Facebook has failed to prevent its feud with an Austrian privacy activist over the legality of two widely used mechanisms for transferring data between the European Union and the U.S., from reaching the EU Court of Justice.

In a May 2nd ruling, the Irish High Court sided with activist Max Schrems and the Irish Data Protection Commissioner, rejecting Facebook’s request to stay the court’s October 2017 referral of the case to the EU Court of Justice to give the company time to appeal the referral to the Irish Supreme Court.

The decision carries with it potential consequences for thousands of international companies that use model contracts and Privacy Shield for transatlantic data transfers.

Schrems filed a grievance over Facebook’s use of model contracts with the Irish Data Commissioner in 2015 saying that Facebook failed to protect EU citizens’ data from the prying eyes of U.S. law enforcement and intelligence agencies.

The Data Commissioner referred the case to the Irish High Court in May 2016 after determining the compliant was “well founded.” The Irish High Court expanded the scope to include Privacy Shield in its 2017 decision to refer the matter to the EU Court of Justice.

In 2015, the EU Court of Justice invalidated the Safe Harbor accord, then a widely used mechanism for transferring data between the EU and U.S., ruling it failed to adequately protect the privacy of EU citizens. Privacy Shield was created to replace Safe Harbor. Details via Reuters, Fortune and Bloomberg.

Last year saw multiple high-profile data breaches, enough to place cybersecurity atop any in-house attorney’s 2018 priority list.

But the threat posed by hackers isn’t the only cyber concern on the minds of in-house counsel this year, reports Corporate Counsel magazine.

In the regulatory realm, complying with the European Union’s General Data Protection Regulation, which takes effect in May,  is expected to be companies’ top data privacy task of 2018. But it’s not the only one. The Chinese government also plans to impose new, below-the-radar data privacy regs that will make companies jump through another set of legal hoops.

The legal implications of new technologies, such as fitness devices that blur the line between medical and personal data collection, are also expected to challenge corporate counsel. And groundbreaking legal cases could change the law regarding who has standing to sue following a data breach in the U.S. and whether companies can use standard contractual clauses to transfer personal data out of Europe.

Copyright: hywards / 123RF Stock Photo
Copyright: hywards / 123RF Stock Photo

France’s data protection regulator – the  Commission Nationale de L’Informatique et des Libertés (CNIL) – ordered Alphabet Inc.’s Google in 2015 to comply with the right to be forgotten.

If the ruling is upheld, the approach to personal privacy threatens the equal and competing legitimate freedom of expression and access to information rights of businesses and consumers outside the European Union.

Scott L. Vernick and Jessica Kitain recently authored the Bloomberg BNA Privacy and Security Law Report article “The Right To Be Forgotten – Protection or Hegemony?” We invite you to read the full article.

Reproduced with permission from Privacy and Security Law Report, 15 PVLR 1253, 6/20/2016. Copyright © 2016 by The Bureau of National Affairs, Inc. (800.372.1033) http://www.bna.com

The French data protection authority (CNIL) is placing Facebook’s EU-U.S. data transfer practices under new scrutiny over its use of the defunct Safe Harbor framework.

The agency issued a two-part order Feb. 8 requiring the social media company to stop using Safe Harbor to transfer data to the United States. Safe Harbor was nullified in October 2015 when the European Court of Justice invalidated the EU Commission’s Safe Harbor agreement with the U.S. The agreement had allowed U.S. companies to transfer EU citizens’ data to the U.S. from the EU.

The ECJ’s decision to invalidate Safe Harbor stemmed from an Austrian citizen’s complaint – filed in the aftermath of revelations about U.S. National Security Agency data collection practices – that Facebook violated his privacy rights by transferring his personal data to the U.S. The decision imperiled 4,000 U.S. companies’ ability to transfer data from the EU to the U.S.

The new CNIL order is based on Facebook continuing to include language detailing its use of Safe Harbor on its France privacy policy page. Part two of the order accuses Facebook of using cookies to track non-users’ activity without their consent, a violation of French law, according to CNIL. It gives Facebook three months to stop tracking non-users without their consent, or face potential fines.

The order comes at an tumultous time for U.S.-EU data transfer policy. EU and US officials agreed to a new EU-U.S. Privacy Shield transatlantic data transfer pact on Feb. 2nd,  but many of the details, including language and legal implications of the agreement are in flux. Critics say details are so scarce that the agreement is not the basis for a working policy. While many in the EU have criticized the U.S. government’s data collection practices, critics point out that the EU may want to take a look in the mirror since many of its member states spy on their own citizens.

It all leads to massive uncertainty. No one is sure how things will develop over the next few months.

If you or your company have questions or concerns about preparing for or responding to new privacy regulations, or you are interested in creating and/or implementing a cybersecurity plan, contact the author or a Fox Rothschild Privacy & Data Security team member.

Critical infrastructure operators and multinational companies must fully disclose cybersecurity breaches and violations to European Union (EU) authorities or face severe penalties under a new EU cybersecurity law.

The law – the Network and Information Security Directive – is aimed at promoting transparency and cooperation between governments and global companies in the response to cyber threats. It lays out new breach reporting rules for companies in the finance, energy, health and technology sectors.

The new rules will apply, notably, to tech companies considered “digital service providers,” a group that includes online retailers and marketplaces, cloud storage firms and search engines. The definition of “digital service providers” is less clear, leaving uncertainty as to what types of companies will face new reporting requirements. Take Facebook, for example. Search engines and e-commerce sites such as Amazon may be required to fully disclose data breaches, while social networks’ disclosure obligations are less clear. They may face no disclosure requirements.

Expect more clarity in coming months. European regulators are negotiating a new transatlantic data transfer agreement to replace Safe Harbor, and could release the long-awaited General Data Protection Regulation, to replace Data Protection Directive, any day.

The upside is that these new laws and directives will provide some uniformity, and clear direction on companies’ obligations in Europe. But that may result in higher privacy protection standards, stiffer penalties and more aggressive compliance enforcement. To prepare, companies should firm-up their data security and privacy compliance efforts to align with industry standards such as ISO 27001.

For help drafting data security policies, or for advice on how to prepare for new European data privacy rules, contact the author or a member of the Fox Rothschild Privacy & Data Security or Technology teams.

Businesses that relied previously on the EU’s Safe Harbor exception to transfer data from Israel to the United States have had that authorization revoked by the Israeli Law, Information and Technology Authority (ILITA).

It’s part of the ongoing ripple effect caused by the invalidation of Safe Harbor.

Now that Safe Harbor is off the table, businesses must rely on standard contractual clauses, binding corporate rules or other legal strategies, to transfer data out of the EU, and now Israel.

Israel is not an official member of the so-called “Euro Data Zone,” but it was granted an exception in 2011 under the EU Data Protection Directive, allowing data to be transferred out of the EU to Israel without requiring companies to use standard contractual clauses or binding corporate rules.

Israel’s 2001 Privacy Protection Regulations permitted moving data from Israel to a database outside the country if the transferee country had laws regulating data protection that were at least as strict as Israeli law. It included an exception for companies located in countries with inadequate legal protections by allowing data transfers to nations to which the EU allows data transfers.

In effect, that allowed Safe Harbor compliant U.S.-based companies to transfer data out of Israel.

A German state has become the first in the European Union to outlaw data transfers made on the basis of model contract clauses.

The Schleswig Holstein Data Protection Authority warned in a public statement this week that such transfers are “no longer permitted” and that businesses can be fined up to €300,000 for transferring personal data to the U.S. “without a legal basis.”

Companies have been concerned that government bodies in the EU might take such steps following the EU Court of Justice’s Schrems Decision that invalidated Safe Harbor. The Schleswig Holstein DPA applied that court’s reasoning that data in the U.S. is not safe from the National Security Agency or other branches of U.S. intelligence, and that model contract clauses don’t provide enough protection for EU privacy rights.

The Schelswig Holstien DPA said the EU Court of Justice decision on the inadequacy of data protection in the U.S. “requires a comprehensive change in US law as well as the conclusion of an international agreement.” With neither in place, it recommends that companies using standard model contracts immediately cancel them, and perform a complete review of all data transfers to U.S. partners in consultation with the DPA.

It’s important to remember this applies only to one German state, but the Schleswig Holstein announcement reinforces fears about the policy influence of the Schrems decision. It suggests the rationale used by the court can be applied equally to other data transfer methods. In addition, it subjects companies to greater regulatory enforcement risk and the possibility of fragmented privacy and data security policy across the continent. It also backs up the contention that US companies’ data protection guarantees to European citizens are worthless, and that processing that data creates unacceptable litigation risk.

National DPAs from across Europe will meet Thursday to discuss the Schrems ruling under the banner of the Article 29 Working Party. Will the Schleswig Holstein DPA’s approach become the standard or an isolated early reaction to the ruling? It’s hard to say.

Regardless, US companies should immediately review their data transfer practices to ensure as much compliance as possible.

For assistance in understanding how the ECJ Decision could affect your company, with privacy and data secuity compliance programs audits, model agreement reviews or Binding Corporate Rules, please contact the author or a Fox Rothschild Privacy & Data Security team member.

The European Court of Justice has invalidated the EU Commission’s Safe Harbor decision, threatening a system used by 4,000 or so large U.S. companies to transfer data from the EU to the U.S.

It may have an immediate impact on EU-US trade.

Under the decision, EU member states’ Data Protection Authorities (DPAs) must investigate complaints related to any company’s transfer of personal data to the United States, from Europe.

Companies that count on Safe Harbor risk being forced to stop all data transfer activities, pending implementation of some other system that complies with European law. Many companies will be left scrambling for other options.

The case, Schrems v Data Protection Commissioner, has its roots in Edward Snowden’s revelation that National Security Agency has broad access to data stored on U.S. servers. Shortly after the news broke, an Austrian citizen complained to the Irish DPA that Facebook violated the privacy rights afforded him under the EU Data Protection Directive by transferring data from the EU to the U.S. Safe Harbor permits U.S. companies to self-certify compliance with the EU Data Protection Directive. Safe Harbor was first called into question in September in an opinion issued by independent Advocate General Yves Bot.

The ECJ held that “[t]his judgment has the consequence that the Irish supervisory authority is required to examine Mr. Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”

For assistance in understanding how your company may be affected by the ECJ decision, with privacy and data security compliance program audits, drafting model agreements, or preparing Binding Corporate Rules, please contact the author or a Fox Rothschild Privacy & Data Security team member.

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.”  The guiding principles of the draft bill are:  individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.”  However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House.  FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”

To review the administration’s proposed bill, click here.


In its continuing efforts to give the State of California a run for its money when it comes to privacy rights, the United Kingdom’s “cookie law” is now in effect. Websites for European companies with European visitors, or non-European companies that are directed at European users, must now inform users of any tracking technology used on the website, and the purpose of the use of that tracking technology.

The Law

The new law is part of the European Union’s "e-Privacy" Directive. Implementation of the e-Privacy Directive requires that each member state incorporate the e-Privacy Directive into its own law in 2011. The United Kingdom accomplished the foregoing by creating the amended Privacy and Electronic Communication Regulations (PECR) Act 2011, which became effective on May 26, 2011. The disclosure of the use of user tracking technology is only one element of PECR.

Types of Tracking Technology

The use of cookies on a website is only one practice covered by the cookie law. Uses of advertising tracking and analytics, for example are covered practices.

Affected Businesses

If you have only a U.S.-based web site, with no web page directed explicitly at the United Kingdom, then the cookie law should not affect you. However, if you have a website or web page directed specifically to residents of the United Kingdom, you almost certainly are subject to the cookie law.

Opt-Out or Opt-In

Good question. Originally the cookie law was interpreted to mean that a user must explicitly opt-in to the tracking technology. However, just before the cookie law went into effect the Information Commissioner’s Office (“ICO”), the United Kingdom’s data protection agency, updated its guidance to say that “implied consent” was acceptable, and that continued use of the subject website would meet the consent requirement.

Compliance Deadline

The cookie law is currently in effect, but it is no secret that many, many organizations are not currently in compliance. Those websites that are in compliance with the cookie law will present users with a dialogue similar to this:

Mobile Applications

Just to keep things interesting, the cookie law applies to mobile applications as well. Because mobile applications have just as many, if not more, opportunities for user tracking, and because that user tracking is not always obvious, it has already been made clear that the ICO will pay particular attention to mobile application compliance


The ICO has the authority to fine non-compliant organizations up to $780,000 (or 500,000 pounds) for not complying with the cookie law. Fortunately, the ICO is not going to be in a big rush to penalize non-compliant organizations and, instead, is focusing on educating companies regarding compliance requirements.