Return to Safe Harbour?

On 6 October 2015, the European Court of Justice ruled that the ‘safe harbour’ agreement for data flows between the European Union and the United States was invalid. The safe harbour agreement was set up some 15 years ago to facilitate easier transfer of data from the EU to the US and had previously allowed some 4,000 US companies storing customer data to self-certify their adherence to the scheme.

Following a complaint from an Austrian citizen, Maximilian Schrems, regarding the way Facebook processes personal data, the ECJ held the safe harbour principles to be invalid. The ECJ provided a number of reasons for its decision, including that the agreement did not require all organisations entitled to access EU personal data to comply with EU privacy laws. The ECJ also expressed concerns that US authorities were able to gain access to personal data originating from the EU on national security grounds. While the ruling does not necessarily render the transfer of data between the EU and the US unlawful, it means that companies can no longer rely on the safe harbour agreement and must instead, for example, implement model contract clauses with each recipient of personal data prior to disclosing such personal data outside of the EU.

From an Australian perspective, trans-border flows of information are particularly fraught with issues. Organisations based in Australia that use US service providers to provide IT services, and particularly cloud-based services, may be impacted by the decision if data is hosted on US and/or EU servers and those service providers had previously relied on the scheme. Additionally, many believe that the decision likely further cements the EU’s position that Australian privacy laws do not ensure an ‘adequate level’ of protection of personal data transferred from the EU for the purposes of EU privacy law, by virtue of the fact that Australian laws provide that an act done or practice engaged in outside Australia does not breach an Australian Privacy Principle if the act or practice is required by a law of a foreign country.

Now that the dust has at least begun to settle on the decision, attention is being paid to a new arrangement being put in place to replace the now-quashed safe harbour agreement. In fact, the European Commission’s vice-president, Andrus Ansip, has indicated that a new agreement will need to be in place ‘within the next three months’. The Commission has also recently issued guidance to businesses now caught out by the ECJ’s ruling, confirming that the invalidity of the safe harbour agreement ought not necessarily prevent the transfer of data from the EU to the US, as other mechanisms are available.

In the coming weeks, US Senators are expected to vote on the Judicial Redress Act, which could give EU citizens the same legal rights as Americans if their data is mishandled within the US. This will likely go at least some way to appeasing the concerns of the European Commission.

We will, of course, keep you abreast of further developments.

Author: Jack Evans
Lawyer
61 2 9291 6178
jack.evans@maddocks.com.au

 
