Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

Safe Harbor fallout: where are we now?

By Nick Graham
December 18, 2015
  • Marketing, Cookies & Spam
Share on Facebook Share on Twitter Share via email Share on LinkedIn

As we all know, the EU decided to invalidate Safe Harbor on 6 October 2015.  Please see our Insight article and blog post for a quick recap.  But what has happened since?

Article 29 WP Guidance

The most significant guidance is from the A29 WP.  The key points were:

  • International data transfers from Europe based on Safe Harbor are now unlawful;
  • Model Clauses (also known as Standard Contractual Clauses) and Binding Corporate Rules (BCRs) can still be used.  However they are under review and do not prevent individual DPAs from investigating particular cases;
  • By the end of January 2016, if no appropriate solution with the US authorities is found, EU DPAs will take “appropriate actions” (= enforcement?)
  • For more information on the Working Party statement, please see our blog post.

What do DPAs say?

Most EU DPAs have now issued statements on Safe Harbor.  Many welcomed the decision!

The UK approach is “don’t panic”.  The ICO has said that there are alternative mechanisms to Safe Harbor and recommends model clauses.

The French DPA (the CNIL) calls on companies to implement model clauses to transfer data to the US but doesn’t reference other transfer mechanisms such as BCRs or the derogations (e.g. consent).  The CNIL also re-affirms the Working Party position on possible enforcement in due course.

The most extreme position comes from the German DPA for the Schleswig-Holstein.  It disagreed with the Working Party opinion and said that neither model clauses nor consent provide a legal basis for data transfers.  However, the joint position paper of the German Federal State DPAs simply said that German DPAs will not issue “new approvals” on the basis of BCRs or data export agreements.  This is certainly “drawing a new line in the sand”.  In addition, this has slowed down German approvals of BCRs and any approvals of transfer agreements (where approval is required).  However, provided you use the standard Model Clauses, no approval is required in Germany.

What are companies doing in practice?

Companies are seeking to address the issue proactively.  Some are conducting assessments to identify what data is being transferred internationally.  Others are incorporating this within global privacy audits and programmes.  As a minimum, companies are implementing model clauses both intra-group and with vendors.  There is usually a need to prioritise the larger transfers of more sensitive information and the bigger vendor offerings to get the job done.  As we know, many vendors are offering pre-signed Model Clauses.  These need careful review.  Some strike a fair balance between strict legal requirements and a pragmatic approach but some go further.

What’s next?

We are told that the new Safe Harbor deal is imminent. But we are living in a time of uncertainty.  So risk-based decisions are required.

As you’ll have seen, the final GDPR text was released this week too!

A little more holiday reading….

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Nick Graham

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity, information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.

All posts Full bio

RELATED POSTS

  • Canada
  • Marketing, Cookies & Spam
  • Privacy Rights

Canadian Privacy Compliance: Time for your Online Checkup

By Margot Patterson
  • Canada
  • Enforcement
  • Marketing, Cookies & Spam

CRTC ENFORCEMENT ADVISORY: REMEMBER, YOU MUST HAVE RECORDS TO PROVE CONSENT

By Privacy and Cybersecurity Group
  • Marketing, Cookies & Spam

CASL: A Call for Clarity

By Margot Patterson

About Dentons

Dentons is designed to be different. As the world’s largest law firm with 20,000 professionals in over 200 locations in more than 80 countries, we can help you grow, protect, operate and finance your business. Our polycentric and purpose-driven approach, together with our commitment to inclusion, diversity, equity and ESG, ensures we challenge the status quo to stay focused on what matters most to you. www.dentons.com

Dentons boilerplate image

Twitter

Categories

  • Accountability
  • Asia Pacific
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Latin America
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo

© 2023 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site