On December 18, 2017, the French data protection authority (“CNIL”) publicly announced that it served a formal notice to WhatsApp regarding the sharing of WhatsApp users’ data with Facebook Inc. (“Facebook”). This decision, dated November 27, 2017, follows the CNIL’s investigations regarding Facebook’s 2014 acquisition of WhatsApp. In 2016, WhatsApp updated its Terms of Service and Privacy Policy to reflect the sharing of information with Facebook. Following this update, the Article 29 Working Party (“Working Party”) requested explanations from WhatsApp on its data processing practices and data sharing, and asked the company to stop sharing data for targeted advertising purposes. The Working Party also gave a mandate to its subgroup in charge of the cooperation on investigations and sanctions to coordinate actions of the relevant national data protection authorities. It is in that context that the CNIL started its investigation of WhatsApp’s data processing practices. Continue Reading The CNIL Serves Formal Notice to WhatsApp Regarding Sharing Data with Facebook

On October 24, 2017, an opinion issued by the EU’s Advocate General Bot (“Bot”) rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The non-binding opinion was issued in relation to the CJEU case C-210/16, under which the German courts sought to clarify whether the data protection authority (“DPA”) in the German state of Schleswig-Holstein could take action against Facebook with respect to its use of web tracking technologies on a German education provider’s fan page without first providing notice. Continue Reading Advocate General Rejects Facebook’s Claim of Sole Irish Jurisdiction in EU

On August 25, 2016, WhatsApp announced in a blog post that the popular mobile messaging platform updated its Terms of Service and Privacy Policy to permit certain information sharing with Facebook. After Facebook acquired WhatsApp in 2014, the Director of the FTC’s Bureau of Consumer Protection wrote a letter to both Facebook and WhatsApp that discussed the companies’ obligations to honor privacy statements made to consumers in connection with the acquisition. Continue Reading WhatsApp Updates Privacy Policy to Share Information with Facebook

On June 13, 2016, the U.S. government expressed its wish to join the legal proceedings brought by Max Schrems concerning the validity of international data transfers under EU Standard Contractual Clauses.

Along with the U.S. government, the Irish Business and Employers Confederation and the Business Software Alliance, an industry trade group, also informed Ireland’s High Court of their desire to be added to the case as amici curiae, or “friends of the court.” Continue Reading U.S. Government Seeks to Join Schrems Case

On October 27, 2015, David Smith, the UK Deputy Commissioner of the Information Commissioner’s Office (“ICO”), published a blog post commenting on the ongoing Safe Harbor compliance debate in light of the Schrems v. Facebook decision of the Court of Justice of the European Union. His key message to organizations was, “Don’t panic.”

Continue Reading UK Deputy Information Commissioner on Safe Harbor: “Don’t Panic”

On October 20, 2015, at a hearing in the Irish High Court, Irish Data Protection Commissioner Helen Dixon confirmed that she will investigate allegations made by privacy activist Max Schrems concerning Facebook’s transfer of personal data to the U.S. in reliance on Safe Harbor. Dixon welcomed the ruling of the High Court and noted that she would proceed to “investigate the substance of the complaint with all due diligence.”

Continue Reading Irish Data Protection Authority to Investigate Facebook’s Data Transfers

On October 14, 2015, the data protection authority (“DPA”) in the German state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz) issued a position paper (the “Position Paper”) on the Safe Harbor Decision of the Court of Justice of the European Union (the “CJEU”).

Continue Reading German DPA Issues Position Paper on Data Transfer Mechanisms in Light of CJEU Safe Harbor Decision

On October 6, 2015, the Court of Justice of the European Union (the “CJEU”) issued its judgment in the Schrems v. Facebook case, following the Opinion of the Advocate General published on September 23, 2015. In its judgment, the CJEU concluded that:

  • The national data protection authorities (“DPAs”) have the power to investigate and suspend international data transfers even where the European Commission (the “Commission”) has adopted a decision finding that a third country affords an adequate level of data protection, such as Decision 2000/520 on the adequacy of the protection provided by the Safe Harbor Privacy Principles (the “Safe Harbor Decision”).
  • The Safe Harbor Decision is invalid.

Continue Reading CJEU Declares the Commission’s U.S. Safe Harbor Decision Invalid

On September 29, 2015, the Court of Justice of the European Union (“CJEU”) announced that it will deliver its judgment in the Schrems vs. Facebook case on October 6, 2015. The CJEU’s judgment will be the final ruling in the case, and comes after the Advocate General’s Opinion regarding Safe Harbor earlier this week.

Continue Reading CJEU Announces Date for Judgment on Safe Harbor