We commented last week on developments with Safe Harbor and the proposed replacement scheme Privacy Shield. You can read that alert here.
As we indicated last week enforcement remains a decision to be taken by local data protection regulators across the EU-US. It would seem from an announcement made by the French data protection regulator Commission Nationale de l’Informatique et des Libertés (known as CNIL) yesterday that enforcement has now begun.
CNIL had previously been investigating Facebook for various data handling concerns. Although the investigation is more wide CNIL has also criticised Facebook for (according to CNIL) continuing to rely on Safe Harbor after the CJEU judgment on 6th October.
The case is a useful reminder of the need to plan for Safe Harbor’s fall. It seems unlikely that Privacy Shield will be a complete answer to any organisation’s data transfer issues. In any event Privacy Shield is not ready and companies need to act now to protect themselves.
Whether enforcement remains piecemeal and connected with other investigations or is orchestrated and widespread remains to be seen. What is clear is that any company needs to have plans in place to comply.
Jonathan Armstrong and André Bywater are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785