Safe Harbor

Schrems: the global impact – how the ECJ ruling is affecting countries outside the EU and US

By Jim Lennon (AU) on November 2, 2015

A number of jurisdictions around the world follow the lead from Europe in relation to data protection and impose similar restrictions on the export of personal data unless there is an “adequate level” of protection offered in the recipient jurisdiction. The EU Commission’s “US Safe Harbor” decision had permitted the transfer of personal data between Europe and the US by establishing that an adequate level of data protection was ensured by the EU-US Safe Harbor scheme.

DIFC Data Protection Commissioner issues guidance on US data exports following Schrems case

Posted on October 30, 2015

The Dubai International Financial Centre (DIFC) Commissioner for Data Protection has issued guidance to DIFC entities on the export of personal data outside the DIFC in light of a landmark data protection ruling by the European Court of Justice (ECJ).

Reports suggest US-EU agreement on cross-border data transfers near, but will it stick?

Posted on October 29, 2015

It is being reported that the EU and the US have reached an agreement in principle on the revised cross-border data transfer framework, commonly referred to as Safe Harbor 2.0. Both sides expect further progress on the specifics in November of this year. Some of the thornier issues, however,regarding US surveillance activities, that are critical to addressing the concerns the ECJ raised in Schrems, are yet to be firmed up with verifiable compliance commitments.

German Data Protection Authorities Suspend BCR approvals, question Model Clause transfers

By Christoph Ritzer (DE) & Marcus Evans (UK) on October 26, 2015

Following on from the EU Article 29 Working Party Statement of 16 October 2015, the Conference of the German Data Protection Authorities – (“DPAs”) has today issued guidance (referred to as a Position Paper) on the consequences of the CJEU decision in the Schrems case (Case C-362/14).

WP29 Issues Post-Safe Harbor Guidance

By Marcus Evans (UK), Jamie Nowak (DE) & Jay Modrall (BE) on October 16, 2015

The following is the statement of WP29 on the Schrems decision. It is a short opinion that we replicated here in full. We note that WP29 appears to suggest that model clauses and BCRs remain viable through at least January …

A German data protection authority questions model clauses

By Christoph Ritzer (DE) on October 15, 2015

The German data protection authority from the northern state Schleswig-Holstein has released guidance in connection with the ECJ’s decision on Safe Harbor.

South African perspective on ECJ Safe Harbour ruling

Posted on October 14, 2015

South Africa’s Protection of Personal Information Act 2013 (POPI) is largely based on the principles of the EU data protection directive. This includes the requirement that personal information must be adequately protected when transferred cross-border (assuming none of the other grounds apply).

U.S. and Europe at a Privacy Crossroads – IAPP New York KnowledgeNet event

Posted on October 13, 2015

On Wednesday, November 18, Boris Segalis, who co-chairs Norton Rose Fulbright’s Data Protection, Privacy and Cybersecurity practice in the U.S. will participate in an IAPP KnowledgeNet panel to discuss topics on the international agenda including Safe Harbor, the …

No Safe Harbor: Implications of the European Schrems decision – conference call

Posted on October 8, 2015

On Wednesday, October 14, 2015, Norton Rose Fulbright attorneys Marcus Evans, Jay Modrall and Boris Segalis will lead a conference call to discuss the implications of the Schrems case, which invalidated the EU-US Safe Harbor Decision.

Register Now

CJEU decision in Schrems: what businesses should do next

By Marcus Evans (UK) & Jay Modrall (BE) on October 8, 2015

This week, the Court of Justice of the European Union (“CJEU”) ruled that the EU-US Safe Harbor Decision is invalid in Case C-362/14 (the “Schrems” case). This followed a similar opinion from its Advocate General, which also sets out the facts of the case.

The decision will impact businesses that rely on the EU-US Safe Harbor to legitimize their storage in, or access from, the US of personal data that is subject to EU data protection rules. It could affect cloud service providers, companies that use cloud services, intragroup shared services and any other export flows to the US that rely on Safe Harbor for data transfer.

In this post we look at what the CJEU decided and on what grounds, and what affected businesses should do next.

Data Protection Report