by WTC Guest Bloggers Louis Dejoie and Thomas Markey, McNees, Wallace & Nurick LLC
On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated a Safe Harbor provision that allowed companies to transfer personal data from within the EU to the US, finding that the Safe Harbor failed to adequately protect EU citizens’ privacy. The CJEU’s ruling left many companies, which relied on the Safe Harbor to conduct business, in legal limbo. On February 2, 2016, in a step toward legal clarity for businesses and consumers, the EU and US agreed in principle to implement a new Privacy Shield.
The new Privacy Shield addresses several shortcomings that led to the Safe Harbor’s invalidation. First, according to the European Commission’s press release, before importing personal data from the EU, US companies must commit to “robust obligations on how personal data is processed and individual rights are guaranteed.” Second, “the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.” Third, EU citizens will have redress procedures they can follow if they suspect their data has been misused.
Details regarding the Privacy Shield, however, remain sparse. The European Commission’s next step is to prepare an “adequacy decision,” and regulatory changes must occur in the US. Additionally, the Article 29 Working Party—a group of EU data regulators—will evaluate the Privacy Shield and has insisted on receiving all related documents by the end of February. As these events transpire, companies remain in a state of limbo in which they can rely on neither the invalid Safe Harbor nor the yet-to-be-implemented Privacy Shield.
After the Safe Harbor’s invalidation, the primary methods for legalizing transatlantic data transfers became data protection clauses in contracts between data-sharing companies and binding, regulator-approved corporate rules for transfers between subsidiaries and/or parent companies. The Working Party indicated in a statement that regulators will continue to treat standard contractual clauses and binding corporate rules as legal data-transfer methods until the Working Party has time to fully analyze the Privacy Shield. The Working Party expects to complete its analysis in mid-April. The Working Party will also assess the continued legality of standard contractual clauses and binding corporate rules. Any companies relying on the Safe Harbor, however, may now be subject to enforcement actions, which regulators informally suspended until January 31, 2016.
In summary, announcement of the Privacy Shield has not resolved the legal uncertainty regarding EU-US data transfers. The Privacy Shield must be implemented on both sides of the Atlantic, and may face court challenges from privacy advocates who feel the new safeguards remain inadequate. Companies that regularly transfer data from the EU to the US should continue to monitor implementation of the Privacy Shield and the legal adequacy of standard contractual clauses and binding corporate resolutions in the future.
Click here to view the original article.
Click here to learn more about the firm's Privacy & Data group.
Subscribe to:
Post Comments (Atom)
2023 Summer Fancy Food Show
2023 SFFA Summer Fancy Food Show 2023 by Lance Thompson on Jun 29, 2023 June 27th marks the conclusion of another great show held by the ...
-
Posted by Hannah Copenheaver WTC Intern Our Business Travel Roundtable was held in the morning of Friday, February 22 nd at the WTC Of...
-
2023 SFFA Summer Fancy Food Show 2023 by Lance Thompson on Jun 29, 2023 June 27th marks the conclusion of another great show held by the ...
-
Bringing the World to PA 2022 The World Trade Center Harrisburg in conjunction with the Pennsylvania’s Department of Community and Economi...
No comments:
Post a Comment