About Us

We work collaboratively with our clients to build strong, sustainable relationships. Our team is committed to delivering consistent high standards of service, and we understand the importance of accessibility. Working with us, you'll enjoy open communication, meaning well scoped, properly resourced and effectively managed matters.

Learn More

Latest Case

Providing innovative procurement solutions for local government projects April 20, 2018

We advised City of Casey on the procurement process of the Bunjil Place Project. Bunjil Place is a $125 million civic and cultural precinct for the City of Casey, encompassing an 800-seat theatre and 200-seat … Continued

Latest News

Maddocks signs on for Luminance AI platform May 24, 2018

Thursday 24 May 2018 Maddocks has adopted an artificial intelligence (AI) platform to assist in streamlining due diligence processes. The firm has signed on to use the market-leading Luminance AI platform to provide due diligence … Continued

Latest Article

Strategic use of regulatory action policies: an example in the context of Freedom of Information May 23, 2018

Regulatory action policies (including strategies and statements issued by regulators) are a useful tool for regulators to signal the importance of a particular regulatory area to the regulated sector and to the public at large. … Continued

Return to Safe Harbour?

On 6 October 2015, the  European Court of Justice ruled that the ‘safe harbour’ agreement for data flows between the European Union and the United States was invalid. The safe harbour agreement was set up some 15 years ago to facilitate easier transfer of data from the EU to the US and had previously allowed some 4,000 US companies storing customer data to self-certify their adherence to the scheme.

Following a complaint from an Austrian citizen, Maximillian Schrems regarding the way Facebook processes personal data, the ECJ held the safe harbor principles to be invalid. The ECJ provided a number of reasons for its decision, including that the agreement did not require all organisations entitled to access EU personal data to comply with EU privacy laws. The ECJ also expressed concerns that US authorities were able to gain access to personal data originating from the EU on national security grounds. While the ruling does not necessarily render the transfer of data between the EU and the US unlawful, it means that companies can no longer rely on the safe harbour agreement and must instead, for example, implement model contract clauses with each recipient of personal data prior to disclosing such personal data outside of the EU.

From an Australian perspective, trans-border flows of information are particularly fraught with issues. Organisations based in Australia that use US service providers to provide IT services, and particularly cloud-based services, may be impacted by the decision if data is hosted on US and/or EU servers and those service providers had previously relied on the scheme. Additionally, many believe that the decision likely further cements the EU’s position that Australian privacy laws do not ensure an ‘adequate level’ of protection of personal data transferred from the EU for the purposes of EU privacy law, by virtue of the fact that Australian laws provide that an act done or practice engaged in outside Australia does not breach an Australian Privacy Principle if the act or practice is required by a law of a foreign country.

Now that the dust has at least begun to settle on the decision, attention is being paid to a new arrangement being put in place to replace the now quashed safe harbour agreement. In fact, the European Commission’s vice-president, Andrus Ansip, has indicated that that a new agreement will need to be in place ‘within the next three months’. The Commission has also recently issued guidance to businesses now caught out by the ECJ’s ruling which confirms that the invalidity of the safe harbour agreement ought not necessarily prevent the transfer of data from the EU to the US, as other mechanisms are available.

In the coming weeks, US Senators are expected to vote on the Judicial Redress Act, that could give EU citizens the same legal rights as Americans if their data is mishandled within the US. This will likely at least go some way to appeasing the concerns of the European Commission.

We will, of course, keep you abreast of further developments.

Author:   
Jack Evans 1cm colour Jack Evans
Lawyer
61 2 9291 6178
jack.evans@maddocks.com.au

 

On 6 October 2015, the  European Court of Justice ruled that the ‘safe harbour’ agreement for data flows between the European Union and the United States was invalid. The safe harbour agreement was set up some 15 years ago to facilitate easier transfer of data from the EU to the US and had previously allowed some 4,000 US companies storing customer data to self-certify their adherence to the scheme.

Following a complaint from an Austrian citizen, Maximillian Schrems regarding the way Facebook processes personal data, the ECJ held the safe harbor principles to be invalid. The ECJ provided a number of reasons for its decision, including that the agreement did not require all organisations entitled to access EU personal data to comply with EU privacy laws. The ECJ also expressed concerns that US authorities were able to gain access to personal data originating from the EU on national security grounds. While the ruling does not necessarily render the transfer of data between the EU and the US unlawful, it means that companies can no longer rely on the safe harbour agreement and must instead, for example, implement model contract clauses with each recipient of personal data prior to disclosing such personal data outside of the EU.

From an Australian perspective, trans-border flows of information are particularly fraught with issues. Organisations based in Australia that use US service providers to provide IT services, and particularly cloud-based services, may be impacted by the decision if data is hosted on US and/or EU servers and those service providers had previously relied on the scheme. Additionally, many believe that the decision likely further cements the EU’s position that Australian privacy laws do not ensure an ‘adequate level’ of protection of personal data transferred from the EU for the purposes of EU privacy law, by virtue of the fact that Australian laws provide that an act done or practice engaged in outside Australia does not breach an Australian Privacy Principle if the act or practice is required by a law of a foreign country.

Now that the dust has at least begun to settle on the decision, attention is being paid to a new arrangement being put in place to replace the now quashed safe harbour agreement. In fact, the European Commission’s vice-president, Andrus Ansip, has indicated that that a new agreement will need to be in place ‘within the next three months’. The Commission has also recently issued guidance to businesses now caught out by the ECJ’s ruling which confirms that the invalidity of the safe harbour agreement ought not necessarily prevent the transfer of data from the EU to the US, as other mechanisms are available.

In the coming weeks, US Senators are expected to vote on the Judicial Redress Act, that could give EU citizens the same legal rights as Americans if their data is mishandled within the US. This will likely at least go some way to appeasing the concerns of the European Commission.

We will, of course, keep you abreast of further developments.

Author:   
Jack Evans 1cm colour Jack Evans
Lawyer
61 2 9291 6178
jack.evans@maddocks.com.au