More Dominos Fall on the Data Protection Table

Mintz - Privacy & Cybersecurity Viewpoints

As all of our readers know by now, as of October 6, the US-EU Safe Harbor Framework is no more.   Safe Harbor was the mechanism on which thousands of US companies (and thousands of companies based in the European Union) legitimized their data transfers from the EU to the US.  All the background, including links to a recording of our “emergency” Privacy webinar on the issue, can be found here, here, and here.

Two more dominos outside the European Union have toppled.

Switzerland:  The Swiss Federal Data Protection and Information Commissioner (FDPIC) today announced that until a new agreement can be reached, the US-Swiss Safe Harbor is no longer valid, following the same rationale as the CJEU in the Schrems case.  Advice from the FDPIC in a press release is that companies should take steps to put model clauses in place when transferring data to the US.  The press release also advised that companies should take those measures by the end of January 2016.

Israel:  The Israeli Law, Information and Technology Authority (ILITA) has revoked its prior authorization for data transfers from Israel to the US that are based on Safe Harbor.    Israel’s privacy law (the Israel Privacy Protection Regulations of 2001) is Euro-centric:  it prohibits the transfer of data from a database in Israel to a location outside its borders unless the law of the data importer’s country ensures a level of protection that is equal to or greater than Israeli law.  Like the EU DPD, the Israel law contains several “derogations,” including one that authorizes the transfer of personal data from Israel to a country to which the EU permits data transfers.  Based on the CJEU decision in the Schrems case, the ILITA announced that companies can no longer rely on this derogation as a basis for transfer.   

The ILITA advises that it continues to assess the Schrems decision and will publish additional information  and other clarifications “if necessary”.

Israel’s data protection law received what is called an “adequacy” determination under the EU Data Protection Directive, ensuring that personal data can be transferred from the EU to Israel without reliance on other methods, such as model contractual clauses.  

These actions by data protection authorities outside the European Union are yet another imperative for companies to understand their data flows and get a Plan B in place yesterday.   Switzerland is a hub of financial activity and life sciences/pharmaceuticals.   Israel is a center of technology development, many companies locating US operations in Silicon Valley.

The real question for US companies now is whether other countries such as Argentina, Uruguay, Canada will follow Israel and Switzerland.  We continue advise that US companies urgently evaluate their data flows, form a plan for taking remedial measures to supplant Safe Harbor, and start to execute on that plan.

[View source.]

Written by:

Mintz - Privacy & Cybersecurity Viewpoints

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.