Tag Archive: data protection

Preparing for the GDPR: New employee data subject rights could disrupt core HR procedures

The General Data Protection Regulation (GDPR), due to come into force throughout the EU including the UK on 25 May 2018, will force through a culture change in terms of attitudes to data privacy, according to the Information Commissioner Elizabeth Denham. Speaking at the Data Protection Practitioners’ Conference 2017, Denham warned that organisations risk damaging their brands and their business if they are seen to be cavalier with personal data: “If an organisation can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.”

It is important to recognise that it is also a key HR issue. Data protection will become one of the major issues, and potentially a source of disputes, in the employment context in the next few years. Employers will need to adopt a whole new culture in relation to the processing of HR data in light of more restrictions on processing, new and strengthened rights for employees and much more stringent penalties.

Far from being a stand-alone issue or tick-box exercise requiring nothing more than updated data protection policies, data protection will impact the heart of the employment relationship and the operation of core HR projects and procedures.

The GDPR will make it difficult, if not impossible, to rely on consent for processing in the employment context due to new and more restrictive conditions for consent and the ability to withdraw consent at any time.

The most commonly used basis for legal processing of HR data (beyond processing required by law) is therefore likely to be legitimate interest. Employers will be able to show a legitimate interest in processing ordinary HR personal data for routine HR processes. However, employees have the right to object to their data being processed or to ask for it to be deleted where processing is based on legitimate interests grounds. If this happens, employers must stop the processing unless and until they have confirmed to the employee compelling grounds for the processing which override the objection.

Similarly, if employees challenge the accuracy of HR personal data processed by the employer, they can require cessation of processing or deletion of the data unless accuracy is verified.

Although in many cases the employer may be able to show an overriding need to process the data and that it is sufficiently accurate, the employer will be unable to process the data whilst this is established. These rights could be used by employees individually or collectively to disrupt and delay HR processes such as appraisals, capability procedures, disciplinary and grievance proceedings, restructures and redundancy exercises and TUPE transfers. Alternatively, they may rely on unlawful processing to challenge management decisions in subsequent employment tribunal proceedings as well as making complaints to the Information Commissioner’s Office.

The risk for employers can be mitigated by ensuring that privacy considerations are embedded in each HR process and project, both in their design and in how they are operated. To minimise the risk of the disruption specifically highlighted above, businesses should take the following steps as part of the wider review preparing for GDPR before it comes into force:

Legitimate Interest Objections

  • Understand where legitimate interest is the correct legal basis for HR data processing, the likelihood of objections, and whether there is likely to be an overriding compelling ground to continue processing in the event of an objection;
  • Establish a process for dealing with objections promptly and efficiently, being clear who has authority to make the judgment.

Accuracy Challenges

  • Consider how accuracy of data relied on by the business is ensured in each HR process and improve processes where necessary;
  • Build in opportunities to review accuracy or raise queries where appropriate; and
  • Establish an efficient process for dealing with accuracy challenges under GDPR including any verification required, authority for sign-off and responding to the employee.

These and other new and expanded rights under GDPR hugely increase the potential for data protection to be used as a weapon in the context of employment disputes and prospective areas of conflict. In future briefings we will focus on different practical impacts of GDPR on the employment relationship and what business can do to manage these and prepare for implementation by May 2018.

On a more general basis, the HR team needs to be an integral part of an organisation’s preparation for the GDPR. We can help you to:

  • Identify existing data systems and the personal data processed throughout the employment lifecycle from recruitment to termination and beyond;
  • Understand the legal basis for processing and identify what will need to change to comply with the new regime;
  • Identify particular risk areas where use of data could be exploited to delay or disrupt business critical decisions; and
  • Develop and implement policies or changes to HR practices and procedures to manage potential GDPR issues and support compliance.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/preparing-for-the-gdpr-new-employee-data-subject-rights-could-disrupt-core-hr-procedures/

Despite Brexit, businesses need to start preparing for the General Data Protection Regulation

The Information Commissioner’s Office (ICO) has published an Overview of the European General Data Protection Regulation (GDPR) for organisations. The changes anticipated by GDPR are wide-ranging and require a cross-organisational compliance framework that will take time to assess and implement effectively. Organisations which process data within the UK should start their planning now if they have not already done so.

The result of the 23 June 2016 referendum on membership of the EU means that the Government will ultimately need to consider the effect on the GDPR. However, Brexit should have little, if any, impact on GDPR compliance planning. The GDPR will come into force in the UK without the need for implementing legislation in May 2018, at which time it seems likely that the UK will still be a member of the EU (as exit negotiations are likely to take at least 2 years and have not yet been triggered).

Following the UK’s eventual exit, if the terms of the UK’s withdrawal from the EU result in the UK remaining in the EEA, it is likely that the UK would be required to comply with the GDPR. Even if the UK is outside the EEA, the practical reality is likely to be that substantial compliance with GDPR principles will be required in any event. In order for data to continue to be transferred from other EU countries to the UK, the UK will have to be able to demonstrate that it provides adequate protection for the rights of employees whose personal data is transferred. Demonstrating such adequate protection would be likely to require the implementation of much of the GDPR in national law.

The ICO has also expressed the view that UK data protection legislation requires reform in any event, and it seems likely that they would press for UK law to conform to a large extent with the GDPR.

Key actions which organisations should put in place now include:

  • Put in place effective governance – Organisations should have a strong governance function in place, capable of impacting on and involving all parts of the organisation.  Cross department teams will be needed to ensure effective compliance with the GDPR including HR, IT, Legal and Data Protection or other compliance specialists. Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR; they need to appreciate the impact this is likely to have including on employee data. The degree of change over the next couple of years is such that effective governance is going to be critical to implementing the changes effectively and in good time.  There will need to be ongoing governance in place regarding data flows, privacy notices and documenting privacy impact assessments in a way that hasn’t been seen before.
  • Audit data flows to be clear about the purposes and legal basis for processing – Increasing awareness of the rights of data subjects and the changes to the legal bases for processing are two very good reasons to do this. The GDPR will have a significant impact on how, and how much, employee data can be processed. Use of data (including big data) will impact on all aspects of the employment relationship from recruitment, to compensation and benefits, mobility of your workforce and structural change and growth. HR involvement will be key to ensuring (i) that organisations can continue to process employee data for the purposes which are critical to both day to day management and the achievement of strategic objectives and (ii) that organisations are not exposed to the risks of the substantial sanctions which may be imposed for misuse of employee data under the GDPR.
  • Implement training within your organisation – Many data privacy breaches are caused by simple errors.  By having effective and memorable training processes in place an employee is more likely to think about their actions and hence a breach is avoided.  Effective training on good practice will be valuable whatever legislation is ultimately in place.

For a copy of the ICO Overview click here. The ICO has also published ‘Preparing for the GDPR: 12 steps to take now’ which provides practical guidance.

 

Permanent link to this article: http://www.dlapiperbeaware.co.uk/despite-brexit-businesses-need-to-start-preparing-for-the-general-data-protection-regulation/

New European data protection rules will have significant impact on employers

Today’s adoption of the new EU General Data Protection Regulation (GDPR) heralds a new dawn in data protection, with far-reaching consequences for employers. For many, there will need to be a wholesale change in culture with a brand new approach to processing personal employee data. It is likely that existing practices will fall far wide of the mark and will require substantial review before the GDPR takes effect in 2018.  The importance of this cannot be overstated due to the introduction of extremely onerous sanctions which will heavily penalise breaches of the GDPR.

Although the new regime is challenging, compliance is achievable provided suitable planning and preparation is undertaken, and the correct steps are taken at the right time – beginning with a thorough audit of existing practices for data processing. The UK’s Information Commissioner’s Office (ICO) has published useful guidance for employers on the “12 steps to take now”. In order to meet the new obligations, co-operation in, and understanding of, the issues across the business is critical and employers are therefore likely to need Legal, HR, IT and Compliance teams to take an integrated approach.

Red flags for employers

The most important issues for employers, potentially involving changes to existing practices and/or new and significant administrative burdens, will include:

  • Grounds for processing employee data need to be audited: Employers will need to carefully consider the basis on which they process employee data. Employee consent to processing will almost certainly be invalid in the employment context, and, in any event, can be withdrawn at any time. Grounds which have been historically relied on, such as the employer having a legitimate interest in the data processing, will be subject to challenge due to a new right for employees to object to processing on this ground which cannot be overridden unless the employer has compelling legitimate grounds for the processing.
  • Data subject access requests will be easier for employees:  Employees will be able to make data subject access requests without restriction and without payment of a fee, unless the requests are manifestly unfounded or excessive. Employers must respond without ‘undue delay’ and no later than 1 month (subject to a 2 month extension for complex/multiple requests). At present, there are no exemptions (even on the grounds of legal privilege) which an employer can rely on to avoid provision of the employee’s personal data.
  • Extensive information will have to be given to employees when obtaining personal data: An administratively onerous net is cast over employers with the requirement to provide an extensive list of information to employees at the point when employers obtain their personal data.
  • Routine criminal records checks may not be allowed: Employers may have to review any policy of routinely conducting standard (ie not enhanced) criminal records checks. Under the new regime this appears to be unlawful on the basis that there is no requirement under UK law to carry out these checks.
  • Employees have new rights to erasure and rectification of their personal data: Employers must promptly erase an employee’s data if one of a number of grounds applies, including that the data is no longer necessary for the purpose for which it was collected. Where data is alleged to be inaccurate, employers will also have onerous responsibilities to check and rectify the data and will be restricted as to how it is used in the interim.
  • Employees have the right not to be subjected to automated decision making: Unless it is necessary for entering into, or performance of, a contract between the employer and employee, is authorised by EU or UK law or is based on the employee’s explicit consent, employees have the right not to be subject to automated decision making, including profiling if it impacts on them legally or significantly. This is likely to apply to matters such as automated shortlisting; performance management triggers for sickness absence; attendance bonuses; holiday or shift rostering. Employers will therefore need alternative mechanisms for decision making if challenged.
  • Employers must notify any data protection breaches within 72 hours: Employers will have to notify the relevant national data protection authority (in the UK, the ICO) within 72 hours of becoming aware of a data protection breach resulting in unauthorised loss, amendment or disclosure of data, unless the breach is unlikely to result in a risk to the rights of the employees. If there is a high risk to employee rights employers will also have to promptly communicate the breach to the employees individually.
  • Employers must be audit ready at all times: Employers are expected to set up systems in a way which ensures compliance by design and default – restricting the data, use and access. The onus is on employers to prove compliance and they must keep records and have policies in place to demonstrate that.
  • Data protection standards may be ‘ramped up’: The long awaited harmonisation arrangements mean national supervisory authorities will be required to co-operate, assist each other in performing their tasks, provide mutual assistance and to actively take steps to achieve consistent application throughout the European Union. On the basis that it is unlikely that member states with stringent laws on data processing will want to compromise their protection, this may lead to a ‘ramping up’ of data protection across Europe to the highest denominator. The concept of lead supervisory authorities for cross-border processing is also being introduced which may be administratively beneficial for multi-national organisations; however, as the national supervisory authority will remain competent in a number of circumstances, it will remain to be seen how effective having a lead authority is in practice.
  • Transfers of data to third countries may be easier: Under the new regime, personal data may be transferred to a third country or an international organisation where there is a Commission finding of adequacy, if appropriate safeguards are in place eg binding corporate rules or standard contractual clauses adopted by the Commission or the ICO, or if one of a number of prescribed derogations is met. The recent impact of the Schrems case (which declared the Safe Harbour regime ineffective) will therefore potentially be resolved if the EU-US Privacy Shield is given a final finding of adequacy.
  • Sanctions are extremely onerous: Infringements relating to matters including the basic principles for processing (including conditions for consent) and the rights of data subjects will attract maximum penalties of €20,000,000 or 4% of total worldwide annual turnover, if higher.
  • Appointment of a DPO may be required: Employers must do so if they are a public authority, are required to do so by local law or have core activities which require regular and systematic monitoring of individuals on a large scale or they carry out large scale processing of sensitive data or criminal records. The DPO is expected to be an expert in data protection law and will have significant responsibilities in ensuring compliance with the GDPR.

With the regulation expected to enter into force in 2018 (and no need for national implementing legislation), employers would be wise to use this lead-in period to fully analyse their existing data processing habits, question what data collection and processing is truly necessary for the employment relationship and introduce new policies and procedures to manage the data processing cycle so that they can enter 2018 with their house in order, fully equipped to address the data processing challenges ahead.

There is no doubt that the arrival of the GDPR is timely, coming at a point when information and communication technologies now underpin all aspects of the employment relationship and when employee awareness of individual privacy rights is high. Employers who have previously taken a more pragmatic view of compliance for employee data, prioritising protection of consumer and customer data instead, can no longer afford to do so.

For general information on data protection issues, view DLA Piper’s GDPR website and Privacy Matters blog.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/new-european-data-protection-rules-will-have-significant-impact-on-employers/

Employers do not have green light to monitor employee emails, despite ECHR judgment

A recent case before the European Court of Human Rights has set the cat amongst the pigeons on the perennial hot topic of employees’ entitlement to privacy and data protection in the workplace.

Widespread media reports would lead employers to believe that unfettered monitoring of employee emails and internet use is now acceptable and that engaging in personal correspondence during working hours is legitimate grounds for dismissal. However, this is simply not the case, and employers must beware. An employer who engages in this type of monitoring, and imposes disciplinary sanctions as a consequence, can, in fact, expect to find themselves in hot water. Employers must, as a minimum, have comprehensive, and bespoke, internet policies in place, clearly setting out the rights and obligations of employees, how monitoring is conducted and how data is processed and used. The policies must also be effectively communicated to employees, accompanied by appropriate training and consistently enforced.

The case

Barbulescu v Romania

The claimant, Mr Barbulescu, was an engineer in charge of sales who was employed from August 2004 to August 2007. In July 2007, Mr Barbulescu was asked by his employer to set up a Yahoo Messenger account for the purpose of responding to clients’ enquiries. The employer gave notice to its employees at the beginning of July that internet use would be monitored (although this was disputed by Mr Barbulescu). In the period 5-13 July, the employer monitored Mr Barbulescu’s Yahoo communications. This identified that Mr Barbulescu had been using the internet for personal purposes, contrary to the company’s rules which prevented personal internet use. The rules stated, “It is strictly forbidden to disturb order and discipline within the company’s premises and especially…to use computers, photocopiers, telephones, telex and fax machines for personal purposes”.

Mr Barbulescu initially denied any personal use, but the employer’s findings were backed up by a transcript of his communications. Mr Barbulescu sought to argue that his employer had violated the Criminal Code and the Romanian Constitution by violating his correspondence and brought a claim in the Bucharest County Court. The court dismissed his claim, finding that the employer had complied with the relevant disciplinary proceedings and that Mr Barbulescu had been informed about the employer’s rules on personal internet use.  The court said that as Mr Barbulescu had denied using the internet for personal use, the employer had no option but to check the content of his Yahoo communications, and that monitoring employees’ use of company computers was within the broad scope of the employer’s right to check the manner in which professional tasks were being completed.

Mr Barbulescu appealed the court’s decision, claiming that emails are protected by Article 8 of the Convention relating to respect for private life and correspondence. The Court of Appeal dismissed Mr Barbulescu’s appeal, ruling that the employer’s conduct had been reasonable and that monitoring his communications was the only method of establishing the disciplinary breach.

Mr Barbulescu therefore took his case to the European Court of Human Rights (ECHR). The ECHR identified that, on the face of it, telephone calls from business premises are covered by the notions of ‘private life’ and  ‘correspondence’ for the purposes of Article 8, and that emails, and information derived from monitoring employee usage, would be similarly protected. The ECHR also found that in the absence of notice about monitoring, employees would have a reasonable expectation as to privacy of their calls and emails.

The ECHR said that it therefore needed to examine whether a fair balance had been struck between Mr Barbulescu’s right to respect for his private life and correspondence, and his employer’s interests. It found that there had, and that therefore Mr Barbulescu’s claim should fail (although one judge dissented in strong terms).  It relied on the following findings:

  • Mr Barbulescu had been able to raise his arguments before the domestic courts and they had found that the employer had acted within its disciplinary powers;
  • The domestic courts had also found that Mr Barbulescu had used the company’s computer for personal use during working hours, and that there had therefore been a disciplinary breach of the employer’s rules;
  • The employer had only accessed Mr Barbulescu’s account on the basis that the information in question was assumed to relate to Mr Barbulescu’s professional activities; it had not accessed any other documents or data on Mr Barbulescu’s computer and its monitoring was therefore limited in scope and proportionate;
  • The domestic courts had not placed any weight on the contents of the Yahoo account; they had only considered activity on that account to the extent it proved the breach of company rules;
  • It was not unreasonable for an employer to want to verify that employees are completing their professional tasks during working hours; and
  • Mr Barbulescu had failed to convincingly explain why he had used the Yahoo account for personal purposes.

Implications

On the face of it, this case does appear to give employers some confidence about their ability to monitor employee emails and internet use. The ECHR was willing to find that a blanket ban on personal internet use was sufficient in this case to weigh the employer’s interests evenly against the claimant’s right to private life and protection of correspondence. This was so, even though it was in dispute whether the employee had been properly notified that monitoring would take place.

However, employers must still exercise significant caution. The UK has a raft of legislation and guidance governing employee monitoring and data protection, and in many workplaces, the lines are unlikely to be as clearly drawn as in this case. Further, in many cases, a blanket ban on personal internet and email use may be impractical. As identified by the dissenting judge, some employers will allow employees to use the company’s internet and email/messaging systems for personal use; others will allow employees to use their own equipment for work-related matters, and some employers will permit both. The dissenting judge was at pains to make clear that an employer’s right to monitor an employee’s communications is not unrestricted or at its discretion. The key issues to consider are:

  • Employees have a reasonable expectation of privacy;
  • Expectations of privacy may, in certain circumstances, be displaced by a bespoke internet policy with specific rules on email, instant messaging, social networks, internet surfing etc and a comprehensive policy on employee monitoring. Automatic or continuous monitoring of internet use is unlikely to be permissible;
  • Employees must be aware of the employer’s policies, both in terms of the rules which apply during working hours, and outside working hours, and in terms of any restrictions on the use of company equipment. Employees should give their explicit consent to the policies;
  • The enforcement of an employer’s internet policies should be guided by the principles of necessity and proportionality. For example, before carrying out any monitoring, employers should consider whether the benefits of that measure outweigh the adverse impact on the employees’ right to privacy;
  • Sanctions for a breach of the employer’s internet rules should normally start with a verbal warning, before moving to a written warning, and ultimately dismissal. Relevant considerations for the appropriate sanction are likely to include whether damage has been caused to the employer and/or whether there has been a pattern of behaviour over a sustained period of time;
  • Any processing of personal data for the purposes of the employment relationship, including staff management, and termination of employment, must be regulated by contract or collective agreement in line with data protection laws and principles. Specific forms of data processing like internet and email use are likely to warrant detailed rules and procedures.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/employers-do-not-have-green-light-to-monitor-employees-emails-despite-echr-judgment/

Safe Harbor: Statement from working group of EU data protection authorities

Following the decision of the ECJ on 6 October 2015 declaring the EU-US Safe Harbor system for data transfer invalid, the Article 29 Working Group of European data protection authorities has now issued a statement setting out its views on several critical issues going forward.

The WP29 comprises all of the national Data Protection Authorities across the EU. Although the WP29’s statement is not decisive, it is influential and welcome in light of conflicting signals that had been coming from different data protection authorities, particularly in Germany. The statement addresses the steps that must be taken by the EU Institutions to resolve the concerns identified in the CJEU’s judgment, and clarifies the WP29’s position on the measures that should be implemented by Safe Harbor-certified companies in the interim.

The statement emphasizes that transfers relying on Safe Harbor are now unlawful.  The WP29 considers that, on an interim basis, the EU Standard Contractual Clauses (or Model Clauses) and Binding Corporate Rules (BCRs) can still be relied upon to legitimize transfers of EU personal data to the United States, pending negotiations over the future of the Safe Harbor arrangements. During that time, the WP29 will “continue its analysis of the impact of the CJEU judgment on other transfer tools” (including the Model Clauses and BCRs). National data protection authorities will in the meantime exercise their powers in response to complaints if necessary to protect individuals’ privacy rights.

The statement indicates that if no appropriate solution is found between the EU and the US authorities by the end of January 2016, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.

Click here for a copy of the statement:

http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf

 

 

Permanent link to this article: http://www.dlapiperbeaware.co.uk/safe-harbor-statement-from-working-group-of-eu-data-protection-authorities/

Ground-breaking European Court Decision – US Safe Harbor declared invalid

In a ground-breaking Decision on 6 October 2015 the Court of Justice of the European Union (CJEU) declared the US Safe Harbor scheme to be invalid, as well as confirming that individuals have the right to challenge any similar schemes that may be established by the European Commission through their national data protection authorities.

This summary by Andrew Dyson and Patrick van Eecke in our Data Privacy team provides more details. More information on the implications for employment data will follow shortly.

The US Safe Harbor framework was established 15 years ago to provide a mechanism by which European businesses could validly transfer personal data from the EU to the US. The framework has been widely adopted, with over 5000 companies currently using the scheme to support the free flow of data across the Atlantic. It is commonly adopted to support data transfers needed to support intra-group operations (for example to assist a US parent in managing EU based activities) and outsourced services involving a US cloud or software-as-a-service (SAAS) provider.

The Decision of CJEU will have a significant and immediate impact for any business relying on Safe Harbor to enable these operations to date and will require a change in approach to cross-border data transfers.

Impact for businesses

We expect it will take time for the full practical implications of the decision to flow down and take effect, with national data protection authorities likely to develop their own interpretation and positions.  What is clear, however, is that Safe Harbor as it stands at the moment is not valid.

  • The decision will have an immediate impact on any organization currently relying on Safe Harbor as a basis for transferring data to the US, either intra-group or through their supply chain. Subject to any guidance issued by local supervisory authorities (see below), these arrangements are now likely to be invalid. To understand the risks and plan effectively, organizations should quickly identify any arrangements they rely on that are underpinned by Safe Harbor. A strategy can then be adopted to consider alternative arrangements to authorize continuing data transfers to the US. In many cases this may involve adoption of EC approved standard contractual clauses.
  • In the medium term, we expect to see a more fragmented approach from the 28 national supervisory authorities to future decision making around transfers of data to the US. This is likely to create greater uncertainty for any multinational business operating within Europe as regulators may feel empowered by the decision to make independent assessments on adequacy for any alternative arrangements organizations may be considering instead of Safe Harbor – potentially replaying concerns noted in the court decision about the wide scope of the Patriot Act as a basis for undermining the viability of other well established transfer routes such as the EC model clauses.
  • A more fragmented regulatory approach on cross-border issues at a time when legislators are trying their best to support a more integrated global information society will be unwelcome, adding significant cost and regulatory burden to organizations who may feel exposed and vulnerable to challenges from changing political landscapes.
  • If a European national supervisory authority has the power to investigate and suspend the transfer of the personal data in question to the US, irrespective of Safe Harbor, this will create a new and substantial obstacle for any US business looking to establish as a ‘data importing’ business model in the EU market. This could lead to a position where US companies will need to establish separate consent arrangements to data sharing which may put them at a major disadvantage when building a consumer facing business model in comparison with EU based companies.
  • Although these other legal avenues exist for sharing personal data between EU companies and citizens and US companies, these solutions are often onerous and difficult to implement on a global scale. Safe Harbor functions as a kind of ‘one stop shop’, a practical solution to allow data transfers from the EU to a trusted business partner in the US – Europe risks endangering this important relationship for transatlantic economic growth.
  • Over the past two years, the EU Commission has been working and negotiating intensively with US authorities to reach a joint solution for the public concern and distrust generated by the revelations based on leaked documents from Edward Snowden back in June 2013 (which confirmed that US authorities can have access on a mass basis to personal data of individuals living in the EU). The two sides of the Atlantic are almost at the end of this extensive negotiating period but the Decision of the CJEU halts momentum to reach a safe solution and risks a swift return to square one.
  • More broadly, the Decision of the CJEU does not only have an impact on Safe Harbor but potentially opens the scope for national authorities to challenge other Decisions of the European Commission (such as, for instance, the standard contractual clauses for controller-controller or controller-processor data transfers).

For further information please email dataprivacy@dlapiper.com

Permanent link to this article: http://www.dlapiperbeaware.co.uk/ground-breaking-european-court-decision-us-safe-harbor-declared-invalid/