Category: European Data Protection

About 28,000 data protection officers are requiered to be appointed under the GDPR

20. April 2016

Article 37 of the GDPR states that data controllers and processors of personal information are required to appoint a data protection officer in cace:

(a)  The processing is carried out by a public authority or body (except courts); or

(b)  The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”

A data protection officer is able to be appointed by a group, public authorities or individual legal entity. Article 39 of the GDPR requires that a data protection officer is “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. Compliance, trainings on how to process data according to the law and the communication with the national authorities are part of the task area of a data protection officer.

Therefore, due to the GDPR organizations worldwide have to prepare for a number of new requirements in terms of data collection and processing. One particular requirement is that certain organizations will now have to appoint a data protection officer according to Arcticle 37 of the GDPR, as mentioned above. Research indicates the number of data protection officers required to be appointed under the GDPR will be about 28,000. This is an estimate based on official statistics regarding both public and private sector data controllers in the EU and taking further assumptions into account such assuming that US companies obliged to comply with the GDPR would also require a data protection officer, and of those companies who self-certified under Safe Harbor are likely included in that number.

Parliament finally approves of GDPR

15. April 2016

The European Union will have a new data protection regulation. After four years of ups and downs, the European Parliament came to an agreement on thursday in a plenary vote of support for the GDPR and the companion Data Protection Directive for policing and the judiciary.

The German MEP Jan Philipp Albrecht commented that “the General Data Protection Regulation makes a high, uniform level of data protection throughout the EU a reality,” and added that, “the regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty, and fairer competition.”

In order to give businesses and organizations time to adjust their compliance and data protection issues, the new GDPR will officially become effective in two years. The GDPR includes provisions such as the impositions of a clear and affirmative consent for processing personal data and a clear privacy notice. Further, there will be obligations concerning the breach of notification and the implementation of potential fines up to 4 percent of a company’s global annual turnover.

European Commission First Vice-President Frans Timmermans, Vice-President of the Digital Single Market Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality Vera Jourova welcomed the new regulation as it will “help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.” They went on commenting the Data Protection Directive for police and the judiciary, saying that it “ensures a high level of data protection while improving cooperation in the fight against terrorism and other serious crime across Europe.”

Therefore, in order to build public awareness of the reforms “the EU will launch public awareness-raising campaigns about the new data protection rules” Albrecht and Jourova, along with MEP Marju Lauristin commented and added that “the European Commission will work closely with member states, the national data protection authorities, and stakeholders to ensure the rules will be applied uniformly across the EU.”

Article 29 WP releases its opinion on the EU-U.S. Privacy Shield

14. April 2016

The Article 29 WP, represented by the DPAs from the EU Member States, issued yesterday its opinion on the proposed draft of the EU-U.S. Privacy Shield.

Background

Under the Safe Harbor framework, personal data transfers from the EU to the U.S. have been carried out since the year 2000. In October 6th, 2015, the ECJ declared this framework invalid, as it considered that it did not ensure enough safeguards regarding the protection of personal data from EU citizens. In February 2016, the EU Commission and several American Authorities drafted the new framework that shall replace the Safe Harbor Agreement. The draft has been now analyzed by the EU DPAs, who remark the necessity to clear and define some concepts.

Critical aspects of the EU-U.S. Privacy Shield identified by the Article 29 WP

The Article 29 WP does not believe that, in general terms, the current draft of the Privacy Shield ensures a level of data protection equivalent to that in the EU. The most relevant aspects of the published document could be summarized as follows:

  • Data retention periods are not defined in any of the principles of the framework. This means that companies could keep personal data even if they do not renew their Privacy Shield membership. This contravenes the principle of data retention limitation according to EU data protection legislation.
  • The scope and definition of the purpose limitation concept is described under the notice, the choice and the data integrity and purpose limitation principles. However, in each of these principles is the purpose limitation principle differently defined, what leads to an inconsistent definition of this concept.
  • Also the concept of onward transfers has been critically analyzed by the Article 29 WP. Under this principle, Privacy Shield members may legitimately carry out data transfers to third parties. This involves the risk that the recipient of the data does not ensure the same level of data protection as stipulated according to the EU data protection legislation.
  • The redress mechanism available for EU data subjects may be too complex for the data subjects themselves. The Article WP29 recommends that the local DPAs represent the data subjects or act as intermediaries so that they can exercise their rights in Europe.
  • Finally, the Privacy Shield includes certain guarantees regarding the surveillance activities by U.S. authorities. However, the massive collection of personal data from EU citizens is not fully excluded. Regarding this, the institution of the Ombudsman has been created. According to the Article 29 WP, its functions and legitimation are not sufficiently defined.

The Working Party has requested the EU Commission to clarify these aspects and adopt the corresponding solutions, so that the Privacy Shield ensures an equivalent level of data protection to that in the EU. Particularly, it has recommended to introduce a glossary of terms in the “Privacy Shield FAQ” and a review of the Privacy Shield draft after the GDPR becomes effective, in order to ensure that the Privacy Shield reflects the level of protection reached by the GDPR.

What next?

Since the opinion of the Article 29 WP is not binding, the EU Commission could proceed further with the approval of the EU-U.S. Privacy Shield. However, it will consult a Committee of representatives of the EU Member States before issuing its final decision. Until a final decision is reached, the mechanisms to carry out international data transfers are limited to Binding Corporate Rules and Standard Contractual Clauses.

Opinion of the Article 29WP on the EU-U.S. Privacy Shield “leaked” by the German DPAs

12. April 2016

After the details of the draft of the new adequacy decision to carry out international data transfers between the EU and the U.S. have been released (“EU-U.S. Privacy Shield”), the Article 29 WP is expected to express its opinion on the proposed text within this week.

On the 6th and 7th April the German DPAs meet to discuss current privacy topics, among others about the EU-U.S. Privacy Shield. A link to the resolution related to this topic was uploaded in the webpages of each federal DPA. The link to the resolution was deleted afterwards. However, a permanent link to the resolution (in German) can be found under https://www.delegedata.de/wp-content/uploads/2016/04/Beschluss_Mandat_Privacy_Shield.pdf.

The resolution of the German DPAs seems to refer to the current draft of the Article 29WP on the EU-U.S. Privacy Shield:

“Therefore, the WP29 is not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU.”

This paragraph suggests that the European DPAs may not release a positive opinion on the EU-U.S. Privacy Shield.

Although the opinion of the Article 29 WP is not binding for the EU Commission, the Article 29 WP may initiate legal actions through the local DPAs against the adequacy decision if it is approved, as stated in paragraph 4 of the above mentioned resolution.

European Council accelerates the process for adopting the GDPR

7. April 2016

The Council of the European Union announced that the process for adopting the GDPR will be accelerated. This is due to the the fact that the General Secretariat of the Council sent a Note requesting the Permanent Representatives Committee to use the so called “written procedure” in order to adopt the Council’s position. Initially a vote on the Council’s position was planned on 21st April 2016, when the next Justice and Home Affairs Council takes place. However, the Council has decided to accelerate the process for adoption by using the “written procedure”. Proceding this way is an exemption as it does not include public deliberation.

The mentioned Note states that the “need to send the Council’s position at first reading to the European Parliament during its April I plenary, will only be possible to adopt the Council’s position at first reading within this very short deadline via the written procedure, which would be launched on Thursday 7th April 2016 and would end on Friday 8th April 2016, at midday. Delegations’ attention is drawn to the exceptionally short duration of this written procedure.”

When looking on the next steps it is to say that once the Council’s position is adopted,  it will then be sent to the European Parliament. The European Parliament will go on by acknowledging the receipt during the next plenary session taking place on 11-13 April 2016. Afterwards, the Parliament’s Civil Liberties Committee will vote on a recommendation to Parliament regarding the Council’s position. These recommendation will then be used as a foundation for the Parliament’s adoption of the GDPR in one of the following plenary meetings.

EU Council releases statement at first reading on the upcoming GDPR

23. March 2016

On March 17th, the EU Council issued its position on the draft of the GDPR.

The statement of the EU Council identifies and analyzes the following key aspects of the GDPR:

  • Material, formal and territorial scope of application of the GDPR in order to achieve a harmonization at a EU level.
  • Principles of the data processing, especially “pseudonymization” and “data minimization”
  • Lawfulness of the processing based on the consent of the data subject, a contract, a legal obligation, etc.
  • Empowerment of data subjects through the enhancement of their rights as data subjects to access the information that is held about them, the right to be forgotten, right to transparency on the processing, right to object to the processing of their personal data, etc.
  • Controller and processor´s accountability for the processing operations. Additionally their obligation to appoint a Data Protection Officer (DPO) in order to ensure compliance with the GDPR.
  • Transfers of personal data to third countries on the basis of adequacy decisions or other mechanisms that ensure an adequate level of data protection in third countries.
  • The EU DPAs supervisory role on the application of the GDPR on each Member State.
  • Remedies, liabilities and penalties as compensation mechanism in case of data breaches or damages caused to the data subjects.
  • Specific data processing situations, for example regarding employee´s personal data

The EU Council remarks that the GDPR reflects the compromise reached between the EU Parliament and the EU Council. Furthermore, it invites the EU Parliament to formally approve the position of the EU Council.

EU-U.S. Privacy Shield expected to be effective in June 2016

16. March 2016

On the 14th March, the Digital Commissioner Günther Oettinger spoke out on the EU-U.S. Privacy Shield at the CeBIT fair (Center for Office Automation, Information Technology and Telecommunication), which will take place in Hannover (Germany) from the 14th until the 18th March.

Oettinger stated that the EU DPAs will evaluate the EU-U.S. Privacy Shield in the upcoming weeks, so that the new Framework can be effective in June 2016. He also remarked that without a legal regulation for international transfers of personal data, “the trust in cloud services will be low”.

The EU DPAs are expected to meet on the 12th-13th April in order to issue their opinion on the EU-U.S. Privacy Shield. However, this opinion will not be binding.

General overview of the EU-U.S. Privacy Shield

11. March 2016

After the details of the EU-U.S. Privacy Shield were released on February 29th, several institutions will examine its legal implications and validity in order to determine if the new Framework complies with the European Standards on Data Protection. One of these institutions is the Article 29 WP, which will reveal its opinion on the EU-U.S. Privacy Shield by the end of April.

Eduardo Ustaran, an expert in international Privacy and Data Protection, has analyzed the positive impact that the EU-U.S. Privacy Shield may have for the future development of global privacy:

  • This Framework may widespread the European Data Protection culture at an international level because multinationals will globally adopt this model, in order to comply with the European Standards.
  • Additionally, the U.S. government is adapting its legislation to the Data Protection requirements established by the EU Legislation in this field. For example, the U.S. Judicial Redress Act was approved on February 2016 in line with the new conflict resolution system proposed in the Privacy Shield. This way, EU Citizens will have the possibility to raise complaints to U.S. Authorities when their rights to Privacy and Data Protection have been violated by an organization.
  • Also the judiciary will play an important role as ultimate institution that mediates between the citizens and the state.
  • As mentioned above, the conflict resolution system proposed in the Privacy Shield includes the participation of several institutions at different levels, which provides the individuals many possibilities to exercise their rights as data subjects. Therefore, individuals will be able, for example, to raise a complaint towards the organization or to raise a complaint at the local DPA.
  • The Framework may foster the communication and collaboration between American and European Institutions. For instance, it is foreseen that an annual revision of the Framework takes place.

Fact Sheet of the European Commission about the EU-U.S. Privacy Shield

1. March 2016

On the 29th February 2016, the European Commission released a fact sheet about the Frequently Asked Questions related to the EU-U.S. Privacy Shield. The EU-U.S Privacy Shield aims at regulating international data transfers between the EU (including EEA countries Norway, Lichtenstein and Iceland) and the U.S. after the Safe Harbor Decision was declared invalid by the ECJ on October 2015.

The EU-U.S Privacy Shield is a new adequacy decision, under which the U.S. companies that comply with the described data protection principles and abide the obligations described in the framework, will be considered as ensuring an adequate level of data protection.

In contrast to the former Safe Harbor Decision, the EU-U.S. Privacy Shield imposes stronger obligations on companies related to monitoring and enforcement and prevents generalized access to EU personal data from U.S. public Authorities.

Under the Privacy Shield, U.S. companies will have to self-certify that they meet the requirements described in the Framework. The U.S. Department of Commerce will actively verify that the certifying company actually meets the requirements to certify, for example by reviewing the company´s privacy policy.

A key aspect of the Privacy Shield is the possibility for EU data subject to obtain redress in the US in case that their personal data is misused by commercial companies. The possibility to redress involves the following alternatives for the data subject:

  • to lodge a complaint with the company itself, or
  • to complaint towards their local DPA, or
  • to use the Alternative Dispute Resolution (ADR) mechanisms, or
  • through arbitration by having recourse to the Privacy Shield Panel, if the case is not resolved by any of the abovementioned alternatives.

The possibility to redress with regard to national security will be ensured by the institution of the Ombudsman.

All these aspects of the new EU-U.S. Privacy Shield have been reflected in the Judicial Redress Act, signed on February, 24th. This Act gives EU citizens the possibility to address privacy issues to U.S. Courts in relation to personal data transfers for law enforcement purposes. This Act aims at providing EU citizens with the same rights as U.S. citizens.

Also, the so called EU-U.S. “Umbrella-Agreement” covers relevant aspects of data protection regarding EU-U.S. law enforcement cooperation for the purposes of crime and terrorism prevention. This agreement is not a legal basis for data transfers itself, but it will provide safeguards for data transfers made under other existing agreements.

The EU – U.S. Privacy Shield: next steps

19. February 2016

The EU Commission and the U.S. Government agreed recently on the EU- U.S. privacy Shield as a possible mechanism to carry out international data transfers on a valid basis and providing an adequate level of data protection. The agreement shall be adopted by a decision.

The process until both, the proposed agreement and the corresponding decision, are adopted is complex and requires the opinion of several EU institutions

  • The EU Commission should make the proposal for the decision of adopting the agreement. The decision is expected by thy end of February.
  • The WP29, made up of the DPAs from the EU Member States and the European Data Protection Supervisor (EDPS) will have to give its opinion on the proposed agreement. This opinion will not be binding for the EU Commission.
  • Also the Article 31 Committee, established pursuant to art. 31 of the EU Data Protection Directive, will we asked to give an opinion.
  • Finally, the College of the EU Commission will decide about the adoption of the decision.

Additionally, also the ECJ will be requested to examine the proposal in order to determine if it provides an adequate level of protection of the fundamental rights of EU citizens. Also, the DPAs from the Member States may refer to the ECJ for clarification about the agreement.

Pages: Prev 1 2 3 4 5 6 7 8 9 Next
1 6 7 8 9