News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Tracker Privacy Tracker

Alerts and legal analysis of legislative trends

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Privacy List Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 Member Directory

Locate and network with fellow privacy professionals using this peer-to-peer directory.
Overview Online Training Live Online Training In-Person Training Books Sample Questions Train Your Staff Official Training Partners Web Conferences
European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 CCPA Training

Gain the knowledge needed to address the widest-reaching consumer information privacy law in the U.S.

 GDPR Training

Learn the legal, operational and compliance requirements of the EU regulation and its global influence.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 CIPP/E + CIPM = GDPR Ready CIPP/E + CIPM = GDPR Ready

The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for GDPR readiness. Learn more today.

 Certification CDPO Certification CDPO

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools Research Glossary DPAs FTC Casebook Enforcement Database IAPP Westin Research Center Jobs Privacy Vendor Marketplace
Privacy Vendor Marketplace Privacy Vendor Marketplace

Use the Vendor Demo Center, Privacy Vendor List and Privacy Tech Vendor Report to easily identify privacy products and services to support your work.
COVID-19 Resources

Access a collection of privacy news, resources, guidance and tools covering the COVID-19 global outbreak.
CCPA Genius

This tool maps requirements in the law to specific provisions, the proposed regulations, expert analysis and guidance regarding compliance, the ballot initiative, and more.
GDPR Genius

This interactive tool provides IAPP members access to critical GDPR resources — all in one location.
California Consumer Privacy Act

Looking for the latest resources, tools and guidance on the California Consumer Privacy Act? IAPP members can get up-to-date information right here.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
White Papers

Access all white papers published by the IAPP.
IAPP Research: Reports

Access all reports published by the IAPP.
IAPP Research: Surveys

Access all surveys published by the IAPP.
Schrems II FAQ & Resources

This FAQs page addresses topics such as the EU-U.S. Privacy Shield agreement, standard contractual clauses and binding corporate rules.
IAPP Privacy. Security. Risk. Online 2020 IAPP Privacy. Security. Risk. Online 2020

Explore the privacy/technology convergence by selecting live and on-demand sessions from this new web series. Customize your own learning and neworking program!

IAPP Summit Sessions IAPP Summit Sessions

Free to members. Get on-demand access to privacy experts through an ongoing series of 70+ newly recorded sessions. Cutting-edge IAPP event content, worth 20 CPE credits.

 IAPP Data Protection Intensives IAPP Data Protection Intensives

Choose from four DPI events near you each year for in-depth looks at practical and operational aspects of data protection.

IAPP Global Privacy Summit IAPP Global Privacy Summit

The world’s top privacy conference. Whether you work in the public or private sector, anywhere in the world, the Summit is your can't-miss event.

 IAPP Canada Privacy Symposium IAPP Canada Privacy Symposium

Find answers to your privacy questions from keynote speakers and panellists who are experts in Canadian data protection.

 IAPP Asia Privacy Forum IAPP Asia Privacy Forum

World-class discussion and education on the top privacy issues in Asia Pacific and around the globe.

IAPP ANZ Summit IAPP ANZ Summit

Delivering world-class discussion and education on the top privacy issues in Australia, New Zealand and around the globe.

IAPP Europe Data Protection Congress IAPP Europe Data Protection Congress

The hub of European privacy policy debate, thought leadership and strategic thinking with data protection professionals.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

 ANZ Members

Review current member benefits available to Australia and New Zealand members
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, 6 October 2017 Related reading: Roundup: Belgium, Ireland, UK, US and more

rss_feed
PrivacyTraining_ad300x250.Promo1-01

Greetings from London!

This week’s big news emanates from the Emerald Isle, where an Irish High Court judge has asked the Court of Justice of the European Union to determine the validity and legality of European Commission decisions approving EU-U.S. data transfer mechanisms used by the likes of giant tech companies, such as Facebook, Apple and Google.

The case is very significant and potentially has huge implications on trade worth billions of euros across the Atlantic. Not to mention the impact on the data privacy rights of millions of EU citizens, as well as their security. The case hinges predominantly on whether the transfer mechanisms in place afford sufficient protection from the prying eyes of U.S. intelligence and surveillance agencies for people in the EU.

Irish High Court Judge Caroline Costello said in relation to her decision, “European Union law guarantees a high level of protection to EU citizens ... they are entitled to an equivalent high level of protection when their data is transferred outside of the European Economic Area.”

Facebook and the U.S. government had opposed the Irish Data Protection Commissioner’s application for a referral to the CJEU, but the judge agreed to refer, concurring with Irish Commissioner Helen Dixon that there are “well founded” grounds for believing European Commission decisions of 2001, 2004 and 2010 approving the data transfer mechanism known as standard contractual clauses might be invalid. The crux of the concern surrounds the potential absence of an effective remedy in U.S. law compatible with the requirements of Article 47 of the (EU) Charter of Fundamental Rights. The judge went on to say that the newly created U.S. ombudsman dealing with European complaints about surveillance did not eliminate concerns, adding that judicial remedies “are few and far between and certainly not complete or comprehensive.” Costello did state, however, that she was not delivering any value judgment on either EU or U.S. data protection laws.

We have extensive coverage below on what Costello said, what it means, and what the future might hold.

In a statement issued by her office, Commissioner Dixon said she hoped these issues will be addressed by the CJEU as soon as possible to provide certainty for data subjects and controllers alike. In that context, the Commissioner acknowledges that many businesses rely on SCCs to transfer data from the EU to the U.S. It is important to note that today’s decision does not invalidate the SCCs (nor the Privacy Shield), nor does it prohibit their continued use for the purpose of data transfers to the U.S. or elsewhere.

“Uncertainty” is putting it mildly. If the CJEU were to rule against the common legal arrangements used by thousands of firms to transfer personal data outside the EU, this could cause major panic among companies as they look for alternative transfer mechanisms. In reality, millions of these transfers happen every hour of every day, including credit card transactions, hotel and transportation bookings, or even moving employee data between countries. Day-to-day business practices would be heavily impacted.

What’s next? I spoke to Kate Colleary, CIPP/E, from Colleary & Co. law firm and co-founder of privacy consulting company Frontier Privacy. She said the Irish High Court will now hear submissions from all parties on the content and format of the questions to be put to the CJEU. How these questions are phrased is likely to be subject to intense scrutiny and lengthy legal submissions. Once the submissions are made, the Irish Court will draft the final version of the questions to be put to the CJEU and refer the case to that court for a decision. Colleary added that the CJEU is likely to consider the case law to date, the facts as set out in the Snowden revelations, and the ongoing concerns about U.S. agencies’ alleged ability to indiscriminately access personal data of European citizens.

The process is likely to take at least another 18 months to conclude. In the meantime, SCCs and Privacy Shield certifications remain valid. Organizations will continue to rely on those methods to lawfully transfer data to the U.S., but we should expect everyone to be eyeing possibilities for alternative solutions.  

Author
Headshot Paul Jordan IAPP Staff Contributor
Tags
Europe
Comments

If you want to comment on this post, you need to login.

Related Stories
Roundup: Belgium, Ireland, UK, US and more
In this week's global legislative roundup, the U.K. Information Commissioner's Office handed down its stiffest fine to date. The European Data Protection Board addressed simplifying the EU General Data Protection Regulation's dispute-resolution mechanism. Brazil nominated a board of directors for it...
Read More queue Save This
Global News Roundup: Oct. 13–19, 2020
In this week's global legislative roundup, the U.K. Information Commissioner's Office handed down its stiffest fine to date. The European Data Protection Board addressed simplifying the EU General Data Protection Regulation's dispute-resolution mechanism. Brazil nominated a board of directors for it...
Read More queue Save This
Related Stories
Tags
Europe
Recent Comments