IP/IT (Intellectual Property/Information Technology)

Similar documents
Privacy & Data Security: The Future of the US-EU Safe Harbor

Luxembourg. Newsletter Q2/Q News on MiFID II and its implementation. Regulation on key information documents for investment products

Establishing a Corporate Set-Up in Myanmar Updated: June 2015

Safe Harbour Agreement no longer a valid basis for EEA to US transfers of personal data

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Context. To cloud or not to cloud, that is a very serious question. Legal challenges in a post Safe Harbour and pre GDPR cloud world

THE TRANSFER OF PERSONAL DATA ABROAD

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

ARTICLE 29 DATA PROTECTION WORKING PARTY

Your Team for China. Legal advice. Tax advice. Luther.

Privacy in the cloud. DNB has indicated that it considers cloud computing a form of outsourcing.

1999 No CONSUMER PROTECTION. The Unfair Terms in Consumer Contracts Regulations 1999

Under European law teleradiology is both a health service and an information society service.

2015 No CONSUMER PROTECTION. The Alternative Dispute Resolution for Consumer Disputes (Amendment) Regulations 2015

EU- US NGO Letter on 1 To Secretary Pritzker

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation

Court of Justice of the European Union PRESS RELEASE No 70/14

Section 1: Development of the EU s competence in the field of police and judicial cooperation in criminal matters

Data protection issues on an EU outsourcing

Application of Data Protection Concepts to Cloud Computing

Benefits for Collective Investment Vehicles in the EU

AIRBUS GROUP BINDING CORPORATE RULES

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

BCS, The Chartered Institute for IT Consultation Response to:

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

The European Union as a Constitutional Guardian of Internet Privacy and Data Protection: the Story of Article 16 TFEU

Article 29 Working Party Issues Opinion on Cloud Computing

DIRECTIVE 2009/38/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

How To Understand The Privacy Shield

Access to Information by Succeeding Auditors

Data Privacy in the Cloud: A Dozen Myths & Facts

Data transfers in the Cloud

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

Corporate Policy. Data Protection for Data of Customers & Partners.

Intellectual Property & Data Protection 2015: Legal developments you need to know about

In case of any discrepancy between the original Danish text and the English translation of this Act, the Danish text shall prevail.

Global Social Security Newsletter June 2014

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

Recent case-law of the Court of Justice of the European Union and of the (Supreme) Administrative Courts in public procurement litigation

Listing and Admission to Trading Rules for. Short Term Paper. Release 2

Data Protection, Software Licenses and other Legal Issues in the Cloud

White Collar Crime & Compliance

General Terms and Conditions of ICTRecht

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

Quantitative restrictions on imports and all measures having equivalent effect shall be prohibited between Member States.

COUNCIL OF THE EUROPEAN UNION. Brussels, 22 November /06 DATAPROTECT 45 EDPS 3

The Amendment of the Loan Agreement (for Business)/ Overdraft Facility Agreement (for Consumption)/ Money Mortgage Agreement*

Overview of Employment and Employee Privacy Laws and Key Trends in Austria

The eighth data protection principle and international data transfers

The New Zealand Security Intelligence Service Amendment Bill

Brief Summary on the Philippine B bilateral Air Services Agreement

Data Protection Policy.

Leadership clauses in co-insurance and layered coverage

E U R O P E A N E C O N O M I C A R E A

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Supported by. World Trademark Review. Anti-counterfeiting. Poland. Contributing firm Patpol Patent & Trademark Attorneys.

Factsheet on the Right to be

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

Reform of In-Court Restructurings in Germany New Options and Implications for Creditors, Debtors and Shareholders

The Århus Convention by Jens Hamer, ERA

DIRECTIVE 2014/32/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Version 56 (29/11/2011)

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. Rebuilding Trust in EU-US Data Flows

5419/16 ADD 1 VH/np 1 DGD 2C

Liechtenstein. Heinz Frommelt. Sele Frommelt & Partners Attorneys at Law Ltd

Standard conditions of purchase

According to section 53 of the Insurance Act the insurance intermediary is only empowered with respect to the transaction in which it takes part to:

Council of the European Union Brussels, 26 June 2015 (OR. en)

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Minister Shatter presents Presidency priorities in the JHA area to European Parliament

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?

The Electricity and Gas (Internal Markets) Regulations 2011

Free access to information and culture: between freedom of expression and commercial interest Copyright law Access to public events

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Principles of Best Practice applicable to the distribution of Life Insurance Products on a Cross-border Basis within the EU or a Third Country

Public Audit (Wales) Act 2004

Student accommodation and affordable housing contributions

Transcription:

IP/IT (Intellectual Property/Information Technology) European Court of Justice declares US Safe Harbor invalid Special Newsletter II Legal advice. Tax advice. Luther.

Special newsletter II IP/IT European Court of Justice declares US Safe Harbor invalid On 6 October 2015 the European Court of Justice (ECJ) held that the Commission Decision 2000/520/EC of 26 July 2000 is invalid. This means that there is no longer any legal basis for the transfer of personal data to the U.S. in many cases. The U.S. lose their status as a country that disposes of an adequate level of data protection that is essentially equivalent to that guaranteed by the Data Protection Directive 95/46/EC within the scope of application of the U.S.-EU Safe Harbor certification. At the same time the ECJ strengthens the control rights of the national data protection authorities with this judgment. 1. Case history The judgment of the ECJ is based on a request for a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union (TFEU) from the High Court of Ireland, made by decision of 17 July 2014. An Austrian citizen filed the action. He lodged a complaint with the Irish Data Protection Commissioner because of the transfer of his personal data by the European Facebook headquarters, Facebook Ireland Ltd., to the U.S. and insufficient protection of his data in the U.S. without success. The Data Protection Commissioner rejected the complaint on the ground that he would be tied to the considerations of the EU Commission in its Safe Harbor Decision in the year 2000 on the adequacy of the level of data protection in the U.S. In the view of the Data Protection Commissioner the revelations related to NSA surveillance did not affect the validity of this Decision. The Austrian then brought this case before the High Court of Ireland, which in turn submitted the question to the ECJ whether an independent data protection supervisory authority could be tied to the Safe Harbor Decision of the EU Commission insofar as it no longer may perform an own assessment and may not consider more recent developments. In the Advocate General s opinion he announced at the end of September 2015 that in his view it would not be possible for the EU Commission to restrict the control rights of the national data protection authorities by a decision such as the Safe Harbor scheme. This would call their independence which is expressly intended under European law - into question. According to the Advocate General it is the task of the Member States to ensure that the national data protection authorities are able to protect the fundamental rights of their citizens. In his view, U.S. legislation allows to store personal data of EU citizens without those citizens benefiting from effective judicial protection. After the new findings concerning the NSA the EU Commission ought to have suspended the application of the Safe Harbor scheme. According to the Advocate General it is not sufficient that the EU Commission is currently conducting new negotiations with the U.S. in order to put an end to potential infringements of data protection law. 2. Matter of the judgment The ECJ followed the view of the Advocate General. In the light of Articles 7, 8 and 47 of the EU Charter of Fundamental Rights, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data has to be interpreted in such a way that a decision such as the Safe Harbor Decision does not prevent a national data protection supervisory authority from investigating complaints of persons affected, if these persons claim that the law and practice of the country into which personal data is transferred from the EU, do not ensure an adequate level of protection. EU Member States and their responsible supervisory authorities are not entitled to adopt measures contrary to the EU Commission Decision, such as legal acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection. Legal acts of EU institutions are in principle presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality. Nevertheless a Commission Decision could not prevent a review by the data protection supervisory authorities. The ECJ states that the Safe Harbor Decision does not contain sufficient guarantees within the meaning of the EU Data Protection Directive. It allows U.S. intelligence services to have access to personal data based on requirements of national security, public interest or other legal regulations in the US without any differentiation regarding the use of such data. The Safe Harbor Decision, furthermore, does not contain any statements regarding EU citizens efficient legal protection against interception and surveillance measures of the National Security Agency. In this context the Advocate General noted that all companies involved in the PRISM program of the NSA are certified under the Safe Harbor scheme which means that 2

the Safe Harbor scheme serves as a door opener for U.S. surveillance authorities to collect personal data originating in the EU. 3. Background The Safe Harbor Decision of the EU Commission has already been criticized for a while. The Data Protection Directive 95/46/EC requires that Member States only permit the transfer of personal data to third countries which ensure an adequate level of data protection. Based on Article 25 of the EU Data Protection Directive the EU Commission has determined for certain states with effect throughout the EU that an adequate level of protection exists in these states for the data transmitted into these countries. In its so-called Safe Harbor Decision 2000/520/EC dated 26 July 2000 the EU Commission found that the U.S. ensured such an adequate level of protection. U.S. enterprises for which the U.S. Department of Commerce is responsible may join the Safe Harbor and have themselves entered in the corresponding list of the US Department of Commerce, if they undertake to adhere to the Safe Harbor Privacy Principles and the associated - binding - FAQ. Transfers of personal data from an EU Member State to an enterprise certified under the Safe Harbor scheme therefore no longer required any additional arrangements with regard to the EU requirements for transfers to third countries. Several thousands of U.S. enterprises, such as Microsoft, IBM, Google and Facebook, are U.S.-European Union Safe Harbor-certified. demand into practice, insofar as data transfers to countries with an adequate level of protection do not require any permit from any supervisory authority. Regardless of this demand and its possibility of implementation in practice as well as the resulting announcement of the EU Commission to review the Safe Harbor Decision, the Decision was still in full force and effect until the current judgment of the ECJ. 4. Consequences of the ECJ judgment As a consequence of the ECJ judgment the national data protection authorities are required to take current trends into account in their review on a case-by-case basis in future. The invalidity of the Safe Harbor Decision has substantial consequences for European enterprises that transfer personal data to the U.S. and have ensured the adequacy of the level of data protection in the U.S. via the U.S.-EU Safe Harbor certification of the enterprise based in the U.S. receiving the data so far. This applies to the transfer of personnel and customer data inside a group for instance, if a European subsidiary exchanges data with its U.S. headquarters as well as to the transfer of data to U.S. IT service providers and social media platforms. In particular for cloud-based services the exchange of data on a global scale is part of their business model which is why they are particularly affected by the ECJ judgment. 5. Immediate need for action for enterprises The Safe Harbor Decision has been criticized not only since the scope of surveillance rights of the U.S. intelligence service NSA was revealed. As early as 28/29 April 2010 the so-called Düsseldorfer Kreis, as an umbrella organization of the German data protection supervisory authorities, determined that German enterprises exporting data have to verify the self-certification of the U.S. importing company in accordance with the Safe Harbor requirements due to problems with the implementation of and adherence to the Safe Harbor standard. Against the backdrop of massive surveillance activities of foreign intelligence services the Conference of data protection officers at national and regional level in a press release dated 24 July 2013 requested the EU Commission to suspend its Decisions on Safe Harbor and the standard contractual clauses until further notice. In this context, the German data protection supervisory authorities announced, not to grant any new permits for data transfers to third parties and to examine the option to suspend corresponding data transfers. It remained unclear, however, how they wanted to put this Since the U.S.-EU Safe Harbor certification no longer applies other tools are required for a legal transfer of data. An alternative could be to use the standard contractual clauses of the EU. The European Commission adopted standard contractual clauses for transfers to so-called commissioned data processors (Commission Decision of 5 February 2010 (2010/87/EU)) and standard contractual clauses for controller to controller transfers (Commission Decision of 15 June 2001 (2001/497/EC) and Commission Decision of 27 December 2004 (2004/915/EC) amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries), that ensure adequate guarantees for the transfer of personal data from the EU to third countries that have to be recognized by the national data protection authorities. Enterprises should verify what standard contractual clauses suit their needs and how any existing contractual arrangements with clients and service providers may be embedded. In this context the different 3

Special newsletter II IP/IT legal requirements, such as the statutory requirement of the written form under Section 11 of the Federal Data Protection Act (Bundesdatenschutzgesetz BDSG), and sub-contracting relationships that may be very complex in individual cases in particular with regard to the distribution of tasks and the data exchange and contractual relationships affected have to be taken account of. For group-internal data transfers in large enterprises or global players so-called binding corporate rules are another option. The European-wide reconciliation procedure between the data protection authorities of the EU and EEA Member States facilitates the process significantly. It is planned to simplify the procedure even further in the future in the draft of the EU General Data Protection Regulation. Depending on the business model affected, it would also generally be a conceivable option to obtain an approval for data transfer from the persons affected. However, such an approval would expressly need to relate to the transfer of data to a third country with inadequate level of protection. Furthermore there are frequent doubts concerning the necessary voluntary nature of such consents. In addition the fact that such consent may be revoked at any time leads to difficulties in the practical implementation. The judgment of the ECJ is immediately valid. The Court did not provide for any transitional period during which data could still be transferred as before. In the coming days the EU Commission wants to prepare requirements in cooperation with the national data protection authorities in order to eliminate the current legal uncertainty that resulted from the judgment. It remains to be seen, whether the data protection authorities will refrain from imposing sanctions for illegal data transfers for a certain period of time, thus in fact creating a transitional period. Enterprises based in the EU are immediately responsible for the admissibility of data transfers to U.S. enterprises. This is particularly the case if the (U.S.) service providers are commissioned data processors that only process the data on behalf of and upon instructions of the controller. The risk of supervisory sanctions and enforcement of claims of persons affected will be borne by the enterprise based in the EU and transferring the data as the controller. Insofar as IT service providers have not already initiated or announced mitigating measures on their own initiative, it is advisable for the enterprises affected to expressly request such measures and to adjust the contractual arrangements accordingly. 4

Imprint Luther Rechtsanwaltsgesellschaft mbh, Anna-Schneider-Steig 22, 50678 Cologne, Phone +49 221 9937 0, Fax +49 221 9937 110, contact@luther-lawfirm.com Editor: Dr Stefanie Hellmich, LL.M. Luther Rechtsanwaltsgesellschaft mbh, An der Welle 10, 60322 Frankfurt a.m., Phone +49 69 27229 24118 stefanie.hellmich@luther-lawfirm.com Copyright: These texts are protected by copyright. You may make use of the information contained herein with our written consent, if you do so accurately and cite us as the source. Please contact the editors in this regard contact@luther-lawfirm.com Disclaimer Although every effort has been made to offer current and correct information, this publication is not exhaustive and thus does not cover all topics with which it deals. It will not be updated and cannot substitute individual legal and/or tax advice. This publication is distributed with the understanding that Luther, the editors and authors cannot be held responsible for the results of any actions taken on the basis of information contained herein or omitted, nor for any errors or omissions in this regard. 5

Luther Rechtsanwaltsgesellschaft mbh advises in all areas of business law. Our clients include medium-sized companies and large corporations, as well as the public sector. Luther is the German member of Taxand, a worldwide organisation of independent tax advisory firms. Berlin, Brussels, Cologne, Dusseldorf, Essen, Frankfurt a. M., Hamburg, Hanover, Leipzig, London, Luxembourg, Munich, Shanghai, Singapore, Stuttgart, Yangon Luther Corporate Services: Delhi-Gurgaon, Kuala Lumpur, Shanghai, Singapore, Yangon Your local contacts can be found on our website www.luther-lawfirm.com. www.luther-lawfirm.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information