On February 2, 2016, the European Commission announced that a political agreement on a new legal framework for data transfers has been reached between the European Union (EU) and the U.S. Today’s agreement introduces the
What’s Next for U.S.-EU Data Transfers? An Analysis of Recent Developments Following Schrems
On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor framework as a legal basis for transferring personal data from the European Union to the U.S.1 The judgment was delivered in Schrems v. Data Protection Commissioner, a case in which Max Schrems, an Austrian student, complained to the Data Protection Authority (DPA) in Ireland about the transfer of his personal data by Facebook to its servers in the U.S.
The Schrems judgment is of major importance to the over 4,000 companies that relied on Safe Harbor to transfer personal data from the EU to the U.S. This article details the background of the case, analyzes its holdings and consequences, and summarizes the main developments that have occurred since the judgment was issued.
Continue Reading What’s Next for U.S.-EU Data Transfers? An Analysis of Recent Developments Following Schrems
Landmark Decision Clarifies Territorial Scope of Application of National Data Protection Laws in the EU
On October 1, 2015, the Court of Justice of the European Union (CJEU), which is the EU’s highest court, delivered its judgment in Case C-230/14—Weltimmo.1 The CJEU ruling is a landmark decision in determining the territorial scope of application of national data protection laws and the competence of national Data Protection Authorities (DPAs) in the EU.
All 28 countries of the EU have their own national data protection laws. The territorial scope of application of these laws often raises questions for companies doing business in multiple EU countries. The main rule states that the national data protection law of a certain EU country applies if data processing is “carried out in the context of the activities of an establishment” of the data controller in that EU country. If the data controller is not established in the EU, but makes use of “equipment” in a certain EU country to process personal data, the national data protection law of that EU country will apply. The Weltimmo case provides some clarity on how to determine the application of EU data protection law when the data controller is established in the EU.
Continue Reading Landmark Decision Clarifies Territorial Scope of Application of National Data Protection Laws in the EU
EU Data Protection Regulators Issue Guidance on Drones
On June 16, 2015, the body of European data protection regulators known as the Article 29 Working Party (WP29) issued an opinion1 that clarifies EU data protection rules in the context of civil drones. The opinion explains how the principles of EU data protection law apply to drones, and provides a list of recommendations for drone manufacturers and operators, regulators and policymakers, and other stakeholders. This article highlights the key takeaways of the WP29 opinion.
Continue Reading EU Data Protection Regulators Issue Guidance on Drones
Status Update on the EU Data Protection Regulation
On June 15, 2015, the Ministers of Justice of all 28 European Union member states, sitting as the Council of the EU (Council), reached a crucial agreement for the future EU data protection legal framework. Much work still needs to be completed, but this is a major step forward in the adoption of the EU General Data Protection Regulation (Regulation).
The Regulation introduces important changes to EU data protection law that will have a significant impact on companies doing business in the EU. While the timing of final approval is still unknown, the fact that the Council has reached a general approach significantly increases the chances that the final text of the Regulation will be adopted in the foreseeable future. To learn more about the practical implications for businesses and how to prepare for the new legal framework, please join our webcast on July 15.
Continue Reading Status Update on the EU Data Protection Regulation
EU Data Protection Regulators Issue Guidance on the Internet of Things and Device Fingerprinting
The European data protection regulators, the Article 29 Working Party (WP29), recently issued two guidance papers which clarify the data protection legal framework applicable to the Internet of Things (IoT) and to the use of device fingerprinting. Both opinions underline WP29’s current focus on data-driven innovations. This article highlights the key takeaways from these two opinions.
Continue Reading EU Data Protection Regulators Issue Guidance on the Internet of Things and Device Fingerprinting