Category: EU
7. April 2016
The Council of the European Union announced that the process for adopting the GDPR will be accelerated. This is due to the the fact that the General Secretariat of the Council sent a Note requesting the Permanent Representatives Committee to use the so called “written procedure” in order to adopt the Council’s position. Initially a vote on the Council’s position was planned on 21st April 2016, when the next Justice and Home Affairs Council takes place. However, the Council has decided to accelerate the process for adoption by using the “written procedure”. Proceding this way is an exemption as it does not include public deliberation.
The mentioned Note states that the “need to send the Council’s position at first reading to the European Parliament during its April I plenary, will only be possible to adopt the Council’s position at first reading within this very short deadline via the written procedure, which would be launched on Thursday 7th April 2016 and would end on Friday 8th April 2016, at midday. Delegations’ attention is drawn to the exceptionally short duration of this written procedure.”
When looking on the next steps it is to say that once the Council’s position is adopted, it will then be sent to the European Parliament. The European Parliament will go on by acknowledging the receipt during the next plenary session taking place on 11-13 April 2016. Afterwards, the Parliament’s Civil Liberties Committee will vote on a recommendation to Parliament regarding the Council’s position. These recommendation will then be used as a foundation for the Parliament’s adoption of the GDPR in one of the following plenary meetings.
6. April 2016
WhatsApp is an online messaging service, that has grown into one of the most used applications, owned by Facebook. Messages, phone calls and photos are exchanged via WhatsApp by more than a billion people. Therefore, only Facebook itself operates a larger communications network.
This week was revealed that the company has added end-to-end encryption to every form of communication developed by a team of 15 of out of 50 overall employees for any person using the latest version of WhatsApp, so that all messages, phone calls and photos are encrypted. This regards any smartphone, from iPhones to Android phones to Windows phones. By encrypting end-to-end not even WhatsApp’s employees have access to the data sent through this communication network. This means that WhatsApp will not be able to comply with a court order demanding the disclosure of the content of messages, phone calls and photos sent by using its service.
This way of encryption has generally led to a public discussion between technology companies and governments. For example, in the UK, politicians have proposed banning this encryption so that companies should be forced to install “backdoors” in order to be able to disclose the content only to law enforcement.
16. March 2016
On the 14th March, the Digital Commissioner Günther Oettinger spoke out on the EU-U.S. Privacy Shield at the CeBIT fair (Center for Office Automation, Information Technology and Telecommunication), which will take place in Hannover (Germany) from the 14th until the 18th March.
Oettinger stated that the EU DPAs will evaluate the EU-U.S. Privacy Shield in the upcoming weeks, so that the new Framework can be effective in June 2016. He also remarked that without a legal regulation for international transfers of personal data, “the trust in cloud services will be low”.
The EU DPAs are expected to meet on the 12th-13th April in order to issue their opinion on the EU-U.S. Privacy Shield. However, this opinion will not be binding.
The Consumer Protection Association of North-Rhine Westphalia submitted a formal complaint against the Fashion ID, run by Peek & Cloppenburg. The Düsseldorf District Court in Germany had to rule, whether Peek & Cloppenburg was allowed to have the Facebook Like button on their shopping website. The court decided, that in this case the Facebook Like button was violating German and EU Data Protection Law. The Fashion ID was transferring the gathered information of its consumers to the social media, irrespective of whether the consumer was signed on Facebook or not. Furthermore, it was criticized, that the information of the personal data subject was also transferred to Facebook, without even clicking the Facebook Like button before.
The Court decided, that such a procedure is not compliant with the applicable law. Companies should therefore implement measures, that safeguard the personal data of the consumer and not transfer the gained information to other parties, without the informed consent of the data subject.
11. March 2016
After the details of the EU-U.S. Privacy Shield were released on February 29th, several institutions will examine its legal implications and validity in order to determine if the new Framework complies with the European Standards on Data Protection. One of these institutions is the Article 29 WP, which will reveal its opinion on the EU-U.S. Privacy Shield by the end of April.
Eduardo Ustaran, an expert in international Privacy and Data Protection, has analyzed the positive impact that the EU-U.S. Privacy Shield may have for the future development of global privacy:
- This Framework may widespread the European Data Protection culture at an international level because multinationals will globally adopt this model, in order to comply with the European Standards.
- Additionally, the U.S. government is adapting its legislation to the Data Protection requirements established by the EU Legislation in this field. For example, the U.S. Judicial Redress Act was approved on February 2016 in line with the new conflict resolution system proposed in the Privacy Shield. This way, EU Citizens will have the possibility to raise complaints to U.S. Authorities when their rights to Privacy and Data Protection have been violated by an organization.
- Also the judiciary will play an important role as ultimate institution that mediates between the citizens and the state.
- As mentioned above, the conflict resolution system proposed in the Privacy Shield includes the participation of several institutions at different levels, which provides the individuals many possibilities to exercise their rights as data subjects. Therefore, individuals will be able, for example, to raise a complaint towards the organization or to raise a complaint at the local DPA.
- The Framework may foster the communication and collaboration between American and European Institutions. For instance, it is foreseen that an annual revision of the Framework takes place.
19. February 2016
The EU Commission and the U.S. Government agreed recently on the EU- U.S. privacy Shield as a possible mechanism to carry out international data transfers on a valid basis and providing an adequate level of data protection. The agreement shall be adopted by a decision.
The process until both, the proposed agreement and the corresponding decision, are adopted is complex and requires the opinion of several EU institutions
- The EU Commission should make the proposal for the decision of adopting the agreement. The decision is expected by thy end of February.
- The WP29, made up of the DPAs from the EU Member States and the European Data Protection Supervisor (EDPS) will have to give its opinion on the proposed agreement. This opinion will not be binding for the EU Commission.
- Also the Article 31 Committee, established pursuant to art. 31 of the EU Data Protection Directive, will we asked to give an opinion.
- Finally, the College of the EU Commission will decide about the adoption of the decision.
Additionally, also the ECJ will be requested to examine the proposal in order to determine if it provides an adequate level of protection of the fundamental rights of EU citizens. Also, the DPAs from the Member States may refer to the ECJ for clarification about the agreement.
16. February 2016
The WP29 has recently published a statement with regards to the action plan in order to implement the EU GDPR (General Data Protection Regulation). The 2016 Action Plan is based on the following four priorities, which are relevant for the tasks of the WP29 and their subgroups.
1. Building up the EDPB (European Data Protection Board) structure and its administration
The main task will be developing IT systems. The European Data Protection Supervisor and the WP29 will furthermore cooperate to set up human resources, a budget and future procedures of the EDPB.
2. Setting up the One-Stop-Shop and the consistency mechanism
In order to prepare the One-Stop-Shop several measures will be necessary, e. g. a lead DPO will have to be designated and the EDPB consistency mechanisms need to be developed.
3. Publishing guidelines for data controllers and processors
The WP29 will publish different guidelines to assist data controllers and data processors in order to fulfil their duties according to the GDPR, such as the new right to portability, “Data Protection Impact Assessment”, and the announcement of a DPO.
4. Communication around the EDPB and the GDPR
The WP29 intends to create an online communication tool, to reinforce the relationship between the EU institutions and to participate in external events to promote the new governance model.
The subgroups of the WP29 will continue fulfilling their tasks. The International Transfers subgroup for instance will carry on analyzing the judgement of the European Court of Justice concerning e.g. the Schrems case. Furthermore, they will be analyzing the EU-U.S. Privacy Shield and its impact on the international data transfers once it has been released.
The WP29 will examine the 2016 Action Plan regularly in order to complete it in 2017.
12. February 2016
On the 8th February, the French DPA (CNIL) announced that it issued a formal notice in which it gives Facebook Inc. and Facebook Ireland Limited 3 months to comply with the French Data Protection Act.
After Facebook informed about changes in its privacy policy at the beginning of 2015, a group formed by the French, the Belgian, the Dutch, the Spanish and the DPA of the German Federal State of Hamburg carried out online and on site audits in order to find out if the updated privacy policy is compliant with the respective data protection legislations.
These audits revealed several incompliances with the French Data Protection Act regarding Facebook´s data processing activities:
- Facebook collects data of internet users that do not have a Facebook account by using cookies when these users visit a public Facebook page, such as public events or the page of a friend. As a result, the cookie provides Facebook with information about third-party websites with Facebook plug-in buttons, such as “like” button, that are visited by the user.
- Sensitive data such as religious beliefs or sexual orientation are also processed by Facebook without prior explicit consent of the account holders.
- Users are not informed in the sign up page about their rights as data subjects and the processing of their personal data.
- Cookies are also set up in the Facebook website without informing users properly and obtaining their consent.
- The company does not provide its users with tools to opt-out targeted advertising.
- Data transfers to U.S. take place on the basis of the Safe Harbor Decision, although it was declared invalid by the ECJ in October 2015.
According to CNIL, this formal notice is not a sanction. However, if Facebook fails to rectify these incompliances within 3 months, the matter will be referred to the CNIL´s Select Committee in order to impose the corresponding sanction.
These findings are also being analyzed by the Belgian, the Dutch, the Spanish and the the DPA of the German Federal State of Hamburg within a cooperation framework in order to act accordingly.
5. February 2016
Not only European negotiators and institutions have given their opinion on the EU – U.S. Privacy Shield, also the U.S. Department of Commerce and the FTC Commissioner, Julie Brill, have made a public statement on the on the advantages of the implementation of the Privacy Shield.
On the 2nd February, the U.S. Department of Commerce stated that the EU – U.S. Privacy Shield improves, on the one hand, the commercial oversight and enhances privacy protections and, on the other hand, it demonstrates the U.S. commitment to limitations on national security. The statement of the Department of Commerce remarks the cooperation between the FTC and EU Data protection Authorities and its commitment to review the Agreement on an annual basis. Also, it ensures that the U.S. Intelligence Community has described in writing the constitutional, statutory and policy safeguards applied to its operations.
The FTC offered a live webcast on the 4th February in which the EU – U.S. Privacy Shield was explained by FTC Commissioner Julie Brill. During the webcast the main aspects of the EU – U.S. privacy Shield were explained. Julie Brill remarked the commercial relevance of this agreement and the acknowledgement by U.S Authorities that the rights of the individuals and national security should be balanced.
4. February 2016
After the Press Conference held by Věra Jourová and Andrus Ansip from the European Commission about the proposal for a new agreement between EU and U.S. to carry out international data transfers, the WP29 met on the 2-3 February in order to discuss the consequences of the sentence from the ECJ and the future of international data transfers between EU and the U.S.
The WP29 has remarked that the following four guarantees should be ensured when international data transfers take place:
a) Transparency: the data subject whose data is processed should be informed so that he/she is able to foreseen the consequences of the data transfer.
b) Proportionality and necessity: the finality for which personal data is collected and accessed and the rights of the data subject should be balanced.
c) Independency of a control body that carries out checks in an effective and impartial manner.
d) Effective remedies: the individual should have the possibility to defend his/her rights before an independent body.
The WP29 will also analyze the existing mechanisms to carry out international data transfers, which currently can only take place if Standard Contractual Clauses or Binding Corporate Rules (BCR) are used. In any case, European DPAs will examine data transfers on a case-by-case basis.
However, the WP29 is still looking forward to receive the relevant documents related to the EU – U.S. Privacy Shield in order to analyze its content and to determine to which extent the agreement is legally binding.
If you would like to be updated on a regular basis on this and other data protection issues such as the General Data Protection Directive (GDPR), sign in for one of our newsletters:
German / European Data Protection http://www.datenschutzticker.de/newsletter/ (German Language)
International Data Protection http://www.privacy-ticker.com/newsletter/ (English language)
For how to proceed with your companies´ policies on internal or external data protection transfers to third countries and prepare for the GDPR seek individual advice.