Tag: EDPS

EDPS considers Privacy Shield replacement unlikely for a while

18. December 2020

The data transfer agreements between the EU and the USA, namely Safe Harbor and its successor Privacy Shield, have had a troubled history for years. Both have been declared invalid by the Court of Justice of the European Union (CJEU) in proceedings initiated by the Austrian lawyer and privacy activist Max Schrems against Facebook. In both cases, the court concluded that the agreements did not guarantee a level of data protection essentially equivalent to that in the EU and thus violated Europeans’ fundamental rights, because US surveillance laws allow US authorities to access the transferred data.

The judgement marking the end of the EU-US Privacy Shield (“Schrems II”) has a huge impact on EU companies doing business with the USA, which are now expected to rely on Standard Contractual Clauses (SCCs). However, the CJEU also tightened the requirements for the SCCs. Companies using them must first assess whether the law and practice of the third country guarantee an adequate level of data protection. Where they do not, the companies have to adopt supplementary measures to ensure a level of protection that is essentially equivalent to that in the EU.

Nevertheless, companies have been hoping for a new transatlantic data transfer pact. However, the European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski expressed doubts that an agreement will be reached in the near future:

I don’t expect a new solution instead of Privacy Shield in the space of weeks, and probably not even months, and so we have to be ready that the system without a Privacy Shield like solution will last for a while.

He based his scepticism on the incoming Biden administration, which may have other priorities than amending US national security laws. A new data transfer mechanism would, however, depend on reconciling those laws with EU fundamental rights.

Meanwhile, the EU is not standing still and is looking for other ways to maintain its data transfers with the rest of the world. In this regard, the EDPS welcomed the European Commission’s proposed revision of the SCCs, which takes into account the requirements laid down in the CJEU’s “Schrems II” judgement:

The proposed Standard Contractual Clauses look very promising and they are already introducing many thoughts given by the data protection authorities.

EDPS publishes opinion on future EU-UK partnership

3. March 2020

On 24 February 2020, the European Data Protection Supervisor (EDPS) published an opinion on the opening of negotiations for the future partnership between the EU and the UK with regards to personal data protection.

In his opinion, the EDPS points out the importance of commitments to fully respect fundamental rights in the envisaged comprehensive partnership. With regard to the protection of personal data in particular, the partnership should uphold the high level of protection of the EU’s data protection rules.

With respect to the transfer of personal data, the EDPS further supports the EU Commission’s recommendation to work towards the adoption of adequacy decisions for the UK if the relevant conditions are met. However, the Commission must ensure that the UK does not lower its data protection standards below those of the EU after the end of the Brexit transition period. Lastly, the EDPS recommends that the EU institutions also prepare for a scenario in which no adequacy decisions are in place by the end of the transition period on 31 December 2020.

EDPS investigates contractual agreements between EU institutions and Microsoft

10. April 2019

The European Data Protection Supervisor (EDPS) is the supervisory authority for all EU institutions and is therefore responsible for their compliance with data protection law. It is currently investigating whether the contractual agreements between the EU institutions and Microsoft are compliant, as the institutions use Microsoft products and services for their day-to-day business, including the processing of large amounts of personal data.

The EDPS refers to a Data Protection Impact Assessment (DPIA) carried out last November by the Dutch Ministry of Justice and Security (we reported), which concluded that Microsoft collects and stores personal data of Office users on a large scale without informing them.

Wojciech Wiewiórowski, Assistant EDPS, said: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsibilities when it comes to ensuring compliance. However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”

The investigation should reveal which products and services are currently in use and whether the existing contractual agreements comply with current data protection law, in particular Regulation 2018/1725, the counterpart of the GDPR for the EU institutions and bodies.

Category: EU · GDPR · General

Accountability initiative by the EDPS: achieving compliance with the GDPR

8. June 2016

The EDPS announced yesterday the launch of a new initiative intended to help EU institutions, public bodies and private organizations become compliant and prepare for the GDPR. The initiative concerns the accountability principle, which is explicitly laid down in the GDPR. Accountability for the processing of personal data means:

  • Implementing policies within the organization in order to achieve transparency
  • Training employees and other persons within the organization in the implementation of those policies
  • Monitoring the implementation of the policies
  • Establishing procedures to identify non-compliance and to respond to data breaches

The EDPS states that the accountability principle involves a culture change within organizations and promotes sustainable data processing. This means that organizations should assess the fairness and legality of complex data processing operations, and that both public bodies and private organizations should develop a risk management strategy tailored to their specific needs, so that they are compliant with the GDPR when it becomes applicable in May 2018.

The initiative was first implemented at the EDPS itself, using questionnaires addressed to the Supervisors, the Director, the staff responsible for processing operations and the DPO. The resulting actions were documented and followed up on a regular basis. The questions aimed at ensuring control over the processing of personal data and the lawfulness of that processing.

European Data Protection Supervisor issues opinion on EU-U.S. Privacy Shield

1. June 2016

The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, this week issued his opinion on the EU-U.S. Privacy Shield. The EDPS is an independent EU institution, created in 2004, that advises EU institutions on policies and legislation related to privacy and data protection and cooperates with other authorities in these matters.

The EDPS emphasized the following key aspects of the EU-U.S. Privacy Shield:

  • The current draft is not robust enough, and improvements should be made so that it withstands scrutiny before the CJEU.
  • The Privacy Shield should offer a long-term solution for international data transfers to the U.S.
  • The protection provided by the Privacy Shield should guarantee the rights to redress, transparency, data privacy and oversight.
  • It should also protect against indiscriminate surveillance by U.S. authorities.
  • The draft should be consistent with the GDPR, including its rules on international data transfers.
  • International companies should be aware of and comply with their obligations regarding privacy and data protection.

To sum up, the Privacy Shield should offer a level of data protection essentially equivalent to that existing in the EU.

Category: EU · General