Tag: EU – US Privacy Shield

Privacy Activist Schrems unleashes 101 Complaints

21. September 2020

Lawyer and privacy activist Maximilian Schrems has become known for his legal actions leading to the invalidation of “Safe Harbor” in 2015 and of the “EU-U.S. Privacy Shield” this year (we reported). Following the landmark court decision on the “EU-U.S. Privacy Shield”, Schrems recently announced on the website of his NGO “noyb” (non-of-your-business) that he has filed 101 complaints against 101 European companies in 30 different EU and EEA countries with the responsible Data Protection Authorities. Schrems exercised the right to lodge a complaint with the supervisory authority that every data subject has if he or she considers that the processing of personal data relating to him or her infringes the Regulation, pursuant to Art. 77 GDPR.

The complaints concern the companies’ continued use of Google Analytics and Facebook Connect that transfer personal data about each website visitor (at least IP-address and Cookie data) to Google and Facebook which reside in the United States and fall under U.S. surveillance laws, such as FISA 702. Schrems also published a list of the 101 companies which include Sky Deutschland, the University of Luxembourg and the Cyprus Football Association. With his symbolic action against 101 companies, Schrems wanted to point to the widespread inactivity among many companies that still do not take the data protection rights of individuals seriously despite the recent ruling by the Court of Justice of the European Union.

In response, the European Data Protection Board (“EDPB”) has set up a “task force” to handle complaints against European companies using Google Analytics and Facebook services. The taskforce shall analyse the matter and ensure a close cooperation among the members of the Board which consists of all European supervisory authorities as well as the European Data Protection Supervisor.

U.S. Commerce Department publishes FAQs on EU-US Privacy Shield

12. August 2020

The U.S. Commerce Department has released a frequently asked questions page (FAQ) with regards to the EU-US Privacy Shield, following the latest decision of the Court of Justice of the European Union (CJEU) in the Schrems II case.

The FAQ consists of five questions which revolve around the situation after the invalidation of the Privacy Shield by the CJEU, especially the status of companies already certified under the Privacy Shield.

The Commerce Department states in its FAQ that despite the invalidity of the Privacy Shield certification as a GDPR compliant transfer mechanism, the decision of the CJEU does not relieve companies certified under the Privacy Shield from their obligations. On July 21, 2020, the Federal Trade Commission (FTC) stated that they expect controllers to continue to follow the obligations laid out under the Privacy Shield Framework for transfers.

Further, the Commerce Department will continue to administer certification and re-certification under the Privacy Shield despite the new development. The Commerce Department emphasizes that the continued dedication to the Privacy Shield will show the commitment of the parties and the controllers certified under it to the Data Protection cause.

However, the Commerce Department also notes that the costs coming along with a Privacy Shield certification will remain, which could have an effect on the motivation for companies to get self- and re-certified.

Transatlantic Data Transfers in light of the Two Year Anniversary of GDPR Application

7. July 2020

In the last two years since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018, it has received an overall positive feedback and structured the data protection culture not only in the European Union, but has set an example for international privacy standards.

However, especially from the American side of the world, criticism has been constant. Different principles are a prerequisite for different opinions and priorities, and the effort to bring European data protection standards and American personal data business together has been a challenge on both sides.

One of the main criticisms coming from the US government is the increasing obstacles the GDPR poses in case of cybercrime investigations and law enforcement. Not only the restrictive implications of the GDPR are an issue, but also the divergent interpretations due to national adaptations of the GDPR are seen as a problem by government officials.

In the cases of cybercrime, the main issue for the US critics is the now less effective database of domain name owners, WHOIS. The online directory, which was created in the 1970s, is an important tool for law enforcement combatting cybercrime. Before the GDPR came into effect in 2018, the request for information on domain owners was straightforward. Now, due to the restrictions of the GDPR, this process has been made long and tedious.

But fighting cybercrime is not the only tension between the EU and the USA concerning data protection. In a judgement in the Schrems II case, expected for July 16, 2020, the European Court of Justice (ECJ) is expected to take a stance on transatlantic data transfers and the current Privacy Shield, which is the basis for the EU-US dataflows under adequate data protection standards. If the Privacy Shield is deemed insufficient protection, it will have a major effect on EU-US business transactions.

However, these are issues that the European Commission (EC) is very aware of. In their communication concerning the two-year review of the GDPR, the Commission stated that they are planning to balance out diverging and fragmented interpretations of the GDPR on national levels and find a common data protection culture within Europe.

In addition, the restrictions the GDPR poses to law enforcement are another point the European Commission knows it needs to fix. The plan for the future is a bilateral and multilateral framework that can allow for simple requests to share data for law enforcement purposes and avoid conflicts of law, while keeping data protection safeguards intact.

The upcoming judgement of the ECJ is seen with watchful eyes by the Commission, and will be incorporated in their upcoming adequacy decisions and re-evaluations, as well as their development of a modern international transfer toolbox, which includes a modernized version of the standard contractual clauses.

Overall, the two-year mark of the existence of the GDPR is seen more as a success, despite the clear areas for future improvement. One of the big challenges in transatlantic data transfers ahead is without a doubt the outcome of the judgement in the Schrems case in mid-July, the implications of which are, at this point in time, not yet able to be defined.

FTC reaches settlements with companies regarding Privacy Shield misrepresentations

10. December 2019

On December 3, 2019, the Federal Trade Commission (FTC) announced that it had reached settlements in four different cases of Privacy Shield misrepresentation. The FTC alleged that in particular Click Labs, Inc., Incentive Services, Inc., Global Data Vault, LLC, and TDARX, Inc. each falsely claimed to have participated in the framework agreements of the EU-US Privacy Shield. According to the FTC, Global Data and TDARX continued to claim participation in the EU-U.S. Privacy Shield upon expiration of their Privacy Shield certifications. Click Labs and Incentive Services have also erroneously claimed to participate in the Swiss-U.S. Privacy Shield Framework. In addition, Global Data and TDARX have violated the Privacy Shield Framework by failing to follow the annual review of whether statements about their privacy shield practices were accurate. Also, according to the complaints, they did not affirm that they would continue to apply Privacy Shield protection to personal information collected during participation in the program.

As part of the proposed settlements, each of the companies is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield Framework or any other privacy or data security program sponsored by any government or self-regulatory or standard-setting organization. In addition, Global Data Vault and TDARX are required to continue to apply Privacy Shield protection to personal information collected during participation in the program. Otherwise, they are required to return or delete such information.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks allow companies to legally transfer personal data from the EU or Switzerland to the USA. Since the framework was established in 2016, the FTC has initiated a total of 21 enforcement measures in connection with the Privacy Shield.

A description of the consent agreements is published in the Federal Register and publicly commented on for 30 days. The FTC will then decide whether the proposed consent orders are final.

EU-US Privacy Shield and SCCs facing legal challenge before the EU High Courts

3. July 2019

Privacy Shield, established between the European Union (EU) and the United States of America (US) as a replacement of the fallen Safe Harbor agreement, has been under scrutiny from the moment it entered into effect. Based on the original claims by Max Schrems in regards to Safe Harbor (C-362/14), the EU-US data transfer agreement has been challenged in two cases, one of which will be heard by the Court of Justice of the European Union (CJEU) in early July.

In this case, as in 2015, Mr. Schrems bases his claims elementally on the same principles. The contention is the unrestricted access of US agencies to European’s personal data. Succeeding hearings in 2017, the Irish High Court found and raised 11 questions in regards to the adequacy of the level of protection to the CJEU. The hearing before the CJEU is scheduled for July 9th. The second case, originally planned to be heard on July 1st and 2nd, has been brought to the General Court of the European Union by the French digital rights group La Quadrature du Net in conjunction with the French Data Net and Fédération FDN. Their concerns revolve around the inadequacy of the level of protection given by the Privacy Shield and its mechanisms.
This hearing, however, has been cancelled by the General Court of the EU only days prior to its date, which was announced by La Quadrature du Net through tweet.

Despite the criticism of the agreement, the European Commission has noted improvements to the level of security of the Privacy Shield in their second review of the agreement dating from December 2018. The US Senate confirmed Keith Krach as Under Secretary for Economic Growth, Energy and Environment, with his duties to include being the permanent ombudsman in regards to the Privacy Shield and the EU data protection, on June 20th 2019.

As it is, both cases are apt to worry companies that rely on being certified by the Privacy Shield or the use of SCCs. With the uncertainty that comes with these questions, DPOs will be looking for new ways to ensure the data flow between Europe and the US. The European Commission stated that it wants to make it easier for companies in the future to comply with data transfers under the GDPR. It plans to update the SCCs to the requirements of the GDPR, providing a contractual mechanism for international transfers. Nonetheless, it is unclear when those updates are happening, and they may be subject to legal challenge based on the future Schrems ruling.

FTC takes action against companies claiming to participate in EU-U.S. Privacy Shield and other international privacy agreements

24. June 2019

The Federal Trade Commission (FTC) announced that it had taken action against several companies that pretended to be compliant with the EU-U.S. Privacy Shield and other international privacy agreements.

According to the FTC, SecureTest, Inc., a background screening company, has falsely claimed on its website to have participated in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. These framework agreements allow companies to transfer consumer data from member states of the European Union and Switzerland to the United States in accordance with EU or Swiss law.

In September 2017, the company applied to the U.S. Department of Commerce for Privacy Shield certification. However, it did not take the necessary steps to be certified as compliant with the framework agreements.

Following the FTC’s complaint, the FTC and SecureTest, Inc. have proposed a settlement agreement. This proposal includes a prohibition for SecureTest to misrepresent its participation in any privacy or security program sponsored by any government or self-regulatory or standardization organization. The proposed agreement will be published in the Federal Register and subject to public comment for 30 days. Afterwards the FTC will make a determination regarding whether to make the proposed consent order final.

The FTC has also sent warning letters to 13 companies that falsely claimed to participate in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor frameworks, which were replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks. The FTC asked companies to remove from their websites, privacy policies or other public documents any statements claiming to participate in a safe harbor agreement. If the companies fail to take action within 30 days, the FTC warned that it would take appropriate legal action.

The FTC also sent warning letters with the same request to two companies that falsely claimed in their privacy policies that they were participants in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. The APEC CBPR system is an initiative to improve the protection of consumer data moving between APEC member countries through a voluntary but enforceable code of conduct implemented by participating companies. To become a certified participant, a designated third party, known as an APEC-approved Accountability Agent, must verify and confirm that the company meets the requirements of the CBPR program.

EU-U.S. Privacy Shield is being challenged

28. October 2016

As the website of the European Court of Justice just released, is the EU-U.S. Privacy Shield being challenged by Digital Rights Ireland, an Irish privacy advocacy group.

The facts of this case (Digital Rights Ireland v Commission; Case T-670/16) are as follows:

  • Digital Rights Ireland has filed an action for annulment against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield.
  • There has been no comment from Digital Rights Ireland yet.
  • No documents have been published with regard to the case so far.
  • However, as HuntonPrivacyBlog reported “(…) media sources quote a spokesperson for the European Commission acknowledging the case and stressing the European Commission’s conviction that the Privacy Shield meets all legal requirements.”

Google Analytics joins EU-U.S. Privacy Shield

31. August 2016

On its blog Google Analytics announced on the 29th of August that they have self-certified to the EU-U.S. Privacy Shield.

The statement describes the EU-U.S. Privacy Shield as a new framework for transfers of personal data from Europe to the United States, which can be seen as a significant milestone for the protection of Europeans’ personal data, legal certainty of transatlantic businesses, and trust in the digital economy.

Therefore, Google has now committed that they comply with the Privacy Shield’s principles and furthermore that they will safeguard the transfers of personal data, whereas no action is required from their customers.

EU Commission announces formal adoption of the EU-U.S. Privacy Shield

13. July 2016

The EU Commission announced yesterday the formal adoption of the EU-U.S. Privacy Shield. Both, the EU Commission Vice-President, Andrus Ansip, and the EU Commissioner Vera Jourová highlighted the positive impact of the Privacy Shield not only for businesses, but especially for EU citizens, whose right to data protection will be enforced and several mechanisms will implemented in order to safeguard their rights.

The main aspects of the final draft of the EU-U.S. Privacy Shield are:

  • U.S. companies handling EU personal data will be subject to stricter obligations. For instance, the American Department of Commerce will review regularly that the participating companies comply in practice with the commitments of the Privacy Shield. In case of incompliance, the company will face not only fines, but will be also removed from the list.
  • The U.S. has ensured that bulk collection of EU citizens’ data will be carried out only if certain conditions are met and it will be as targeted and focused as possible. Also, a redress mechanism will be available for EU citizens to solve this kind of issues.
  • Individual rights will be effectively protected through the implementation of dispute resolution mechanisms, which will be affordable and accessible for EU citizens. In case that the dispute is not resolved, an arbitration mechanism will be also available. If the dispute refers to U.S. national security Authorities, an independent Ombudsperson will handle the issue.
  • The Privacy Shield will be subject to an annual review by the EU Commission and the U.S. Department of Commerce in order to monitor its functioning.

Next steps

The Privacy Shield constitutes an “adequacy decision”. This decision has been notified to the EU Member States by the EU Commission and will enter into force immediately. Additionally, it will also be published on the U.S. Official Journal.

Starting August 1st, the U.S. Department of Commerce will start processing membership requests. This means that companies that wish to certify and become members of the EU-U.S. Privacy Shield will have to review and if appropriate update their privacy programs.

Furthermore, the EU Commission will publish a guidance in order to inform EU citizens about the dispute resolution mechanisms available under the Privacy Shield.

What happens with the GDPR?

The GDPR lays down stricter requirements to carry out international data transfers than those of the Privacy Shield. As the GDPR will enter into force in two years, U.S. companies will have to be compliant also with the requirements of the GDPR.

However, this situation has been already addressed in two directions: on the one hand, the Privacy Shield will be subject to an annual review, as mentioned above; and on the other hand, the Privacy Shield states that its scope of application refers to data transfers and processing of personal data by U.S. companies as far as the processing does not fall under the scope of EU legislation.

The EU-U.S. Privacy Shield has been approved

11. July 2016

On the 8th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and the Commissioner Vera Jourová announced in a joint statement that the EU Member States have approved the updated draft of the EU-U.S. Privacy Shield. However, Austria, Bulgaria, Croatia, and Slovenia abstained from voting.

The statement remarks that the Privacy Shield will ensure a high data protection level for EU citizens, because it imposes stronger obligations for U.S. companies. Specially regarding the bulk collection of personal data from EU citizens by American authorities.

The formal adoption of the Privacy Shield is expected this week.

Although the EU-U.S. Privacy Shield has been approved, the legality of the agreement could be challenged, as occurred with the former Safe Harbor Framework.

Pages: 1 2 3 Next
1 2 3