By Gail Crawford and Ulrich Wuermeling

As the whole world now knows, the UK voted to leave the European Union (EU) in its historic referendum on 23rd June by a vote of 51.9 percent in favour of “leave” to 48.1 in favour of “remain”. This blog focusses on how that decision will impact both UK and global organisations’ compliance with data protection law.

The referendum does not start the exit process. To formally start the exit process, the UK has to serve notice under Article 50 of the Treaty on the European Union, which triggers a period for negotiation of the terms of the UK’s exit, with exit taking effect once those negotiations have concluded, or after two years (if sooner), irrespective of what terms have (or have not) been agreed. The two-year cut-off period can only be extended with unanimous consent from all EU member states.

By Ulrich Wuermeling, Gail Crawford and Jennifer Archie

Earlier this week, the European Commission announced that a “political” agreement has been reached on a new framework for data flows from the EU to the US. The announcement highlights a few changes from the old Safe Harbor regime, such as more direct and active oversight by US regulators, more stringent privacy protections, and establishing an ombudsman at the State Department for EU citizens who wish to complain about data protection matters. However, as a legal and compliance matter, US companies who previously relied upon Safe Harbor to transfer EU data take significant compliance risk if they do nothing in anticipation of the newly branded EU-US Privacy Shield framework being formally approved, given it is not yet documented and will be subject to review by the EU data protection supervisory authorities in the so-called Article 29 Working Party as well as representatives of the Member States and the European Parliament.

By Jennifer Archie, Scott Jones and Alex Stout

In a stunning victory, an administrative law judge has recommended the dismissal of a long-pending US Federal Trade Commission (FTC) complaint against LabMD, Inc. (LabMD). In a strongly worded opinion in a case that had become highly politicized following 2014 congressional hearings, ALJ D. Michael Chappell found that the agency had failed to satisfy its burden of proving that LabMD had engaged in unfair trade practices by providing insufficient data security.

By Ulrich Wuermeling

On November 6, the European Commission issued a comprehensive Communication on the consequences of the Schrems Judgment of the Court of Justice of the European Union (ECJ). In the Communication, the Commission puts national data protection authorities in their place by stating that Model Contracts are a valid alternative measure to provide adequate safeguards for data transfers to the US. According to the Commission, even in countries where use of the Model Contracts requires permission by national data protection authorities, such permission has to be granted if the Model Contracts are used without modifications. Only the ECJ would have the power to invalidate the Commission Decisions on Model Contracts. According to the Schrems Judgment, the rights of the data protection authorities with respect to such Decisions are limited to examining them and bringing proceedings against them in court, if the authority believes adequate protection has not been provided.

On October 16, the data protection authorities as organized in the so-called Article 29 Working Party claimed in a Statement that they will continue their analysis on the impact of the Schrems Judgment on other transfer tools. Prior to that Statement, some regional data protection authorities had gone further and claimed that current reliance upon Model Contracts as an alternative transfer mechanism could be inadmissible after the Schrems Judgment (notably the data protection authorities of Schleswig-Holstein and Rheinland-Pfalz in Germany). A joint Statement of the German data protection authorities followed and caused further confusion. It stated that the data protection authorities will not give permission for data transfers based on data export contracts. However, the Statement only referred to individually drafted data export contracts, which are rarely used in practice anyway. One has to keep in mind that in Germany the use of Model Contracts does not need permission by data protection authorities in any event.

By Ulrich Wuermeling

On October 26, the European Commissioner Věra Jourová addressed the Parliament Committee on Civil Liberties, Justice and Home Affairs to discuss the consequences of the Schrems Judgment of the Court of Justice of the European Union (ECJ).

Jourová commented on the status of the negotiations with the US to find a new solution for data transfers: “There is agreement on these matters in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court.” She plans to visit the US mid-November and hopes to make further progress on a new arrangement with the US.

By Ulrich Wuermeling

An early Position Paper of the German data protection authority of Schleswig-Holstein on the Schrems Judgment of the Court of Justice of the European Union (ECJ) gave little hope for practical alternatives to Safe Harbor. On October 26, all German data protection authorities published a more reasoned joint Statement that follows the approach taken by the Article 29 Working Party. It still includes some surprises in the details, but also offers hope for Model Contracts to be able to serve at least as an interim solution.

The Statement of the German data protection authorities (GDPAs) starts with the unsurprising conclusion that data transfers cannot rely on the Safe Harbor Decision anymore. It goes on to mention that the Schrems Judgment also puts data transfers under other instruments (like BCRs or Model Contracts) into question. The GDPAs announced that they will not approve new BCRs or contractual solutions for data transfers to the US and have also requested that the German government allow data protection authorities to bring claims to courts (as required by the ECJ in the Schrems Judgment). The Statement of the GDPAs is short and obviously a compromise between differing views.

By Gail Crawford, Ulrich Wuermeling and Jennifer Archie

The so-called Article 29 Working Party met on October 15, 2015 to discuss the consequences of the Schrems Judgment of the European Court of Justice (ECJ). On October 16, 2015, the Working Party published a Statement summarizing their initial conclusions. The Working Party includes representatives of the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission.

The Working Party states that data transfers made under Safe Harbor are unlawful following the Judgment. However, enforcement actions of the national data protection authorities shall only take place if no other solution is found by the end of January 2016. In the opinion of the Working Party, such a solution could include an intergovernmental agreement between the EU and US with reference to a revised Safe Harbor framework. It remains to be seen whether the US government will be able to agree to limit law enforcement access and to provide remedies for data subjects as required by the European Court of Justice, to the satisfaction of the EU. Due to this uncertainty, businesses will not be able to wait until January 2016, because they will not be able to implement alternative solutions in time if the governments do not agree.

By Ulrich Wuermeling

On September 23, the European Court of Justice heard the case which will determine whether US companies can rely on Safe Harbor as a measure to provide adequate privacy protection for personal data imported from the European Union. As of today, more than 4000 US companies have notified the Department of Commerce that they are currently compliant with Safe Harbor. According to the Opinion of Advocate General Yves Bot, however, Safe Harbor certification is not sufficient to comply with European data export requirements. It is not certain but likely that the European Court of Justice will follow the arguments of the Advocate General.

How should companies react to the Opinion of the Advocate General? For the time being, nothing changes. The Opinion is not the final judgment, which can be expected before the end of this year. Meanwhile, Safe Harbor stays in place, unless the European Commission decides to suspend Safe Harbor under the political pressure caused by the release of the Opinion. Back in 1995, experts claimed that the European Data Protection Directive would put an end to international trade. The same might be claimed about the upcoming decision (or the proposed European Data Protection Regulation), but experience shows that solutions can be found. Hopefully, the Court will give the European Commission some time to remedy the issues.

A Stored Communications Act (SCA) search warrant case arising out of a New York federal narcotics trafficking investigation is being closely watched by EU data protection authorities, privacy advocates, multinational internet service providers, and law enforcement, among others, as the parties pursue an expedited appeal to the Second Circuit Court of Appeals. Captioned In re Search Warrant, No. 13 Mag. 2814, M9-150, the case involves a U.S. law enforcement request for the contents of an Outlook.com email box,

By Larry Cohen and Gail Crawford

While the popular press has been full of stories about the European Court of Justice’s (“ECJ”) ruling creating a “right to be forgotten” (ahead of the still pending Data Protection Regulation), we will focus on both the ruling and the specific questions referred to the ECJ that have far-reaching ramifications for global companies, such as the test for applicability of national data protection laws.

First, some background on the facts of the