Is the Safe Harbor Framework Still Safe?

On October 6, 2015, the European Court of Justice (ECJ) will issue its decision in Schrems v. Data Protection Commissioner, Case C-362/14, which may invalidate the U.S.-EU Safe Harbor Framework. The Safe Harbor Framework permits U.S. companies to transfer personal data regarding their employees and customers from the European Union (EU) to the United States in compliance with E.U. data protection requirements.

The case involves a legal challenge that Austrian national Maximilian Schrems brought against Facebook Inc. for transferring personal data from the European Union to the United States under the Safe Harbor Framework. Schrems, who subscribed to Facebook in 2008, signed a contract with Facebook Ireland—a subsidiary of Facebook Inc.—as do all Facebook subscribers residing in the European Union. As Schrems’ agreement was with Facebook Ireland, he filed his complaint with the Irish Data Protection Commissioner and the Irish courts. While the court rejected Schrems’ claim that the Safe Harbor Framework was inadequate to protect his privacy interests, it requested that the ECJ examine the question of whether the Irish Data Protection Commissioner is bound to follow the Safe Harbor Framework or whether it should conduct its own investigation into the adequacy of Facebook’s data privacy protections.

On September 23, 2015, the ECJ Advocate General, Yves Bot, issued a non-binding opinion recommending that the ECJ invalidate the Safe Harbor Framework. A main factor in this opinion was Edward Snowden’s revelation that personal data transferred from the European Union under the Safe Harbor Framework has been accessed by the United States’ National Security Agency under the PRISM program.

In making this recommendation, the Advocate General arguably went beyond the question put to the ECJ by the Irish court, and the ECJ is not bound to follow the opinion of the Advocate General and does not always do so. However, a decision by the ECJ to invalidate the Safe Harbor Framework as the Bot opinion recommends would have serious ramifications as the more than 4,500 companies that currently use the Safe Harbor Framework will need to find other legal means to transfer personal data from the European Union to the United States.

The Ogletree Deakins Data Privacy Practice Group is evaluating the impact of an adverse ECJ decision and will provide further updates on this topic on October 6, 2015, after the release of the Schrems decision.

Domestic Violence Q&A: What to Do When the Alleged Perpetrator is Your Employee

A significant number of employees are impacted by domestic violence—most frequently as victims and as relatives or friends of victims. According to recent studies and polls, 1 in 5 women in the United States is or has been involved in an abusive relationship, 44 percent of Americans say they know of someone in an abusive relationship, and 21 percent of surveyed employees report that they have been victims of domestic violence.

New U.S. Electronic Visa Update System (EVUS) Required for Certain Chinese Nationals Beginning November 29, 2016

On October 20, 2016, the Department of Homeland Security issued a final rule requiring travelers holding People’s Republic of China (PRC) passports with B-1, B-2, or 10-year B-1/B-2 visas to enroll in the Electronic Visa Update System (EVUS) before being admitted into the United States. The rule will go into effect on November 29, 2016, and will apply to both current visa holders and new applicants.

Is the Safe Harbor Framework Still Safe?

Recommended Reading

OSHA Signals Rulemaking to Broaden Scope of Who Is Permitted to Accompany Compliance Officers During Worksite Inspections

Domestic Violence Q&A: What to Do When the Alleged Perpetrator is Your Employee

New U.S. Electronic Visa Update System (EVUS) Required for Certain Chinese Nationals Beginning November 29, 2016