The European Union (EU) may soon decide whether Japan will have “adequate” status for transfers of personal data from the EU. Reuters reported on December 15, 2017 that the European Union is aiming to finalize a data transfer agreement with Japan by early 2018.
Set to be implemented in May 2018, the EU’s General Data Protection Regulation (GDPR) will require that EU citizens’ personal data be transferred only to countries with an adequate data protection status, forbidding companies from storing EU citizens’ personal data in foreign countries deemed to have an “inadequate” level of privacy protection.
Under the EU’s privacy framework, the European Commission has the power to determine, based on Article 25(6) of Directive 94/46/EC, whether a foreign country has an “adequate” level of data protection under that country’s domestic laws or international commitments. If a foreign country is deemed adequate, personal data can flow from the 28 EU countries (and three EEA member countries of Norway, Liechtenstein, and Iceland) to the foreign country without further safeguards.
The Commission has so far deemed only 12 countries – Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, the United States (under the EU-US Privacy Shield), and Uruguay – as providing adequate protection. The EU does not include the United States among its adequate protection countries. But Decision 2016/1250 on the adequacy of protection of the EU-US Privacy Shield, commonly known as the EU-US Privacy Shield, was designed as a program whereby participating US companies or companies doing business in the US are deemed to have adequate protection.
An adequacy determination for Japan would be monumental for Japanese companies and companies doing business in Japan, with EU Justice Commissioner Vera Jourova recently stating that “[a]n adequacy decision would be great news for business as it would allow for the transfer of personal data from the EU to Japan without the need for extra authorisations.”
In relation to the first annual Joint Review of the EU-U.S. Privacy Shield Framework, the Article 29 Data Protection Working Party (WP29), an independent European advisory body on data protection and privacy, issued its findings on November 28, 2017.
The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the U.S. from the EU in a way that is consistent with EU law. As we discussed in a previous blog post, the framework is based on a certification system whereby U.S. companies commit to adhere to a set of Privacy Shield Principles. Other mechanisms for transferring personal data to the U.S. from the EU are binding corporate rules, model contracts, or use of one of a number of derogations to the EU’s restrictions on cross-border data transfers.
The report reflects the Working Party’s views in relation to the first annual joint review of the Privacy Shield program. It acknowledges both the progress and the efforts to implement Privacy Shield, but it raises a number of concerns and calls on the European Commission and U.S. authorities to restart discussions to address those concerns by May 25, 2018, which is the date the General Data Protection Regulation (GDPR) takes effect.
Continue reading “First Annual Joint Review of EU – U.S. Privacy Shield Addresses Six Areas of Concern”
The European Commission published its first annual report on the functioning of the EU-U.S. Privacy Shield, which protects the personal data transferred from the EU to companies in the U.S. for commercial purposes. The report was released on October 18, 2017.
The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the U.S. from the EU in a way that is consistent with EU law. The framework is based on a certification system by which U.S. companies commit to adhere to a set of Privacy Shield Principles. To join the Privacy Shield Framework, a company must self-certify to the Department of Commerce that it complies with the Principles. A company’s failure to comply with the Principles is enforceable under Section 5 of the FTC Act, which prohibits unfair or deceptive acts. The key requirements for participating companies include:
- Informing individuals about data processing
- Providing free and accessible dispute resolution
- Cooperating with the Department of Commerce
- Maintaining data integrity and purpose limitations
- Ensuring accountability for data transferred to third parties
- Transparency related to enforcement actions
- Ensuring commitments are kept as long as data is held
Continue reading “First Annual Review of the Privacy Shield Framework”
On October 3, 2017, the Irish High Court referred Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems to the Court of Justice of the European Union (CJEU), where the future of standard contractual clauses (SCCs) will be decided.
In December 2015—following the CJEU’s landmark decision in Maximillian Schrems v. Data Protection Commissioner invalidating the U.S.-EU Safe Harbor framework—Schrems amended his original complaint to the Irish Data Protection Commissioner (DPC), challenging the validity of data transfers to the U.S. based on the European Commission-approved SCCs. Based on the CJEU’s Schrems decision, the Irish DPC petitioned the Irish High Court, asking it to refer the matter to the CJEU for a ruling on the question of whether the European Commission’s SCC decisions are valid under European law. Specifically, the Data Protection Commissioner questioned whether there is an effective remedy under U.S. law compatible with the requirements of Article 47 of the EU Charter of Fundamental Rights for an EU citizen whose data is transferred to the U.S., where such data is subject to electronic surveillance by U.S. agencies for national security purposes. EU citizens have a right guaranteed by Article 47 of the Charter to an effective remedy before an independent tribunal if their rights or freedoms are violated. These include the rights under Articles 7 and 8 to respect for private and family life and protection of personal data.
Continue reading “Irish High Court Refers Future of EU Model Clauses to CJEU”
Providing data subjects with meaningful information regarding the processing of their personal data and their rights with respect to such processing is an axiom of privacy law—and a key requirement under the General Data Protection Regulation (GDPR).
The significance of this principle of transparency was recently highlighted by the European Court of Human Rights (ECHR) in Bărbulescu v. Romania where the court affirmed an employee’s right to privacy when using communications tools in the workplace due, in part, to the employer’s failure to provide adequate notice regarding its internet monitoring activities. This post briefly discusses the principle of transparency under GDPR and its application to the Bărbulescu case.
Continue reading “GDPR and ECHR Make One Thing Abundantly Transparent: The Significance of Transparency”
Three U.S. companies have entered into consent agreements with the Federal Trade Commission (FTC) for allegedly misrepresenting their participation in the European Union-United States Privacy Shield framework. These are the FTC’s first actions to enforce the EU-US Privacy Shield framework that was put in place in 2016 to replace the US-EU Safe Harbor framework.
Continue reading “The FTC’s First Privacy Shield Enforcement Actions”