News Archives

Sunday, February 7, 2016

Moment of Truth for the DPAs


In the six days since the European Commission announced an agreement with the US on a new framework for transatlantic data flows, the following developments are the most salient:
  • No new details about the framework have emerged.
  • Neither the Commission nor US officials have established any deadline for completion of the negotiations or indicated any limit to how long the talks may continue.
  • Isabel Falque-Pierrotin, the chair of the Article 29 Working Party, has said that it is likely to be at least mid-to-late April before the Working Party is able to reach a position on whether the Privacy Shield offers sufficient protection for European data. Her estimate assumes that the agreement will be finalized and all relevant documents provided to the Working Party by the end of February.
  • Falque-Pierrotin re-affirmed previous statements from the Working Party that companies continuing to rely upon Safe Harbor risk being subject to enforcement action immediately, while those relying upon model contracts or BCRs may continue to do so until the Working Party’s evaluation of the Privacy Shield has been completed.
  • Even if the agreement is finalized at some point, it will take additional months to put the guarantees it calls for, such as the creation of an Ombudsman in the US State Department and enactment of the Judicial Redress Act, in place.  Companies will not be able to participate in the new framework until such measures have been implemented.
  • Both supporters and critics of the Privacy Shield expect it to face significant legal challenges from privacy advocates and consumer groups in Europe.
After three months of anticipation that a definitive moment of regulatory clarity was at hand, where do these developments leave us?  Sadly, in a state of murk, confusion and uncertainty that could last for many months.  Whether the EU’s 44 independent data protection authorities will swallow further delays that could be indefinite and defer enforcement actions that are within their powers is the big question.  Prognostication in these matters is always risky, but it is difficult to imagine that they will not initiate coordinated enforcement actions within the next few weeks against companies still relying upon Safe Harbor.

Update:  On February 8, Forbes reported that Commissioner Jourova had tweeted the previous day that the texts of the Privacy Shield are "being finalized" and will be "unveiled" during the second half of February.  Whether this time frame represents her aspiration or something more concrete remains to be seen.  

Wednesday, February 3, 2016

EU-US Agreement Reached but Details Lacking

On Monday, February 2 the European Commission announced that it had reached an agreement with the US on a new framework for transatlantic data flows.  Details of the agreement, to be called the EU-US Privacy Shield, have not been released and judging from testimony by Justice Commissioner Vera Jourova before the Parliament’s LIBE Committee, these details have not been finalized between the EU and the US.  As might be expected, the very sketchy announcement drew expressions of support from industry trade groups in the US and expressions of doubt from privacy advocates in the EU Parliament and elsewhere.  That “the devil is in the details” was a frequent refrain heard from the parliamentarians. 

Under these circumstances, with the Commission barely meeting the Article 29 Working Party’s end-of-January deadline, the Working Party had little choice but to allow more time to evaluate the agreement.  According to a statement released on February 3, the Working Party welcomes the conclusion of the negotiations between the EU and the US and looks forward to receiving the documents it needs to evaluate its viability, requesting receipt of them by the end of February.  In the meantime, the Working Party re-affirms that data transfers under Safe Harbor are unacceptable and that standard contractual clauses and BCRs may be relied upon for the time being. 

Phil Lee from Fieldfisher was first out of the box with an excellent blog on issues relating to the new agreement, not the least of which is market acceptance.  However, one issue not discussed anywhere, as far as I can tell, is what the obligations of US companies will be under the Privacy Shield and how they will become operative.  As announced, the agreement addresses only high-level questions associated with surveillance and its aftermath, making no mention of what privacy standards and practices will be required of companies that may want to avail themselves of its protections.  What has become of the thirteen recommendations for Safe Harbor reform advanced by the Commission back in 2013?  In short, where is the beef on the Privacy Shield bone?   

Friday, January 29, 2016

Crunch Time in Brussels for Safe Harbor Talks

With the official work week now over in Europe, the International Business Times reported that EU and US officials were engaged in intensive negotiations in Brussels, with the talks expected to continue through the weekend, in an effort to reach agreement on a new Safe Harbor framework.  While the Judiciary Committee of the US Senate finally approved the Judicial Redress Act yesterday, January 28, a crippling amendment, sponsored by Sen. John Cornyn (R-TX), was included that undercut whatever good will final ultimate passage of the bill might achieve.  Meanwhile, EU Justice Commissioner Vera Jourova is expected to update the European Parliament on the status of the negotiations on Monday at 2:45 EST. The Article 29 Working Party will meet on Tuesday and Wednesday, February 2 and 3, to discuss the outcome of the talks and to plan for coordinated enforcement actions should no agreement be reached.

Friday, January 22, 2016

Little Hope with Ten Days Left in Safe Harbor Talks

The EU’s data protection authorities have set January 31 as the deadline for achieving a successful conclusion to the US-EU negotiations over a strengthened Safe Harbor framework.
  
With only ten days to go, here are the latest reported developments:
  • On January 21, Reuters reported that the DPAs are “leaning towards the restriction of personal data transfers to the US because of the risk of U.S. surveillance,” with their February 2 meeting to decide the extent of the restrictions.  During a preparatory meeting held on January 20, a consensus may be forming around prohibiting any new data transfers relying upon model contracts or BCRs. 
  • Should this prove to be the position of the Article 29 Working Party, it would be a bitter pill for companies that decided to put off securing an alternative legal basis for data transfers until the outcome of the Safe Harbor talks was known.  Had they acted promptly after the October 6 Schrems ruling, and developed contractual solutions, for example, they would not face a business-crushing cut-off in data transfers should a bar against new authorizations be announced.  According to a survey of over 300 businesses carried out in December by TRUSTe, 78% of companies are continuing with Safe Harbor and awaiting a new Safe Harbor 2.0. The fact that the US Dept. of Commerce has kept Safe Harbor open for business, and not advised participants to seek the alternative mechanisms recommended by the DPAs, would be a major contributing factor to such a debacle.
  • Also on January 21, The Hill reported that the Judicial Redress Act, having passed the House, is stalled in the Senate.  Many observers believe that enactment of the bill would be more symbolic than substantive, since extending the same protections against government surveillance enjoyed by Americans to Europeans would only create equity in the lack of effective protection enjoyed by anyone.  In addition, both former DOC official Cameron Kerr and the US Chamber of Commerce agree that passage of the Act would not have a direct impact upon the negotiations (a point confirmed by one of the EU's negotiators, Andre Glorioso, a few days later). At the same time, its passage might at least have bought some good will in Europe and more time for talks to continue.  
  • On January 22, Forbes reported that according to European Commission spokesperson Christian Wigand, intense negotiations are occurring and are ongoing. Although US Commerce Secretary Penny Pritzker was said to have recently presented at least two packages stating the US position to the Commission, details of these packages have been withheld.  According to Forbes, the assurances against inappropriate surveillance contained in Pritzker’s proposals “fall far short of what EU law requires.”  As an indication of the immensity of the gap separating the two sides, Paul Nemitz, director for fundamental rights at the Commission’s Justice directorate and one of the negotiators in the Safe Harbor talks, said that it would be “a misunderstanding to say we’re only talking about national security right now.” 

Monday, January 18, 2016

European Commission: No Breakthrough as January 31 Deadline Looms

Additional details about the status of the US-EU Safe Harbor negotiations have emerged, with a report in Politico that the European Commission informed a committee of EU member states on January 14 that while some progress had been made, there had been no breakthrough in the talks.  Several participants in the Commission briefing described successfully meeting the January 31 deadline as unrealistic and unlikely, with the overall message being pessimistic.  A general political agreement could conceivably be reached by the end of the month, and might be sufficient to buy more time from the Article 29 Working Party.  Whether the Working Party would place much credence in a political agreement, after years of negotiations have passed without agreement being reached on a narrower set of issues, remains to be seen.

Sunday, January 17, 2016

Safe Harbor Talks Stall; Article 29 WP to Meet February 2


According to a Bloomberg News report on January 14, talks between the US and the EU over a revised Safe Harbor framework have stalled, two weeks ahead of the January 31 deadline set by the Article 29 Working Party for avoiding coordinated enforcement actions.  Some US officials were said to have hoped that the attacks in Paris would lead the EU to “tone down its demands,” revealing ignorance on their part that the stand-off over Safe Harbor is driven by legal rather than policy differences.  One has to wonder what these unnamed officials believe about the rule of law, given their opinion that the EU’s position is malleable and that the confrontation might be resolved by some high-level discussions in Davos.  Indeed, another strong warning shot was fired from Europe a few days later by Margrethe Vestager, the EU’s antitrust chief, who said that the collection of a vast amount of users’ data by a small number of tech companies like Google and Facebook could be in violation of EU competition rules.  

Also on January 14, Reuters reported that the Article 29 Working Party plans to meet in Brussels on February 2 to determine whether and how data transfers to the U.S. can continue in the absence of Safe Harbor.  Since disagreement exists among the data protection authorities about the viability of model contracts and BCRs in light of the CJEU Schrems decision, it is questionable whether they will be able to reach a common position in this matter.  While coordinated enforcement actions are likely to be announced against companies continuing to rely upon Safe Harbor, this being pretty much a slam dunk, coordinated enforcement in other areas may prove more difficult.

Thursday, January 14, 2016

How to Screw Up Employee Monitoring

The UK newspaper Daily Telegraph has provided a brilliant example of how NOT to engage in monitoring employees when it covertly installed motion and heat sensors recently on the under side of the desks of employees.  Arriving at work on January 11, journalists discovered the devices, googled the device's brand name, OccupEye, and found that they provided management with complete data about whether and when an employee is at their desk.  In the face of the ensuing firestorm of protest, with HR reported to be "frantically rowing back on it," the company claimed that the sensors had been installed for only four weeks as an environmental measure to determine office usage and to lower heating, cooling and lighting costs at times of low usage.  Four hours after BuzzFeed News contacted the Telegraph about the sensors, management announced that it was withdrawing them immediately.

So what did the Telegram do wrong?  Not informing employees of the monitoring would be at the top of the list.  Not consulting with union representatives would be another.  Failing to inform employees about how the desk usage data would, and would not, be used and retained, would be a third.  Put all these together and the result was that employees felt they were being spied on.  What a shame, given the highly plausible objective management claims to have been pursuing!

Stories like this reverberate around the globe.  In New Zealand, a rather naive tech journalist for Stuff.co.nz said that "while the Daily Telegraph has tried and failed at covertly monitoring its workers , it seems privacy laws would prevent any New Zealand employer from trying the same trick."  Uh, isn't what the Telegram did a violation of UK data protection law?  And since when did the existence of privacy laws "prevent" employers from violating them?  In Australia, the Telegram debacle led to an analysis of inconsistencies in privacy protections for employees across various states and territories.  The Australian Law Reform Commission (ALRC) called for uniform national laws on surveillance in the workplace in June 2014, but the federal government has not introduced the legislation that would be required.