February

National EU member state courts, as well as the European Court of Justice (ECJ), have struggled for several years to define the scope of application of EU data protection law in individual member states.
 
In a decision that provides important guidelines on the competence of, and co-operation between, national data protection authorities (DPAs), the ECJ has clarified how data protection law applies in cross-border situations within the EU.
 
In this significant ruling, the ECJ has confirmed its view that even minimal activities in a member state can trigger the application of that member state's data protection law. It clarified that this wide interpretation of the Directive is not only applicable in situations where the data controller is based outside the EU. However, the ECJ still failed to set out clearly when data processing takes place "in the context of the activities" of an establishment.

In 2014, Hewlett-Packard (HP) became the first company to win approval for both binding corporate rules (BCRs) and cross-border privacy rules (CBPRs).
 
Both processes take a significant number of man-hours to achieve. But to demonstrate compliance, many of the administrative hurdles are the same. That's why an EU|APEC working group has approved a plan for increased interoperability by making it easier for companies to comply with both BCRs and CBPRs at once.
 
The EU's Article 29 Working Party has agreed to the APEC Data Privacy Subgroup's proposal to develop a common questionnaire based on the forms that now must be completed to apply for BCRs and CBPRs separately.
 
The idea is that organizations will be able to submit the single questionnaire to both EU DPAs and to APEC Accountability Agents to reach compliance with both systems at once.

The French Data Protection Authority (CNIL) has published guidance, including a set of frequently asked questions, to assist companies that are transferring personal data to the U.S. pursuant to the Safe Harbor framework.

The CNIL stated that the decision of the Court of Justice of the European Union (CJEU) invalidated the European Commission's decision on the adequacy of the protection provided by Safe Harbor. Consequently, companies can no longer rely on Safe Harbor to transfer personal data to the U.S.

The CNIL then met with other European data protection authorities within the Article 29 Working Party, calling upon the EU institutions and Member States to adopt a new legal framework allowing the transfer of personal data from the EU to the U.S. in accordance with the requirements set out by the CJEU by January 31, 2016.