The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company or employer intended to transfer personal data from the EU into the U.S., they traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….
What You Need to Know About the New General Data Protection Regulation (GDPR) (2016)
The EU Parliament Committee on Civil Liberties, Justice, and Home Affairs (“LIBE”) finally released the text of the long anticipated new data protection law. While the law has not formally been enacted, its adoption at this point is considered pro forma. Once adopted, its provisions will go into effect in spring of 2018. The hope, and expectation, is that the GDPR will cause the EU to have a much more harmonized approach to data protection.
Here is what companies doing business in the EU need to know about the new General Data Protection Regulation (GDPR or Regulation)….
How to Obtain EU Binding Corporate Rules (BCR) Approval (2016)
Privacy Shield: Safe Harbor 2.0? (2016)
As negotiators for the US Department of Commerce (“DOC”), Federal Trade Commission (“FTC”), and the European Commission move toward an agreement intended to allow continued US-EU data transfers, a closer look at the history of “Safe Harbor” and the proposed “Privacy Shield” framework leaves some questions unanswered.
Safe Harbor Invalidation
Under EU Data Protection Directive 95/46/EC (the “Directive”), personal data controlled in the EU may be transferred to countries outside the EU only when an “adequate level of protection” is guaranteed. From 2000 to 2015, thousands of companies achieved this adequacy status through the US-EU “Safe Harbor” framework, an annual certification process approved by the European Commission and made available to US companies subject to the jurisdiction of the FTC or Department of Transportation…
How to Use the EU Model Clauses (2016)
The EU Commission has created model contracts for data transfers (the “Model Contracts”) and determined that organizations which use the Model Contracts offer sufficient safeguards for cross-border data transfer as required by the Directive.
The EU Commission has issued three Model Contracts: Two for transfers from data controllers to data controllers established outside the EU, and one for a transfer to a data processor outside the EU. Once a company decides to use the model clauses functionally, three steps must be followed in order to put those clauses into place and have them help in the transfer of information out of the EU. The following provides a high-level overview of how to implement a Model Contract…
Webinar: Life After the Safe Harbor Under the “Privacy Shield”
March 3, 2016 at 12 p.m. EST
Companies of all types were caught off guard when the EU-U.S. Safe Harbor data transfer framework was invalidated in October 2015. In the months following the invalidation, many companies anxiously awaited a replacement for the original Safe Harbor framework. That replacement has now been announced in the form of the newly-negotiated “Privacy Shield” framework. Join Jana Fuchs and Jason Haislmaier as they discuss the details of the Privacy Shield framework, provide an update on the current status and timeline for the formal adoption of the Privacy Shield, and provide strategies for compliance in EU-U.S. cross border data transfers both now and following adoption of the Privacy Shield. Click here for more information or to register.
We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.
Advisory Board Calls for EU-US Safe Harbour Grace Period
The Article 29 Working Party — an independent data protection advisory board for the EU composed of representatives from the Member States — urgently called on the Member States to open discussions with US authorities in order to find legal and technical solutions that would replace the now-defunct EU-US Safe Harbour framework…
The (ex) EU-US Safe Harbor At A Glance (2015)
On Tuesday, October 6, 2015, the European Court of Justice decided that the EU/US Safe Harbor regime for data transfers is no longer… safe. Until now, companies exchanging data between the EU and the US could rely on the Safe Harbor regime, but with the decision that is no longer an option. In addition, companies currently relying on Safe Harbor are scrambling to find alternative compliance strategies . . .
Progress on EU Data Protection Reform At A Glance (2015)
US/EU Data Transfers: Informational Article (2015)
Difficulties often manifest themselves in transferring data from the ‘safe’ EU to the ‘unsafe’ US. Difficulties also exist with US law enforcement authority requests for access to such data, which is often not permitted under EU law. The following article, originally published in the Data Protection Law & Policy Journal, discusses these issues . . .
Appointing your company’s DPO in Germany At A Glance (2015)
Under German law most companies are required to assign a data protection official (DPO) within one month of beginning business operations. The assigned DPO must be adequately qualified, and qualifications generally depend on the scope of data processed and the industry in which the business operates . . .
EU Binding Corporate Rules At A Glance (2015)
The EU Directive creates the legal framework for the national data protection laws in each EU member state. The EU Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. The laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company intends to transfer personal information into the United States they must take one of the following steps to achieve the “adequacy” status required by the Directive. Binding Corporate Rules . . .
German Data Protection Law At A Glance (2015)
The main criterion in determining whether German law applies is whether a data controlling company is legally established in Germany or a data controlling company is established outside the EU but uses equipment that is located in Germany for data processing. This information sheet provides an overview of the requirements of Germany’s data protection law . . .
The EU Model Contracts At A Glance (2015)
Usage of US/EU Safe Harbor At A Glance (2015)
Companies completing the Safe Harbor process must make several decisions. For example, they must decide whether to have an independent third party verify their compliance with the Safe Harbor framework, whether to retain an arbitration group to adjudicate complaints about their privacy practices, and what data they wish to include within their certification. The following provides background and benchmarking concerning the types of companies that utilize . . .
Webinar: Data Privacy and Security Challenges in Global Employment Management: A Guide for In-House Attorneys
The presentation includes an interactive case study showing the challenges companies have to solve when operating a global HR system. Topics include the regulatory framework for collection and processing of personal employee data, the transfer of such data within a corporate group, purpose limitation and conflicts of law. Webinar archived by West Law Legal Ed Group. Search: “Data Privacy Challenges in Global Employment Management.”
The US/EU Safe Harbor At A Glance (2015)
The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. Few exemptions apply, in particular when explicit consent was given or in direct business cases. The laws of the United States are not considered by the European Union as providing an adequate level of data protection. . .