US – EU Safe Harbor for Cross-Border Data Transfers: Cyberspace Law Committee Business Law Section State Bar of California Recent Developments of a Program Under Attack Mark B. Aldrich ©2015 Aldrich Law Group All Rights Reserved

US – EU Safe Harbor for Cross-Border Data Transfers:

Cyberspace Law Committee

Business Law Section

State Bar of California

Recent Developments of a Program Under Attack

Mark B. Aldrich

© 2015 Aldrich Law Group All Rights Reserved

US – EU Safe Harbor

The Basics

Recent Developments

Enforcement Actions

US – EU Safe Harbor

The Basics

US – EU Safe Harbor Basics

• EU Data Protection Directive 94/46/EC

- Established in 1998

- Prohibits Transfer of Personal Information Without Meeting EU “Adequacy” Standard

• US Dept. of Commerce and EU Commission Developed Safe Harbor

- Approved by EU in 2000

US – EU Safe Harbor Basics

• US Companies may self-certify

- Annual Certification to Department of Commerce

- Public Notice of Compliance in its Privacy Policy

US – EU Safe Harbor Basics

• Safe Harbor Privacy Principles

- Notice

- Choice

- Third Party Transfers

- Access

- Security

- Data Integrity

- Enforcement

US – EU Safe Harbor Basics

• Enforcement

- Procedures for Verifying Safe Harbor Principles Implemented

- Obligations to Remedy Problems Arising from Failure to Comply

- Sanctions Must be Sufficiently Rigorous to Ensure Compliance

- Readily Available and Affordable Method

US – EU Safe Harbor

Recent Developments

US – EU Safe Harbor: Recent Developments

• April 29, 2010 GDPA Decision

- Active Verification of Compliance is Recommended

• July 19, 2013 EU Commission V.P.

- “Safe Harbor may not be so safe after all.”

- “Could be a loophole for data transfers because it allows data transfers . . . although U.S. data protection standards are lower than our European ones.”

US – EU Safe Harbor: Recent Developments

• July 24, 2013

- GDPA Reacts to Discovery of U.S. Surveillance Programs

• November 27, 2013

- EC Calls on U.S. Authorities to Implement 13 Recommendations and Identify Remedies by Summer 2014

US – EU Safe Harbor: Recent Developments

• March 12, 2014

- EU Parliament Calls for “Immediate Suspension” of the Safe Harbor Because the Principles “do not provide adequate protection for EU citizens”

• April 10, 2014

- Article 29 Working Party Confirms EC’s 13 Recommendations

US – EU Safe Harbor: Recent Developments

• August 8, 2014

- Center for Digital Democracy (US) Files Complaint With FTC Against 30 Companies for Safe Harbor Violations

• October 9, 2014

- GDPA Publishes Guide for Cloud Computing Highlighting Full Liability of Cloud Provider for Damages to the Data Subject

- Advised Implementation of EU Model Clauses or Binding Corporate Rules

US – EU Safe Harbor: Recent Developments

• November 17, 2014

- TRUSTe Verification Service Settles Claim of Deception by FTC Alleging it Failed to Conduct Annual Re-certifications

• January 27, 2015

- GDPA Demands Short Term Resolution of EU Concerns. States That a Failure of Negotiations Between EC and DOC May Result in the Suspension of All Data Transfers to US by Member DPAs

US – EU Safe Harbor: Recent Developments

• January 28, 2015

- GDPA (Berlin and Bremen) Announce Initiation of Administrative Proceedings Against Two U.S. Companies Which Self-Certified as Compliant With Safe Harbor

• March 24, 2015

- European Court of Justice Set to Hear Schrems Appeal, Transferred From Ireland High Court, for Determination of Validity of Safe Harbor Framework Given Developments Since Enactment In 2000 and Snowden Revelations

US – EU Safe Harbor

Enforcement Actions

US – EU Safe Harbor: Enforcement Actions

• Schrems v. Data Protection Comm’r.

- Maximilian Schrems Files Administrative Complaint With the Ireland DPC and Requests Investigation of Facebook Data Protection Policy in Light of Snowden Revelations

- DPC Refuses to Investigate, Finding Preemption of National Law by Safe Harbor; No Evidence of Actual Harm to Schrems

- Due to Preemption, Complaint Unsustainable in Law

US – EU Safe Harbor: Enforcement Actions

• Schrems v. Data Protection Comm’r.

- Schrems Sues DPC for Failing to Investigate

- Ireland High Court findings:

• Preemption Confirmed

• Actual Harm Not Required – Right to Privacy Inviolate

• Given Developments Since 2000, It Was Unclear How the Safe Harbor Could Possibly Comply With Laws Enacted Since 2000

US – EU Safe Harbor: Enforcement Actions

• Schrems v. Data Protection Comm’r.

- Case Referred to European Court of Justice (ECJ) to Answer the Following Questions:

• Are DPCs Absolutely Bound by Community Finding?

• May a DPC Conduct Investigation of the Matter in Light of Factual Developments Since Safe Harbor Enacted?

US – EU Safe Harbor: Enforcement Actions

• German DPCs’ Admin. Actions

- German Data Protection Commissioners in Berlin and Bremen Commenced Administrative Actions Against Two U.S. Companies Which Self-Certify Safe Harbor Compliance

• Safe Harbor Insufficient Protection for German Data

• Threaten to Block All Data Transfers Out of Germany

US – EU Safe Harbor for Cross-Border Data Transfers: Recent Developments of a Program Under Attack

Mark B. Aldrich
