Category: USA

Fact Sheet of the European Commission about the EU-U.S. Privacy Shield

1. March 2016

On the 29th February 2016, the European Commission released a fact sheet about the Frequently Asked Questions related to the EU-U.S. Privacy Shield. The EU-U.S Privacy Shield aims at regulating international data transfers between the EU (including EEA countries Norway, Lichtenstein and Iceland) and the U.S. after the Safe Harbor Decision was declared invalid by the ECJ on October 2015.

The EU-U.S Privacy Shield is a new adequacy decision, under which the U.S. companies that comply with the described data protection principles and abide the obligations described in the framework, will be considered as ensuring an adequate level of data protection.

In contrast to the former Safe Harbor Decision, the EU-U.S. Privacy Shield imposes stronger obligations on companies related to monitoring and enforcement and prevents generalized access to EU personal data from U.S. public Authorities.

Under the Privacy Shield, U.S. companies will have to self-certify that they meet the requirements described in the Framework. The U.S. Department of Commerce will actively verify that the certifying company actually meets the requirements to certify, for example by reviewing the company´s privacy policy.

A key aspect of the Privacy Shield is the possibility for EU data subject to obtain redress in the US in case that their personal data is misused by commercial companies. The possibility to redress involves the following alternatives for the data subject:

  • to lodge a complaint with the company itself, or
  • to complaint towards their local DPA, or
  • to use the Alternative Dispute Resolution (ADR) mechanisms, or
  • through arbitration by having recourse to the Privacy Shield Panel, if the case is not resolved by any of the abovementioned alternatives.

The possibility to redress with regard to national security will be ensured by the institution of the Ombudsman.

All these aspects of the new EU-U.S. Privacy Shield have been reflected in the Judicial Redress Act, signed on February, 24th. This Act gives EU citizens the possibility to address privacy issues to U.S. Courts in relation to personal data transfers for law enforcement purposes. This Act aims at providing EU citizens with the same rights as U.S. citizens.

Also, the so called EU-U.S. “Umbrella-Agreement” covers relevant aspects of data protection regarding EU-U.S. law enforcement cooperation for the purposes of crime and terrorism prevention. This agreement is not a legal basis for data transfers itself, but it will provide safeguards for data transfers made under other existing agreements.

The EU – U.S. Privacy Shield: next steps

19. February 2016

The EU Commission and the U.S. Government agreed recently on the EU- U.S. privacy Shield as a possible mechanism to carry out international data transfers on a valid basis and providing an adequate level of data protection. The agreement shall be adopted by a decision.

The process until both, the proposed agreement and the corresponding decision, are adopted is complex and requires the opinion of several EU institutions

  • The EU Commission should make the proposal for the decision of adopting the agreement. The decision is expected by thy end of February.
  • The WP29, made up of the DPAs from the EU Member States and the European Data Protection Supervisor (EDPS) will have to give its opinion on the proposed agreement. This opinion will not be binding for the EU Commission.
  • Also the Article 31 Committee, established pursuant to art. 31 of the EU Data Protection Directive, will we asked to give an opinion.
  • Finally, the College of the EU Commission will decide about the adoption of the decision.

Additionally, also the ECJ will be requested to examine the proposal in order to determine if it provides an adequate level of protection of the fundamental rights of EU citizens. Also, the DPAs from the Member States may refer to the ECJ for clarification about the agreement.

Statement of the U.S. Department of Commerce on the „EU – U.S. Privacy Shield“

5. February 2016

Not only European negotiators and institutions have given their opinion on the EU – U.S. Privacy Shield, also the U.S. Department of Commerce and the FTC Commissioner, Julie Brill, have made a public statement on the on the advantages of the implementation of the Privacy Shield.

On the 2nd February, the U.S. Department of Commerce stated that the EU – U.S. Privacy Shield improves, on the one hand, the commercial oversight and enhances privacy protections and, on the other hand, it demonstrates the U.S. commitment to limitations on national security. The statement of the Department of Commerce remarks the cooperation between the FTC and EU Data protection Authorities and its commitment to review the Agreement on an annual basis. Also, it ensures that the U.S. Intelligence Community has described in writing the constitutional, statutory and policy safeguards applied to its operations.

The FTC offered a live webcast on the 4th February in which the EU – U.S. Privacy Shield was explained by FTC Commissioner Julie Brill. During the webcast the main aspects of the EU – U.S. privacy Shield were explained. Julie Brill remarked the commercial relevance of this agreement and the acknowledgement by U.S Authorities that the rights of the individuals and national security should be balanced.

 

Statement of the WP29 on the “EU – U.S. Privacy Shield”

4. February 2016

After the Press Conference held by Věra Jourová and Andrus Ansip from the European Commission about the proposal for a new agreement between EU and U.S. to carry out international data transfers, the WP29 met on the 2-3 February in order to discuss the consequences of the sentence from the ECJ and the future of international data transfers between EU and the U.S.

The WP29 has remarked that the following four guarantees should be ensured when international data transfers take place:

a) Transparency: the data subject whose data is processed should be informed so that he/she is able to foreseen the consequences of the data transfer.

b) Proportionality and necessity: the finality for which personal data is collected and accessed and the rights of the data subject should be balanced.

c) Independency of a control body that carries out checks in an effective and impartial manner.

d) Effective remedies: the individual should have the possibility to defend his/her rights before an independent body.

The WP29 will also analyze the existing mechanisms to carry out international data transfers, which currently can only take place if Standard Contractual Clauses or Binding Corporate Rules (BCR) are used. In any case, European DPAs will examine data transfers on a case-by-case basis.

However, the WP29 is still looking forward to receive the relevant documents related to the EU – U.S. Privacy Shield in order to analyze its content and to determine to which extent the agreement is legally binding.

 

If you would like to be updated on a regular basis on this and other data protection issues such as the General Data Protection Directive (GDPR), sign in for one of our newsletters:

German / European Data Protection http://www.datenschutzticker.de/newsletter/ (German Language)

International Data Protection http://www.privacy-ticker.com/newsletter/ (English language)

For how to proceed with your companies´ policies on internal or external data protection transfers to third countries and prepare for the GDPR seek individual advice.

 

The “EU – U.S. Privacy Shield”, a new agreement for international data transfers

3. February 2016

After continuous negotiations during the last months to agree on a new framework for international data transfers, since the ECJ invalidated the Safe Harbor Decision, Andrus Ansip (EU Commission Vice-President) and Věra Jourová (Commissioner) announced yesterday in a Press Conference that a new agreement (EU – U.S. Privacy Shield) to carry out international data transfers has been reached.

Under the EU – U.S. Privacy Shield, the following elements will be regulated:

  • Several redress possibilities will be guaranteed to EU citizens when data transfers to U.S. take place and companies, as first redress possibility, will have deadlines to resolve complaints.
  • The resolution includes a “multi-layered” approach in order to avoid that any complaints remain unresolved by offering different resolution mechanisms. Also the European DPAs will have the possibility to refer complaints to the U.S. Department of Commerce and to the Federal Trade Commission.
  • Companies will be subject to strong obligations regarding the processing of personal data imported from EU Member States. Particularly, personal data processed for HR purposes in the U.S. will have to comply with the decisions of EU DPAs.
  • It will be ensured that national authorities only have access to personal data from EU citizens in exceptional cases and subject to the principles of necessity and proportionality.
  • The figure of the “ombudsman” will be created, in order to make possible that EU citizens can complain regarding surveillance activities by national authorities.

This new framework should be reviewed in an annual basis, so that the rights of EU citizens regarding data protection are continuously ensured. This is an important step forward in comparison with the invalidated Safe Harbor Decision.

Although the main points of this agreement have been discussed, the written draft may take up to three months, as Commissioner Věra Jourová said. The Working Party 29 will advise the College of Commissioners on this issue before adopting the official decision. Additionally, the agreement will have to withstand scrutiny from the ECJ.

New Safe Harbor Agreement

2. February 2016

European officials and the U.S. agreed today on a new safe harbor agreement. The EU Article 29 Working Group had set a deadline until the end of January 2016 to find an alternative agreement, which was missed. The agreement still needs to be approved by the 28 member states. Further information on the new safe harbor agreement is expected after the EU Article 29 Working Group meeting, which is supposed to take place today and tomorrow.

Safe Harbor agreement unlikely by the end of January

27. January 2016

On 6th October 2015 the European Court of Justice has ruled, that the “safe harbor” agreement is invalid. Since then there is no legitimacy for transferring personal data outside of EU-territory. According to the statement of the EU data protection authorities assembled in the Article 29 Working Party, the parties involved were supposed to find an alternative agreement by the end of January 2016. Otherwise, EU data protection authorities would have to take all necessary and appropriate actions, which may include coordinated enforcement actions consequences to be drawn at European and national level.

The European Commission informed a committee of EU member countries during a session mid of January, that there has been no progress in the negotiations so far. According to sources, who took part at the meeting, a deal could still be made at the last minute. Other participants however entitled the deadline as “unrealistic” or “unlikely”.

The European Data Protection Supervisor (EDPS) Giovanni Buttarelli said that the January 31 date was a “legal fiction,” that “could not be fixed, because it would not have a legal basis.” “Even if some agreement was reached, it would be a political agreement,” he added. A final deal, which met all the criteria, “would take months,” he said.

The next meeting of the EU’s Article 29 Working Group will be on February 2. It is to expect, which measures will be taken against companies that still transfer data outside of the EU-territory based on the invalid safe harbor agreement.

Category: EU · Safe Harbor · USA

Proposal to create a U.S. privacy “ombudsman” to verify Safe Harbor compliance

26. January 2016

In a context where the Safe Harbor Decision has been declared invalid and the General Data Protection Regulation has entered into force, the European and American competent authorities are negotiating further mechanisms to carry out international data transfers in compliance with the current legislation.

According to Reuters, the U.S. has proposed creating the institution of the “ombudsman” as a component of the State Department. This institution shall handle with complaints from EU citizens regarding surveillance activities from American authorities,.verify that this surveillance activities are proportionate and that personal data transferred from the EU is accessed only in cases where national security is involved. However, EU negotiators have requested further details about this institution before the proposal is accepted.

Both negotiating parties, EU and U.S. authorities aim at reaching an agreement about the continuity and the legal basis to carry out data transfers to the U.S. by the beginning of February.

American Bar Association urges U.S. courts to regard foreign privacy laws

23. May 2012

One step further in resolving the dilemma of pre-trial Discovery in the U.S. in conflict with non-U.S. data protection laws: The American Bar Association adopted a resolution with the stated purpose to urge courts to respect foreign data protection and privacy laws in case of decisions on discovery issues.

Currently the interests of U.S. litigants to discovery are privileged by the courts when requirements of foreign privacy laws are not regarded. Other parties are in the situation to face inconsistent legal requirements and possible sanctions of foreign legal systems.

The resolution reads as follows:

“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”

The American Bar Association says that the permission of unlimited discovery could impede global commerce or harm the interests of U.S. parties in foreign courts. Especially the laws in European jurisdictions and the EU Data Protection Directive limit the legal processing of personal data and the transfer of personal data outside of the EEA. There is also the fact, that some jurisdictions have enacted blocking statues to prohibit the seeking for disclosure of information that shall be used for evidence in foreign proceedings. For example in France a French lawyer had to pay a 10.000 Euro fine for obtaining discovery in France for a litigation in the U.S.

The resolution of the American Bar Association is not binding but could encourage U.S. courts to have a critical look at foreign privacy jurisdiction and the consequences of discovery for affected litigants or third parties. At the moment, data controllers who are forced to transfer data from the EU to U.S. for the purpose of discovery would be well advised to follow at least the guidance of Article 29 Working Party to comply with EU data protection obligations and to check in detail which way is the best.

Category: USA
Tags:
Pages: Prev 1 2 3 4 5 6 7 8 9 10 11
1 9 10 11