Category: International Data Transfers

The EU-U.S. Privacy Shield has been approved

11. July 2016

On the 8th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and the Commissioner Vera Jourová announced in a joint statement that the EU Member States have approved the updated draft of the EU-U.S. Privacy Shield. However, Austria, Bulgaria, Croatia, and Slovenia abstained from voting.

The statement remarks that the Privacy Shield will ensure a high data protection level for EU citizens, because it imposes stronger obligations for U.S. companies. Specially regarding the bulk collection of personal data from EU citizens by American authorities.

The formal adoption of the Privacy Shield is expected this week.

Although the EU-U.S. Privacy Shield has been approved, the legality of the agreement could be challenged, as occurred with the former Safe Harbor Framework.

EU-U.S. Privacy Shield: approval expected within this week

4. July 2016

The EU Commission and American negotiators reached last week an agreement regarding the final draft of the EU-U.S. Privacy Shield. Now, the EU Commission has sent this draft to the Article 31 WP, who is expected to issue an opinion by tomorrow. If so, the EU-U.S. Privacy Shield will be implemented by the end of this week. Also, the final draft has been sent to the EU Parliament. The EU Parliament can issue an opinion, but cannot block its approval.

The Article 31 WP will meet today to review the text. Normally, the committee has two weeks to issue an opinion but the EU Commission expects an approval already this week.

Agreement by EU and U.S. negotiators on final changes on the Privacy Shield

28. June 2016

After several months of negotiations regarding the legitimating instruments to carry out international data transfers, EU and U.S. negotiators agreed last week on the final changes of the proposed EU-U.S. Privacy Shield.

The initial draft of the EU-U.S. Privacy Shield was criticized by several European Institutions such as the Article 29 WP, the EDPS, Article 31 WP and the UK Data Protection Authority (ICO) for not offering enough safeguards for EU citizens regarding the protection of their personal data upon data transfers to the U.S.

The main critic of the EU-U.S. Privacy Shield was focused on the independency of the ombudsman and on the massive surveillance activities from American Authorities. Additionally, a follow up control mechanism regarding compliance with the EU-U.S. Privacy Shield was required by European negotiators.

EU and U.S. negotiators have agreed to improve the above mentioned aspects in order to ensure more guarantees on the protection of EU citizens’ personal data:

  • The White House committed in writing to collect EU personal data only under certain circumstances and for targeted purposes.
  • Data retention periods have been defined concretely: organizations will be obliged to delete personal data that is no longer needed for the purposes for which it was originally collected.
  • The proposal will include a specification that the ombudsman will be an independent institution.

As a next step, the Article 31 WP, made up of representatives of the EU Member States, will decide if the amended text complies with European Data Protection legislation. Both, the EU Commission and the U.S. Government hope that the EU-U.S. Privacy Shield enters into force by August 2016.

Implications for the UK

After UK citizens have voted to leave the EU, a two-year-negotiation between the EU and the UK Government will take place. During this time, UK organizations will have to comply with European legislation, also regarding international data transfers. When the UK ceases to be an EU Member State, it will be considered as being a third country in terms of international data transfers and will have to ensure enough safeguards regarding the protection of personal data.

German DPA fines three companies for illegal data transfer to the U.S.

7. June 2016

The Data Protection Authority of Hamburg just announced in a press statement that it checked the data transfers of 35 international organizations that are based in Hamburg.

After the judgment declaring the former Safe Harbor Framework by the European Commission invalid  in October 2015 by the European Court of Justice, the DPA contacted organizations in Hamburg operating also in the U.S. and reviewed the transfer of personal data to the U.S. in order to determine whether other instruments are used than the Safe Harbor Framework. According to the mentioned press statement, the review has revelied that the majority of the companies had changed the legal basis of their transfers of data by implementing standard contractual clauses (SCC).

However, according to a report by Spiegel Online, there were three companies that did not change their legal basis for data transfer. Therefore, the three companies were fined:

Adobe (8.000 Euros), Punica (9.000 Euros) and Unilever (11.000 Euros)

As all three companies have changed the legal basis for data transfering during the proceeding, the DPA imposed a fine that was significantly smaller than the maximum of 300.000 Euros.

 

 

Update EU-U.S. Privacy Shield: Article 31 needs more time to consider the implications of the proposal

23. May 2016

On the 19th May, the Article 31 Committee, made up of representatives of the EU Member States, met in order to discuss the implications of the proposed draft of the EU-U.S. Privacy Shield. The Article 31 was created in order to reach decisions that require the approval of the EU Member States according to the Data Protection Directive 95/46/EC. This is the case, for example of the adoption of adequacy decisions, such as Safe Harbor in the past or the EU-U.S. Privacy Shield currently.

Article 31 concluded that it needed more time to reach a decision about the proposal. Moreover, a source of the Commission affirmed that further meetings in May and early June will take place. Also, the recommendations of the Article 29 WP are being taken into consideration before reaching a decision.

The decision of the Article 31 is expected by the end of June. The EU-U.S. Privacy Shield can be only adopted if a qualified majority of 16 Member States representing 65 percent of the EU population votes for the adoption of the Privacy Shield.

Until a decision is reached, Standard Contractual Clauses and Binding Corporate Rules can still be used to carry out international data transfers on a legal basis.

Pages: Prev 1 2 3 4 5 6 7
1 5 6 7