Tag: EU-U.S. Privacy Shield

Danish watchdogs ban Google Chromebooks and Google Workspace in municipality

26. August 2022

In July 2022, after an investigation related to a data breach was carried out by the Danish Data Protection Authority (Datailsynet), Google Chromebooks and Google Workspace were banned in schools in the municipality of Helsingor. The DPA ruled that the risk assessment carried out by city officials shows that the processing of personal data by Google does not meet GDPR requirements. In particular, data transfers have been targeted by the Authority: the Data Processing Agreement allows data transfer to third countries for analytical and statistical support, though the data are primarily stored in Google’s European facilities.

This decision comes in a moment of tension in the world of personal data between Europe and the United States of America: other notorious cases (some still ongoing) are the case of the Irish Data Protection Authority vs. Facebook (now part of Meta Inc.), and the case of the German Federal Cartel Office vs. Facebook. European watchdogs have found that in many cases the American tech giants’ policies do not meet the requirements established by the GDPR. This could be traced back to a lack of legal framework in the field of privacy and personal data protection in the United States, were these companies are based.

This decision was taken in the aftermath of the Schrems II ruling by the European Court of Justice, which stated that the pre-existing agreement on data transfers between Europe and the US (so-called Privacy Shield)was not compatible with the GDPR. A new deal is on the table, but not yet approved nor effective.

Google is becoming the target of various investigations by European data watchdogs, above all because of its tool Google Analytics. In January the Austrian Data Protection Authority published an opinion in which it stated that companies using Google Analytics inadvertently transferred customers’ personal data such as IP addresses to the United States, in breach of the GDPR. Italy’s Garante per la Protezione dei Dati Personali published a similar opinion a few weeks later, stating that “the current methods adopted by Google do not guarantee an adequate level of protection of personal data”.

High Court dismisses Facebook’s procedural complaints in Data Transfer Case

18. May 2021

On Friday, May 14th 2021, the Irish High Court dismissed all of Facebook’s procedural complaints in a preliminary decision from Ireland’s Data Protection Commission regarding data transfers from the EU to the U.S. It rejected Facebook’s claims that the privacy regulator had given it too little time to respond or issued a judgment prematurely.

If finalized, the preliminary decision could force the social-media company to suspend sending personal information about EU users to Facebook’s servers in the U.S. While the decision of the High Court was only a procedural one, experts warn that the logic in Ireland’s provisional order could apply to other large tech companies that are subject to U.S. surveillance laws. This could potentially lead to a widespread disruption of trans-Atlantic data flows.

Facebook addressed the preliminary decision, stating that Friday’s court decision was procedural and that it planned to defend its data transfers before the Irish Data Protection Commission (DPC). It added that the regulator’s preliminary decision could be “damaging not only to Facebook, but also to users and other businesses.”

However, the Irish DPC still needs to finalize its draft decision ordering a suspension of data transfers and submit it to other EU privacy regulators for approval before it comes into effect. That process could take months, not counting potential other court challenges by Facebook.

European Commission issues draft on Standard Contractual Clauses

18. November 2020

A day after the European Data Protection Board (EDPB) issued its recommendations on supplementary measures, on November 12th the European Commission issued a draft on implementing new Standard Contractual Clauses (SCCs) for data transfers to non-EU countries (third countries). The draft is open for feedback until December 10th, 2020, and includes a 12-month transition period during which companies are to implement the new SCCs. These SCCs are supposed to assist controllers and processors in transferring personal data from an EU-country to a third-country, implementing measures that guarantee GDPR-standards and regarding the Court of Justice of the European Union’s (CJEU) “Schrems II” ruling.

The Annex includes modular clauses suitable for four different scenarios of data transfer. These scenarios are: (1) Controller-to-controller-transfer; (2) Controller-to-processor-transfer; (3) Processor-processor-transfer; (4) Processor-to-controller-transfer. Newly implemented in these SCCs are the latter two scenarios. Since the clauses in the Annex are modular, they can be mixed and matched into a contract fitting the situation at hand. Furthermore, more than two parties can adhere to the SCC and the modular approach even allows for additional parties to accede later on.

The potential of government access to personal data is distinctly addressed, since this was a main issue following the “Schrems II” ruling. Potential concerns are met by implementing clauses that address how the data importer must react when laws of the third country impinge on his ability to comply with the contract, especially the SCCs, and how he must react in case of government interference.  Said measures include notifying the data exporter and the data subject of any government interference, such as legally binding requests of access to personal data, and, if possible, sharing further information on these requests on a regular basis, documenting them and challenging them legally. Termination clauses have been added, in case the data importer cannot comply further, e.g. because of changes in the third country’s law.

Further clauses regard matters such as data security, transparency, accuracy and onwards transfer of personal data, which represent issues that have all been tackled in the older SCCs, but are to be updated now.

U.S. Commerce Department publishes FAQs on EU-US Privacy Shield

12. August 2020

The U.S. Commerce Department has released a frequently asked questions page (FAQ) with regards to the EU-US Privacy Shield, following the latest decision of the Court of Justice of the European Union (CJEU) in the Schrems II case.

The FAQ consists of five questions which revolve around the situation after the invalidation of the Privacy Shield by the CJEU, especially the status of companies already certified under the Privacy Shield.

The Commerce Department states in its FAQ that despite the invalidity of the Privacy Shield certification as a GDPR compliant transfer mechanism, the decision of the CJEU does not relieve companies certified under the Privacy Shield from their obligations. On July 21, 2020, the Federal Trade Commission (FTC) stated that they expect controllers to continue to follow the obligations laid out under the Privacy Shield Framework for transfers.

Further, the Commerce Department will continue to administer certification and re-certification under the Privacy Shield despite the new development. The Commerce Department emphasizes that the continued dedication to the Privacy Shield will show the commitment of the parties and the controllers certified under it to the Data Protection cause.

However, the Commerce Department also notes that the costs coming along with a Privacy Shield certification will remain, which could have an effect on the motivation for companies to get self- and re-certified.

Advocate General releases opinion on the validity of SCCs in case of Third Country Transfers

19. December 2019

Today, Thursday 19 of December, the European Court of Justice’s (CJEU) Advocate General Henrik Saugmandsgaard Øe released his opinion on the validity of Standard Contractual Clauses (SCCs) in cases of personal data transfers to processors situated in third countries.

The background of the case, on which the opinion builds on, originates in the proceedings initiated by Mr. Maximillian Schrems, where he stepped up against Facebook’s business practice of transferring the personal data of its European subscribers to servers located in the United States. The case (Schrems I) led the CJEU on October 6, 2015, to invalidate the Safe Harbor arrangement, which up to that point governed data transfers between the EU and the U.S.A.

Following the ruling, Mr. Schrems decided to challenge the transfers performed on the basis of the EU SCCs, the alternative mechanism Facebook has chosen to rely on to legitimize its EU-U.S. data flows, on the basis of similar arguments to those raised in the Schrems I case. The Irish DPA brought proceedings before the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling, the Schrems II case.

In the newly published opinion, the Advocate General validates the established SCCs in case of a commercial transfer, despite the possibility of public authorities in the third country processing the personal data for national security reasons. Furthermore, the Advocate General states that the continuity of the high level of protection is not only guaranteed by the adequacy decision of the court, but just as well by the contractual safeguards which the exporter has in place that need to match that level of protection. Therefore, the SCCs represent a general mechanism applicable to transfers, no matter the third country and its adequacy of protection. In addition, and in light of the Charter, there is an obligation for the controller as well as the supervisory authority to suspend any third country transfer if, because of a conflict between the SCCs and the laws in the third country, the SCCs cannot be complied with.

In the end, the Advocate General also clarified that the EU-U.S. Privacy Shield decision of 12 July 2016 is not part of the current proceedings, since those only cover the SCCs under Decision 2010/87, taking the questions of the validity of the Privacy Shield off the table.

While the Advocate General’s opinion is not binding, it represents the suggestion of a legal solution for cases for which the CJEU is responsible. However, the CJEU’s decision on the matter is not expected until early 2020, setting the curiosity on the outcome of the case high.

Advocate General’s opinion on “Schrems II” is delayed

11. December 2019

The Court of Justice of the European Union (CJEU) Advocate General’s opinion in the case C-311/18 (‘Facebook Ireland and Schrems’) will be released on December 19, 2019. Originally, the CJEU announced that the opinion of the Advocate General in this case, Henrik Saugmandsgaard Øe, would be released on December 12, 2019. The CJEU did not provide a reason for this delay.

The prominent case deals with the complaint to the Irish Data Protection Commission (DPC) by privacy activist and lawyer Maximilian Schrems and the transfer of his personal data from Facebook Ireland Ltd. to Facebook Inc. in the U.S. under the European Commission’s controller-to-processor Standard Contractual Clauses (SCCs).

Perhaps, the most consequential question that the High Court of Ireland set before the CJEU is whether the transfers of personal data from the EU to the U.S. under the SCCs violate the rights of the individuals under Articles 7 and/or 8 of the Charter of Fundamental Rights of the European Union (Question No. 4). The decision of the CJEU in “Schrems II” will also have ramifications on the parallel case T-738/16 (‘La Quadrature du net and others’). The latter case poses the question whether the EU-U.S. Privacy Shield for data transfers from the EU to the U.S. protects the rights of EU individuals sufficiently. If it does not, the European Commission would face a “Safe Harbor”-déjà vu after approving of the new Privacy Shield in its adequacy decision from 2016.

The CJEU is not bound to the opinion of the Advocate General (AG), but in some cases, the AG’s opinion may be a weighty indicator of the CJEU’s final ruling. The final decision by the Court is expected in early 2020.

FTC reaches settlements with companies regarding Privacy Shield misrepresentations

10. December 2019

On December 3, 2019, the Federal Trade Commission (FTC) announced that it had reached settlements in four different cases of Privacy Shield misrepresentation. The FTC alleged that in particular Click Labs, Inc., Incentive Services, Inc., Global Data Vault, LLC, and TDARX, Inc. each falsely claimed to have participated in the framework agreements of the EU-US Privacy Shield. According to the FTC, Global Data and TDARX continued to claim participation in the EU-U.S. Privacy Shield upon expiration of their Privacy Shield certifications. Click Labs and Incentive Services have also erroneously claimed to participate in the Swiss-U.S. Privacy Shield Framework. In addition, Global Data and TDARX have violated the Privacy Shield Framework by failing to follow the annual review of whether statements about their privacy shield practices were accurate. Also, according to the complaints, they did not affirm that they would continue to apply Privacy Shield protection to personal information collected during participation in the program.

As part of the proposed settlements, each of the companies is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield Framework or any other privacy or data security program sponsored by any government or self-regulatory or standard-setting organization. In addition, Global Data Vault and TDARX are required to continue to apply Privacy Shield protection to personal information collected during participation in the program. Otherwise, they are required to return or delete such information.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks allow companies to legally transfer personal data from the EU or Switzerland to the USA. Since the framework was established in 2016, the FTC has initiated a total of 21 enforcement measures in connection with the Privacy Shield.

A description of the consent agreements is published in the Federal Register and publicly commented on for 30 days. The FTC will then decide whether the proposed consent orders are final.

European Commission releases third annual Privacy Shield Review report

25. October 2019

The European Commission has released a report on the E.U.-U.S. Privacy Shield, which represents the third annual report on the performance of the supranational Agreement, after it came into effect in July 2016. The discussions on the review were launched on 12 September 2019 by Commissioner for Justice, Consumers and Gender Equality Věra Jourová, with the U.S. Secretary of Commerce Wilbur Ross in Washington, DC.

The Privacy Shield protects the fundamental rights of anyone in the European Union whose personal data is transferred to certified companies in the United States for commercial purposes and brings legal clarity for businesses relying on transatlantic data transfer. The European Commission is commited to review the Agreement on an annual basis to ensure that the level of protection certified under the Privacy Shield continues to be at an adequate level.

This year’s report validates the continuous adequacy of the protection for personal data transferred to certified companies in the U.S. from the Europan Union under the Privacy Shield. Since the Framework was implemented, about 5000 companies have registered with the Privacy Shield. The EU Commissioner for Justice, Consumers and Gender Equality stated that “the Privacy Shield has become a success story. The annual review is an important health check for its functioning“.

The improvements compared to the last annual review in 2018 include the U.S. Department of Commerce’s efforts to ensure necessary oversight in a systematic manner. This is done by monthly checks with samply companies that are certified unter the Privacy Shield. Furthermore, an increasing number of European Citizens are making use of their rights under the Framework, and the resulting response mechanisms are functioning well.

The biggest criticism the European Commission has stated came in the form of the recommendation of firm steps to ensure a better process in the (re)certification process under the Privacy Shield. The time of the (re)certification process allows companies to get recertified within three months after their certification has run out, which can lead to a lack of transparency and confusion, since those companies will still be listed in the registry. A shorter time frame has been proposed by the European Commission to guarantee a higher level of security.

Overall, the third annual review has been seen as a success in the cooperation between the two sides, and both the U.S. and the European officials agree that there is a need for strong and credible enforcement of privacy rules to protect the respective citizens and ensure trust in the digital economy.

FTC takes action against companies claiming to participate in EU-U.S. Privacy Shield and other international privacy agreements

24. June 2019

The Federal Trade Commission (FTC) announced that it had taken action against several companies that pretended to be compliant with the EU-U.S. Privacy Shield and other international privacy agreements.

According to the FTC, SecureTest, Inc., a background screening company, has falsely claimed on its website to have participated in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. These framework agreements allow companies to transfer consumer data from member states of the European Union and Switzerland to the United States in accordance with EU or Swiss law.

In September 2017, the company applied to the U.S. Department of Commerce for Privacy Shield certification. However, it did not take the necessary steps to be certified as compliant with the framework agreements.

Following the FTC’s complaint, the FTC and SecureTest, Inc. have proposed a settlement agreement. This proposal includes a prohibition for SecureTest to misrepresent its participation in any privacy or security program sponsored by any government or self-regulatory or standardization organization. The proposed agreement will be published in the Federal Register and subject to public comment for 30 days. Afterwards the FTC will make a determination regarding whether to make the proposed consent order final.

The FTC has also sent warning letters to 13 companies that falsely claimed to participate in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor frameworks, which were replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks. The FTC asked companies to remove from their websites, privacy policies or other public documents any statements claiming to participate in a safe harbor agreement. If the companies fail to take action within 30 days, the FTC warned that it would take appropriate legal action.

The FTC also sent warning letters with the same request to two companies that falsely claimed in their privacy policies that they were participants in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. The APEC CBPR system is an initiative to improve the protection of consumer data moving between APEC member countries through a voluntary but enforceable code of conduct implemented by participating companies. To become a certified participant, a designated third party, known as an APEC-approved Accountability Agent, must verify and confirm that the company meets the requirements of the CBPR program.

Trust in current mechanisms to carry out international data transfer decreases

1. September 2016

According to a survey conducted recently by the International Association of Privacy Professionals (IAPP), trust in current legal mechanisms to carry out data transfers to third countries, such as Standard Contractual Clauses and the EU-U.S. Privacy Shield, has decreased.

The results of this survey reveal that 80 percent of companies relies on the Standard Contractual Clauses approved by the EU Commission to carry out international data transfers, especially to the U.S.A. However, there is currently uncertainty regarding the validity of the Standard Contractual Clauses, which may be also invalidated by the ECJ, as already occurred with the former Safe Harbor framework.

Regarding the EU-U.S. Privacy Shield, which is operative since 1st August, the survey reveals that only 42 percent of U.S. companies plan to self-certify through this new framework, compared to the 73 percent that conducted self-certification with the Safe Harbor framework. The main reason for this may be related to the uncertainty regarding its validity. The Article 29 WP stated recently that the first annual review of the Privacy Shield will be decisive.

Finally, Binding Corporate Rules (BCR) are also used by companies to carry out intra-group data transfers. However, there are several reasons why not many companies implement them. One of these reasons relates to the high costs involved with the implementation. Moreover, the implementation process can last over one year. Also, BCR can be only used for international data transfers within the group, so that other mechanisms shall be used if data transfers outside the group take place.

Pages: 1 2 Next
1 2