Welcome to the November Global Data & Privacy Update. This update is dedicated to covering all the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news in breaches and industry developments for the month.
Safe Harbor confusion continues
In the weeks which have passed since the Court of Justice of the European Union (CJEU) sparked widespread uncertainty with its controversial decision to 'tear up' the Safe Harbor framework, we have seen a truly global reaction. Whilst national data protection regulators from across the world have warned local companies to review the legal basis for their data transfers, EU authorities have attempted to dispel fears of immediate and aggressive enforcement.
As a result, there is, unsurprisingly, little real clarity as yet on what to expect in the new, post-Safe Harbour world. The best hope for a positive resolution to the crisis however lies in the swift agreement of a Safe Harbour 2.0.
In what appears to have been an attempt to inject more urgency into the Commission's negotiations with the US on a new agreement, the Article 29 Working Party (WP29), the independent advisory body made up of representatives from all the EU data protection authorities (EU DPAs), announced in its statement on 16 October 2015 that if no appropriate solution is found by January 2016, the EU DPAs are committed to taking all necessary and appropriate actions, which may include coordinated enforcement action.
This was followed by a Communication from the Commission on 6 November 2015, which reiterated the Commission's commitment to reaching agreement with the US on a new framework which provides proper limitations and safeguards on access to personal data by the US authorities. The Commission discussed the alternatives available to undertakings wishing to transfer personal data to the US and confirmed that businesses could continue to transfer data by using derogations, contractual solutions such as model clauses or, in the case of intragroup transfers, binding corporate rules, whilst admitting that these mechanisms may nonetheless be subject to review by the relevant DPAs.
FCA launches consultation on cloud outsourcing guidance
The FCA has indicated in draft guidance that it will be taking a positive approach to regulating firms which outsource to the cloud or other third party IT services.
The detailed document highlights the potential risks involved in...