Privacy Shield Released – How Employers Can Take Advantage of the New European Data Transfer Framework (2016)

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company or employer intended to transfer personal data from the EU into the U.S., they traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….

What You Need to Know About the New General Data Protection Regulation (GDPR) (2016)

The EU Parliament Committee on Civil Liberties, Justice, and Home Affairs (“LIBE”) finally released the text of the long-anticipated new data protection law. While the law has not formally been enacted, its adoption at this point is considered pro forma. Once adopted, its provisions will go into effect in spring of 2018. The hope, and expectation, is that the GDPR will cause the EU to have a much more harmonized approach to data protection.

Here is what companies doing business in the EU need to know about the new General Data Protection Regulation (GDPR or Regulation)….

How to Obtain EU Binding Corporate Rules (BCR) Approval (2016)

The following provides background concerning the approved Binding Corporate Rules (“BCR”) procedure. BCRs are in-kind privacy rules and standards that allow multinational groups of companies to transfer personal data within their group of companies, including to corporate affiliates outside of the EU. In order to obtain approval of a BCR, a company’s privacy policy has to demonstrate that it ensures an adequate level of data protection and respective safeguards under EU law. BCRs are an internal tool only and do not allow for any data transfers outside of a corporate group…

Privacy Shield: Safe Harbor 2.0? (2016)

As negotiators for the US Department of Commerce (“DOC”), Federal Trade Commission (“FTC”), and the European Commission move toward an agreement intended to allow continued US-EU data transfers, a closer look at the history of “Safe Harbor” and the proposed “Privacy Shield” framework leaves some questions unanswered.

Safe Harbor Invalidation
Under EU Data Protection Directive 95/46/EC (the “Directive”), personal data controlled in the EU may be transferred to countries outside the EU only when an “adequate level of protection” is guaranteed. From 2000 to 2015, thousands of companies achieved this adequacy status through the US-EU “Safe Harbor” framework, an annual certification process approved by the European Commission and made available to US companies subject to the jurisdiction of the FTC or Department of Transportation…

How to Use the EU Model Clauses (2016)

The EU Commission has created model contracts for data transfers (the “Model Contracts”) and determined that organizations which use the Model Contracts offer sufficient safeguards for cross-border data transfer as required by the Directive.

The EU Commission has issued three Model Contracts: two for transfers from data controllers to data controllers established outside the EU, and one for a transfer to a data processor outside the EU. Once a company decides to use the model clauses functionally, three steps must be followed in order to put those clauses into place and have them help in the transfer of information out of the EU. The following provides a high level overview of how to implement a Model Contract…

Webinar: Life After the Safe Harbor Under the “Privacy Shield”

March 3, 2016 at 12 p.m. EST

Companies of all types were caught off guard when the EU-U.S. Safe Harbor data transfer framework was invalidated in October 2015. In the months following the invalidation, many companies anxiously awaited a replacement for the original Safe Harbor framework. That replacement has now been announced in the form of the newly-negotiated “Privacy Shield” framework. Join Jana Fuchs and Jason Haislmaier as they discuss the details of the Privacy Shield framework, provide an update on the current status and timeline for the formal adoption of the Privacy Shield, and provide strategies for compliance in EU-U.S. cross border data transfers both now and following adoption of the Privacy Shield.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Advisory Board Calls for EU-US Safe Harbour Grace Period

The Article 29 Working Party — an independent data protection advisory board for the EU composed of representatives from the Member States — urgently called on the Member States to open discussions with US authorities in order to find legal and technical solutions that would replace the now-defunct EU-US Safe Harbour framework… Safe Harbor October 21 2015

The (ex) EU-US Safe Harbor At A Glance (2015)

On Tuesday, October 6, 2015, the European Court of Justice decided that the EU/US Safe Harbor regime for data transfers is no longer… safe. Until now, companies exchanging data between the EU and the US could rely on the Safe Harbor regime, but with the decision that is no longer an option. In addition, companies currently relying on Safe Harbor are scrambling to find alternative compliance strategies . . .

Progress on EU Data Protection Reform At A Glance (2015)

A timeline has been established in the EU to find an agreement between different versions of the draft data privacy regulations. If followed, the EU’s new regulation should come into force in 2018 . . .

US/EU Data Transfers: Informational Article (2015)

Difficulties often manifest themselves in transferring data from the ‘safe’ EU to the ‘unsafe’ US. Difficulties also exist with US law enforcement authority requests for access to such data, which is often not permitted under EU law. The following article, originally published in the Data Protection Law & Policy Journal, discusses these issues . . .

Appointing your company’s DPO in Germany At A Glance (2015)

Under German law, most companies are required to assign a data protection official (DPO) within one month of beginning business operations. The assigned DPO must be adequately qualified, and qualifications generally depend on the scope of data processed and the industry in which the business operates . . .

EU Binding Corporate Rules At A Glance (2015)

The EU Directive creates the legal framework for the national data protection laws in each EU member state. The EU Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. The laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company intends to transfer personal information into the United States, it must take one of the following steps to achieve the “adequacy” status required by the Directive. Binding Corporate Rules . . .

German Data Protection Law At A Glance (2015)

The main criterion in determining whether German law applies is whether a data controlling company is legally established in Germany or a data controlling company is established outside the EU but uses equipment that is located in Germany for data processing. This information sheet provides an overview of the requirements of Germany’s data protection law . . .

The EU Model Contracts At A Glance (2015)

The EU Data Protection Directive creates the legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. The EU Model Contracts . . .

Usage of US/EU Safe Harbor At A Glance (2015)

Companies completing the Safe Harbor process must make several decisions. For example, they must decide whether to have an independent third party verify their compliance with the Safe Harbor framework, whether to retain an arbitration group to adjudicate complaints about their privacy practices, and what data they wish to include within their certification. The following provides background and benchmarking concerning the types of companies that utilize . . .

Webinar: Data Privacy and Security Challenges in Global Employment Management: A Guide for In-House Attorneys

The presentation includes an interactive case study showing the challenges companies have to solve when operating a global HR system. Topics include the regulatory framework for collection and processing of personal employee data, the transfer of such data within a corporate group, purpose limitation and conflicts of law. Webinar archived by West Law Legal Ed Group. Search: “Data Privacy Challenges in Global Employment Management.”

The US/EU Safe Harbor At A Glance (2015)

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. Few exemptions apply, in particular when explicit consent was given or in direct business cases. The laws of the United States are not considered by the European Union as providing an adequate level of data protection. . .