C&GNEWS
US-EU Data Privacy Safe Harbor Program Invalidated
On October 6, 2015, the European Court of Justice ("ECJ") invalidated the safe harbor program
negotiated between the United States Department of Commerce and the European Commission
pursuant to which safe harbor-registered United States companies have processed personal data
transferred from the EU within the United States since 2000 (the "Safe Harbor"). The ECJ's
decision has left a wave of uncertainty in its wake about whether US companies have any right to
process personal data transferred from the EU (including customer data, employee data, and data
processed on behalf of other companies as a service provider) without facing claims from EU data
subjects under the EU Privacy Directive.[1]
The EU Privacy Directive prohibits the transfer of personal data outside of the European Union for
processing unless the data is transferred to a non-EU country (a so-called "Third Country") where
the EU Commission has found that the Third Country ensures the privacy of personal data to EU
standards by reason of its domestic law or its international commitments.
The US and the EU differ in their respective approaches to data privacy principles, and the US is thus
not a Third Country that is considered to have enacted domestic laws that ensure the privacy of
personal data to EU standards.
However, the Safe Harbor negotiated between the US Department of Commerce and the EU
Commission, which established a legal framework for transfer of data from the EU to the US for
processing in compliance with the EU Privacy Directive, appeared to qualify the US under the "by reason of
its international commitments" provision, permitting transfer of data from the EU for processing in
the US.
With its decision in the case of "Maximillian Schrems v Data Protection Commissioner" on October 6,
2015, the European Court of Justice has not only invalidated the Safe Harbor, but also cast some
degree of doubt on whether any binding arrangement regarding processing of data in the US may
ever be negotiated by the United States government at the EU level, for so long as the US insists on
bulk data collection/mass surveillance practices by US law enforcement and intelligence agencies,
such as those authorized under the Patriot Act.
Companies that relied on the Safe Harbor to process data transferred from the EU are now on
uncertain ground. Companies that process HR, payroll or other data on their own employees in the
EU may nonetheless start to face questions, objections or claims from EU employees, or workers’
councils regarding the potential transfer of employee data out of the EU for processing in the United
States. Just as Facebook received a challenge by an end-user in the Schrems case, companies
processing customer data transferred from the EU to the United States may start to face pressure
from customers, employees and/or workers' councils to set up data centers in the EU so that data
can be processed without leaving the EU.
[1] EU Directive 95/46/EC
A few additional thoughts in terms of context and meaning to the ECJ's Schrems decision:
1. Companies rely on the Safe Harbor to process not only information collected from external
parties such as customers, but also to process employee data such as HR or payroll.
2. The ECJ invalidated the Safe Harbor, in part, on a technicality stating that the EU Commission
had only examined the adequacy of the Safe Harbor as it pertains to private parties without ever
meeting the actual requirement under the EU Privacy Directive to issue a finding that the United
States affirmatively meets the requirement of ensuring, by reason of US domestic law or the US’s
international commitments, a level of privacy protection equivalent to EU standards.
3. Although the discussion of the technicality above might appear to leave the door open for the EU
Commission to issue a formal finding that the Safe Harbor constitutes an international
commitment by the US that meets the requisite criteria for ensuring privacy equivalent to EU
standards, the ECJ did not stop with its discussion of the technicality. After declaring as invalid the
EU Commission’s Decision putting the Safe Harbor in place, the ECJ noted that the Safe Harbor
expressly includes provisions requiring Safe Harbor companies to comply with national security,
public interest requirements or other domestic legislation of the United States, even where such
compliance is contrary to Safe Harbor principles. Without ever mentioning the Patriot Act by
name, or the Edward Snowden leaks regarding mass data collection by US intelligence agencies, the
ECJ stated that domestic legislation that “authorizes, on a generalized basis, storage of all personal
data of all persons whose data has been transferred from the European Union to the United States
without any differentiation, limitation or exception being made in light of the objective pursued and
without an objective criterion being laid down by which to determine the limits of the access of the
public authorities to the data…must be regarded as compromising the essence of the fundamental
right to respect for private life.”[2] In doing so, the ECJ casts doubt on whether or not any agreement
between the United States and the EU Commission will ever satisfy the requirements of the EU
Privacy Directive so long as the United States has laws in place that authorize mass data collection
by law enforcement and intelligence agencies such as that authorized by the Patriot Act.
4. The ECJ’s decision to invalidate the Safe Harbor is final, binding and cannot be appealed.
5. Please note that, depending on the nature of the personal data being processed, and the nature of
the data subjects to whom the data pertains, there may be alternative ways to transfer data from the
EU for processing in the United States in compliance with the EU Privacy Directive. Two of the
more prevalent means under the EU Privacy Directive consist of obtaining the express, informed
consent of the data subject and/or negotiating a private agreement (more often used where data is
being transferred business-to-business). Each of these alternatives can be challenging from a
practical standpoint, and one could argue that the ECJ’s references to fundamental incompatibility
between US bulk data collection by law enforcement/intelligence agencies and EU privacy
principles in the Schrems decision will further complicate questions regarding the scope of
disclosure necessary to obtain a data subject’s informed consent and whether even a private
agreement will continue to be an adequate basis for processing EU data in the United States.
[2] “Maximillian Schrems v Data Protection Commissioner”, European Court of Justice Case C-362/14, Judgment of the Court, October 6, 2015, Paragraphs 93 – 94, available online at http://curia.europa.eu/juris/documents.jsf?num=C-362/14
6. The United States Department of Commerce has issued a statement[3] in response to the ECJ’s
Schrems decision noting an urgent need for a new Safe Harbor framework. However, as stated
above, aspects of the ECJ’s decision in this case may make reaching any meaningful agreement with
the EU Commission on a new Safe Harbor very challenging, at least so long as the United States
maintains its insistence on the continued scope of data collection practices by US law
enforcement/intelligence agencies for national security purposes.
We will continue to monitor developments, but we encourage our clients who have registered for
the Safe Harbor to be proactive in taking stock of the nature and scope of data transferred from the
EU for processing in the United States, to be prepared to discuss privacy implications with EU
based employees and customers, and perhaps be prepared to budget for network architecture changes
that may be required in the wake of the invalidation of the Safe Harbor.
The ECJ’s Press Release on the Schrems decision may be found online at
http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf.
The full text of the Schrems decision may be found online at
http://curia.europa.eu/juris/documents.jsf?num=C-362/14
The US Department of Commerce’s statement in response to the Schrems decision was published
online at https://www.commerce.gov/news/press-releases/2015/10/statement-us-secretary-commerce-penny-pritzker-european-court-justice
For further information, please contact your Cohen & Grigsby attorney.
Copyright © 2015 by Cohen & Grigsby, P.C. (No claim to original US or EU Governmental material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Cohen & Grigsby, P.C. and is intended to alert the
recipients to new developments in the area of privacy law. The hiring of a lawyer is an important decision that should not be based solely on
advertisements. Before you decide, ask us to send you free written information about Cohen & Grigsby’s qualifications and experience.
[3] “Statement from U.S. Secretary of Commerce Penny Pritzker on European Court of Justice Safe Harbor Framework
Decision”, October 6, 2015, available at https://www.commerce.gov/news/press-releases/2015/10/statement-us-secretary-commerce-penny-pritzker-european-court-justice

More Related Content

What's hot

Artikel demystifying germany_ma
Artikel demystifying germany_maArtikel demystifying germany_ma
Artikel demystifying germany_maMartin Arendts
 
Report of the advisory committee to google on the right to be forgotten
Report of the advisory committee to google on the right to be forgottenReport of the advisory committee to google on the right to be forgotten
Report of the advisory committee to google on the right to be forgottenGreg Sterling
 
Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013Greg Sterling
 
EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data...
 EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data... EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data...
EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data...European Data Forum
 
New EPA Rule to prevent untreated frack wastewater from being processed by mu...
New EPA Rule to prevent untreated frack wastewater from being processed by mu...New EPA Rule to prevent untreated frack wastewater from being processed by mu...
New EPA Rule to prevent untreated frack wastewater from being processed by mu...Marcellus Drilling News
 

What's hot (7)

Artikel demystifying germany_ma
Artikel demystifying germany_maArtikel demystifying germany_ma
Artikel demystifying germany_ma
 
Report of the advisory committee to google on the right to be forgotten
Report of the advisory committee to google on the right to be forgottenReport of the advisory committee to google on the right to be forgotten
Report of the advisory committee to google on the right to be forgotten
 
ECDC – TESSy data access policy, Gaetan Guyodo (ECDC)
ECDC – TESSy data access policy, Gaetan Guyodo (ECDC)ECDC – TESSy data access policy, Gaetan Guyodo (ECDC)
ECDC – TESSy data access policy, Gaetan Guyodo (ECDC)
 
EuroCases
EuroCases EuroCases
EuroCases
 
Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013Google inc-enforcement-notice-11062013
Google inc-enforcement-notice-11062013
 
EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data...
 EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data... EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data...
EDF2013: Selected Talk: František Nonnemann: Re-use of PSI and Personal Data...
 
New EPA Rule to prevent untreated frack wastewater from being processed by mu...
New EPA Rule to prevent untreated frack wastewater from being processed by mu...New EPA Rule to prevent untreated frack wastewater from being processed by mu...
New EPA Rule to prevent untreated frack wastewater from being processed by mu...
 

Viewers also liked

Are Universities Sticky-Evidence from Linkedin Users
Are Universities Sticky-Evidence from Linkedin UsersAre Universities Sticky-Evidence from Linkedin Users
Are Universities Sticky-Evidence from Linkedin UsersJing Deng
 
Severin- Resume 5-29-15
Severin-  Resume 5-29-15Severin-  Resume 5-29-15
Severin- Resume 5-29-15Pat Severin
 
Cohen & Grigsby Family Day 2015
Cohen & Grigsby Family Day 2015Cohen & Grigsby Family Day 2015
Cohen & Grigsby Family Day 2015CohenGrigsby
 
Tessy Plastics Research
Tessy Plastics ResearchTessy Plastics Research
Tessy Plastics ResearchEmily Carroll
 
SEC Adopts "Pay Ratio" Disclosure Rule
SEC Adopts "Pay Ratio" Disclosure RuleSEC Adopts "Pay Ratio" Disclosure Rule
SEC Adopts "Pay Ratio" Disclosure RuleCohenGrigsby
 
Life in africa
Life in africaLife in africa
Life in africadelatoeho
 
Attorney Christopher Davies Summarizes Recent Changes in Condo and HOA Law in...
Attorney Christopher Davies Summarizes Recent Changes in Condo and HOA Law in...Attorney Christopher Davies Summarizes Recent Changes in Condo and HOA Law in...
Attorney Christopher Davies Summarizes Recent Changes in Condo and HOA Law in...CohenGrigsby
 
CHANNEL MANAGEMENT CHECKLIST
CHANNEL MANAGEMENT CHECKLISTCHANNEL MANAGEMENT CHECKLIST
CHANNEL MANAGEMENT CHECKLISTPradeep Banerjee
 
Coca cola presentation
Coca cola presentationCoca cola presentation
Coca cola presentationadvtech2012
 
Specialolympics powerpoint
Specialolympics powerpointSpecialolympics powerpoint
Specialolympics powerpointadvtech2012
 
NexTier Merges with Eureka Financial
NexTier Merges with Eureka FinancialNexTier Merges with Eureka Financial
NexTier Merges with Eureka FinancialCohenGrigsby
 

Viewers also liked (17)

Prezentacja1
Prezentacja1Prezentacja1
Prezentacja1
 
Are Universities Sticky-Evidence from Linkedin Users
Are Universities Sticky-Evidence from Linkedin UsersAre Universities Sticky-Evidence from Linkedin Users
Are Universities Sticky-Evidence from Linkedin Users
 
Severin- Resume 5-29-15
Severin-  Resume 5-29-15Severin-  Resume 5-29-15
Severin- Resume 5-29-15
 
Cohen & Grigsby Family Day 2015
Cohen & Grigsby Family Day 2015Cohen & Grigsby Family Day 2015
Cohen & Grigsby Family Day 2015
 
Tessy Plastics Research
Tessy Plastics ResearchTessy Plastics Research
Tessy Plastics Research
 
Art in the Barn
Art in the BarnArt in the Barn
Art in the Barn
 
SEC Adopts "Pay Ratio" Disclosure Rule
SEC Adopts "Pay Ratio" Disclosure RuleSEC Adopts "Pay Ratio" Disclosure Rule
SEC Adopts "Pay Ratio" Disclosure Rule
 
Life in africa
Life in africaLife in africa
Life in africa
 
Attorney Christopher Davies Summarizes Recent Changes in Condo and HOA Law in...
Attorney Christopher Davies Summarizes Recent Changes in Condo and HOA Law in...Attorney Christopher Davies Summarizes Recent Changes in Condo and HOA Law in...
Attorney Christopher Davies Summarizes Recent Changes in Condo and HOA Law in...
 
Prezentacja1
Prezentacja1Prezentacja1
Prezentacja1
 
animal teeth
animal teethanimal teeth
animal teeth
 
CHANNEL MANAGEMENT CHECKLIST
CHANNEL MANAGEMENT CHECKLISTCHANNEL MANAGEMENT CHECKLIST
CHANNEL MANAGEMENT CHECKLIST
 
Just.net
Just.netJust.net
Just.net
 
Fisika
FisikaFisika
Fisika
 
Coca cola presentation
Coca cola presentationCoca cola presentation
Coca cola presentation
 
Specialolympics powerpoint
Specialolympics powerpointSpecialolympics powerpoint
Specialolympics powerpoint
 
NexTier Merges with Eureka Financial
NexTier Merges with Eureka FinancialNexTier Merges with Eureka Financial
NexTier Merges with Eureka Financial
 

Similar to Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated

After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?Seb Oram
 
Data Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborData Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborGayle Gorvett
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 
Att. patrizia giannini fordham university new york 19 july 2013 - electroni...
Att. patrizia giannini   fordham university new york 19 july 2013 - electroni...Att. patrizia giannini   fordham university new york 19 july 2013 - electroni...
Att. patrizia giannini fordham university new york 19 july 2013 - electroni...Amministratore Bluefactor
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSHAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSThomas O. Dubuisson
 
How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023TrustArc
 
Cours CyberSécurité - Privacy
Cours CyberSécurité - PrivacyCours CyberSécurité - Privacy
Cours CyberSécurité - PrivacyFranck Franchin
 
Factsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be ForgottenFactsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be ForgottenEdouard Nguyen
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
Factsheet data protection_en
Factsheet data protection_enFactsheet data protection_en
Factsheet data protection_enGreg Sterling
 
Factsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingFactsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingSilesia SEM
 
Data_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKData_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKSally Hunt
 
Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16Agustin Argelich Casals
 
Data Protection Adequacy and the Investigatory Powers Act
Data Protection Adequacy and the Investigatory Powers ActData Protection Adequacy and the Investigatory Powers Act
Data Protection Adequacy and the Investigatory Powers ActGraham Smith
 

Similar to Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated (20)

Evertio Schrems II
Evertio Schrems IIEvertio Schrems II
Evertio Schrems II
 
After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?
 
Data Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborData Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe Harbor
 
20200724 edpb faqoncjeuc31118
20200724 edpb faqoncjeuc3111820200724 edpb faqoncjeuc31118
20200724 edpb faqoncjeuc31118
 
EU-US Data Privacy Framework
EU-US Data Privacy FrameworkEU-US Data Privacy Framework
EU-US Data Privacy Framework
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data Privacy
 
Att. patrizia giannini fordham university new york 19 july 2013 - electroni...
Att. patrizia giannini   fordham university new york 19 july 2013 - electroni...Att. patrizia giannini   fordham university new york 19 july 2013 - electroni...
Att. patrizia giannini fordham university new york 19 july 2013 - electroni...
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...
 
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSHAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
 
How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023
 
Cours CyberSécurité - Privacy
Cours CyberSécurité - PrivacyCours CyberSécurité - Privacy
Cours CyberSécurité - Privacy
 
Factsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be ForgottenFactsheet data protection and Right to be Forgotten
Factsheet data protection and Right to be Forgotten
 
Right to be forgotten en
Right to be forgotten enRight to be forgotten en
Right to be forgotten en
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
 
Factsheet data protection_en
Factsheet data protection_enFactsheet data protection_en
Factsheet data protection_en
 
Factsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" rulingFactsheet on the "Right to be Forgotten" ruling
Factsheet on the "Right to be Forgotten" ruling
 
Data_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKData_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UK
 
FINAL REPORT
FINAL REPORTFINAL REPORT
FINAL REPORT
 
Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16
 
Data Protection Adequacy and the Investigatory Powers Act
Data Protection Adequacy and the Investigatory Powers ActData Protection Adequacy and the Investigatory Powers Act
Data Protection Adequacy and the Investigatory Powers Act
 

Recently uploaded

Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceLaw360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceMichael Cicero
 
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书1k98h0e1
 
Arbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaArbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaNafiaNazim
 
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书SD DS
 
如何办理佛蒙特大学毕业证学位证书
 如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书Fir sss
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection  of Human Rights (Discuss Transparen...Good Governance Practices for protection  of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...shubhuc963
 
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一jr6r07mb
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession:  A HistoryJohn Hustaix - The Legal Profession:  A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix
 
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书SD DS
 
如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书Fir L
 
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书SD DS
 
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书Sir Lt
 
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfMilind Agarwal
 
国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》
国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》
国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》o8wvnojp
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesHome Tax Saver
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书Fir L
 
Trial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionTrial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionNilamPadekar1
 
如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书Fir L
 

Recently uploaded (20)

Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics GuidanceLaw360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
Law360 - How Duty Of Candor Figures In USPTO AI Ethics Guidance
 
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
 
Arbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaArbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in India
 
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
 
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
 
如何办理佛蒙特大学毕业证学位证书
 如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection  of Human Rights (Discuss Transparen...Good Governance Practices for protection  of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...
 
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession:  A HistoryJohn Hustaix - The Legal Profession:  A History
John Hustaix - The Legal Profession: A History
 
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
 
如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书
 
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
 
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
young Call Girls in  Pusa Road🔝 9953330565 🔝 escort Serviceyoung Call Girls in  Pusa Road🔝 9953330565 🔝 escort Service
young Call Girls in Pusa Road🔝 9953330565 🔝 escort Service
 
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
 
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
 
国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》
国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》
国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax Rates
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
 
Trial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionTrial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 sedition
 
如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书
 

Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated

  • 1. C&GNEWS Page 1111 of 3333 USUSUSUS----EU Data Privacy Safe HarborEU Data Privacy Safe HarborEU Data Privacy Safe HarborEU Data Privacy Safe Harbor Program InvalidatedProgram InvalidatedProgram InvalidatedProgram Invalidated On October 6, 2015, the European Court of Justice ("ECJ") invalidated the safe harbor program negotiated between the United States Department of Commerce and the European Commission pursuant to which safe harbor-registered United States companies have processed personal data transferred from the EU within the United States since 2000 (the "Safe Harbor"). The ECJ's decision has left a wave of uncertainty in its wake about whether US companies have any right to process personal data transferred from the EU (including customer data, employee data, and data processed on behalf of other companies as a service provider) without facing claims from EU data subjects under the EU Privacy Directive1 . The EU Privacy Directive prohibits the transfer of personal data outside of the European Union for processing unless the data is transferred to a non-EU country (a so-called "Third Country") where the EU Commission has found that the Third Country ensures the privacy of personal data to EU standards by reason of its domestic law or its international commitments. The US and the EU differ on their respective approach to data privacy principles and the US is thus not a Third County that is considered to have enacted domestic laws that ensure the privacy of personal data to EU standards. However, the Safe Harbor negotiated between the US Department of Commerce and the EU Commission establishing a legal framework for transfer of data from the EU to the US for processing in compliance with the EU Privacy Directive, appeared to qualify the US "by reason of its international commitments" provision permitting transfer of data from the EU for processing in the US. 
With its decision in the case of "Maximillian Schrems v Data Protection Commissioner" on October 6, 2015, the European Court of Justice has not only invalidated the Safe Harbor, but also cast some degree of doubt on whether any binding arrangement regarding processing of data in the US may ever be negotiated by the United States government at the EU level, for so long as the US insists on bulk data collection/mass surveillance practices by US law enforcement and intelligence agencies, such as those authorized under the Patriot Act.

Companies that relied on the Safe Harbor to process data transferred from the EU are now on uncertain ground. Companies that process HR, payroll or other data on their own employees in the EU may nonetheless start to face questions, objections or claims from EU employees or workers’ councils regarding the potential transfer of employee data out of the EU for processing in the United States. Just as Facebook received a challenge by an end-user in the Schrems case, companies processing customer data transferred from the EU to the United States may start to face pressure from customers, employees and/or workers' councils to set up data centers in the EU so that data can be processed without leaving the EU.

[1] EU Directive 95/46/EC

A few additional thoughts in terms of context and meaning to the ECJ's Schrems decision:

1. Companies rely on the Safe Harbor not only to process information collected from external parties such as customers, but also to process employee data such as HR or payroll.

2. The ECJ invalidated the Safe Harbor, in part, on a technicality, stating that the EU Commission had only examined the adequacy of the Safe Harbor as it pertains to private parties without ever meeting the actual requirement under the EU Privacy Directive to issue a finding that the United States affirmatively meets the requirement of ensuring, by reason of US domestic law or the US’s international commitments, a level of privacy protection equivalent to EU standards.

3. Although the discussion of the technicality above might appear to leave the door open for the EU Commission to issue a formal finding that the Safe Harbor constitutes an international commitment by the US that meets the requisite criteria for ensuring privacy equivalent to EU standards, the ECJ did not stop with its discussion of the technicality.
After declaring as invalid the EU Commission’s Decision putting the Safe Harbor in place, the ECJ noted that the Safe Harbor expressly includes provisions requiring Safe Harbor companies to comply with national security, public interest requirements or other domestic legislation of the United States, even where such compliance is contrary to Safe Harbor principles. Without ever mentioning the Patriot Act by name, or the Edward Snowden leaks regarding mass data collection by US intelligence agencies, the ECJ stated that domestic legislation that “authorizes, on a generalized basis, storage of all personal data of all persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data…must be regarded as compromising the essence of the fundamental right to respect for private life.”[2] In doing so, the ECJ casts doubt on whether any agreement between the United States and the EU Commission will ever satisfy the requirements of the EU Privacy Directive so long as the United States has laws in place that authorize mass data collection by law enforcement and intelligence agencies such as that authorized by the Patriot Act.

4. The ECJ’s decision to invalidate the Safe Harbor is final, binding and cannot be appealed.

5. Please note that, depending on the nature of the personal data being processed, and the nature of the data subjects to whom the data pertains, there may be alternative ways to transfer data from the EU for processing in the United States in compliance with the EU Privacy Directive.
Two of the more prevalent means under the EU Privacy Directive consist of obtaining the express, informed consent of the data subject and/or negotiating a private agreement (more often used where data is being transferred business-to-business). Each of these alternatives can be challenging from a practical standpoint, and one could argue that the ECJ’s references to fundamental incompatibility between US bulk data collection by law enforcement/intelligence agencies and EU privacy principles in the Schrems decision will further complicate questions regarding the scope of disclosure necessary to obtain a data subject’s informed consent and whether even a private agreement will continue to be an adequate basis for processing EU data in the United States.

6. The United States Department of Commerce has issued a statement[3] in response to the ECJ’s Schrems decision noting an urgent need for a new Safe Harbor framework. However, as stated above, aspects of the ECJ’s decision in this case may make reaching any meaningful agreement with the EU Commission on a new Safe Harbor very challenging, at least so long as the United States maintains its insistence on the continued scope of data collection practices by US law enforcement/intelligence agencies for national security purposes.

We will continue to monitor developments, but we encourage our clients who have registered for the Safe Harbor to be proactive in taking stock of the nature and scope of data transferred from the EU for processing in the United States, to be prepared to discuss privacy implications with EU based employees and customers, and perhaps be prepared to budget for network architecture changes that may be required in the wake of the invalidation of the Safe Harbor.

The ECJ’s Press Release on the Schrems decision may be found online at http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf.

The full text of the Schrems decision may be found online at http://curia.europa.eu/juris/documents.jsf?num=C-362/14

The US Department of Commerce’s statement in response to the Schrems decision was published online at https://www.commerce.gov/news/press-releases/2015/10/statement-us-secretary-commerce-penny-pritzker-european-court-justice

For further information, please contact your Cohen & Grigsby attorney.

Copyright © 2015 by Cohen & Grigsby, P.C. (No claim to original US or EU Governmental material.) All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Cohen & Grigsby, P.C. and is intended to alert the recipients to new developments in the area of privacy law. The hiring of a lawyer is an important decision that should not be based solely on advertisements. Before you decide, ask us to send you free written information about Cohen & Grigsby’s qualifications and experience.

[2] “Maximillian Schrems v Data Protection Commissioner”, European Court of Justice Case C-362/14, Judgment of the Court, October 6, 2015, Paragraphs 93 – 94, available online at http://curia.europa.eu/juris/documents.jsf?num=C-362/14

[3] “Statement from U.S. Secretary of Commerce Penny Pritzker on European Court of Justice Safe Harbor Framework Decision”, October 6, 2015, available at https://www.commerce.gov/news/press-releases/2015/10/statement-us-secretary-commerce-penny-pritzker-european-court-justice