EU-US Data Transfers
EU-US Data Privacy Framework – Guidance and Resources
The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework 10 July. This page will stay updated with the latest guidance documents and resources covering what these new rules say, how they work and what comes next as the framework takes effect. Read More
Implementing Transatlantic Transfers
This chart outlines the key changes and requirements for U.S. organizations participating in the Data Privacy Framework, and for EU organizations transferring to U.S. organizations. Read More
EU-US data adequacy litigation begins
We are off to the adequacy races, again. The first horse to bolt is very often the first to reach the first fence. While EU litigation has many fences, there's only ever one first fence: admissibility. Broadly speaking, there are two main routes by which an adequacy decision (as with other EU regulatory instruments) can be struck down. A ruling by the EU General Court, having adjudicated on a direct action for annulment (under Article 263 of the TFEU). A ruling by the Court of Justice of th... Read More
The EU-US Data Privacy Framework in practice
On 10 July, the European Commission deemed the EU-U.S. Data Privacy Framework adequate, providing enhanced protections to EU individuals as well as much-needed assurance for EU and U.S. businesses that personal data can again flow across the Atlantic in compliance with the EU General Data Protection Regulation. Read More
European Commission adopts EU-US adequacy decision
The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding it ensures U.S. protection of personal data transferred between the countries is comparable to that offered in the EU. But even as its finalization was announced Monday, the new framework, which enters into force 11 July, is poised to face a legal challenge. "Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or a... Read More
Web Conference: EU-U.S. Data Privacy Framework: New Independent, Binding Redress Mechanism
Original broadcast date: 27 March 2023 In this web conference, you will learn directly from the source how the redress process functions from beginning to end. In this session, the panelists aim to address key questions such as how the redress mechanism will work overall, what the Attorney General designation of a country is, what is involved at the ODNI CLPO stage of review, how DPRC serves its function as the second level of redress and what steps the CLPO or DPRC can take to remedy a covered violation of law. Read More
MEPs urge European Commission to reject EU-US adequacy
The European Parliament Committee on Civil Liberties, Justice and Home Affairs does not want the European Commission to extend an adequacy decision to the U.S. based on the proposed EU-U.S. Data Privacy Framework. The committee made as much clear in its draft opinion on the EU-U.S. adequacy published Feb. 14. In their opinion, committee members concluded the proposed DPF "fails to create actual equivalence in the level of protection" offered under the EU General Data Protection Regulation and u... Read More
The EU-US Data Privacy Framework and next steps for data transfers
Original broadcast date: Oct. 7, 2022 In this LinkedIn Live event, IAPP's Caitlin Fennessy, CIPP/US, Alton & Bird's Peter Swire, CIPP/US, American University Washington College of Law's Alex Joel, CIPP/G, CIPP/US, and Future of Privacy Forum's Gabriela Zanfir-Fortuna discuss U.S. President Joe Biden's executive order implementing the EU-U.S. Data Privacy Framework. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn profile ... Read More
Infographic: From Privacy Shield to the Trans-Atlantic Data Privacy Framework
The EU and U.S. announced an agreement “in principle” on a new Trans-Atlantic Data Privacy Framework. This infographic outlines the EU adequacy process. Read More
The redress mechanism in the Privacy Shield successor: On the independence and effective powers of the DPRC
On Oct. 7, U.S. President Joe Biden issued an “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” and the Department of Justice supplemented it with a new regulation. As explained by the Commission of the European Union, the executive order and regulation establish “a new two-layer redress mechanism, with independent and binding authority.” In the first layer, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protecti... Read More
Privacy Shield and the UK — FAQs
This guidance page, published by Privacy Shield Framework, provides information through a list of frequently asked questions regarding the EU-U.S. Privacy Shield Framework and the United Kingdom in light of the Brexit negotiations. Click To View ... Read More
New SCCs are coming soon, but a Privacy Shield replacement remains on the horizon
As hard as it is to believe, it has almost been one year since the Court of Justice of the European Union made its decision in the "Schrems II" case. The CJEU struck down the EU-U.S. Privacy Shield agreement while upholding standard contractual clauses, albeit with caveats. Since then, privacy professionals have been waiting for conclusive answers to address trans-Atlantic data flows, and there has been some news on that front over the past couple of months. The European Commission unveiled its... Read More
Industry gauges future of Privacy Shield replacement
Privacy professionals continue to wait for news on a replacement for the EU-U.S. Privacy Shield after it was struck down by the Court of Justice of the European Union in its “Schrems II” ruling last summer. Recent reports suggest it may not be anytime soon. European Union Justice Commissioner Didier Reynders said a Privacy Shield replacement is likely years away, citing the challenges in finding a data transfer deal that would protect European citizens’ data from U.S. intelligence agencies. Th... Read More
Will Privacy Shield's demise usher in an era of transparency? Part 2
This is the second installment of a two-part series on Privacy Shield's invalidation. In part one, Schwarz discussed concerns about national security agency access to records and its role in Privacy Shield's demise. Here, Schwarz explores options for transparency as to redress, as well as ways companies can use transparency to bolster confidence and encourage continued data sharing through mechanisms such as standard contractual clauses. As noted in part one of this series, in July, the Court o... Read More
Israel’s Privacy Shield announcement: Tiptoeing between the EU and US
Israel’s Privacy Protection Authority announced Sept. 29 that following the "Schrems II" ruling, data transfers from Israel to the United States can no longer rely on the EU-U.S. Privacy Shield. The decision demonstrates the tightrope act third countries find themselves in as they try to gingerly navigate the treacherous EU-U.S. privacy terrain without disrupting economic or political ties. The U.S. and EU are Israel’s largest trade partners. Moreover, Israel is one of the few countries to have... Read More
Irish DPC tells Facebook to stop transferring data to the US: Should panic ensue?
The Wall Street Journal reported Sept. 9 that Ireland's Data Protection Commissioner issued a preliminary order that Facebook must stop transferring user data to the U.S. The order, which was reported based on anonymous sources "according to people familiar with the matter," follows the Court of Justice of the European Union's ruling on the Schrems v. DPC case in July, in which the court struck down the Privacy Shield agreement between the EU and U.S. citing problems with U.S. surveillance polic... Read More
EU, US initiate talks on potential 'enhanced' Privacy Shield
The U.S. Department of Commerce and the European Commission announced Monday that they have initiated discussions "to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgement of the Court of Justice of the European Union in the 'Schrems II' case." Last month's decision invalidated Privacy Shield and placed additional due diligence requirements on companies transferring European citizens' data to non-EU countries through standard contractual cla... Read More
Schrems, Ustaran react to CJEU's ruling on Privacy Shield, SCCs
Privacy professionals are now operating in a different world following the Court of Justice of the European Union's ruling in the "Schrems II" case. The EU-U.S. Privacy Shield agreement is now invalid. The CJEU upheld standard contractual clauses; however, third countries must have the proper protections in place when EU data is transferred. The decision has massive ramifications for international data transfers. The privacy industry now has to both analyze just what exactly the CJEU decided... Read More
The show must go on
It’s already a cliché to say that there’s never a dull moment in privacy. Here comes the Equifax data breach followed in quick succession by Marriott and Capital One; there goes the Cambridge Analytica scandal with the U.S. Federal Trade Commission slapping Facebook a $5 billion fine; make way for Alastair Mactaggart with a new ballot initiative to supersede the California Consumer Privacy Act; now enter "Schrems II" with the invalidation of the EU-U.S. Privacy Shield. Lawyers are running around... Read More
CJEU invalidates EU-US Privacy Shield; SCCs remain valid
In a major development for international data transfers, the European Union's highest court declared Thursday that the EU-U.S. Privacy Shield arrangement — which includes thousands of participating companies — is invalid. The Court of Justice of the European Union, however, did uphold the validity of standard contractual clauses, but there must be protections in place in the third country to which EU data is transferred — specifically with regard to access by public authorities and judicial red... Read More
What Privacy Shield organizations should do in the wake of 'Schrems II'
The Court of Justice of the European Union issued its decision in "Schrems II" Thursday, a landmark decision that invalidates the EU-U.S. Privacy Shield arrangement. Until July 16, Privacy Shield had served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States under the EU General Data Protection Regulation. More than 5,000 organizations participate in Privacy Shield. Many thousands more EU companies rely on Privacy Sh... Read More
The 'Schrems II' decision: EU-US data transfers in question
On July 16, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules. The decision also cast a long shadow over other personal data transfers from Europe to the U.S., given the C... Read More