Category: European Data Protection

EU-U.S. Privacy Shield: approval expected within this week

4. July 2016

The EU Commission and American negotiators reached last week an agreement regarding the final draft of the EU-U.S. Privacy Shield. Now, the EU Commission has sent this draft to the Article 31 WP, who is expected to issue an opinion by tomorrow. If so, the EU-U.S. Privacy Shield will be implemented by the end of this week. Also, the final draft has been sent to the EU Parliament. The EU Parliament can issue an opinion, but cannot block its approval.

The Article 31 WP will meet today to review the text. Normally, the committee has two weeks to issue an opinion but the EU Commission expects an approval already this week.

Agreement by EU and U.S. negotiators on final changes on the Privacy Shield

28. June 2016

After several months of negotiations regarding the legitimating instruments to carry out international data transfers, EU and U.S. negotiators agreed last week on the final changes of the proposed EU-U.S. Privacy Shield.

The initial draft of the EU-U.S. Privacy Shield was criticized by several European Institutions such as the Article 29 WP, the EDPS, Article 31 WP and the UK Data Protection Authority (ICO) for not offering enough safeguards for EU citizens regarding the protection of their personal data upon data transfers to the U.S.

The main critic of the EU-U.S. Privacy Shield was focused on the independency of the ombudsman and on the massive surveillance activities from American Authorities. Additionally, a follow up control mechanism regarding compliance with the EU-U.S. Privacy Shield was required by European negotiators.

EU and U.S. negotiators have agreed to improve the above mentioned aspects in order to ensure more guarantees on the protection of EU citizens’ personal data:

  • The White House committed in writing to collect EU personal data only under certain circumstances and for targeted purposes.
  • Data retention periods have been defined concretely: organizations will be obliged to delete personal data that is no longer needed for the purposes for which it was originally collected.
  • The proposal will include a specification that the ombudsman will be an independent institution.

As a next step, the Article 31 WP, made up of representatives of the EU Member States, will decide if the amended text complies with European Data Protection legislation. Both, the EU Commission and the U.S. Government hope that the EU-U.S. Privacy Shield enters into force by August 2016.

Implications for the UK

After UK citizens have voted to leave the EU, a two-year-negotiation between the EU and the UK Government will take place. During this time, UK organizations will have to comply with European legislation, also regarding international data transfers. When the UK ceases to be an EU Member State, it will be considered as being a third country in terms of international data transfers and will have to ensure enough safeguards regarding the protection of personal data.

Further developments regarding EU-U.S. data transfers: the “Umbrella-Agreement” has been signed

6. June 2016

On the 2nd June, the so called “Umbrella-Agreement” was signed between the EU and the U.S. This agreement aims at creating a cooperation framework between the EU and the U.S. regarding criminal law enforcement and the prevention of serious crime and terrorism.

Personal data covered under this agreement includes data exchanged between police and criminal Authorities of the EU Member States and the US Authorities for the purpose of prevention, investigation, detection and prosecution of criminal offences as well as terrorist acts. The data transfers will be carried out according to the existing legal frameworks and enough safeguards will be provided.

The agreement provides EU citizens an equal treatment with U.S. citizens before American courts regarding judicial redress and a full respect for fundamental rights.

However, this agreement does not provide a legal basis for data transfers but it is a complement to the existing and future frameworks between law enforcement authorities.

EU Directive on Cyber Security to be expected in August 2016

19. May 2016

The EU Council adopted this week the Network and Information Security Directive (NIS Directive) at first reading. The NIS Directive is part of the EU cyber security strategy, which main objective is to prevent and respond to disruptions and cyber-attacks in telecommunications systems located in the EU.

The Directive aims at achieving a minimum level of IT security and implementing an effective risk management culture for digital technologies. Furthermore, it also aims at dealing with IT security breaches by imposing the obligation to report significant incidents without delay, especially for business or organizations whose main activity is subject to a higher risk, such as cloud providers or social networks.

The five main goals of the NIS Directive are:

  • To achieve cyber resilience
  • To reduce cybercrime significantly
  • To develop a cyber defense policy at EU level by creating authorities at national level
  • To promote the development of technological resources
  • To implement a solid international cyberspace policy

After the EU Council has adopted the NIS Directive at first reading, the draft must be approved by the EU Parliament at second reading. If the EU Parliament approves the Directive, it might enter into force in August 2016.

Is an exam personal data?

11. May 2016

EU data protection legislation has been lately updated in several aspects. Last week, the GDPR was finally published in the Official Journal of the EU, also the Passenger Name Record (PNR) Directive and the Directive related to criminal records held by authorities have been published in the Official Journal of the EU.

In this evolving landscape, new questions related to the application of EU data protection legislation are arising. Recently, the Irish Supreme Court raised a question to the ECJ related to the scope of application of the definition of personal data. A man that took an accounting exam exercised his right to data subject access request regarding this exam on the basis of Irish Data Protection Laws. However, this access request was refused based on the argument that the data he wrote on the accounting exam could not be referred to as “personal data”, as it was not his “own” personal data, but data related to the subject of the exam in question.

According to the EU definition, personal data is “any information relating to an identified or identifiable natural person”. The scope of this definition is essential in order to determine if data protection laws are applicable or not. In this case, the ECJ will have to answer to this question in a preliminary ruling. In a similar case, an applicant for a Dutch residence permit exercised an access request, which had been refused. The refusal was based on a legal opinion. The ECJ stated that a legal opinion refers to a situation and not to personal data. However, counter-arguments may be given in order to support the inclusion of an exam in the definition of personal data, such as the person´s handwriting or the remarks of the examiner that may be related to the person who wrote the exam, etc.

The ECJ will have to decide whether such data is subject to data protection legislation and, therefore, the data subject access request should be accepted.

GDPR published in the Official Journal of the EU

9. May 2016

After the EU Parliament voted the final draft of the GDPR on April 14th and the EU Commission signed it, the GDPR was finally published in the Official Journal of the EU on May 4th. The GDPR will harmonize several aspects of data protection in order to achieve a higher data protection level within the EU.

The Regulation will enter into force 20 days after publication in the Official Journal of the EU but will be directly applicable two years after its entry into force, this is ending May 2018. This means that organizations have two years to implement the provisions of the GDPR and be compliant.

UK Information Commissioner gives opinion on EU-U.S. Privacy Shield

25. April 2016

The UK Information Commissioner, Christopher Graham, issued last week his opinion about the EU-U.S. Privacy Shield. He criticized the reluctance of the U.S. authorities to make amendments on the agreement. On the 13th April, the Article 29WP also called American negotiators for clarification of some aspects of the Privacy Shield such as data transfers, the institution of the ombudsman or the justification for the collection of personal data, etc. Graham also remarked that the ECJ will also ask for clarification regarding these points and invited both American and European authorities to provide the required clarification.

On the other side, Stefan Selig, U.S. undersecretary of commerce for international trade, affirmed that the opinion issued by the EU Data Protection Authorities will be revised carefully. However, he believes that the current draft of the EU-U.S. Privacy Shield achieves a balance of interests for both parties.

Graham also remarks the importance of reaching an agreement regarding international data transfers, so that the English DPA (ICO) can focus on providing support to organizations regarding the implementation of the GDPR that will be effective on the first half of 2018.

About 28,000 data protection officers are requiered to be appointed under the GDPR

20. April 2016

Article 37 of the GDPR states that data controllers and processors of personal information are required to appoint a data protection officer in cace:

(a)  The processing is carried out by a public authority or body (except courts); or

(b)  The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”

A data protection officer is able to be appointed by a group, public authorities or individual legal entity. Article 39 of the GDPR requires that a data protection officer is “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. Compliance, trainings on how to process data according to the law and the communication with the national authorities are part of the task area of a data protection officer.

Therefore, due to the GDPR organizations worldwide have to prepare for a number of new requirements in terms of data collection and processing. One particular requirement is that certain organizations will now have to appoint a data protection officer according to Arcticle 37 of the GDPR, as mentioned above. Research indicates the number of data protection officers required to be appointed under the GDPR will be about 28,000. This is an estimate based on official statistics regarding both public and private sector data controllers in the EU and taking further assumptions into account such assuming that US companies obliged to comply with the GDPR would also require a data protection officer, and of those companies who self-certified under Safe Harbor are likely included in that number.

Parliament finally approves of GDPR

15. April 2016

The European Union will have a new data protection regulation. After four years of ups and downs, the European Parliament came to an agreement on thursday in a plenary vote of support for the GDPR and the companion Data Protection Directive for policing and the judiciary.

The German MEP Jan Philipp Albrecht commented that “the General Data Protection Regulation makes a high, uniform level of data protection throughout the EU a reality,” and added that, “the regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty, and fairer competition.”

In order to give businesses and organizations time to adjust their compliance and data protection issues, the new GDPR will officially become effective in two years. The GDPR includes provisions such as the impositions of a clear and affirmative consent for processing personal data and a clear privacy notice. Further, there will be obligations concerning the breach of notification and the implementation of potential fines up to 4 percent of a company’s global annual turnover.

European Commission First Vice-President Frans Timmermans, Vice-President of the Digital Single Market Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality Vera Jourova welcomed the new regulation as it will “help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.” They went on commenting the Data Protection Directive for police and the judiciary, saying that it “ensures a high level of data protection while improving cooperation in the fight against terrorism and other serious crime across Europe.”

Therefore, in order to build public awareness of the reforms “the EU will launch public awareness-raising campaigns about the new data protection rules” Albrecht and Jourova, along with MEP Marju Lauristin commented and added that “the European Commission will work closely with member states, the national data protection authorities, and stakeholders to ensure the rules will be applied uniformly across the EU.”

Article 29 WP releases its opinion on the EU-U.S. Privacy Shield

14. April 2016

The Article 29 WP, represented by the DPAs from the EU Member States, issued yesterday its opinion on the proposed draft of the EU-U.S. Privacy Shield.

Background

Under the Safe Harbor framework, personal data transfers from the EU to the U.S. have been carried out since the year 2000. In October 6th, 2015, the ECJ declared this framework invalid, as it considered that it did not ensure enough safeguards regarding the protection of personal data from EU citizens. In February 2016, the EU Commission and several American Authorities drafted the new framework that shall replace the Safe Harbor Agreement. The draft has been now analyzed by the EU DPAs, who remark the necessity to clear and define some concepts.

Critical aspects of the EU-U.S. Privacy Shield identified by the Article 29 WP

The Article 29 WP does not believe that, in general terms, the current draft of the Privacy Shield ensures a level of data protection equivalent to that in the EU. The most relevant aspects of the published document could be summarized as follows:

  • Data retention periods are not defined in any of the principles of the framework. This means that companies could keep personal data even if they do not renew their Privacy Shield membership. This contravenes the principle of data retention limitation according to EU data protection legislation.
  • The scope and definition of the purpose limitation concept is described under the notice, the choice and the data integrity and purpose limitation principles. However, in each of these principles is the purpose limitation principle differently defined, what leads to an inconsistent definition of this concept.
  • Also the concept of onward transfers has been critically analyzed by the Article 29 WP. Under this principle, Privacy Shield members may legitimately carry out data transfers to third parties. This involves the risk that the recipient of the data does not ensure the same level of data protection as stipulated according to the EU data protection legislation.
  • The redress mechanism available for EU data subjects may be too complex for the data subjects themselves. The Article WP29 recommends that the local DPAs represent the data subjects or act as intermediaries so that they can exercise their rights in Europe.
  • Finally, the Privacy Shield includes certain guarantees regarding the surveillance activities by U.S. authorities. However, the massive collection of personal data from EU citizens is not fully excluded. Regarding this, the institution of the Ombudsman has been created. According to the Article 29 WP, its functions and legitimation are not sufficiently defined.

The Working Party has requested the EU Commission to clarify these aspects and adopt the corresponding solutions, so that the Privacy Shield ensures an equivalent level of data protection to that in the EU. Particularly, it has recommended to introduce a glossary of terms in the “Privacy Shield FAQ” and a review of the Privacy Shield draft after the GDPR becomes effective, in order to ensure that the Privacy Shield reflects the level of protection reached by the GDPR.

What next?

Since the opinion of the Article 29 WP is not binding, the EU Commission could proceed further with the approval of the EU-U.S. Privacy Shield. However, it will consult a Committee of representatives of the EU Member States before issuing its final decision. Until a final decision is reached, the mechanisms to carry out international data transfers are limited to Binding Corporate Rules and Standard Contractual Clauses.

Pages: Prev 1 2 3 4 5 6 7 8 9 Next
1 5 6 7 8 9