• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

'EU-US Privacy Shield' to replace Safe Harbor

On 2 February 2016, the European Commission announced that the EU Commission and the United States agreed on a new framework for transatlantic data flows to replace Safe Harbor, to be called the EU-US Privacy Shield. 

On 6 October 2015, we reported that the Court of Justice of the European Commission (CJEU) stated in its decision on Schrems that the Safe Harbor framework is invalid and set out the implications of this decision for EU businesses. We also described alternative mechanisms available to EU businesses who want to continue to transfer personal data from the EU to the US. 

The Commission has stated that the EU-US Privacy Shield will be a new framework that will protect the fundamental rights of Europeans where their data is transferred to the US and ensure legal certainty for businesses. The Commission’s press release states that the EU-US Privacy Shield reflects the requirements set out by the CJEU in its ruling on 6 October 2015, that declared the old Safe Harbor framework invalid and will –

  • provide stronger obligations on US companies to protect the personal data of Europeans;
  • provide stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission, including through increased cooperation with European Data Protection Authorities;
  • include commitments by the US that possibilities under US law for public authorities to access personal data will be subject to clear conditions, limitations and oversight, preventing generalised access; and
  • give Europeans the possibility to raise enquiries and complaints with a dedicated, new Ombudsperson. 

Commissioner Jourova said: “The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies.  For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also, for the first time, EU citizens will benefit from redress mechanisms in this area.  In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans.  We have established an annual joint review in order to closely monitor the implementation of these commitments.”

The new arrangement will include the following three core elements –

  • “Strong obligations on companies handling Europeans" personal data and robust enforcement: US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.  The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission.  In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs. 
  • Clear safeguards and transparency obligations on US government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.  These exceptions must be used only to the extent necessary and proportionate.  The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.  To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access.  The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European Data Protection Authorities to it. 
  • Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities.  Companies have deadlines to reply to complaints.  European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission.  In addition, Alternative Dispute Resolution will be free of charge.  For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.” 

Next steps

While the new agreement is a positive step forwards, it is the first step in a process towards fully implementing the EU-US Privacy Shield on both sides of the Atlantic.  The next steps are for the Commission to prepare a draft adequacy decision in the coming weeks, which, after first, taking the advice of the Article 29 Working Party and second, consulting a committee composed of representatives of the Member States, could then be adopted by the College of Commissioners.  At the same time, the US will be making preparation to implement the new framework from the US side, monitoring mechanisms and the new Ombudsperson. 

What is the reaction of the Article 29 Working Party?

The Article 29 Working Party will only release their statement “late this afternoon”.  However, it seems they don’t yet feel they have sufficient information to come to a view on the proposed EU-US Privacy Shield.  They will review the proposal over the next couple of months, but it appears that as a group they will support transfers using the approved Standard Contractual Clauses (model clauses) or BCRs during this time. 

In this regard, the announcement yesterday has succeeded in buying more time and allowing data transfers to continue.  However, if businesses are still relying on Safe Harbor, it looks likely that some DPAs, at least, will commence enforcement action.

What could this mean for EU businesses?

It will still be some time yet before transatlantic data transfers can take place under the new EU-US Privacy Shield.  The Commission said that the EU-US Privacy Shield will take 3 months to implement. 

Our earlier article set out alternative mechanisms to Safe Harbor that companies can use to transfer personal data from the EU to the US following the CJEU’s declaration that Safe Harbor is invalid, such as the model clauses or BCRs.  Until the EU-US Privacy Shield is agreed and finally put in place, companies should continue to rely on these alternative mechanisms for transatlantic data transfers. 

It remains to be seen how widely the EU-US Privacy Shield will be adopted and how soon EU companies will sign up to it.  Companies that have gone to the effort of putting model clauses in place with their US suppliers or entering into BCRs between group companies, might decide to continue to rely on these mechanisms instead of adopting the new EU-US Privacy Shield so soon afterwards.  Another potential reason in favour of relying on these mechanisms is that the CJEU’s decision in Schrems gave national Data Protection Authorities the power to question adequacy decisions of the Commission, so it is possible that Data Protection Authorities in different member states might reach different conclusions on the adequacy of the EU-US Privacy Shield, and EU companies might well decide to keep their model clauses or BCRs in place as a backup. 

A question mark still hangs over the status of US companies that are currently Safe Harbor certified.  The Commission’s announcement does not clarify whether they will automatically transition to the new EU-US Privacy Shield or whether they will have to register anew under the EU-US Privacy Shield, and what that will involve. 

EU Data Protection Authorities agreed to refrain from taking enforcement action against companies that had relied on Safe Harbor and which had not put in place an alternative solution for exporting data to the US until 31 January 2016.  Now that this deadline has passed, and given that it might take some time for the EU-US Privacy Shield to be formally put in place, we wait to see whether this deadline will be extended, but this should be confirmed by the Article 29 Working Party statement this afternoon, which all DPAs have “committed” to. 

Interestingly, it seems that the changes that form part of the EU-US Privacy Shield deal will also be important for long term approval of model clauses and BCRs transfers to the US, which were also potentially at risk given the nature of the criticisms of Safe Harbor, which to a great extent related to the US legal position more generally, rather than the enforcement of Safe Harbor in particular.

The Privacy Shield is expected to be a living scheme for transatlantic data transfers, including annual joint reviews.  Hopefully, this indicates that it will have built-in flexibility to evolve in response to new innovations and withstand challenges, but at the same time, EU businesses that sign up to the EU-US Privacy Shield should expect to have to update their compliance with it as it evolves.  

For further information please contact Nicola Fulford and Shirine Corboy.