The Court of Justice of the European Union (CJEU) has handed down its decision in the Schrems case. The Court agrees with the Advocate General (AG) and says that:
Since the Court decision on Tuesday 6 October 2015, the ICO has issued a press release. It says that businesses should review how data is transferred to the US but that it recognises this will take some time. The ICO also reminds everyone that Safe Harbor is not the only basis for data transfers and that the ICO is considering the judgment in detail and working with counterpart data protection authorities in other EU member states to issue further guidance for businesses on the options available. Clearly, the message is: "Don't Panic". The Commission said the same thing in its press conference on the day of the Decision.
Max Schrems (Austrian privacy campaigner) made a complaint to the Irish Data Protection Authority (DPA) based on the Snowden revelations in relation to information stored by Facebook. The Irish DPA dismissed the complaint because the relevant transfer was covered by Safe Harbor. The matter was then referred to the Irish High Court which clearly had some sympathy with Schrems' concerns but which referred the matter to the CJEU for a ruling.
The Court decided that the existence of a Commission Decision on the Safe Harbor should not trump DPAs' rights to investigate independently. Much was made (both by the Court and the AG) of the need to interpret the law in the light of "the fundamental rights guaranteed by the Charter". This refers, in particular, to Article 7 of the Charter of Fundamental Rights (respect for private life) and Article 8 of the Charter (protection of personal data). The Court leans heavily on the Charter in justifying its "reassessment" of Safe Harbor.
We see a number of issues. Does it convert DPAs from administrative enforcement agencies to quasi-judicial bodies? Note, DPAs can already make assessment decisions. Also, how will this work with the General Data Protection Regulation (GDPR) under which the Commission will have power to make secondary legislation? That model for secondary legislation under the GDPR may need to be reviewed.
More importantly, does this create the risk of particular DPAs firing off country-specific investigations and "local decisions" on data transfers? Clearly, this would not be good for Europe's digital economy. The Commission was at pains to point out in its press conference that there will be guidance issued to ensure clarity and certainty. This will be welcomed by business. The sooner we get the guidance the better. Interestingly, paragraph 48 of the Court's decision references the importance of the transfer of personal data overseas as being necessary for the expansion of international trade. We agree.
Mr Schrems' contention was that US law and practice do not ensure an adequate level of protection within the meaning of Article 25 of Directive 95/46. As mentioned above, the Irish Court seemed to have some sympathy with this.
The Court raised a number of concerns with Safe Harbor. First, the Court highlighted Annex 1 (fourth paragraph) of the Safe Harbor decision which says that Safe Harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements or by statute, government regulation or case law provided that this is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation. The Court concluded that this means that US law trumps Safe Harbor in the event of conflict. We don't think that this is so "black and white", but nevertheless that was the Court's decision.
The Court also criticised the Commission's original Decision in that it didn’t contain a finding regarding US law striking the right balance with privacy rights. Similarly, the Court was not persuaded that there was any independent body in the US with power to regulate outside of the Safe Harbor regime. Then, again, how often do the EU DPAs take action in relation to EU national governments on similar issues? There has been commentary recently suggesting that, as a matter of fact, US anti-terrorism law is actually more restrictive than that applicable in the EU. This has not been considered by the Court.
The Court was also influenced by the Commission's own position that Safe Harbor needs an upgrade. Hence the 13 recommendations published by the Commission eighteen months ago and the ongoing negotiations with the US.
In this context, the Court basically took the view that "legislation permitting public authorities to have access on a generalised basis to the content of electronic communications" is a breach of Article 7 of the Charter. Similarly, the Court treated the absence of the ability to pursue legal remedies as a further breach of the Charter. The Court therefore decided that decision 2000/520 "fails to comply with the requirements laid down in … Directive 95/46".
Interestingly, Article 3(1) of the Safe Harbor Decision lays down specific rules regarding powers available to national data protection authorities in light of a Commission finding as to adequacy. Specifically, this established a higher threshold before the national DPAs could intervene. However, the Court decided that this should not be allowed to restrict national Data Protection Authority powers under the Directive, so the broader approach to when DPAs can intervene applies. This somewhat flies in the face of the terms of the actual Safe Harbor Decision. Nevertheless, that was the Court's finding.
There are currently 4,465 companies signed up to the self-certification Safe Harbor regime. Technically, the Safe Harbor data export permission no longer applies. Companies therefore need to find alternative legal bases for data exports from Europe to the US. The Commission, in its press conference, has said it is important that transborder data flows continue and that guidance will be published for EU businesses to ensure clarity and certainty. The Commission has also said that it is "well advanced" in agreeing a new Safe Harbor 2.0 package. Apparently it was near to agreeing this before the summer but needs more time to finalise the national security exemptions. So this is absolutely not any kind of international data war. The Commission could not give any time frame, however, for finalising Safe Harbor 2.0.
In the meantime, we advise businesses to do the following:
For current purposes, at least until Safe Harbor 2.0 is agreed, model contracts are likely to be the best alternative. There is, technically, a risk that local data protection authorities try to unpick some of those transfers as well. However, there are significant differences between Safe Harbor and Model Contracts. Model contracts are much more closely aligned with EU law and, essentially, "export data protection law with the data". So the risk, here, should be much lower. Nevertheless, we think it's worth waiting for the guidance which we expect will provide reassurance on this.
As an aside, the Commission also hinted yesterday that it plans to have the GDPR finalised this year. This seems optimistic but let's wait and see.