Observed annually on January 28, Data Privacy Day constitutes an international effort to raise awareness and promote privacy and data protection best practices. The ECJ deemed this to compromise the fundamental rights to private life and to judicial protection under the Charter.
Data Privacy Day commemorates the signing of Convention 108--the first legally binding international treaty dealing with privacy and data protection--on January 28, 1981. On that basis, the ECJ ruled the Safe Harbor to be invalid.
An annual commemoration of the need to raise awareness about data privacy risks and best practices is fitting, as 2015 saw a number of developments in the cybersecurity and data privacy arena. Indeed, the majority of courts deciding data breach cases this year have held that absent allegations of actual identity theft or other fraud, increased risk of harm alone is insufficient to confer Article III standing. The Commission also emphasized that, unlike Commission adequacy decisions, which concern the general assessment of a third country's system and may cover all transfers to that country, the scope of the guidelines above is limited, and applies only to specific data flows.
Large-scale data breaches impacting millions of consumers continued to plague cyberspace. companies scrambling to ensure that their transatlantic data flows can continue in the new year. It is the data exporters and importers that bear the responsibility of ensuring that the transfers comply with the EU Data Protection Directive.
Increased pressure from consumer protection groups resulted in a number of new and proposed laws that will alter company data collection and sharing practices, and has also led the FTC and other U.S. regulators to step up their oversight and enforcement activities with respect to cybersecurity and data privacy practices. In this fourth edition of Gibson Dunn's Cybersecurity and Data Privacy Outlook and Review, the firm's Privacy, Cybersecurity and Consumer Protection group describes key data privacy and security events from 2015, as well as anticipated trends for the near future. As the frequency and scope of data breaches continue to increase, companies handling consumer and employee data face an ever-increasing risk of litigation. The European data protection authorities have embraced the ECJ ruling.
Last year also saw international regulators continue to take bold action on data privacy issues--most notably, the European Court of Justice invalidated the EU-U. The topics covered are: (i) civil litigation; (ii) U.S. government regulation of privacy and data security; (iii) legislative developments; (iv) international developments; and (v) U. While establishing Article III standing--particularly the element of injury-in-fact--is a substantial obstacle for data breach plaintiffs, the fact-specific nature of the inquiry continues to allow a handful of cases to survive a standing challenge (at least six such suits survived past the pleading stage in 2015). FTC Commissioner Julie Brill noted that the Schrems decision "clearly came as a shock to many policy makers and companies in the United States," and she said that invalidation of the Safe Harbor, including the self-certification program, will make FTC enforcement of companies' transatlantic communications more difficult in the absence of company representations.
This year, key issues for standing continued to include whether the plaintiff alleged any actual instances of identity theft or fraud and whether personal information was specifically targeted by hackers. She also said that data transfers relying on the alternatives to Safe Harbor will not offer the same level of transparency previously ensured through the certification process.
The Supreme Court's 2013 decision in Clapper continued to provide the basic test for establishing the injury-in-fact element of Article III standing, namely that "threatened injury must be certainly impending to constitute injury in fact." Clapper v. Brill also hoped that the negotiations would come to a "speedy and successful conclusion." On December 15, 2015, the European Commission, the European Parliament, and the European Council agreed to an EU data protection reform to boost the EU Digital Single Market.
According to the ECJ, national supervisory authorities must be able to examine with due diligence whether a transfer of a person's data to a third country complies with the EU Data Protection Directive requirement of "adequate level of protection." Second, with respect to the validity of the Commission Decision 5000/250 itself, the ECJ noted that U.S. public agencies can access personal data on the basis of a national security exception to the Safe Harbor and that the persons concerned had no judicial or administrative recourse to oppose such access. Order Granting Motion to Dismiss at 3, Columbia Cas.
2015) (finding no standing where plaintiffs did not allege that they actually suffered any form of identity theft as a result of the defendant's data breach); In re Horizon Healthcare Services Inc. However, a Commission determination, such as the Commission Decision 5000/250, does not prevent a national supervisory authority of a Member State from examining claims lodged by individuals concerning the processing of their personal data.
The ECJ stated that it alone has jurisdiction to declare an EU act, such as a Commission decision, invalid.
Less than two weeks later, the ECJ issued its decision holding the European Commission's Safe Harbor adequacy determination invalid. First, with respect to the powers of national supervisory authorities, the ECJ stated that the European Commission may adopt a decision that a third country ensures an adequate level of protection under Article 25 of the Directive and that decision is binding on all Member States and their organs, including national supervisory authorities.
He found that national supervisory authorities have the power to intervene and to suspend the data transfers they consider deficient, despite the general assessment made by the European Commission.