On October 3, 2017, the Irish High Court referred a legal challenge to the validity of the EU Standard Contractual Clauses (“SCCs”) to the Court of Justice of the European Union (“CJEU”) for resolution. Max Schrems, who had previously successfully challenged the validity of the now defunct U.S.-EU Safe Harbor Program in the Schrems case, had brought a similar claim in relation to the SCCs, and had requested that the Irish Data Protection Commissioner (“DPC”) declare that the SCCs do not provide sufficient protection when personal data is transferred outside the EU to the US and thus are invalid. The Irish DPC declined to make such a ruling, but instead referred the case to the Irish High Court, and requested that the case be referred to the CJEU for a final decision on the validity of the SCCs.
On January 25, 2017, President Trump issued an Executive Order entitled “Enhancing Public Safety in the Interior of the United States.” While the Order is primarily focused on the enforcement of immigration laws in the U.S., Section 14 declares that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This provision has sparked a firestorm of controversy in the international privacy community, raising questions regarding the Order’s impact on the Privacy Shield framework, which facilitates lawful transfers of personal data from the EU to the U.S. While political ramifications are certainly plausible from an EU-U.S. perspective, absent further action from the Trump Administration, Section 14 of the Order should not impact the legal viability of the Privacy Shield framework.
On January 11, 2017, the Swiss Federal Data Protection and Information Commissioner announced that it has reached an agreement with the U.S. Department of Commerce on a new Swiss-U.S. Privacy Shield framework (the “Swiss Privacy Shield”), which will allow companies to legally transfer Swiss personal data to the U.S. The Swiss Privacy Shield will replace the U.S.-Swiss Safe Harbor framework, and according to the Swiss government’s announcement, will “apply the same conditions as the European Union, which set up a comparable system with the U.S. last summer,” referring to the EU-U.S. Privacy Shield. According to the announcement, “[t]he fact that the two frameworks are similar is highly significant, as it guarantees the same general conditions for persons and businesses in Switzerland and the EU/EEA area in relation to trans-Atlantic data flows.” A press release from the U.S. Department of Commerce states that the Department will begin accepting certifications on April 12, 2017, and additional information will soon be available here.
The Privacy team at Hunton & Williams has authored several chapters of the recently published 2017 guide to data protection and privacy for Getting the Deal Through. The publication covers data privacy and data protection laws in 26 jurisdictions across the globe. Wim Nauwelaerts, Privacy team partner in the firm’s Brussels office, served as the contributing editor of the guide and co-authored the Belgium chapter and the EU overview.
On December 6, 2016, Hunton & Williams announced the release of the second edition treatise Privacy and Cybersecurity Law Deskbook (Wolters Kluwer Legal & Regulatory U.S.) by lead author Lisa J. Sotto, head of the firm’s Global Privacy and Cybersecurity practice. The Deskbook has become an essential tool for those involved in managing privacy and cybersecurity law issues. “The treatise provides a roadmap to comply with global data protection laws, navigate and comply with state breach notification requirements, and stay informed on emerging legal trends,” said Sotto. Members of the global practice group also contributed to the Deskbook.
On November 16, 2016, the UK Investigatory Powers Bill (the “Bill”) was approved by the UK House of Lords. Following ratification of the Bill by Royal Assent, which is expected before the end of 2016, the Bill will officially become law in the UK. The draft of the Bill has sparked controversy, as it will hand significant and wide-ranging powers to state surveillance agencies, and has been strongly criticized by some privacy and human rights advocacy groups.
A recent update on the Court of Justice of the European Union’s (the “CJEU’s”) website has revealed that Digital Rights Ireland, an Irish privacy advocacy group, has filed an action for annulment against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield (the “Privacy Shield”).
Earlier this month, at a meeting of the Article 31 Committee, the European Commission (“Commission”) unveiled two draft Commission Implementing Decisions that propose amendments to the existing adequacy decisions and decisions on EU Model Clauses.
On July 12, 2016, after months of negotiations and criticism, the EU-U.S. Privacy Shield (“Privacy Shield”) was officially adopted by the European Commission and the Department of Commerce. Similar to the Safe Harbor, companies must certify their compliance with the seven principles comprising the Privacy Shield to use the Shield as a valid data transfer mechanism. Hunton & Williams partner Lisa J. Sotto and associate Chris D. Hydak recently published an article in Law360 entitled “The EU-U.S. Privacy Shield: A How-To Guide.” In the article, Lisa and Chris detail the Privacy Shield principles, the benefits of certification, how the Shield will be enforced, and the challenges and risks associated with the future of the Privacy Shield.
On July 20, 2016, the French Data Protection Authority (“CNIL”) announced that it issued a formal notice to Microsoft Corporation (“Microsoft”) about Windows 10, ordering Microsoft to comply with the French Data Protection Act within three months.
Following the launch of Microsoft’s new operating system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties that Microsoft could collect excessive personal data via Windows 10. A group composed of several EU data protection authorities was created within the Article 29 Working Party to examine the issue and conduct investigations in their relevant EU Member States. The CNIL initiated its investigation and carried out seven online inspections in April and June 2016. The CNIL also questioned Microsoft on certain points of its privacy statement.