A message to our customers about EU – US Safe Harbor (Microsoft)

Brad Smith, Microsoft on the Issues,  Tuesday, October 06, 2015

We appreciate that some of our customers have questions about the impact of the ruling today by the European Court of Justice (ECJ) about the EU – US Safe Harbor Framework. In particular some customers may ask if this means that they will no longer be able to transfer their customer data from the European Union to the United States. For Microsoft’s enterprise cloud customers, we believe the clear answer is that yes they can continue to transfer data by relying on additional steps and legal safeguards we have put in place. This includes additional and stringent privacy protections and Microsoft’s compliance with the EU Model Clauses, which enable customers to move data between the EU and other places – including the United States – even in the absence of the Safe Harbor. Both the ruling and comments by the European Commission recognized these types of steps earlier today.

EU Court Says Data-Transfer Pact With U.S. Violates Privacy

Natalia Drozdiak and Sam Schechner, Wall Street Journal,  Tuesday, October 06, 2015

The European Union’s highest court on Tuesday struck down a trans-Atlantic pact used by thousands of companies to transfer Europeans’ personal information to the U.S., throwing into jeopardy data traffic that underpins the world’s largest trading relationship. The decision now sets off a costly effort by companies and privacy lawyers to preserve companies’ ability to transfer Europeans’ personal data to the U.S. before regulators move in with fines or orders to suspend data flows. Hanging in the balance is billions of dollars of trade in the online advertising business, as well as more quotidian tasks such as companies’ ability to store human-resources documents about European colleagues.

Sunken Safe Harbor: 5 Implications of Schrems and US-EU Data Transfer

Daniel J. Solove by Daniel Solove, TeachPrivacy
Tuesday, October 06, 2015

Beyond this holding that a country has the power to disregard Safe Harbor and make its independent adequacy findings, the ECJ declared Safe Harbor to be invalid. The main reason for the invalidity of Safe Harbor is the failure of US law to provide adequate limitations and redress from government surveillance, especially NSA surveillance. In particular, the ECJ was troubled by the fact the NSA could engage in massive surveillance and that US courts had failed to provide a way for people to challenge that surveillance. Essentially, the ECJ held that because the NSA's surveillance is virtually unstoppable, the Safe Habor cannot guarantee an adequate level of protection.

Landmark ECJ data protection ruling could impact Facebook and Google

Samuel Gibbs, The Guardian,  Friday, October 02, 2015

The European Court of Justice ruled Thursday that if a company operates a service in the native language of a country, and has representatives in that country, then it can be held accountable by the country’s national data protection agency despite not being headquartered in the country.

U.S. Defends Data-Share Pact With EU

Natalia Drozdiak, Wall Street Journal,  Monday, September 28, 2015

The U.S. on Monday rebutted recent allegations by a top adviser to the European Union’s highest court that the U.S. engages in mass surveillance of European citizens, pledging to continue to work with the EU toward updating a trans-Atlantic data-transfer pact. A nonbinding opinion last week by Yves Bot, an advocate general to the European Court of Justice, recommended that the court invalidate a long-standing agreement between the EU and the U.S., known as Safe Harbor.

EU launches inquiry into web companies' online behavior

Julia Fioretti, Reuters,  Thursday, September 24, 2015

The European Commission on Thursday launched an inquiry into the behavior of online companies such as Google, Facebook and Amazon to try to gauge whether there is a need to regulate the web. The public consultation seeks answers on a broad range of issues, from the contractual restrictions online groups may impose on other businesses, for example, companies seeking to display ads, to how proactive they should be in removing illegal content online.

European Court Adviser Calls Trans-Atlantic Data-Sharing Pact Insufficient

Mark Scott, New York Times,  Wednesday, September 23, 2015

The laws governing companies that share online customer data between Europe and the United States may soon become a lot tougher. A legal position published in Luxembourg on Wednesday by a senior adviser to Europe’s highest court said that a trans-Atlantic “safe harbor” agreement allowing companies to ship people’s data between both regions did not provide sufficient checks on how that information may be used.

House panel approves bill to extend privacy rights to Europe

Cory Bennett, The Hill,  Friday, September 18, 2015

The House Judiciary Committee approved a bill Wednesday that would give European citizens the right to sue in U.S. courts over misuse of their personal data. The measure, known as the Judicial Redress Act, is seen as central to helping mollify European allies angered by the revelation of widespread U.S. surveillance programs. The bill is also the lynchpin in a recently signed deal between the U.S. and European Union that would allow law enforcement agencies on both sides to swap more data.

Data Localization Requirements Through the Backdoor? Germany’s “Federal Cloud”, and New Criteria For the Use of Cloud Services by the German Federal Administration

Monika Kuschewsky, National Law Review,  Wednesday, September 16, 2015

In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany). The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give shape to these concerns.

EU, U.S. clinch data-sharing deal for security, terrorism cases - document

Julia Fioretti, Reuters UK,  Tuesday, September 08, 2015

The European Union and the United States have clinched a deal protecting personal data shared for law enforcement purposes such as terrorism investigations, according to a document seen by Reuters. The two sides have been negotiating for four years over the so-called "umbrella agreement" that would protect personal data exchanged between police and judicial authorities in the course of investigations, as well as between companies and law enforcement authorities.