Which European DPA is in charge of supervising Amazon?

28. July 2016

In the case Verein für Konsumenteninformation v. Amazon, the Court of Justice of the European Union has to decide which Member State’s data protection law should apply in case goods are sold across national borders but within the EU. In the respective case goods are sold from a German or Luxembourgish website to an Austrian consumer.

This can be seen as one of the more significant data protection cases of 2016. The judgement will be significant due to the fact that the EU is in the process of implementing the new General Data Protection Regulation. As a consequence an European Data Protection Board (EDPB) will be established, which will represent Data Protection Authorities of different Member States. The EDPB will also be responsible for conflicts of jurisdiction. However, this process has been described as a “ (…) hyper bureaucratic procedure that will lead to more complexity and longer procedures.”

In case the Court of Justice of the European Union clarifies the jurisdiction of Data Protection Authorities, there may be less need to utilise these hyper-bureaucratic procedures. This could make the EU’s single market more efficient.

The Court of Justice of the European Union will probably rule on this matter today.

Microsoft cannot be compelled to turn over customer emails stored outside the U.S.

27. July 2016

Last week the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation cannot be compelled to turn over customer emails stored outside the U.S. to U.S. law enforcement authorities.

The original case addressed a search warrant concerning the contents of all emails, records and other information regarding one of Microsoft’s email users. Although Microsoft generally complied, it refused to turn over the contents of the emails stored on a server in Ireland. Microsoft opinion was that U.S. courts are not authorized to issue such warrants. However, in April 2014 a judge in the U.S. District Court for the Southern District of New York held that Microsoft has to turn over the contents of the emails to U.S. law enforcement in case of search warrant is issued under the Stored Communications Act and although the data is stored outside of the U.S.

The Second Circuit ruled that “Congress did not intend the (Stored Communications Act’s) warrant provisions to apply extraterritorially…(and) the Stored Communications Act does not authorize a U.S. court to issue and enforce an Stored Communications Act warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.”

Article 29 WP issues statement about the adopted EU-U.S. Privacy Shield

The Article 29 WP issued on the 26th July a statement about the adopted EU-U.S. Privacy Shield. After its previous opinion on the Privacy Shield (opinion WP 238), the WP 29 welcomes the improvements brought by the final draft, but it remarks that there are still some concerns, already addressed in the Opinion WP 238, that have not been clarified yet.

Regarding commercial aspects, the Privacy Shield does not specifically address issues related to automated decision making or the general right to object. Furthermore, it is not clear the impact that the Privacy Shield shall have on data processors.

A further concern relates to the access to personal data by American public authorities. The WP 29 had expected stricter assurances that the institution of the Ombudsman is independent. Additionally, there are neither enough assurances, that a massive collection of EU citizens’ personal data will not take place.

Despite the lack of clarity in some aspects of this new framework, the WP 29 will wait until the first annual review takes place to assess the effectiveness of the EU-U.S. Privacy Shield. The result of the first annual joint review may also involve considering the effectiveness of Binding Corporate Rules and Standard Contractual Clauses.

In order to prepare for the GDPR the ICO advises companies to establish internal data breach procedures

22. July 2016

The ICO has advised organisations to implement internal data breach procedures, which should be encouraged by employee trainings, in order to be prepared as soon as the General Data Protection Directive (GDPR) comes into effect in 2018.

Therefore, the recommendation made by the ICO in terms of its breach notification recommendation instruct companies to be compliant from the first day the GDPR is implemented. Furthermore, the recommendation states that “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data” and goes on by saying that “You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.” On top of this, the ICO points out that companies will not have much time to notify the authorities of any data breach due to the fact that article 33 of the GDPR requires notification to take place “without undue delay and, where feasible, not later than 72 hours after having become aware of it (…) unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.

A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

 

U.S. Negotiators clarify EU-U.S. Privacy Shield

19. July 2016

Recently, the European online newspaper POLITICO published an interview conducted with the two lead U.S. negotiators of the Privacy Shield: Justin Antonipillai, counselor to Commerce Secretary Penny Pritzker and acting undersecretary of commerce for economic affairs, and Ted Dean, a deputy assistant secretary in the department.

Antonipillai explained the EU-U.S. Privacy Shield as “a program to allow companies to transfer data from the EU to the U.S. in a way that meets requirements under European privacy laws”. He remarked that the main objective of the Privacy Shield is to make both, companies and EU citizens, confident that the requirements to transfer personal data are being meet.

He also explained how American and European different methodologies to ensure privacy and data protection have converged in order to agree on the Privacy Shield. According to Antonipillai, an important fact is that companies are certifying and following the principles voluntarily.

Dean also recognizes that the Privacy Shield may be challenged in court. But he adds that the current framework has been built up and discussed with EU Institutions and European DPAs and there is an interest from both sides on a long-term duration of the new framework. Finally, he stated that the impact of the “Brexit” on international personal data transfers cannot be predicted in advance.

75.4% of Cloud Apps are not compliant with GDPR

18. July 2016

According to the Netskope Cloud Report from June 2016, almost 75.4% of the cloud apps are not compliant with the GDPR. The main reason for this incompliance is the lack of awareness that most organizations have about the amount of cloud apps being used at the company.

The compliance evaluation was based on eight aspects of the GDPR: geographic requirements, data retention, data privacy, terms of data ownership, data protection, data processing agreement, auditing and certifications.

Compliance with the GDPR involves not only that customers as data controllers implement the provisions of the GDPR accordingly, but also that cloud apps vendors (as data controllers) are also compliant. This compliance requirement of the data processor is one of the new requirements that the GDPR imposes. Data processors are also subject to strict data processing requirements and are liable for breach of their obligations. This way, customers are liable for the use they make of the cloud apps and cloud vendors are liable for inherent security and enterprise-readiness.

The report reveals that the main incompliances relate to the data export requirements after termination of service, to excessively long retention periods and to data ownership terms. Moreover, malware also represents an increasing problem regarding cloud apps.

Upon the entry into force of the GDPR, companies shall be able to

  • Identify existing cloud apps in their organization and analyze the risks involved
  • Identify cloud apps storing sensitive data
  • Adopt measures in order to be compliant according to the eight main aspects mentioned above
  • Identify cyber threats and implement adequate measures to safeguard personal data

EU Commission announces formal adoption of the EU-U.S. Privacy Shield

13. July 2016

The EU Commission announced yesterday the formal adoption of the EU-U.S. Privacy Shield. Both, the EU Commission Vice-President, Andrus Ansip, and the EU Commissioner Vera Jourová highlighted the positive impact of the Privacy Shield not only for businesses, but especially for EU citizens, whose right to data protection will be enforced and several mechanisms will implemented in order to safeguard their rights.

The main aspects of the final draft of the EU-U.S. Privacy Shield are:

  • U.S. companies handling EU personal data will be subject to stricter obligations. For instance, the American Department of Commerce will review regularly that the participating companies comply in practice with the commitments of the Privacy Shield. In case of incompliance, the company will face not only fines, but will be also removed from the list.
  • The U.S. has ensured that bulk collection of EU citizens’ data will be carried out only if certain conditions are met and it will be as targeted and focused as possible. Also, a redress mechanism will be available for EU citizens to solve this kind of issues.
  • Individual rights will be effectively protected through the implementation of dispute resolution mechanisms, which will be affordable and accessible for EU citizens. In case that the dispute is not resolved, an arbitration mechanism will be also available. If the dispute refers to U.S. national security Authorities, an independent Ombudsperson will handle the issue.
  • The Privacy Shield will be subject to an annual review by the EU Commission and the U.S. Department of Commerce in order to monitor its functioning.

Next steps

The Privacy Shield constitutes an “adequacy decision”. This decision has been notified to the EU Member States by the EU Commission and will enter into force immediately. Additionally, it will also be published on the U.S. Official Journal.

Starting August 1st, the U.S. Department of Commerce will start processing membership requests. This means that companies that wish to certify and become members of the EU-U.S. Privacy Shield will have to review and if appropriate update their privacy programs.

Furthermore, the EU Commission will publish a guidance in order to inform EU citizens about the dispute resolution mechanisms available under the Privacy Shield.

What happens with the GDPR?

The GDPR lays down stricter requirements to carry out international data transfers than those of the Privacy Shield. As the GDPR will enter into force in two years, U.S. companies will have to be compliant also with the requirements of the GDPR.

However, this situation has been already addressed in two directions: on the one hand, the Privacy Shield will be subject to an annual review, as mentioned above; and on the other hand, the Privacy Shield states that its scope of application refers to data transfers and processing of personal data by U.S. companies as far as the processing does not fall under the scope of EU legislation.

NIS Directive has been adopted by the EU Commission

12. July 2016

On the 6th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and Commissioner Günther H. Oettinger announced the approval of the NIS Directive, this is the Directive on Security of Network and Information Systems.

NIS Directive is one of the main legislative proposals in the context of the Cybersecurity Strategy developed by the EU and focuses on the following aspects:

  • The development of a national system to face cybersecurity attacks such as a Computer Security Incident Response (CSIRT) and a competent authority in cybersecurity issues.
  • A strategic cooperation mechanism between Member States and a development of a CSIRT Network in order to share information about risks.
  • To promote a culture of IT-security in all industry sectors, especially those identified as being “operators of essential services”. This also means to adopt adequate incident response plans. The Directive will apply also to digital service providers such as cloud computing, search engines and e-commerce businesses.

The Directive will enter into force in August 2016 and EU Member States will have 21 months to implement it into their national laws.

The EU-U.S. Privacy Shield has been approved

11. July 2016

On the 8th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and the Commissioner Vera Jourová announced in a joint statement that the EU Member States have approved the updated draft of the EU-U.S. Privacy Shield. However, Austria, Bulgaria, Croatia, and Slovenia abstained from voting.

The statement remarks that the Privacy Shield will ensure a high data protection level for EU citizens, because it imposes stronger obligations for U.S. companies. Specially regarding the bulk collection of personal data from EU citizens by American authorities.

The formal adoption of the Privacy Shield is expected this week.

Although the EU-U.S. Privacy Shield has been approved, the legality of the agreement could be challenged, as occurred with the former Safe Harbor Framework.

Agreement on cybersecurity signed between the EU Commission and the industry

7. July 2016

On Wednesday, the EU Commission announced the launch of a public-private partnership with the cybersecurity industry as part of its Digital Single Market strategy. This partnership aims at providing the industry with better equipment and infrastructure to reduce cybersecurity threats.

Recent surveys have revealed that around 80% of European companies have suffered at least one cybersecurity incident during 2015. Worldwide, the number of cybersecurity incidents increased up to 38%. Andrus Ansip, Vice-President for the Digital Single Market, stated that “without trust and security, there can be no Digital Single Market”. Therefore several measures haven been proposed in order to tackle the increasingly sophisticated threats.

The initiative focuses on the following aspects:

  • Reinforcement of cooperation across borders and between all sectors of the cybersecurity branch
  • Support the development of innovative and secure products and services
  • Creation of a possible certification framework for information and communications technology security products
  • Ease access to the cybersecurity market for smaller business
  • Assessment of the capabilities and mandate of European Union Agency for Network and Information Security (ENISA) to achieve its mission to support EU Member States in reinforcing cyber-resilience
  • Evaluation of methods to strengthen cybersecurity cooperation, trainings and education

Both, the EU and the cybersecurity industry actors, represented by the European Cybersecurity Organization (ECSO), will invest around €1.8 billion in this initiative. Members from national, regional and local public administration, as well as research centres and academies will also participate.

The main industry sectors to which this partnership is focused are finance, health, energy and transport.

The EU Digital Single Market strategy also includes the 2013 EU Cybersecurity strategy and the Network and Information Security Directive (NIS Directive), which is expected to be approved within the next weeks.

Pages: Prev 1 2 3 ... 28 29 30 31 32 33 34 35 36 37 38 Next
1 28 29 30 31 32 38