Sent to subscribers in January 2016
What a whirlwind the last number of months has been!
On a personal note, I am delighted to announce that I have joined Greenberg Traurig LLP as a Shareholder/Partner in its Silicon Valley Office.
The invalidation of the EU-US Safe Harbor Framework by the CJEU shocked many in the privacy community. As a result of the CJEU's October 6, 2015, decision and the associated fallout, all data transfers from the EEA, Switzerland, Israel, and the DIFC to companies located in the United States that have self-certified that they adhere to the Safe Harbor principles are illegal. The ruling affects approximately 4,600 US companies and their respective trading partners. It is also important to recognize that the consequences of the ruling are much broader and deeper than the mere invalidation of the Safe Harbor program and the immediate need to identify and implement alternative means of exchanging data with foreign customers, business partners or affiliated entities.
In addition to the short-term need to find quick-fix alternatives to the Safe Harbor for day-to-day exchanges, there are significant long-term issues regarding cross-border transfers. In its 35-page analysis, the CJEU repeatedly asserts that personal data, when on US territory, are subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the prospective rules laid down by Safe Harbor when they conflict with US national security and public interest. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights. The CJEU decision, in conjunction with some of the advice issued by data protection authorities in the aftermath of that decision, seems to undermine the entire framework of model clauses, binding corporate rules and other methods that are currently used to address the “adequate protection” requirement under EU Member State data protection laws.
However, at the time of the printing of this supplement it is not clear how many of these issues are going to be addressed. Work is currently underway on finalizing the negotiations on Safe Harbor 2.0, and it is hoped that this revised agreement will address many of the issues raised by the CJEU. In addition to developments on the Safe Harbor issue, negotiations on the EU General Data Protection Regulation are drawing to a close and it is anticipated that the Regulation will be published toward the end of 2015. All of these developments will be covered in detail in the next few supplements of Global Privacy and Security Law.
Suffice it to say that we are in for a very interesting couple of months in the data protection and privacy world. An overview of the other updates in Supplement 19 is provided below.
- Chapter 15—Brazil: The public consultation relating to elements of the Marco Civil da Internet law has been completed. Legislators are currently seeking proposals on how to organize the content submitted during the course of the public consultation in order to draft the final version of the regulations required under the law.
- Chapter 18—Chile: Three bills, amongst others, have been introduced in the Chilean Congress. The aim of these bills is to improve the level of legal protection of personal data and the respective rights of the data subject. The Chilean update provides a brief description of these bills.
- Chapter 10—The Asia-Pacific Region: The number of countries certified under the APEC Cross-Border Privacy Rules System (CBPR) continues to grow; 12 companies have now been certified as having met the certification requirements.
- Chapter 61—Taiwan: Government authorities continue to designate specific sectors under Article 27 of the Personal Information Act, requiring them to establish security measures for the protection and disposal of personal data. The most recent sectors to be designated are the vessel carrier industry and the travel agency industry.
- Chapter 48—Philippines: The Philippines chapter has been updated with additional information regarding the scope of the Data Privacy Act.
- Chapter 63A—United Arab Emirates: The Board of Directors of the Abu Dhabi Global Market has issued ADGM Consultation Papers No. 10 of 2015, which detail proposed data protection regulations for the Abu Dhabi Global Market. Although these regulations may be subject to further revision, the chapter presents a comprehensive overview of the proposed regulation. This chapter has also been updated with further information on the Dubai Healthcare City Data Protection Regulation and its Healthcare Professional Regulation.
- Chapter 26—Estonia: The Estonia chapter has been updated to provide an overview of the provisions of the Insurance Activities Act that facilitate the processing of personal information by insurance providers.
- Chapter 28—France: The updated France chapter outlines the measures taken by the CNIL across a range of issues throughout 2015.
- Chapter 63—Turkey: A number of new regulations that impact upon personal data have been enacted throughout the course of 2015. The Turkey chapter for this supplement examines the Regulation for Commercial Correspondence and Commercial Electronic Communications, and the Regulation for Services Providers and Intermediary Service Providers of Electronic Commerce, both of which were enacted during 2015.