A pair of highly anticipated guidance documents outline the European Data Protection Board’s (EDPB) expectations for organizations transferring data out of the EU. While the detailed process for evaluating data transfers brings welcomed guidance and clarity, some aspects of the EDPB’s framework present significant obstacles for those working with non-EU service providers or moving data for routine business purposes.
For the full alert, visit the Faegre Drinker website.
On January 23, 2019, the European Commission announced its decision to adopt adequacy status with Japan for transfers of personal data. Pursuant to the European Union’s (EU) General Data Protection Regulation (GDPR), this decision will allow personal data to flow freely between the 28 EU countries, three additional European Economic Area member countries (Norway, Liechtenstein, and Iceland), and Japan, without the need for additional data protection safeguards or derogations. Japan adopted an equivalent decision with the EU on January 22, 2019. These reciprocal findings of adequacy will create the largest area of safe data flows in the world.
The EU Commission published its second annual review of the functioning of the EU-US Privacy Shield, which focused on the commercial issues, human resources and data automated individual decision-making and developments in the U.S. legal framework. This report follows the same general structure as the report on the first annual EU-US Privacy Shield review that we reported on last year.
On October 3, 2017, the Irish High Court referred Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems to the Court of Justice of the European Union (CJEU), where the future of standard contractual clauses (SCCs) will be decided (here).
In December 2015—following the CJEU’s landmark decision in Maximillian Schrems v. Data Protection Commissioner invalidating the U.S.-EU Safe Harbor framework—Schrems amended his original complaint to the Irish Data Protection Commissioner (DPC), challenging the validity of data transfers to the U.S. based on the European Commission approved SCCs (available here). Based on the CJEU’s Schrems decision, the Irish DPC petitioned the Irish High Court asking to refer the matter to the CJEU for ruling on the question of whether the European Commission’s SCC decisions are valid under European law. Specifically, the Data Protection Commissioner questioned whether there is an effective remedy under U.S. law compatible with the requirements of Article 47 of the EU Charter of Fundamental Rights for an EU citizen whose data is transferred to the U.S., where such data is subject to electronic surveillance by U.S. agencies for national security purposes. EU citizens have a right guaranteed by Article 47 of the Charter to an effective remedy before an independent tribunal if their rights or freedoms are violated. These include the rights under Articles 7 and 8 to respect for private and family life and protection of personal data.
Providing data subjects with meaningful information regarding the processing of their personal data and their rights with respect to such processing is an axiom of privacy law—and a key requirement under the General Data Protection Regulation (GDPR).
The significance of this principle of transparency was recently highlighted by the European Court of Human Rights (ECHR) in Bărbulescu v. Romania where the court affirmed an employee’s right to privacy when using communications tools in the workplace due, in part, to the employer’s failure to provide adequate notice regarding its internet monitoring activities. This post briefly discusses the principle of transparency under GDPR and its application to the Bărbulescu case.