General overview of the EU-U.S. Privacy Shield

11. March 2016

After the details of the EU-U.S. Privacy Shield were released on February 29th, several institutions will examine its legal implications and validity in order to determine if the new Framework complies with the European Standards on Data Protection. One of these institutions is the Article 29 WP, which will reveal its opinion on the EU-U.S. Privacy Shield by the end of April.

Eduardo Ustaran, an expert in international Privacy and Data Protection, has analyzed the positive impact that the EU-U.S. Privacy Shield may have for the future development of global privacy:

  • This Framework may widespread the European Data Protection culture at an international level because multinationals will globally adopt this model, in order to comply with the European Standards.
  • Additionally, the U.S. government is adapting its legislation to the Data Protection requirements established by the EU Legislation in this field. For example, the U.S. Judicial Redress Act was approved on February 2016 in line with the new conflict resolution system proposed in the Privacy Shield. This way, EU Citizens will have the possibility to raise complaints to U.S. Authorities when their rights to Privacy and Data Protection have been violated by an organization.
  • Also the judiciary will play an important role as ultimate institution that mediates between the citizens and the state.
  • As mentioned above, the conflict resolution system proposed in the Privacy Shield includes the participation of several institutions at different levels, which provides the individuals many possibilities to exercise their rights as data subjects. Therefore, individuals will be able, for example, to raise a complaint towards the organization or to raise a complaint at the local DPA.
  • The Framework may foster the communication and collaboration between American and European Institutions. For instance, it is foreseen that an annual revision of the Framework takes place.

Chinese privacy law

2. March 2016

According to an article on the International Association of Privacy website, Chinese privacy laws are still in their early stages and the existing laws are similar to international norms like notice and security. Nevertheless, the development of Chinese privacy law should not be ignored by companies, who wish to enter the Chinese market, since China is the growing economic power and has a wide consumer range. To understand Chinese privacy awareness, companies have to understand the cultural background and Chinese consumer expectations.

First of all, there should be a focus on community values, because the Chinese put a lot of importance to values and ethics. It is relevant to develop corporate policies, which show an understanding for the community values. For Chinese people it is important, that privacy law protects their private lives from community exposure.

Secondly, companies should try to understand the expectations of the Chinese consumers. The Chinese may be more open to data processing, especially if the processing leads to pragmatic outcomes, such as tailored features. Also, the Chinese may have fewer expectations towards privacy compared with other values, such as corporate transparency. Therefore companies should adjust their policies and put emphasis on transparency reports.

Category: General
Tags:

Fact Sheet of the European Commission about the EU-U.S. Privacy Shield

1. March 2016

On the 29th February 2016, the European Commission released a fact sheet about the Frequently Asked Questions related to the EU-U.S. Privacy Shield. The EU-U.S Privacy Shield aims at regulating international data transfers between the EU (including EEA countries Norway, Lichtenstein and Iceland) and the U.S. after the Safe Harbor Decision was declared invalid by the ECJ on October 2015.

The EU-U.S Privacy Shield is a new adequacy decision, under which the U.S. companies that comply with the described data protection principles and abide the obligations described in the framework, will be considered as ensuring an adequate level of data protection.

In contrast to the former Safe Harbor Decision, the EU-U.S. Privacy Shield imposes stronger obligations on companies related to monitoring and enforcement and prevents generalized access to EU personal data from U.S. public Authorities.

Under the Privacy Shield, U.S. companies will have to self-certify that they meet the requirements described in the Framework. The U.S. Department of Commerce will actively verify that the certifying company actually meets the requirements to certify, for example by reviewing the company´s privacy policy.

A key aspect of the Privacy Shield is the possibility for EU data subject to obtain redress in the US in case that their personal data is misused by commercial companies. The possibility to redress involves the following alternatives for the data subject:

  • to lodge a complaint with the company itself, or
  • to complaint towards their local DPA, or
  • to use the Alternative Dispute Resolution (ADR) mechanisms, or
  • through arbitration by having recourse to the Privacy Shield Panel, if the case is not resolved by any of the abovementioned alternatives.

The possibility to redress with regard to national security will be ensured by the institution of the Ombudsman.

All these aspects of the new EU-U.S. Privacy Shield have been reflected in the Judicial Redress Act, signed on February, 24th. This Act gives EU citizens the possibility to address privacy issues to U.S. Courts in relation to personal data transfers for law enforcement purposes. This Act aims at providing EU citizens with the same rights as U.S. citizens.

Also, the so called EU-U.S. “Umbrella-Agreement” covers relevant aspects of data protection regarding EU-U.S. law enforcement cooperation for the purposes of crime and terrorism prevention. This agreement is not a legal basis for data transfers itself, but it will provide safeguards for data transfers made under other existing agreements.

Authorization of the French DPA to process Personal Data for litigation purposes

26. February 2016

In February 2016, the French DPA (CNIL), published a single decision (AU-046) addressed to cover data processing activities from public organisms and private organizations for the purpose of managing and enforcing court actions.

The CNIL states that corporations may process certain categories of personal data, such as criminal convictions, offences or security measures in this context, in order to defend their interests in court. Art. 25. I. 3° of the French Data Protection Act, regulates the processing of these categories of personal data, for which a prior authorization from the CNIL is required. Also the prevention of criminal offences falls under the scope of this article. However, this article does not apply if the offences and criminal convictions are not related to the criminal sphere.

The AU-046 aims at accelerating and simplifying the process to obtain CNIL´s authorization for the processing of these personal data categories. The scope of application of this authorization is the processing related to offenses, convictions and security measures to prepare, perform and follow disciplinary action or judicial proceedings and, if necessary, to enforce the decision.

This authorization concerns all sectors and all types of litigation.

Category: French DPA
Tags: ,

The EU – U.S. Privacy Shield: next steps

19. February 2016

The EU Commission and the U.S. Government agreed recently on the EU- U.S. privacy Shield as a possible mechanism to carry out international data transfers on a valid basis and providing an adequate level of data protection. The agreement shall be adopted by a decision.

The process until both, the proposed agreement and the corresponding decision, are adopted is complex and requires the opinion of several EU institutions

  • The EU Commission should make the proposal for the decision of adopting the agreement. The decision is expected by thy end of February.
  • The WP29, made up of the DPAs from the EU Member States and the European Data Protection Supervisor (EDPS) will have to give its opinion on the proposed agreement. This opinion will not be binding for the EU Commission.
  • Also the Article 31 Committee, established pursuant to art. 31 of the EU Data Protection Directive, will we asked to give an opinion.
  • Finally, the College of the EU Commission will decide about the adoption of the decision.

Additionally, also the ECJ will be requested to examine the proposal in order to determine if it provides an adequate level of protection of the fundamental rights of EU citizens. Also, the DPAs from the Member States may refer to the ECJ for clarification about the agreement.

WP29 – Statement on 2016 Action Plan for the GDPR

16. February 2016

The WP29 has recently published a statement with regards to the action plan in order to implement the EU GDPR (General Data Protection Regulation). The 2016 Action Plan is based on the following four priorities, which are relevant for the tasks of the WP29 and their subgroups.

1. Building up the EDPB (European Data Protection Board) structure and its administration

The main task will be developing IT systems. The European Data Protection Supervisor and the WP29 will furthermore cooperate to set up human resources, a budget and future procedures of the EDPB.

2. Setting up the One-Stop-Shop and the consistency mechanism

In order to prepare the One-Stop-Shop several measures will be necessary, e. g. a lead DPO will have to be designated and the EDPB consistency mechanisms need to be developed.

3. Publishing guidelines for data controllers and processors

The WP29 will publish different guidelines to assist data controllers and data processors in order to fulfil their duties according to the GDPR, such as the new right to portability, “Data Protection Impact Assessment”, and the announcement of a DPO.

4. Communication around the EDPB and the GDPR

The WP29 intends to create an online communication tool, to reinforce the relationship between the EU institutions and to participate in external events to promote the new governance model.

The subgroups of the WP29 will continue fulfilling their tasks. The International Transfers subgroup for instance will carry on analyzing the judgement of the European Court of Justice concerning e.g. the Schrems case. Furthermore, they will be analyzing the EU-U.S. Privacy Shield and its impact on the international data transfers once it has been released.

The WP29 will examine the 2016 Action Plan regularly in order to complete it in 2017.

 

The French DPA requests Facebook to comply with the French Data Protection Act

12. February 2016

On the 8th February, the French DPA (CNIL) announced that it issued a formal notice in which it gives Facebook Inc. and Facebook Ireland Limited 3 months to comply with the French Data Protection Act.

After Facebook informed about changes in its privacy policy at the beginning of 2015, a group formed by the French, the Belgian, the Dutch, the Spanish and the DPA of the German Federal State of Hamburg carried out online and on site audits in order to find out if the updated privacy policy is compliant with the respective data protection legislations.

These audits revealed several incompliances with the French Data Protection Act regarding Facebook´s data processing activities:

  • Facebook collects data of internet users that do not have a Facebook account by using cookies when these users visit a public Facebook page, such as public events or the page of a friend. As a result, the cookie provides Facebook with information about third-party websites with Facebook plug-in buttons, such as “like” button, that are visited by the user.
  • Sensitive data such as religious beliefs or sexual orientation are also processed by Facebook without prior explicit consent of the account holders.
  • Users are not informed in the sign up page about their rights as data subjects and the processing of their personal data.
  • Cookies are also set up in the Facebook website without informing users properly and obtaining their consent.
  • The company does not provide its users with tools to opt-out targeted advertising.
  • Data transfers to U.S. take place on the basis of the Safe Harbor Decision, although it was declared invalid by the ECJ in October 2015.

According to CNIL, this formal notice is not a sanction. However, if Facebook fails to rectify these incompliances within 3 months, the matter will be referred to the CNIL´s Select Committee in order to impose the corresponding sanction.

These findings are also being analyzed by the Belgian, the Dutch, the Spanish and the the DPA of the German Federal State of Hamburg within a cooperation framework in order to act accordingly.

Statement of the U.S. Department of Commerce on the „EU – U.S. Privacy Shield“

5. February 2016

Not only European negotiators and institutions have given their opinion on the EU – U.S. Privacy Shield, also the U.S. Department of Commerce and the FTC Commissioner, Julie Brill, have made a public statement on the on the advantages of the implementation of the Privacy Shield.

On the 2nd February, the U.S. Department of Commerce stated that the EU – U.S. Privacy Shield improves, on the one hand, the commercial oversight and enhances privacy protections and, on the other hand, it demonstrates the U.S. commitment to limitations on national security. The statement of the Department of Commerce remarks the cooperation between the FTC and EU Data protection Authorities and its commitment to review the Agreement on an annual basis. Also, it ensures that the U.S. Intelligence Community has described in writing the constitutional, statutory and policy safeguards applied to its operations.

The FTC offered a live webcast on the 4th February in which the EU – U.S. Privacy Shield was explained by FTC Commissioner Julie Brill. During the webcast the main aspects of the EU – U.S. privacy Shield were explained. Julie Brill remarked the commercial relevance of this agreement and the acknowledgement by U.S Authorities that the rights of the individuals and national security should be balanced.

 

Statement of the WP29 on the “EU – U.S. Privacy Shield”

4. February 2016

After the Press Conference held by Věra Jourová and Andrus Ansip from the European Commission about the proposal for a new agreement between EU and U.S. to carry out international data transfers, the WP29 met on the 2-3 February in order to discuss the consequences of the sentence from the ECJ and the future of international data transfers between EU and the U.S.

The WP29 has remarked that the following four guarantees should be ensured when international data transfers take place:

a) Transparency: the data subject whose data is processed should be informed so that he/she is able to foreseen the consequences of the data transfer.

b) Proportionality and necessity: the finality for which personal data is collected and accessed and the rights of the data subject should be balanced.

c) Independency of a control body that carries out checks in an effective and impartial manner.

d) Effective remedies: the individual should have the possibility to defend his/her rights before an independent body.

The WP29 will also analyze the existing mechanisms to carry out international data transfers, which currently can only take place if Standard Contractual Clauses or Binding Corporate Rules (BCR) are used. In any case, European DPAs will examine data transfers on a case-by-case basis.

However, the WP29 is still looking forward to receive the relevant documents related to the EU – U.S. Privacy Shield in order to analyze its content and to determine to which extent the agreement is legally binding.

 

If you would like to be updated on a regular basis on this and other data protection issues such as the General Data Protection Directive (GDPR), sign in for one of our newsletters:

German / European Data Protection http://www.datenschutzticker.de/newsletter/ (German Language)

International Data Protection http://www.privacy-ticker.com/newsletter/ (English language)

For how to proceed with your companies´ policies on internal or external data protection transfers to third countries and prepare for the GDPR seek individual advice.

 

The “EU – U.S. Privacy Shield”, a new agreement for international data transfers

3. February 2016

After continuous negotiations during the last months to agree on a new framework for international data transfers, since the ECJ invalidated the Safe Harbor Decision, Andrus Ansip (EU Commission Vice-President) and Věra Jourová (Commissioner) announced yesterday in a Press Conference that a new agreement (EU – U.S. Privacy Shield) to carry out international data transfers has been reached.

Under the EU – U.S. Privacy Shield, the following elements will be regulated:

  • Several redress possibilities will be guaranteed to EU citizens when data transfers to U.S. take place and companies, as first redress possibility, will have deadlines to resolve complaints.
  • The resolution includes a “multi-layered” approach in order to avoid that any complaints remain unresolved by offering different resolution mechanisms. Also the European DPAs will have the possibility to refer complaints to the U.S. Department of Commerce and to the Federal Trade Commission.
  • Companies will be subject to strong obligations regarding the processing of personal data imported from EU Member States. Particularly, personal data processed for HR purposes in the U.S. will have to comply with the decisions of EU DPAs.
  • It will be ensured that national authorities only have access to personal data from EU citizens in exceptional cases and subject to the principles of necessity and proportionality.
  • The figure of the “ombudsman” will be created, in order to make possible that EU citizens can complain regarding surveillance activities by national authorities.

This new framework should be reviewed in an annual basis, so that the rights of EU citizens regarding data protection are continuously ensured. This is an important step forward in comparison with the invalidated Safe Harbor Decision.

Although the main points of this agreement have been discussed, the written draft may take up to three months, as Commissioner Věra Jourová said. The Working Party 29 will advise the College of Commissioners on this issue before adopting the official decision. Additionally, the agreement will have to withstand scrutiny from the ECJ.

Pages: Prev 1 2 3 ... 17 18 19 20 21 22 23 24 25 26 27 Next
1 24 25 26 27