Category: International Data Transfers
25. October 2016
After a meeting of the Article 31 Committee, the European Commission disclosed two drafts concerning the implementation of amendments to the existing adequacy decisions and decisions on EU Model Clauses.
First of all, adequacy decisions determine whether a third country provides adequate safeguards in order to protect personal data. These decisions are made by the Commission after an assessment of the national laws and international commitments in terms of data protection of the respective country. In the following, countries which are established to be adequate are added to the Commission’s “white list”. Therefore, data transfers can be made from the EEA to that country without any further legal requirements.
The opinion concerning these amendments is divided. Some European Member States which participated at the Article 31 Committee meeting were for implemnting theses amendments. However, other European Member States requested more time in order to consider the proposed changes.
Due to this conflict another meeting has to be scheduled to which the Article 29 Working Party will be aksed to contribute by presenting its views on the respective changes.
18. October 2016
As the Washington Post reported, the Justice Department asked the appeals court for the Southern District of New York to look at the decision concerning Microsoft’s refusal to comply with a search warrant for an alleged drug trafficker’s emails stored on a server in Ireland.
The case which this ruling was based on dealt with Microsoft receiving a warrant in December 2013. However, although it originally has been a case of compliance with a federal law enforcement request, now turned out to be a discussion over government access to digital data held overseas. This is due to increasing challenges to governments if they try to intercept data across borders.
Therefore, Microsoft and a number of tech firms and privacy groups reason that in case the government’s view will be applied, the outcome will be that U.S.-american businesses might lose billions of dollars in revenue.
1. September 2016
According to a survey conducted recently by the International Association of Privacy Professionals (IAPP), trust in current legal mechanisms to carry out data transfers to third countries, such as Standard Contractual Clauses and the EU-U.S. Privacy Shield, has decreased.
The results of this survey reveal that 80 percent of companies relies on the Standard Contractual Clauses approved by the EU Commission to carry out international data transfers, especially to the U.S.A. However, there is currently uncertainty regarding the validity of the Standard Contractual Clauses, which may be also invalidated by the ECJ, as already occurred with the former Safe Harbor framework.
Regarding the EU-U.S. Privacy Shield, which is operative since 1st August, the survey reveals that only 42 percent of U.S. companies plan to self-certify through this new framework, compared to the 73 percent that conducted self-certification with the Safe Harbor framework. The main reason for this may be related to the uncertainty regarding its validity. The Article 29 WP stated recently that the first annual review of the Privacy Shield will be decisive.
Finally, Binding Corporate Rules (BCR) are also used by companies to carry out intra-group data transfers. However, there are several reasons why not many companies implement them. One of these reasons relates to the high costs involved with the implementation. Moreover, the implementation process can last over one year. Also, BCR can be only used for international data transfers within the group, so that other mechanisms shall be used if data transfers outside the group take place.
31. August 2016
On its blog Google Analytics announced on the 29th of August that they have self-certified to the EU-U.S. Privacy Shield.
The statement describes the EU-U.S. Privacy Shield as a new framework for transfers of personal data from Europe to the United States, which can be seen as a significant milestone for the protection of Europeans’ personal data, legal certainty of transatlantic businesses, and trust in the digital economy.
Therefore, Google has now committed that they comply with the Privacy Shield’s principles and furthermore that they will safeguard the transfers of personal data, whereas no action is required from their customers.
26. August 2016
Jan Koum, one of WhatsApp’s founders, stated shortly after selling WhatsApp to Facebook in 2014 that the deal would not affect the digital privacy of his mobile messaging service with millions of users.
However, according to the New York Times WhatsApp is about to share user information with Facebook. This week, WhatsApp published a statement saying that it will start to disclose phone numbers and analytics data of its users to Facebook. By doing so, it will be the first time that WhatsApp will connect the data of its users to Facebook.
Furthermoere, due to the fact that WhatsApp begins to built a profitable business after its previous little emphasis on revenue, it is now changing its privacy policy to the extent that WhatsApp wants to allow businesses to contact customers directly through its platform.
WhatsApp commented on the new privacy policy “We want to explore ways for you to communicate with businesses that matter to you, too, while still giving you an experience without third-party banner ads and spam”.
The new privacy policy will allow Facebook to use a users’s phone number to improve other Facebook-operated services like making new Facebook friend suggestions or better-tailored advertising.
However, WhatsApp underlines that neither it nor Facebook will be able to read users’ encrypted messages and emphasizes that individual phone numbers will not be given to advertisers.
Koum explained that “Our values and our respect for your privacy continue to guide the decisions we make at WhatsApp” and went on “It’s why we’ve rolled out end-to-end encryption, which means no one can read your messages other than the people you talk to. Not us, not Facebook, nor anyone else” and concluded “Our focus is the same as it’s always been — giving you a fast, simple and reliable way to stay in touch with friends and loved ones around the world.”
WhatsApp’s new privacy policy raises concerns due to the lack of data protection. Therefore, the president of the Electronic Privacy Information Center, Marc Rotenberg commented that it is about to file a complaint next week with the Federal Trade Commission in order to prevent WhatsApp from sharing users’ data with Facebook. Rotenberg justified this approach as “Many users signed up for WhatsApp and not Facebook, precisely because WhatsApp offered, at the time, better privacy practices” he explained “If the F.T.C. does not bring an enforcement action, it means that even when users choose better privacy services, there is no guarantee their data will be protected.”
23. August 2016
In order to join the EU-U.S. Privacy Shield a company has to self-certify and therefore ensure the following requirements:
1. The eligibility of the company has to be confirmed in order to participate in the
EU-U.S. Privacy Shield.
2. Development of a Privacy Policy that is compliant to the EU-U.S. Privacy Shield.
- The Privacy Policy has to comply with the EU-U.S. Privacy Shield Principles.
- The Privacy Policy has to refer to the Privacy Shield Compliance.
- An accurate location for the Privacy Policy has to be provided and made sure that it is publicly available.
3. Independent recourse mechanisms need to be identified.
- Enforcement and Liability Principle: the company has to provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual.
4. Verification mechanisms need to be in place.
- The company is required to have procedures in place for verifying compliance through self-assessments or third party assessments.
5. Implementation of a person of contact.
- The company is required to provide a contact with regard to questions, complaints, access requests, and any other issues arising under the EU-U.S. Privacy Shield.
Furthermore, the company has to pay a fee depending on the annual revenue:
| Company’s Annual Revenue | Fee |
| $0 to $5 million | $250 |
| Over $5 million to $25 million | $650 |
| Over $25 million to $500 million | $1,000 |
| Over $500 million to $5 billion | $2,500 |
| Over $5 billion | $3,250 |
17. August 2016
Concerning U.S.-American Companies:
- Annual self-certification that they meet the requirements
- Displaying the privacy policy on their website
- Replying in a reasonable period of time to any complaints
- In case human resources data is processed: cooperation and compliance with European Data Protection Authorities
Concerning European Individuals:
- More transparency about the transfer of personal data to the U.S. and an increase of the protection level of this data.
- Cheaper and easier redress possibilities in case of complaints: either directly towards the company or with the support of the respective Data Protection Authority.
28. July 2016
In the case Verein für Konsumenteninformation v. Amazon, the Court of Justice of the European Union has to decide which Member State’s data protection law should apply in case goods are sold across national borders but within the EU. In the respective case goods are sold from a German or Luxembourgish website to an Austrian consumer.
This can be seen as one of the more significant data protection cases of 2016. The judgement will be significant due to the fact that the EU is in the process of implementing the new General Data Protection Regulation. As a consequence an European Data Protection Board (EDPB) will be established, which will represent Data Protection Authorities of different Member States. The EDPB will also be responsible for conflicts of jurisdiction. However, this process has been described as a “ (…) hyper bureaucratic procedure that will lead to more complexity and longer procedures.”
In case the Court of Justice of the European Union clarifies the jurisdiction of Data Protection Authorities, there may be less need to utilise these hyper-bureaucratic procedures. This could make the EU’s single market more efficient.
The Court of Justice of the European Union will probably rule on this matter today.
27. July 2016
The Article 29 WP issued on the 26th July a statement about the adopted EU-U.S. Privacy Shield. After its previous opinion on the Privacy Shield (opinion WP 238), the WP 29 welcomes the improvements brought by the final draft, but it remarks that there are still some concerns, already addressed in the Opinion WP 238, that have not been clarified yet.
Regarding commercial aspects, the Privacy Shield does not specifically address issues related to automated decision making or the general right to object. Furthermore, it is not clear the impact that the Privacy Shield shall have on data processors.
A further concern relates to the access to personal data by American public authorities. The WP 29 had expected stricter assurances that the institution of the Ombudsman is independent. Additionally, there are neither enough assurances, that a massive collection of EU citizens’ personal data will not take place.
Despite the lack of clarity in some aspects of this new framework, the WP 29 will wait until the first annual review takes place to assess the effectiveness of the EU-U.S. Privacy Shield. The result of the first annual joint review may also involve considering the effectiveness of Binding Corporate Rules and Standard Contractual Clauses.
19. July 2016
Recently, the European online newspaper POLITICO published an interview conducted with the two lead U.S. negotiators of the Privacy Shield: Justin Antonipillai, counselor to Commerce Secretary Penny Pritzker and acting undersecretary of commerce for economic affairs, and Ted Dean, a deputy assistant secretary in the department.
Antonipillai explained the EU-U.S. Privacy Shield as “a program to allow companies to transfer data from the EU to the U.S. in a way that meets requirements under European privacy laws”. He remarked that the main objective of the Privacy Shield is to make both, companies and EU citizens, confident that the requirements to transfer personal data are being meet.
He also explained how American and European different methodologies to ensure privacy and data protection have converged in order to agree on the Privacy Shield. According to Antonipillai, an important fact is that companies are certifying and following the principles voluntarily.
Dean also recognizes that the Privacy Shield may be challenged in court. But he adds that the current framework has been built up and discussed with EU Institutions and European DPAs and there is an interest from both sides on a long-term duration of the new framework. Finally, he stated that the impact of the “Brexit” on international personal data transfers cannot be predicted in advance.
Pages: Prev 1 2 3 4 5 6 7 8 Next 
