News Archives

Thursday, July 14, 2016

Appeals Court Backs Microsoft in Overseas Email Case

Reversing an April 2014 ruling by the District Court for the Southern District of New York, the U.S. Court of Appeals for the Second Circuit in New York quashed a search warrant that would have required Microsoft to disclose contents of emails stored on a server in Ireland.  The Court ruled that the U.S. Stored Communications Act neither explicitly nor implicitly envisioned the applications of its warrant provisions overseas, which was the government's central argument in the case, agreeing with Microsoft that inter-governmental mutual legal assistance treaties should be relied upon in cases such as this. Tech companies, lobbying groups and media associations had submitted briefs to support Microsoft’s position, arguing that allowing a warrant to be served would undermine their business prospects abroad and lead to tit-for-tat retaliation by foreign governments with respect to emails stored in the US.  At a time of great uncertainty over the legality of trans-atlantic data flows, the ruling removes a key obstacle to reaching a viable accord with the EU and demonstrates the independence of the US judicial system.  Whether the US government will appeal the ruling remains to be seen.

Friday, July 8, 2016

Article 31 Committee Approves Privacy Shield

On July 8, the Article 31 Committee, comprised of ministerial representatives of the 28 EU member states, approved the revised version of the EU-US Privacy Shield. Four member states abstained from the vote:  Austria, Bulgaria, Croatia and Slovenia. Ratification by the College of Commissioners is expected on Monday, followed shortly by the official launch of the new data transfer framework by EU Justice Commissioner Vera Jourova and US Secretary of Commerce Penny Pritzker.

According to the European Commission, the arrangement “is fundamentally different” from the former “safe harbor” pact because “it imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”  Critics claim that the agreement will not withstand legal challenges - for example, Max Schrems was quoted as saying "they walked a mile but they should have walked one hundred miles" - which may dissuade many US companies from participating in it.

The complete 158-page text of the Privacy Shield agreement, in an undated and unofficial version, is available here

Thursday, June 30, 2016

Commission Pressing Ahead with Privacy Shield Launch

On June 24, after months of difficult negotiations with U.S. authorities, the European Commission sent the text of a revised Privacy Shield agreement to the members of the Article 31 Committee for a vote scheduled to occur on July 4.  Should the agreement receive the Committee’s approval and subsequent pro forma endorsement by the College of Commissioners, Privacy Shield could be officially launched prior to the August recess.  According to EU Justice Commissioner Vera Jourova, “We reached an accord on more precise listing of cases when bulk collection can occur and a better definition of how our American partners understand the difference between bulk collection which may be justified and mass surveillance without any purpose, which is not tolerable.” Other issues addressed by the revised draft were said to include the independence of the special ombudsman and limits on the retention of transferred data by companies.

Significantly, the Commission is not seeking an evaluation of the new draft from the Article 29 Working Party nor giving the Parliament much time to respond to it.  Instead, the Commission appears to be resigned to facing the legal challenges to Privacy Shield that are all but certain to come, even though the cloud of uncertainty they and criticisms of the agreement create over the program may dissuade many U.S. companies from signing-up.  

Whether the Commission will be able to secure the approval of the Article 31 Committee by the required qualified majority vote remains to be seen.  Also unclear is what impact the Brexit vote will have on the Committee’s deliberations.  While the UK remains a full member of the EU, suppose the qualified majority would be reached only with the UK’s backing of the proposed agreement.  Would other member states take this into account in determining their own stance on the new text?

Brexit Vote: Short-term Continuity, Long-Term Uncertainty

The June 23 referendum vote by the UK electorate to leave the European Union has muddled the waters around a host of regulatory and business issues, not least of all that of how data transfers in and out of the UK will be handled in the future.  As Scott Blackmer points out in an excellent summary of the daunting complexities raised by Brexit, the timing of the UK’s departure could be awkward, since the General Data Protection Regulation (GDPR) will come into force on May 25, 2018, months ahead of the earliest projected date for the actual separation.  While the exact form and terms of any new relationship between the UK and the EU remains to be determined, the UK’s Information Commissioner has confirmed the country’s desire to have a data protection standard in place that is equivalent to that of the GDPR.  With so much up in the air, the ICO’s advice to companies following the October 2015 Schrems ruling seems even more apt at this time: keep calm and carry-on.

CJEU to Address Bulk Surveillance Issues This Fall

The Court of Justice of the European Union (CJEU) is expected to rule in two cases this fall that will compel it to examine the issue of bulk collection of personal data by law enforcement and security agencies in greater detail than it did in the Schrems case.  The first is a challenge to the Canada-EU Passenger Name Record (PNR) Agreement and the second involves the data retention laws of the UK and Sweden.  A thoughtful analysis by Kenneth Propp, former legal counselor to the US Mission to the EU, outlines the broader risks rulings in the cases could pose to the 2011 PNR and the 2009 Terrorist Finance Tracking Program (TFTP) Agreements between the US and the EU, let alone to the proposed Privacy Shield framework.

With so much at stake, it is not surprising that on June 13 the US government announced that it had asked the Irish High Court to be joined as an amicus in Max Schrems’s latest complaint concerning the validity of standard contractual clauses as a basis for data transfers to the US.  Since the Irish DPA had previously announced that it was referring the matter to the CJEU, the amicus status will provide the US with an opportunity to describe and defend its surveillance practices directly in a court of law.  The development was welcomed by Max Schrems, who said ““This is a huge chance to finally get solid answers in a public procedure. I am very much looking forward to raise all the uncomfortable questions on US surveillance programs in this procedure. It will be very interesting how the US government will react to the clear evidence already before the court.”

Hamburg DPA Fines Three Companies for Reliance on Safe Harbor

Reports of enforcement actions against companies based upon continued reliance on Safe Harbor for data transfers to the US have been few and far between.  One German regulator, however, broken the ice.

On June 6, the Hamburg data protection authority announced that it had fined three companies – Adobe, Pepsi subsidiary Punica and Unilever – for continuing to rely on Safe Harbor as their legal basis for transferring personal data to the US. While the fines could have been as large as €300,000, they were reduced to €11,000 or less because each of the companies switched to the use of alternative transfer mechanisms during the course of the authority's proceedings.

The fines were the outcome of an inspection of the data transfer procedures of 35 internationally active Hamburg-based companies.  According to the authority, the vast majority of the companies switched to the use of standard contractual clauses within several months of the invalidation of Safe Harbor by the European Court of Justice in October 2015.  Proceedings against a few companies continue, with Commissioner Johannes Caspar warning that stricter sanctions would be imposed if alternative transfer measures were not adopted.  Caspar also indicated that his office would look into the admissibility of alternative transfer mechanisms, and standard contractual clauses in particular, should negotiations over the Privacy Shield not succeed.

China Developing Personal Information Security Standard

China’s National Information Security Standardization Technical Committee was reported on May 31st to have organized a meeting to launch a working group, comprised of representatives from government, academia and industry, tasked with drafting a national Personal Information Security Standard.  The standard would serve as a non-binding baseline for the data privacy and security practices of companies operating in China.  It could influence future data privacy and security-related legislation, while also providing regulators with guidance on current laws and regulations that are often vaguely worded.