The Snowden Effect: The Safe Harbor Is Not So Safe Any More
In a landmark decision issued on October 6, 2015, the Court of Justice of the European Union (CJEU) declared the U.S.-EU Safe Harbor for the transfer of personal data to be invalid.
Since 2000, thousands of companies in the United States relied on the Safe Harbor to transfer personal data from the EU to the U.S. in accordance with the EU Data Protection Directive. The Decision is effective immediately and threatens to significantly impact cross-border business practices.
History
The EU Data Protection Directive provides that personal information regarding citizens of the EU can only be transferred from the EU to countries that have sufficient data protection protocols in place. While a number of countries satisfy this requirement, the United States does not.
For companies that wish to transfer personal data to a country that does not have adequate protocols in place, the European Commission provided a few mechanisms to conduct such transfers. In the United States, one of these mechanisms was the Safe Harbor, which was negotiated by the European Commission and the U.S. Department of Commerce and took effect in 2000. To take advantage of the Safe Harbor, a company had to self-certify to the Department of Commerce that it complied with certain EU privacy standards and otherwise complete a registration process.
Schrems v. Data Protection Commissioner
That process has now been tossed aside. In Schrems v. Data Protection Commissioner, the plaintiff alleged that an Irish subsidiary of Facebook transferred data to the U.S. under the Safe Harbor and that his rights of privacy had been violated because Facebook participated in the United States National Security Agency’s (“NSA”) PRISM program, which allowed the NSA access to his data. Schrems filed his complaint with Ireland’s Data Protection Commissioner. The Irish commissioner rejected his complaint on the basis that the European Commission had already found that the Safe Harbor provided a sufficient level of data protection. Schrems appealed to the Irish High Court, which in turn referred the case to the CJEU.
The CJEU held that although the European Commission had decided that the U.S. ensured an adequate level of protection when it approved the Safe Harbor, the individual Data Protection Authorities (DPAs) of EU nations can still independently examine a claim. Thus, in Schrems, the Irish data protection authority could question whether the Safe Harbor adequately protected Irish citizens’ fundamental right of privacy.
The CJEU also declared the EU-U.S. Safe Harbor to be invalid. The court set a high standard for when transfer of data should be permitted and held that an “adequate level of [data] protection” for EU citizens means “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.” The CJEU held that the Safe Harbor failed to meet this standard because the Safe Harbor does not stop the U.S. government from collecting the personal data of EU citizens, even in the absence of a risk to national security. The court noted that leaks from Edward J. Snowden, the former NSA contractor, demonstrated that American intelligence agencies had substantial access to the data, infringing on EU citizens’ rights to privacy. Since it found this practice to violate the fundamental privacy right of EU citizens, the court declared the Safe Harbor to be invalid.
Impact of the Schrems Decision
The Decision is effective immediately. Given that the Court declared the Safe Harbor to be invalid, companies that had previously relied on the Safe Harbor to transfer data from the EU to the U.S. must now quickly find an alternative method to comply with the EU Data Protection Directive. Alternatives include Binding Corporate Rules and Model Contract Clauses, which are models provided by the EU that permit companies to transfer data out of the EU by going through different approval processes involving the European Commission and data protection authorities in the member states.
In addition, many companies that transfer data from the EU to a processor in the United States previously relied on the fact that the processor was Safe Harbor certified. These companies should review their agreements with such processors and ensure that the processors utilize an alternative means of satisfying the EU Data Protection Directive.
For approximately the last two years, the European Commission and the U.S. Department of Commerce have been negotiating a revision to the Safe Harbor. Those negotiations may now be complicated and delayed in the face of the decision. While the Department of Commerce is continuing, for now, to administer the Safe Harbor program, that may change as a result of the Schrems Decision.
TAKEAWAYS
- Companies involved in EU-US data transfers should closely monitor this developing situation. There is a high level of concern at the federal level, including at the White House.
- Companies that had been relying on Safe Harbor self-certification to transfer data should find an alternative method to comply with the EU Data Protection Directive. This may be challenging, but processes to consider include obtaining consent, Model Contract Clauses, and Binding Corporate Rules.
- Similarly, companies that had been relying on vendors that were Safe Harbor certified should ensure that their vendors adopt an alternative method of compliance.
- Companies relying on other methods of compliance such as Binding Corporate Rules and Model Contract Clauses should monitor developments in the EU. In the wake of Schrems, it is very possible that these methods will face scrutiny as well.