🏛️ EU General Court Upholds the Data Privacy Framework 🏛️

A significant relief for European data exporters - but what does this really mean? 🔍

The EU General Court of Justice dismissed Philippe Latombe's challenge to the adequacy decision establishing the EU-US Data Privacy Framework (DPF). This ruling confirms that, as of July 10, 2023, the United States provides adequate protection for personal data transferred from the EU to participating organizations.

Key Ruling Highlights (based on the press release):
➡️ Data Protection Review Court (DPRC) Independence: the Court found sufficient safeguards exist to ensure DPRC judges' independence, with dismissal only possible "for cause" by the Attorney General
➡️ Bulk Data Collection: the Court ruled that ex-post judicial oversight by the DPRC meets the requirements established in Schrems II, rejecting the need for prior authorization
➡️ Continuous Monitoring: the Commission must continuously monitor the US legal framework and can suspend, amend, or repeal the decision if circumstances change

💡 Practical Implications:
Having conducted hundreds of Transfer Impact Assessments (TIAs) for dozens of clients over recent years, I've repeatedly analyzed US regulatory robustness and DPF arrangements. In practice, the implementation of robust technical safeguards, such as end-to-end encryption with data exporter-controlled key management, is exceptionally challenging for common cloud processing data transfers. The operational complexities inherent in such measures often render rapid read/write operations impractical.

🔧 This creates a fundamental tension: while encryption with exporter-controlled keys offers the strongest protection, it often renders business processes impractical. A political solution was needed, and this judgment provides that confirmation.

⚖️ Keep in Mind: The DPF only applies to US transfers with participating organizations. For other non-EEA countries without adequacy decisions, Article 46 GDPR mechanisms (SCCs, BCRs, etc.) remain the primary transfer tools.

My recommendation: European organizations should leverage this (temporary?) legal certainty for US transfers while exploring complementary technical measures like edge cloud solutions that minimize data residency risks. Through years of practice, we've developed a comprehensive list of specialized DPA clauses that significantly reduce inherent transfer risks - from data localization commitments to enhanced notification obligations. Combining legal certainty with technical innovation and contractual reinforcement provides much-needed operational clarity.

Stay tuned and follow TechnoLawgy for more #DataProtection and #PrivacyLaw insights! 🚀
Tommaso Ricci’s Post
More Relevant Posts
Headquartered in the US but with a reach that’s truly global, Harvey serves clients in more than 50 jurisdictions from hubs in London, Sydney, and soon, India and Canada. We understand that data sovereignty rhetoric can get noisy. In our latest blog post, we lay out in clear language what our customers can expect and how we are guided by the gold standard on privacy and data processing worldwide. Here are the facts:
- The CLOUD Act doesn’t just apply to American companies; it applies to companies that have operations or do business in the United States as well.
- Our infrastructure lets customers have their data processed in the EU and Switzerland, Australia, or the US, with retention periods they control.
- We have technical and procedural safeguards to protect customer data in the very unlikely event of inquiries around that data.
- Our dedicated Privacy and AI team, led by Anita Gorney, ensures that we comply with GDPR and every other applicable privacy regime. (Read more about our commitment to privacy and security here: https://lnkd.in/gbV3EjjE)
- We have never received, nor silently complied with, a government demand for customer content. Should any authority come knocking, our playbook is clear — notify, verify, narrow, and, if necessary, litigate.
In short, our commitments are written in policy, embedded in code, and we stand ready to enforce them in courtrooms if required (turns out, we know some really great lawyers). Check out the full blog post here: https://lnkd.in/gnpbtF2C
If you’re curious about how modern AI platforms can uphold the highest standards of security while delivering transformative value, this is a must-read about what customers can expect when it comes to Harvey's privacy and data processing.
Amid all the noise on data sovereignty, John LaBarre, General Counsel at Harvey, clears up the facts and shows how we lead with the gold standard on privacy and data processing. https://lnkd.in/e6pU99x3
Day 22 # Privacy Definitions

Cross-Border Data Transfer - As is clear from the name, the act of transmission of personal data from one country to another. It would require organisations to comply with specific standards for security and privacy and may involve restrictions like data localisation or bans on transfers to certain countries, such as blacklisting.

But with this movement comes a complex landscape of regulations designed to protect personal data. The GDPR sets the standard for data protection, but transferring data outside of the European Economic Area (EEA) requires specific safeguards to ensure an adequate level of protection.

⚖️ Key Mechanisms for Compliant Transfers:
- Adequacy Decisions: The easiest way to transfer data. The EU has decided that certain countries (like Japan, the UK, and most recently, the U.S. under the new Data Privacy Framework) offer a similar level of protection to EU law.
- Standard Contractual Clauses (SCCs): These are legal contracts approved by the European Commission that companies can use to ensure data is protected when transferred to a country without an adequacy decision.
- Binding Corporate Rules (BCRs): A tool for multinational companies to transfer data within their own corporate group, based on internal data protection policies that are approved by EU data protection authorities.

Implementing these mechanisms isn't just about avoiding fines; it's about building trust with customers and partners. As the global regulatory landscape continues to evolve, understanding and correctly applying these rules is more important than ever.

"Blacklisting" vs. "Whitelisting": India's DPDP Act uses a "blacklist" model, meaning data can generally be transferred freely unless the government specifically prohibits it. Other frameworks might use a "whitelist" approach, allowing transfers only to countries with adequate data protection laws or approved by the government.

Imagine you're playing a video game with your friends online. You live in one country, but your friends live in different countries. When you play, the game needs to know things about you, like your username and your score. This information is your "personal data." The game's company might have its main computers (called servers) in another country. So, when you log in and play, your data has to travel from your computer to the company's servers across national borders. This is a "cross-border data transfer." The rules about this are important because they make sure your data is kept safe, no matter where the servers are. It's like making sure your online username and game progress are protected from hackers, even when the data is traveling far away.

❓ How is your organization navigating the complexities of cross-border data transfer? What challenges have you encountered? #DataPrivacy #GDPR #CrossBorderData #DataProtection #Compliance #GlobalDataFlow
EU Court Backs EU–US Data Privacy Framework: What It Means for You.

Europe's General Court just upheld the 2023 EU–US data transfer deal, giving legal clarity to thousands of cross-border businesses. For companies moving personal data between the EU and the US, this is the lifeline they’ve been waiting for. But let’s unpack what this really means: 👇

If you are using US-based cloud services like AWS, Microsoft or Google Cloud, you now have a more secure legal pathway for EU–US transfers. No more constant fear of contracts collapsing under legal scrutiny.

But critics warn that privacy activists are already signaling future challenges. Why? Because core concerns around US surveillance laws haven’t fully disappeared. Businesses need to prepare for the possibility that this framework faces the same fate as “Privacy Shield” or “Safe Harbor.” You cannot afford to rebuild your data strategy every 18 months.

At Data Protection Academy (DPA), our programs teach you how to:
📌 Build jurisdiction-agnostic compliance frameworks that adapt across regions.
📌 Navigate cross-border transfers with Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and fallback strategies.
📌 Position yourself as the “go-to” privacy leader when businesses face uncertainty.

Privacy has moved from an isolated legal issue to a business continuity issue.

***** If you are interested in becoming the professional that executives call when data transfers are on the line, our September cohort is now open. See comments for details. 👇
This is worth taking note of. The Court of Justice of the European Union issued an important ruling on how pseudonymized data should be treated under EU GDPR. Anyone dealing with personal data and privacy enhancing tech will have had difficult conversations about the status of pseudonymized data at some point. This ruling highlights some important and perhaps unexpected points:
- Context matters! Pseudonymized data is not automatically personal data for all parties. It depends on whether the recipient has reasonable means to reidentify the individuals.
- Opinions are personal data. Even when pseudonymized, individuals' comments or views qualify as personal data if they can reasonably be linked to their authors.
- Data controllers remain responsible for transparency. Stakeholders must be informed of third-party sharing at the point of collection, regardless of pseudonymization.
The judgment makes some issues clearer, others more complex, but overall brings welcome clarity where it was lacking. The #IAPP has a good summary article on this - https://lnkd.in/eCrpUHmn
Reflections from: EU-U.S. Data Transfers: Reaction to the Latombe Judgment event by IAPP

I recently attended the IAPP event, EU-U.S. Data Transfers: Reaction to the Latombe Judgment (Latombe v Commission - Case T-553/23), where thought-provoking discussion unfolded around the implications of the General Court’s decision on international data transfers post-Schrems II. As expected, the judgment sparked lively debate.

During the session, I contributed the following perspective: “Despite this decision, it may be argued that the current safeguards against surveillance and redress mechanisms in the US, which formed part of the basis for the adoption of the EU-US DPF, do not meet the ‘essential equivalence’ standard required under EU law...”

In response, I clarified the legal framework underpinning the EU-U.S. Data Privacy Framework (DPF) thus: “The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland that are consistent with EU, UK, and Swiss law. Organisations participating in the EU-U.S. DPF may receive personal data from the European Union / European Economic Area in reliance on the EU-U.S. DPF effective July 10, 2023. July 10, 2023 is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF and the effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law…” https://lnkd.in/eshqFVRr

I also posed the following critical questions:
• On what legal basis does the U.S. Department of Commerce certify participating US organisations under the DPF?
• What rights or obligations does such certification confer?
• If the DPF is not considered an adequacy framework, what then constitutes adequacy for the U.S. under EU law?

Continued in the next post...
⚖️ Personal data: subjective or objective? CJEU finally weighs in

In EDPS v SRB (C-413/23 P), the CJEU has set the record straight on a central GDPR question: does perspective matter when deciding what qualifies as “personal data”?

❓ The General Court had previously adopted an overly subjective view — holding that data transferred to a recipient did not amount to personal data since the recipient only received pseudonymized data without the key to re-identification. The court’s clear shift towards a subjective approach came as a surprise, as it clashes with prevailing DPA positions and effectively narrows the GDPR’s scope depending on the recipient’s perspective.

On the other end of the spectrum, the EDPB has long defended a strictly objective standard — insisting that identifiability exists whenever anyone with sufficient means might re-identify the data subject. In practice, this sets a very high bar for “true anonymization.”

The CJEU has now taken a middle path, offering a more workable standard:
▪️ Subjective approach: The recipient’s position matters. If they cannot reasonably identify a person, the data may not be “personal” for them — even if the controller can.
▪️ Objective limits: Still, data is anonymous only if the residual risk of re-identification is insignificant. Identifiability must be assessed against “means reasonably likely to be used,” including information available to the recipient. Controllers must therefore consider all re-identification options realistically available in the specific processing context.
▪️ Transparency first: For information obligations, only the controller’s perspective counts — recipients must still be named in privacy notices, even if they likely cannot identify the data subject.

Practical implications:
✅ Effective pseudonymization can, in some cases, remove data from the GDPR’s scope for recipients.
✅ Controllers must carefully assess re-identification risks in the hands of recipients — in many cases, strict GDPR compliance will still be the safer route.
✅ Privacy notices may need updating to ensure all recipients are disclosed, even if they were previously considered as not accessing personal data.
The EU General Court has just dismissed the challenge to the EU-US Data Privacy Framework in Case T-553/23 Latombe v Commission, confirming that the current transatlantic data transfer mechanism (EU-US Data Privacy Framework) provides adequate protection for European personal data. This ruling validates the third attempt at establishing a stable framework for EU-US data transfers, following the invalidation of Safe Harbor and Privacy Shield in the Schrems I and II cases. The Court specifically rejected arguments about the independence of the US Data Protection Review Court and concerns over bulk data collection by American intelligence agencies.

Interestingly, I explored these very challenges in my paper on the EU-US Data Privacy Framework, written in July 2023 right after the framework's adoption, for my Privacy, Personal Data & GDPR course in the MSc in Law and Information and Communication Technologies master's program at the University of Piraeus. The Court's reasoning aligns with several points I analyzed regarding the enhanced safeguards introduced by the 2022 US Executive Order and the procedural improvements to judicial oversight mechanisms.

This decision brings much-needed stability to transatlantic data flows, though an appeal to the Court of Justice remains possible. For now, businesses can continue relying on adequacy decisions for US transfers while the Commission maintains its ongoing monitoring obligations. As I concluded in my paper, EU-US data transfers are an inevitable reality with significant legal, economic and political implications, making it impossible to imagine they could cease entirely. The enduring challenge is ensuring these transfers occur under substantive guarantees that the level of protection offered to data subjects in the US is at least equivalent to what they enjoy in the EU. This judgment suggests we may finally have a framework robust enough to meet that standard.

The relevant press release is available here: https://lnkd.in/e3mjjUgy
Data privacy is no longer a checkbox—it’s a right. Subject Access Requests (SARs) are rising fast under GDPR, CCPA, and DPDP, yet most enterprises still struggle to respond efficiently across sprawling, unstructured data. In my latest commentary, “Privacy in Action: From Chaos to Control in Subject Access Requests,” the message is clear: without visibility, classification, and control, you can’t honour data rights—or build trust. Here’s why I think SAR automation is becoming a boardroom priority: it reduces risk, accelerates compliance, and strengthens digital trust. Does this resonate with you? Is this on your priority list? Are you affected in your role or as a company? Follow the link to learn more: https://cutt.ly/UrZc5Yy3