Trump Executive Order Puts Privacy Shield’s Future in Doubt

By Amanda J. Katzenstein and Daniel L. Farris

President Trump signed an Executive Order last week that potentially puts the six-month-old Privacy Shield in jeopardy. While mostly aimed at immigration and border patrol, the Executive Order, entitled “Enhancing Public Safety in the Interior of the United States,” also includes a provision aimed at eliminating privacy protection for foreigners. Section 14 of the Executive Order reads:

"Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

Because the Executive Order specifically excludes non-U.S. citizens or residents from the protections of the Privacy Act, the U.S. safeguards provided by the Privacy Shield regarding the adequacy of protection of the personally identifiable information of EU citizens could be destroyed, leading to the invalidation of the Privacy Shield Agreement outright.

Following EU, U.S. and Swiss Regulators Reach New ‘Privacy Shield’ Data Transfer Agreement

By Daniel L. Farris

The United States and Switzerland finalized a new “Privacy Shield” Agreement on Wednesday that mirrors the existing U.S.-E.U. Privacy Shield framework. The new deal will allow multinationals to continue to transfer data between the U.S. and Switzerland while complying with Swiss data protection requirements. 

The new deal replaces the existing U.S.-Swiss Safe Harbor Agreement, the validity of which has been in question since the Schrems decision was issued in October of 2015. Companies that have maintained their Swiss Safe Harbor certification may begin certifying under the new U.S.-Swiss Privacy Shield framework on April 12th. The 90-day delay is intended to provide companies with time to review the new Swiss principles and the commitments they entail.

As Grace Period Ends, Burst of Privacy Shield Applications May Decrease

By Amanda J. Katzenstein

More than 700 companies have self-certified to comply with the Privacy Shield in the two months since the Department of Commerce began accepting submissions. The number of applications is expected to rise as the September 30, 2016 deadline for a special grace period looms, and the pace is expected to slow after October 1, 2016, because the compliance obligations increase after the deadline.

EU Regulators Reject Privacy Shield

By Daniel L. Farris

A group of European data protection authorities, known as the Article 29 Working Party, is refusing to support the proposed transatlantic data transfer deal known as the “Privacy Shield.”  In a highly anticipated opinion issued Wednesday – which does not bode well for US companies anxiously awaiting guidance after the invalidation of Safe Harbor last year – the Working Party criticized the Privacy Shield for its failure to provide protection for EU citizens’ data against US government surveillance programs. 

In February, the European Commission and US Department of Commerce announced a new deal to replace the Safe Harbor mechanism for transferring personal data from Europe to the United States.  While acknowledging that the Privacy Shield was an improvement that would impose new and heightened obligations on US companies to protect Europeans’ privacy, the Working Party expressed numerous concerns over the ways transferred data may be used for commercial or national security purposes. 

Details of the Privacy Shield Agreement Emerge, but Uncertainty Persists

By Joseph D. McClendon and Daniel L. Farris

On Monday, U.S. and EU officials revealed the full text of the proposed EU-US Data Privacy Shield agreement. The Privacy Shield, if approved by the European Commission Article 29 Working Party, would introduce new provisions geared at EU concerns regarding mass surveillance and privacy protection of personal data collected and transferred from the EU into the United States.

U.S. and EU officials have been in talks for nearly five months to get a new agreement in place. Negotiations began in October 2015 when the European Court of Justice invalidated the EU Commission’s Safe Harbor decision. That decision put at risk the ability of nearly 4,000 United States companies to transfer data from the EU to the United States under the now invalidated Safe Harbor framework.

Obama Signs U.S. Privacy Act, Extends U.S. Privacy Rights to Europeans

By Rachel Stevenson

President Obama signed the Judicial Redress Act of 2015 (H.R. 1428/S.1600) on Wednesday, extending parts of the U.S. Privacy Act of 1974 to European Union (EU) citizens.  This new law is aimed at demonstrating good faith efforts by the United States to restore the trust of our European after the invalidation of the Safe Harbor Agreement.  Europeans skeptical of the old Safe Harbor regime now have increased data privacy, protection, and security rights in the United States.  

French Data Protection Authority Cracks Down On Facebook Data Transfer

By Joseph D. McClendon

Facebook is again under fire for its EU-US data transfer practices, with the latest scrutiny coming from the French data protection authority (CNIL). In a two-part order issued on February 8, CNIL ordered Facebook to stop transferring user data to the US under the now-defunct Safe Harbor framework. In October 2015, the European Court of Justice invalidated the EU Commission’s Safe Harbor pact, an agreement between the EU and US that allowed US companies to transfer EU citizens’ data out of the EU to the US. The ECJ’s decision, which was prompted by an Austrian citizen’s claim that Facebook’s transfer of his personal information out of the EU violated his privacy rights, put at risk the ability of nearly 4,000 US companies to transfer data from the EU to the United States. CNIL’s order is predicated on the fact that Facebook’s France privacy policy webpage still includes language detailing Facebook’s use of Safe Harbor to transfer data.

One Pen Stroke Closer to U.S.-EU ‘Privacy Shield’: Congressional Legislation Awaits the President’s Signature

By Rachel Stevenson

In the stalemate culture of Washington DC politics, privacy and security issues prevailed last week when Congress passed the Judicial Redress Act (H.R. 1428/S. 1600) on Feb. 10th. This show of Congressional support is important as the U.S. and EU continue to work toward adoption of the Data Privacy and Protection Agreement (DPPA). DPPA, also known as an “Umbrella” agreement, covers personal data exchanges between the U.S. and EU so law enforcement can work to prevent, investigate, and adjudicate transnational crimes. The Judicial Redress Act is vital for the EU to adopt DPPA, thereby extending law enforcement information sharing and generating positive international cooperation.

New US-EU ‘Privacy Shield’ Will Impose Heightened Compliance Obligations on US Companies

By Dov H. Scherzer and Daniel L. Farris

The European Commission and United States Department of Commerce agreed to a new transatlantic data transfer pact on Tuesday, two days after the January 31st deadline imposed by European data protection authorities. The deal comes four months after the European Court of Justice invalidated the Safe Harbor Agreement in Schrems v. Data Protection Commissioner.  

EU Finalizes Text of New General Data Protection Regulation

By Joseph D. McClendon

Three years after Luxembourg politician Viviane Reding originally proposed overhauling the EU Data Protection Directive (“Directive”), European Union officials finally reached an agreement to replace the Directive with new comprehensive privacy legislation called the General Data Protection Regulation (“GDPR”).  The GDPR is not yet EU law; however, the EU Parliament is expected to approve the GDPR when it next meets in January 2016.  When approved, the GDPR will become law in 2018 across all 28 EU Member States and will supersede the inconsistent laws the EU Member States implemented in order to comply with the minimum data protection requirements set out in the Directive.

New EU Cybersecurity Rule Means Additional Compliance Obligations for Critical Infrastructure and Tech Companies

By Christopher L.E. Hines

On December 7, 2015, the European Commission (EC) agreed on new cybersecurity laws that will require certain critical infrastructure operators and multinational companies to fully disclose cybersecurity breaches and violations to European Union (EU) authorities or face severe penalties.

US-EU Have Agreement in Principle on New Data Sharing Pact

By Gregory M. Kratofil, Jr.

The European Commission announced Monday that it has reached a deal in principle with the United States on what is being called “Safe Harbor 2.0” – a new data sharing agreement to replace the Safe Harbor agreement invalidated by the EU Court of Justice earlier this month. The Commission’s announcement came on the same day that the German DPA issued a position paper declaring all remaining alternatives to Safe Harbor – including model contract clauses and Binding Corporate Rules – to no longer be viable means for transatlantic data transfer. 

Senate Passes Cybersecurity Bill, Conference with House Expected

By Darryl Drevna

In something of a response to the EU’s invalidation of Safe Harbor earlier this month, the Senate voted 74 – 21 to pass the Cybersecurity Information Sharing Act (CISA) on Tuesday. The bill was originally introduced by Sen. Dianne Feinstein (D-CA) in June 2014, in the wake of several high-profile cyber attacks on US companies.

Safe Harbor Alternatives Deemed Invalid by German Privacy Officials

By Joseph D. McClendon

In another blow to U.S. companies that wish to transfer personal information out of the EU, German privacy officials issued a position paper stating that standard contractual clauses and binding corporate rules, two alternatives to Safe Harbor, are no longer viable.

Israel Revokes U.S. Data Transfer Authorization in Wake of EU Safe Harbor Invalidation

By Joseph D. McClendon

The Israeli Law, Information and Technology Authority (ILITA) revoked authorization for businesses that previously relied on the EU’s Safe Harbor exception to transfer data from Israel to the United States. 

Under Israel’s 2001 Privacy Protection Regulations, moving data from inside Israel to a database outside of Israel was permitted provided that the transferee country had laws regulating data protection that were at least as protective of data as Israeli law. 

What’s Next? Article 29 Working Party Issues an Initial Statement in Wake of ECJ Schrems Decision

By Mary Kathryn Curry & Dov H. Scherzer

The fallout from the EU Court of Justice (ECJ) Schrems decision invalidating the Safe Harbor continues.

As posted earlier this month, the national Data Protection Authorities (DPAs) from across the EU met under the auspices of the Article 29 Working Party (Working Party) to discuss the consequences to be drawn from the ECJ’s ruling. 

German State Declares Model Contract Clauses Unlawful

By JJ Bollozos, Joseph D. McClendon, and Daniel L. Farris

The Data Protection Authority in the German state of Schleswig-Holstein issued a position paper and press release Wednesday in which the DPA warned that data transfers made on the basis of model contract clauses are “no longer permitted.” Further, the Schleswig-Holstein DPA has instructed businesses that they may be fined up to €300,000 for the transfer of personal data to the US “without a legal basis.”

Safe Harbor Is Invalid. What Should You Do Next?

By Daniel L. Farris

In the days since the CJEU issued its decision invalidating Safe Harbor, many US companies have struggled to understand what the decision means for them.  Confusion and anxiety characterized many initial reactions, while others in Europe heralded the decision as long overdue.  To aid the formerly-Safe Harbor certified in figuring out where to go next, we humbly offer the following suggestions. 

European Court of Justice Invalidates Safe Harbor

By Daniel L. Farris

The European Court of Justice has declared the EU Commission’s Safe Harbor decision invalid, putting at risk the transfer of data from the EU to the United States pursuant to a system used by 4,000 or so large U.S. companies.

In essence, the decision requires EU member state Data Protection Authorities (DPAs) to investigate complaints related to any company’s transfer of personal data from Europe to the United States.  Companies relying on Safe Harbor are at serious risk of being ordered to suspend all transfer of data, until they can implement alternative means to comply with the legal obligations set forth by European law.

The decision could have immediate impact on EU-US trade, and is likely to leave many companies scrambling to find alternatives to Safe Harbor. 

Shockwaves from Influential EU Opinion on Safe Harbor Data Transfers Reverberate in the U.S.

By Daniel L. Farris

EU Advocate General Yves Bot sent shockwaves through the Privacy and Data Security community Wednesday when he issued an opinion to the European Court of Justice that suggested the entire US-EU Safe Harbor framework should be struck down, and further that Data Protection Authorities (DPAs) of member states must be permitted to independently investigate and enforce European data protection standards against companies engaged in transatlantic data transfers, regardless of Safe Harbor certification. The opinion – while non-binding – will empower DPAs to increase oversight and enforcement activity against companies transmitting data from the EU to the US. Any organization relying on Safe Harbor to support transatlantic data flows should take note, and should consider alternatives to Safe Harbor to support such transfers.
