August

On May 22, 2015, the Article 29 Working Party published an update to its explanatory document regarding the use of Binding Corporate Rules (BCRs) by data processors (WP204). The original explanatory document was published on April 19, 2013 and identified two scenarios in which a non-EU processor, processing personal data received under BCRs, should notify the controller and the relevant data protection authorities (DPAs) in the event of a legally binding request for the personal data. Although the Working Party 's guidance provides helpful clarification, there remains a number of unresolved questions. BCRs for processors remain an evolving area of EU data protection law, and it is likely that we will see further guidance on these issues from DPAs and the Working Party as increasing numbers of processors begin to use BCRs.

On June 9, 2015, Max Schrems tweeted that the advocate general of the European Court of Justice (ECJ) will delay his opinion in Europe v. Facebook, a case challenging the U.S.-EU Safe Harbor Framework. The delay may allow the U.S. and EU to conclude their negotiations regarding updating the Safe Harbor Framework before the ECJ issues an opinion that could impact the Framework. Although certain issues concerning the national security exemptions to the U.S.-EU Safe Harbor Framework still need to be resolved, the negotiations are expected to be concluded within weeks. In his case against Facebook, Schrems challenges the Irish Data Protection Commissioner 's claim that the Safe Harbor agreement precluded the agency from stopping data transfers from Ireland to the U.S. by Facebook.

Significant security threats often come from within: according to a security risk study by the Finnish Central Chamber of Commerce (2012), around 20% of large Finnish companies reported that a former employee had illegally copied files and confidential information during employment. Some 20% of the companies did not even know whether such infringements had taken place. Statistics suggest that companies rarely act on their suspicions. These results are very likely a reflection of strict Finnish privacy laws, which make internal security threats quite difficult to monitor. A company considering acting on its suspicions also faces significant legal barriers, often making it difficult to prove malpractice. Without effective rules prescribing acceptable grounds and procedures for internal investigations, Finnish companies will remain largely impotent to fully safeguard their trade secrets.