3. February 2016
After continuous negotiations during the last months to agree on a new framework for international data transfers, since the ECJ invalidated the Safe Harbor Decision, Andrus Ansip (EU Commission Vice-President) and Věra Jourová (Commissioner) announced yesterday in a Press Conference that a new agreement (EU – U.S. Privacy Shield) to carry out international data transfers has been reached.
Under the EU – U.S. Privacy Shield, the following elements will be regulated:
- Several redress possibilities will be guaranteed to EU citizens when data transfers to U.S. take place and companies, as first redress possibility, will have deadlines to resolve complaints.
- The resolution includes a “multi-layered” approach in order to avoid that any complaints remain unresolved by offering different resolution mechanisms. Also the European DPAs will have the possibility to refer complaints to the U.S. Department of Commerce and to the Federal Trade Commission.
- Companies will be subject to strong obligations regarding the processing of personal data imported from EU Member States. Particularly, personal data processed for HR purposes in the U.S. will have to comply with the decisions of EU DPAs.
- It will be ensured that national authorities only have access to personal data from EU citizens in exceptional cases and subject to the principles of necessity and proportionality.
- The figure of the “ombudsman” will be created, in order to make possible that EU citizens can complain regarding surveillance activities by national authorities.
This new framework should be reviewed in an annual basis, so that the rights of EU citizens regarding data protection are continuously ensured. This is an important step forward in comparison with the invalidated Safe Harbor Decision.
Although the main points of this agreement have been discussed, the written draft may take up to three months, as Commissioner Věra Jourová said. The Working Party 29 will advise the College of Commissioners on this issue before adopting the official decision. Additionally, the agreement will have to withstand scrutiny from the ECJ.
2. February 2016
European officials and the U.S. agreed today on a new safe harbor agreement. The EU Article 29 Working Group had set a deadline until the end of January 2016 to find an alternative agreement, which was missed. The agreement still needs to be approved by the 28 member states. Further information on the new safe harbor agreement is expected after the EU Article 29 Working Group meeting, which is supposed to take place today and tomorrow.
27. January 2016
On 6th October 2015 the European Court of Justice has ruled, that the “safe harbor” agreement is invalid. Since then there is no legitimacy for transferring personal data outside of EU-territory. According to the statement of the EU data protection authorities assembled in the Article 29 Working Party, the parties involved were supposed to find an alternative agreement by the end of January 2016. Otherwise, EU data protection authorities would have to take all necessary and appropriate actions, which may include coordinated enforcement actions consequences to be drawn at European and national level.
The European Commission informed a committee of EU member countries during a session mid of January, that there has been no progress in the negotiations so far. According to sources, who took part at the meeting, a deal could still be made at the last minute. Other participants however entitled the deadline as “unrealistic” or “unlikely”.
The European Data Protection Supervisor (EDPS) Giovanni Buttarelli said that the January 31 date was a “legal fiction,” that “could not be fixed, because it would not have a legal basis.” “Even if some agreement was reached, it would be a political agreement,” he added. A final deal, which met all the criteria, “would take months,” he said.
The next meeting of the EU’s Article 29 Working Group will be on February 2. It is to expect, which measures will be taken against companies that still transfer data outside of the EU-territory based on the invalid safe harbor agreement.
26. January 2016
In a context where the Safe Harbor Decision has been declared invalid and the General Data Protection Regulation has entered into force, the European and American competent authorities are negotiating further mechanisms to carry out international data transfers in compliance with the current legislation.
According to Reuters, the U.S. has proposed creating the institution of the “ombudsman” as a component of the State Department. This institution shall handle with complaints from EU citizens regarding surveillance activities from American authorities,.verify that this surveillance activities are proportionate and that personal data transferred from the EU is accessed only in cases where national security is involved. However, EU negotiators have requested further details about this institution before the proposal is accepted.
Both negotiating parties, EU and U.S. authorities aim at reaching an agreement about the continuity and the legal basis to carry out data transfers to the U.S. by the beginning of February.
22. January 2016
After several negotiations, the European Parliament, the European Council and the European Commission finally reached a consensus in December 2015 on the final version of the General Data Protection Regulation (GDPR), which is expected to be approved by the European Parliament in April 2016. The consolidated text of the GDPR involves the following practical consequences:
1) Age of data subject´s consent: although a specific, freely-given, informed and unambiguous consent was also required according to the Data Protection Directive (95/46 EC), the GDPR determines that the minimum age for providing a legal consent for the processing of personal data is 16 years. Nevertheless, each EU Member State can determine a different age to provide consent for the processing of personal data, which should not be below 13 years (Arts. 7 and 8 GDPR).
2) Appointment of a Data Protection Officer (DPO): the appointment of a DPO will be mandatory for public authorities and for data controllers whose main activity involves a regular monitoring of data subjects on a large scale or the processing of sensitive personal data (religion, health matters, origin, race, etc.). The DPO should have expert knowledge in data protection in order to ensure compliance, to be able to give advice and to cooperate with the DPA. In a group of subsidiaries, it will be possible to appoint a single DPO, if he/she is accessible from each establishment (Art. 35 ff. GDPR).
3) Cross-border data transfers: personal data transfers outside the EU may only take place if a Commission decision is in place, if the third country ensures an adequate level of protection and guarantees regarding the protection of personal data (for example by signing Standard Contractual Clauses) or if binding corporate rules have been approved by the respective Data Protection Authority (Art. 41 ff. GDPR).
4) Data security: the data controller should recognize any existing risks regarding the processing of personal data and implement adequate technical and organizational security measures accordingly (Art. 23 GDPR). The GDPR imposes strict standards related to data security and the responsibility of both data controller and data processor. Security measures should be implemented according to the state of the art and the costs involved (Art. 30 GDPR). Some examples of security measures are pseudonymization and encryption, confidentiality, data access and data availability, data integrity, etc.
5) Notification of personal data breaches: data breaches are defined and regulated for the first time in the GDPR (Arts. 31 and 32). If a data breach occurs, data controllers are obliged notify the breach to the corresponding Data Protection Authority within 72 hours after having become aware of it. In some cases, an additional notification to the affected data subjects may be mandatory, for example if sensitive data is involved.
6) One-stop-shop: if a company has several establishments across the EU, the competent Data Protection Authority, will be the one where the controller or processor’s main establishment is located. If an issue affects only to a certain establishment, the competent DPA, is the one where this establishment is located.
7) Risk-based approach: several compliance obligations are only applicable to data processing activities that involve a risk for data subjects.
8) The role of the Data Protection Authorities (DPA): the role of the DPA will be enforced. They will be empowered to impose fines for incompliances. Also, the cooperation between the DPA of the different Member States will be reinforced.
9) Right to be forgotten: after the sentence of the ECJ from May 2014, the right to be forgotten has been consolidated in Art. 17 of the GDPR. The data subject has the right to request from the data controller the erasure of his/her personal data if certain requirements are fulfilled.
10) Data Protection Impact Assesment (PIA): this assessment should be conducted by the organization with support of the DPO. Such an assessment should belong to every organization’s strategy. A PIA should be carried out before starting any data processing operations (Art. 33 GDPR).
