On January 28, 2016, the Centre for Information Policy Leadership (“CIPL”) held a special roundtable at Hunton & Williams’ Brussels office to examine the “essential equivalence” requirement for protection of data transfers to non-EU countries set by the Court of Justice of the European Union’s (“CJEU's”) Schrems decision. The roundtable brought together leading lawyers, corporate privacy officers, legal experts, regulators and policymakers to discuss the critical issues and impact of the new “essential equivalence” requirement for global data transfers set by the CJEU, and its relevance to the current EU-U.S. negotiations of a new Safe Harbor agreement.
The roundtable discussion touched upon the following topics:
- How should we interpret the CJEU’s clarification of adequacy, and what standards exist to protect EU citizens’ data against access by EU government surveillance and intelligence agencies?
- What are the respective roles and the jurisdiction of the CJEU and the European Court of Human Rights, and how does the separation of competence between the EU and its Member States affect the protection of privacy in Europe?
- How should we interpret the Schrems decision in light of the court’s role within the EU legal order, its relationship with the European Court of Human Rights, and EU Member States exclusive competence in matters of national security and intelligence?
- What is the impact of the key criteria set forth in the Schrems decision on European and international businesses, cross-border data flows and the global economy?
The roundtable was a unique opportunity to hear from two of Europe’s leading voices: Geoffrey Robertson from the UK, and Noelle Lenoir from France. Both Robertson and Lenoir agreed that in determining whether the protection afforded to Europeans in the U.S. is “essentially equivalent” to those afforded by the EU legal order, one has to examine not only the laws and rules in force, but also administrative practices in effect in the country. They also emphasized that it is critical not to compare the two legal orders in abstract, but rather to focus on the protection of privacy in the context of government surveillance and national security. In Europe, that protection is firmly within EU Member States’ competence and hence subject to exemptions in the EU Data Protection Directive. Indeed, it is the European Court of Human Rights in Strasbourg, which is established under the European Convention on Human Rights, that has developed case law mandating eight safeguards for the protection of privacy in Article 8 of the Convention. Despite this mandate, both Robertson and Lenoir argued that most of the eight safeguards have not been fully implemented in all European countries.
Robertson concluded that, following the U.S. law and practice reforms enacted after the Snowden incident, U.S. citizens are significantly better protected against national security surveillance than EU citizens in Europe. Furthermore, based on the new administrative rules and practices, oversight arrangements, disciplinary provisions and right to remedies against improper use in the U.S., Europeans have at least equivalent protection in the U.S. as they do in Europe.
The roundtable discussion also turned to the role of national data protection authorities (“DPAs”) after the Schrems decision. Participants concluded that the DPAs will be required to look at each data transfer case to determine the existence of essential equivalence in data protection in a foreign country. In addition, the consensus was that because foreign laws and administrative practices may change over time, fresh assessments will be necessary, raising concerns over the ability of DPAs, the European Commission and data controllers to continually reassess these issues. Participants also believe the criteria for essential equivalence will have an impact on future adequacy decisions under the new EU General Data Protection Regulation, and potentially on other mechanisms for international data transfers, such as standard contractual clauses and Binding Corporate Rules. Lenoir suggested that there will inevitably be more cases and preliminary rulings by the CJEU, which will bring necessary clarification and further nuances to the criteria set out in the Schrems decision. The period of legal uncertainty is bound to continue for some time.
Finally, the discussion offered glimpses of future solutions, such as:
- The U.S. signing the protocol to the International Covenant on Civil and Political Rights;
- intelligence agencies adopting a code of conduct (an accountability-based framework) that would include privacy safeguards and protections for individuals;
- European jurisdictions developing oversight bodies pass the test of the European Court of Human Rights and enable effective supervision of surveillance activities;
- replication of solutions adopted in the SWIFT case; and
- acceptance of mass surveillance, by allowing collection of data en masse subject to judicial restrictions and use and access limitations.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code