21. September 2020
Lawyer and privacy activist Maximilian Schrems has become known for his legal actions leading to the invalidation of “Safe Harbor” in 2015 and of the “EU-U.S. Privacy Shield” this year (we reported). Following the landmark court decision on the “EU-U.S. Privacy Shield”, Schrems recently announced on the website of his NGO “noyb” (non-of-your-business) that he has filed 101 complaints against 101 European companies in 30 different EU and EEA countries with the responsible Data Protection Authorities. Schrems exercised the right to lodge a complaint with the supervisory authority that every data subject has if he or she considers that the processing of personal data relating to him or her infringes the Regulation, pursuant to Art. 77 GDPR.
The complaints concern the companies’ continued use of Google Analytics and Facebook Connect that transfer personal data about each website visitor (at least IP-address and Cookie data) to Google and Facebook which reside in the United States and fall under U.S. surveillance laws, such as FISA 702. Schrems also published a list of the 101 companies which include Sky Deutschland, the University of Luxembourg and the Cyprus Football Association. With his symbolic action against 101 companies, Schrems wanted to point to the widespread inactivity among many companies that still do not take the data protection rights of individuals seriously despite the recent ruling by the Court of Justice of the European Union.
In response, the European Data Protection Board (“EDPB”) has set up a “task force” to handle complaints against European companies using Google Analytics and Facebook services. The taskforce shall analyse the matter and ensure a close cooperation among the members of the Board which consists of all European supervisory authorities as well as the European Data Protection Supervisor.
13. January 2017
On January 10th 2017 the European Commission released a Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications.
The presented proposal pursues the implementation of the EU’s Digital Single Market strategy. The Digital Single Market strategy aims to increase trust in and the security of digital services. With the upcoming General Data Protection Regulation further legislative measures have to be implemented in order to build a coherent regulatory framework.
The proposed Regulation will repeal the Directive 2002/58/EC Regulation on Privacy and Electronic Communications, also known as the “E-Privacy Directive”, which insufficiently regards current technological developments. Especially so-called Over the Top communication services, such as the messenger services WhatsApp, Skype or Facebook Messenger, are not regulated by the E-Privacy Directive and lack sufficient privacy for its users. According to the proposed Regulation, the content of messages as well as metadata will have to remain confidential and / or anonymized unless the user consented otherwise.
In addition, the new rules set out a strategic approach relating to international data transfer. By engaging in so-called “adequacy decisions” the transfer of personal data will be simplified while a high level of privacy remains.
The proposed Regulation further contains rules to ensure that personal data, which is processed by EU institutions and bodies, is handled according to the measures of the General Data Protection Regulation.
Finally, since the nature of the Proposal is a regulation instead of a directive, it should have a stronger impact for both consumers and businesses.
Ideally the legislative process will be finalized by May 25th 2018, when the General Data Protection Regulation will enter into force.
2. August 2016
The EU Commission announced yesterday the full operability of the agreed EU-U.S. Privacy Shield as substitute of the former Safe Harbor Framework. The Department of Commerce will verify the privacy policies of the U.S. Companies that sign up the Privacy Shield in order to ensure that they comply with the standards agreed on the new framework.
Furthermore, the EU Commission has also published a citizen’s guide regarding how their rights will be ensured and how to address complaints if they consider that their rights have not been respected. Amongst others, EU citizens have the right to access the data an organization holds about them, to correct their data if this is inaccurate or incorrect, to have access to the different dispute resolution mechanisms, etc.
U.S. Secretary of Commerce Penny Pritzker also made a statement regarding the launch of the new framework: “After more than two years of discussions, it is time to implement the new EU-U.S. Privacy Shield Framework with our partners in Europe and companies on both continents. With the Privacy Shield in place, businesses will be able to protect privacy and truly seize the opportunities offered by the transatlantic digital economy. More than $260 billion in digital services trade is already conducted across the Atlantic Ocean annually, but there is significant potential for this figure to grow, resulting in a stronger economy and job creation. The Privacy Shield opens a new era in data privacy that will deliver concrete and practical results for our citizens and businesses.”
