Safe Harbor

Ohio Enacts Cybersecurity Safe Harbor Law

Written by

Ohio recently enacted the Ohio Data Protection Act (2018 SB 220), a law that offers a breach litigation safe harbor to businesses meeting specific cybersecurity standards. While the law does not prevent a plaintiff from filing a lawsuit following a data breach, it does provide an affirmative defense to companies defending themselves against such claims. If an entity’s data security policies conform to one of several listed cybersecurity frameworks, the entity can invoke the safe harbor as a defense, and possibly defeat a tort claim alleging that the company’s failure to comply with reasonable […] Read more

EU-US Privacy Shield – FAQs

Written by and

Today, the European Commission (“EU Commission”) formally approved a new transatlantic framework for the transfer of personal data from Europe to the United States (“U.S.”) (the “Privacy Shield”). Under the EU Commission’s decision approving the new framework ( the “Adequacy Decision”), U.S. organizations participating in the Privacy Shield will be deemed to ensure an “adequate level of protection” for the transfers of personal data from Europe to the U.S.. The Privacy Shield is the result of extensive negotiations between the EU Commission and the U.S. Department of Commerce [...] Read more

EU Institutions Weigh In on Commission’s EU-U.S. Privacy Shield Proposal

Written by

Last week has seen two important developments in relation to the EU-U.S. Privacy Shield (“Privacy Shield”) for transfers of personal information from Europe to the United States. A draft adequacy decision and related documentation for the Privacy Shield were released by the EU Commission on February 29, 2016, and are now being reviewed by the relevant EU bodies. Following an opinion by the consortium of data protection authorities (“DPAs”), the Article 29 Working Party (“WP29”), which called for substantial amendments to the Privacy Shield, the EU Parliament and the European Data [...] Read more

Germany’s Christmas Present: Data-Protection Class Actions

Written by

Following the European Court of Justice’s Schrems decision invalidating the Safe Harbor mechanism, much attention has focused on how the Data Protection Authorities (DPAs) of EU member states would interpret and enforce Schrems. While close attention to DPA activity is important—and will become even more so upon the passage of the EU General Data Protection Regulation—some DPAs currently appear to be operating near enforcement capacity.  For example, the DPA of the German state of Hamburg recently released a report titled “Numbers - Facts - Shortcomings - Solutions” in which it indicated [...] Read more

Senior Counsel Peter Swire to Debate European Privacy Activist Max Schrems

Written by

Peter Swire, Alston & Bird Senior Counsel and Huang Professor of Law and Ethics at the Georgia Institute of Technology Scheller College of Business, will debate privacy activist Max Schrems on January 26, 2015 in Brussels, Belgium.  The event, sponsored by the Brussels Privacy Hub at the Vrije Universiteit Brussel, will take place at the Belgium Permanent Representative to the EU and is a pre-conference launch event to the Computers, Privacy & Data Protection 2016 conference taking place in Brussels on January 27-29.  (Peter Swire will also participate in two sessions at the conference: [...] Read more

Updated Schrems ECJ / Safe Harbor Ruling FAQs

Written by

Alston & Bird has published an updated set of Frequently Asked Questions (FAQs) on the decision by the European Court of Justice holding that the U.S.-EU Safe Harbor Framework is invalid (also known as the Schrems decision). The FAQs are designed to help companies that rely on the Safe Harbor Framework understand the scope of the ECJ decision and think through options to continue to move personal data from the European Economic Area to the United States.  Our new version incorporates updates based on developments since October 15.  Please see our original blog entry on the decision here. [...] Read more

European Commission Releases Communication on Schrems and Safe Harbor 2.0

Written by

On November 6, 2015, the European Commission released a widely-anticipated Communication assessing the impact of the judgment of the European Court of Justice (“ECJ”) in the Schrems case (C-362/14), which invalidated the U.S.-EU Safe Harbor framework.  Though the Communication is not legally binding, it provides useful guidance to companies on transfers of personal data to the United States in the absence of the Safe Harbor mechanism. The Commission’s Communication is consistent with analysis and approach outlined by the European data protection authorities (“DPA”) in their October [...] Read more

Jan Dhont Authors Corporate Counsel Article on Safe Harbor Decision

Written by

Jan Dhont, Brussels partner and head of the firm’s European Privacy and Data Protection practice authored the Corporate Counsel article, “The Sinking of the Safe Harbor: Just Another Symbolic Decision?”  In the article, Dhont discusses the concerns and uncertainty stemming from the October 6 European Court of Justice strike-down of Safe Harbor, and where companies may go from here.  This ruling is a matter of global concern and may actually result in less privacy for individuals, not more. Dhont notes that while there are mid- to long-term solutions to take the place of Safe Harbor, [...] Read more

Commission Underlines Commitment to Safe Harbor Discussions

Written by

In a keynote speech today before the 37th International conference of Privacy and Data Protection Commissioners in Amsterdam,  EU Justice Commissioner Vera Jourová reiterated the commitment of the European Commission to completing discussions with the United States on a replacement framework for the U.S.-EU Safe Habor. Commissioner Jourová noted that, in the wake of the European Court of Justice’s October 6, 2015 judgment in the Schrems case (C-362-14), the Commission had stepped up discussions with the United States at the political level as well as the technical level.  There is now [...] Read more

Article 29 Working Party Calls for Political Action

Written by

In a concise statement, the Article 29 Working Party (WP29), a consortium of European Data Protection Authorities (DPAs), released a position paper today about the landmark ruling of the European Court of Justice in Maximilian Schrems v. Data Protection Commissioner (C-362-14). WP29 makes a political call on the EU Member States to finalize discussions with the US authorities on a political and legal solution for the transfer of personal information from the EU to the US.  The solution should ensure that strong guarantees are provided to EU data subjects against US surveillance.   WP29 calls [...] Read more