South Africa’s Protection of Personal Information Act 2013 (POPI) is largely based on the principles of the EU data protection directive. This includes the requirement that personal information must be adequately protected when transferred cross-border (assuming none of the other grounds apply).
October 2015
U.S. and Europe at a Privacy Crossroads – IAPP New York KnowledgeNet event
On Wednesday, November 18, Boris Segalis, who co-chairs Norton Rose Fulbright’s Data Protection, Privacy and Cybersecurity practice in the U.S. will participate in an IAPP KnowledgeNet panel to discuss topics on the international agenda including Safe Harbor, the …
No Safe Harbor: Implications of the European Schrems decision – conference call
On Wednesday, October 14, 2015, Norton Rose Fulbright attorneys Marcus Evans, Jay Modrall and Boris Segalis will lead a conference call to discuss the implications of the Schrems case, which invalidated the EU-US Safe Harbor Decision.
New HIPAA compliance resource available to mobile health app developers
As we reported on the Health Law Pulse blog, the HHS Office of Civil Rights (OCR) has unveiled a new resource to provide mobile health developers guidance on complying with applicable Health Information Portability and Accountability Act (HIPAA) requirements.…
CJEU decision in Schrems: what businesses should do next
This week, the Court of Justice of the European Union (“CJEU”) ruled that the EU-US Safe Harbor Decision is invalid in Case C-362/14 (the “Schrems” case). This followed a similar opinion from its Advocate General, which also sets out the facts of the case.
The decision will impact businesses that rely on the EU-US Safe Harbor to legitimize their storage in, or access from, the US of personal data that is subject to EU data protection rules. It could affect cloud service providers, companies that use cloud services, intragroup shared services and any other export flows to the US that rely on Safe Harbor for data transfer.
In this post we look at what the CJEU decided and on what grounds, and what affected businesses should do next.
Schrems: Commission holds press conference on ECJ ruling invalidating the Commission’s Safe Harbor Decision
As discussed in our post earlier, in today’s ruling on Case C-362/14 (the so-called “Schrems” case), the European Court of Justice (ECJ) invalidated the EU Commission’s “US Safe Harbor” decision with immediate effect. In the meantime, the EU Commission held a press conference discussing the impact of the judgement.
Schrems: ECJ invalidates the Commission’s Safe Harbor Decision
The European Court of Justice (ECJ) ruled on Case C-362/14 (the Schrems case) earlier today, 6 October 2015. In its ruling, the ECJ – among other things – held that the EU Commission’s “US Safe Harbor” decision is invalid.
Day-after-Safe Harbor action plan: anticipating ECJ Schrems decision
As we have written extensively, the European Court of Justice’s (ECJ’s) ruling in the Schrems case on October 6, 2015 may effectively invalidate the US-EU Safe Harbor framework. While we believe that the Advocate General’s rationale for the proposal is weak, organizations that rely on the Safe Harbor are anxious about the consequences such a decision could have on their operations, and want to make appropriate mitigation plans.
UK Hedge Fund Standards Board issues cybersecurity guidance
The UK Hedge Fund Standards Board (HFSB) announced on September 17, 2015, that it has added a “Cybersecurity Memo” to its Toolbox function. The Toolbox provides guidance to managers, investors, and fund directors on fund-related issues such as governance, internal processing, and reporting. The Toolbox acts as a complement to the HFSB’s standard-setting activities.
Schrems Counterpoint: ECJ has good reasons to reject Safe Harbor invalidation
The European Court of Justice (ECJ) is expected to rule on Case C-362/14 (the “Schrems” case) on October 6, 2015. In deciding whether to reject or adopt its Advocate General’s recommendation to invalidate the US-EU Safe Harbor, the ECJ finds itself between the proverbial rock and a hard place. Rejecting the Safe Harbor would lead to uncertainty in the ongoing negotiations to update the Safe Harbor framework, and raise questions about the interpretation of the proposed General Data Protection Regulation, which is currently being finalized in trialogue negotiations among the EU’s Council, Parliament and Commission. If the ECJ chooses not to take the bait – whether on substantive or procedural ground — and to preserve the Safe Harbor status quo, that decision may actually strengthen the Safe Harbor by intimating that the ECJ believes the Safe Harbor to be valid in its current form, and significantly weaken the position of certain DPAs and other European regulators and legislators who have been assailing the framework over the years.
Setting aside the practicalities of the decision and its politics, however, there appear to be strong legal grounds for the ECJ not to follow the Advocate General’s recommendation to declare the Safe Harbor invalid. Most importantly, the Advocate General’s recommendation went far beyond the questions the Irish High Court referred to the ECJ, and his grounds for recommending that the Safe Harbor be declared invalid are legally suspect.