certainty by ensuring that EU law is applied uniformly (…).’
  • 27. Ruling of the CoJ  (64) In a situation where the national supervisory authority (….) rejects it, the person who lodged the claim must (…) have access to judicial remedies enabling him to challenge such a decision adversely affecting him before the national courts.  (…), those courts must stay proceedings and make a reference to the Court for a preliminary ruling on validity where they consider that one or more grounds for invalidity put forward by the parties or, as the case may be, raised by them of their own motion are well founded (…)
  • 28. Ruling of the CoJ  Answer(s) to the preliminary questions: (66) ‘(…) a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State (…) from examining the claim (…) when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.’
  • 29. Ruling of the CoJ The preliminary questions are answered BUT The Court of Justice continues:  (67) ‘(…) having regard to what has been held in paragraphs 60 to 63 of the present judgment and in order to give the referring court a full answer, it should be examined whether that decision [2005/520] complies with the requirements stemming from Directive 95/46 read in the light of the Charter.’
  • 30. Ruling of the CoJ  (73) ‘The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, (…) must be understood as requiring the third country in fact to ensure (…) a level of protection (…) that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter. (…)’
  • 31. Ruling of the CoJ  (75 – 76) The Commission must assess the content of the applicable rules in a third country resulting from its domestic law or international commitments and the practice designed to ensure compliance with those rules. The Commission must also check periodically whether the findings relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified.
  • 32. Ruling of the CoJ  The Court of Justice continues with checking the validity of Decision 200/520
  • 33. Ruling of the CoJ  (81) ‘Whilst recourse by a third country to a system of self- certification is not in itself contrary to the requirements (…) the reliability of such a system (…) is founded essentially on the establishment of effective detection and supervision mechanisms enabling any infringements of the rules (…) to be identified and punished in practice.’  (82) ‘(…)Those principles are therefore applicable solely to self- certified United States organisations receiving personal data from the European Union, and United States public authorities are not required to comply with them.’
  • 34. Ruling of the CoJ  (86) ‘Thus, Decision 2000/520 lays down that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbor principles, primacy pursuant to which self- certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them.’
  • 35. Ruling of the CoJ  (88-89) Decision 2000/520 does not contain any finding regarding the existence of rules adopted by the State intended to limit any interference with the fundamental rights; interference which the State entities would be authorised to engage in when they pursue legitimate objectives, such as national security. The Decision also does not refer to the existence of effective legal protection against interference of that kind.
  • 36. Ruling of the CoJ  (93) ‘Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail (…).’
  • 37. Ruling of the CoJ  (94-95) Legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life. Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection.
  • 38. Ruling of the CoJ  (98) ‘Consequently, without there being any need to examine the content of the safe harbor principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid.’  (99-104) Because Article 3(1) of Decision 2000/520 denies national supervisory authorities some powers which they derive from Article 28 of Directive 95/46, the Commission has exceeded its powers, which makes Article 3 of the Decision invalid.  (106) ‘Having regard to all the foregoing considerations, it is to be concluded that Decision 2000/520 is invalid.’
  • 39. Ruling of the CoJ Europe-v-Facebook.org / Business Insider
  • 40. Summary (1/2)  Summary:  transfer of personal data = processing;  National DPA’s have the authority to check transfers from their soil;  EC adequacy findings are binding until declared invalid by the Court;  DPA’s need to investigate complaints about EC adequacy findings and initiate domestic proceedings if they find the complaint to have merit;  The person who lodged the claim must have judicial remedies available if DPA denies complaint;
  • 41. Summary (2/2)  Summary:  Adequate level = level essentially equivalent to EU level;  Adequacy needs to be reevaluated periodically;  Adequacy level needs to have basis in domestic legal system of third country;  Exceptions to interference with EU fundamental rights needs to be in accordance with principles set out by court;
  • 42. Implications and Solutions  The CoJ basically ruled that the USA is not a safe country to transfer personal data to.  Major implications for many internet companies (i.e. Facebook, Apple, Twitter, Yahoo, Microsoft, Amazon)  Are there any solutions?
  • 43. Implications and Solutions  Solution 1: the USA should change it’s legislation?
  • 44. Implications and Solutions  Solution 2: Explicit consent of the consumer/person to transfer its personal data to the USA?
  • 45. Implications and Solutions  Solution 3: Use of EC model contracts?
  • 46. Implications and Solutions  Solution 4: Pseudonimization and anonymization?
  • 47. Implications and Solutions  Solution 5: transfer data back to EU? Keep data in EU?
  • 48.
  • 50. Implications and Solutions  And what about other countries (currently) deemed to have an adequate level of protection?
  • 51. Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay
  • 53. Contact details Mark Jansen m.jansen@dirkzwager.nl +31 26 353 83 67 www.dirkzwagerieit.nl (in Dutch) @ieitrecht
  • 54. Verantwoording In deze presentatie wordt algemene en beknopte informatie verstrekt over een aantal juridisch relevante ontwikkelingen. Niet beoogd is om hiermee juridisch advies te geven voor concrete situaties. Hoewel veel zorg is besteed aan het opstellen van deze presentatie, aanvaardt Dirkzwager advocaten & notarissen N.V. geen aansprakelijkheid voor de inhoud ervan.
  • 55. Actuele kennis van wet- en regelgeving Jurispruden tie Dirkzwager zorgt dat u het weet. Advocatuur Arnhem Postbus 3045 6802 DA Arnhem Kantoor Velperpoort Velperweg 1 6824 BZ Arnhem T +31 (0)26 353 83 00 F +31 (0)26 351 07 93 E info@dirkzwager.nl I www.dirkzwager.nl Postbus 111 6800 AC Arnhem Kantoor Velperpoort Verlperweg 1 6824 BZ Arnhem T +31 (0)26 365 55 55 F +31 (0)26 365 55 00 E info@dirkzwager.nl I www.dirkzwager.nl Postbus 55 6500 AB Nijmegen Kantoor Stella Maris Van Schaeck Mathonsingel 4 6512 AN Nijmegen T +31 (0)24 381 31 31 F +31 (0)24 322 20 74 E info@dirkzwager.nl I www.dirkzwager.nl Postbus 1104 6501 BC Nijmegen Kantoor Stella Maris Van Schaeck Mathonsingel 4 6512 AN Nijmegen T +31 (0)24 381 27 27 F +31 (0)24 324 07 26 E info@dirkzwager.nl I www.dirkzwager.nl