The Five Most Common Questions Clients Asked Us About Privacy Compliance In 2015

As we wrap up 2015, we thought it might be helpful to talk about some of the most common questions we received this year with respect to privacy compliance. Here is a random sampling of the questions topping the charts this year.

My company is self-certified under the Safe Harbor Framework. Now that the Court of Justice of the European Union (CJEU) has invalidated that framework in the October 2015 Schrems decision, how can I legally transfer data from the European Union to the United States?

Don't panic. Let's enjoy a nice German beer while we talk through this one. Although the practical implications of the CJEU's judgment were (and still are) uncertain for companies that previously had availed themselves of the Safe Harbor Framework to transfer personal data from the EU, in the weeks following the decision a number of European data protection authorities (DPAs) and other regulators issued opinions and guidance. Of particular note, on October 16, 2015, the Article 29 Working Party indicated that although transfers pursuant to the Safe Harbor Framework were no longer permitted, through the end of January 2016 EU DPAs would allow a replacement mechanism or alternative solution (often referred to as "Safe Harbor 2.0") to be developed. In the interim, other data transfer mechanisms, such as binding corporate rules (BCRs) and standard contractual clauses (SCCs), offer potential alternatives for entities to consider. Although some German DPAs have called into question the validity of both BCRs and SCCs as data transfer mechanisms for sending EU personal data to the United States, and have indicated that they will not authorize BCRs or other data export contracts for transfers of personal data from Germany to the U.S., SCCs remain a valid and legal mechanism for data transfers. If you have not done so already, you should seriously consider entering into SCCs as appropriate (controller to controller for intracompany data transfers, or controller to processor for service provider arrangements). And let's revisit this early next year. I will bring the French wine to that meeting. In the meantime, here is some additional information on what has happened in the aftermath of Schrems.

We are a major retailer. Our marketing group is launching a campaign in conjunction with a new microsite that will include text messaging regarding offers that may be of interest to our rewards members. Our rewards members all gave us their mobile phone numbers when they signed up for the rewards program over the past four years. Can we go ahead and start sending text messages?

Hold the phone. For...