On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield.
This will be the third attempt to revise this framework, following the invalidation
Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities
The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but
Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield
What has happened?
Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms of SCCs.
The European Parliament asks for the suspension of the privacy shield
On July 5, the European Parliament passed a non-binding resolution, asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while remaining compliant with EU data protection laws.
The European Commission passed the data-sharing privacy framework on July 12, 2016, after its precursor, Safe Harbor, was struck down by the European Court of Justice on October 6, 2015.
Since the European Parliament’s resolution is non-binding, the European Commission could choose to ignore it. However, the Commission will no doubt take the Parliament members’ concerns into consideration in its annual review of the Shield which is due in September.
Further discussions on whether to renegotiate the Privacy Shield is also on the table since the Shield is based on the now defunct EU directive 95/46, which the European Union General Data Protection Regulation replaced when it went into effect on May 25, 2018.
Privacy Shield Update: EU Member States Approve Amended Framework
On July 8, 2016, European Member States approved the proposed EU-US Privacy Shield framework, with four Member States – Austria, Bulgaria, Croatia, and Slovenia – reportedly abstaining. Before the framework can be implemented, formal approval by the European Commission is
Privacy Shield Framework Sees Changes, EU Vote Expected in July 2016
The United States and the European Union reportedly have agreed on changes to the EU-US Privacy Shield. A revised agreement has been sent to EU Member States, and a vote is expected to be held early next month, in early
Norton Rose Fulbright discusses recent opinion on Privacy Shield
The Article 29 Working Party released an opinion yesterday stating that it would not endorse the EU-US Privacy Shield. Norton Rose Fulbright partners Boris Segalis and Marcus Evans spoke with Law360 to discuss how the opinion will affect private
European Union-United States Privacy Shield – A Comprehensive Overview: Webinar
Data privacy partners at Norton Rose Fulbright invite you to join them on Thursday, April 21 for a discussion on the EU-US Privacy Shield and the impact of the Article 29 Working Party’s formal opinion on the adequacy of the Privacy Shield. The WP29’s formal opinion is expected on April 12th or April 13th.
The discussion will be led by Boris Segalis, co-chair of Norton Rose Fulbright’s Data Protection, Privacy and Cybersecurity practice in the US, Marcus Evans, data privacy partner in Norton Rose Fulbright’s London office and Jay Modrall, anti-trust and competition partner in Norton Rose Fulbright’s Brussels office.
Hamburg DPA leader: Model Clauses, BCRs and EU-US Privacy Shield are probably insufficient
On February 26, 2016, Article 29 Working Party member and head of the Hamburg Data Protection Authority, Prof. Dr. Johannes Caspar, again spoke at an event about the consequences of the invalidation of the Safe Harbor, emphasizing his position on the transfer of personal data from the EU to the US.
Details of Privacy Shield published
On February 29, 2016, the European Commission published the documents comprising the new EU-U.S. Privacy Shield, the adoption of which we previously covered on our blog. In the Commission’s opinion, the new framework reflects the requirements set forth by the European Court of Justice in the Schrems ruling, which invalidated the U.S.-EU Safe Harbor framework. The Commission’s proposed adequacy decision holds that “the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield”.