A brief rundown of developments in recent weeks in the area of EU data protection law:
EU Data Protection Regulation
On Monday, June 15, the EU Council (comprised, for purposes of data protection reform, of the justice ministers from each of the EU member states) reached an agreement on a draft data protection regulation, marking an important milestone in the ongoing effort to reform and modernize data protection law in the EU. (This development follows the European Commission’s publication of a proposed regulation in January 2012 and the European Parliament’s official agreement to a “compromise” version in March 2014.) Beginning this week, these bodies will begin negotiations to reconcile the three versions with a stated goal of promulgating a final regulation by the end of the year. The regulation will replace the 1995 Data Protection Directive and, once it comes into force, will apply directly in each of the EU member states, creating greater uniformity across the EU in respect of data protection standards.
Check back here next week for an overview of the key differences (and, thus, areas for negotiation) among the positions promulgated by the Commission, Parliament and Council.
Safe Harbor
As we recently reported, the US and EU continue to negotiate reforms to the US-EU Safe Harbor. It was announced earlier in June that progress is being made, and one EU official told the Wall Street Journal at that time that US officials were being given “another month” to address the EU’s concerns. As we’ve reported in the past, US government access to personal data appears to remain a sticking point.
Concurrent with these negotiations, the European Court of Justice (“ECJ”) also has been considering a broad challenge to the Safe Harbor in the case of Schrems v. Facebook Ireland Ltd. The plaintiff in that case has argued that, given the NSA/Snowden revelations, the Safe Harbor (upon which Facebook—like many other US-based companies—relies to transfer and hold users’ personal data in the US) could not provide adequate protection as a matter of EU law. The ECJ is considering, among other questions, whether a data protection authority can investigate an individual’s claim that the US does not adequately protect data transferred from the EU or whether it must accept as a matter of law that Safe Harbor compliance means data is adequately protected. The case has the potential to have far-reaching effects if the ECJ were to reach the merits of the sufficiency of the Safe Harbor program (as opposed to simply addressing whether the Irish data protection authorities may investigate and/or punting in light of the ongoing reform negotiations). An opinion was originally scheduled to be issued on June 24, 2015, but it was disclosed last week that the opinion will be delayed, and no new publication date has yet been announced.