News Archives

Friday, April 29, 2016

US Digging In on Privacy Shield, German DPAs Seek Fast Track to CJEU

On April 20, Reuters reported that the U.S. does not want to change the substance of the Privacy Shield agreement, strong objections from the Article 29 Working Party notwithstanding.  According to Stefan Selig, U.S. Undersecretary of Commerce for International Trade, the U.S. would be wary of reopening the agreement.  In the face of such official lowering of expectations, on April 28 even Christopher Graham, the UK Information Commissioner who has staked out a laissez-faire posture with respect to enforcement actions against companies still relying upon Safe Harbor, called on the U.S. to answer the questions raised by the Working Party “as a first priority.”  Speaking at a conference in London, Graham went so far as to urge U.S. corporations to pressure their government to address the objections that have been raised.

In another sign of the frustration of data protection authorities with the current standoff over the legality of data transfers, German DPAs were said to have collectively adopted a resolution on April 20 calling upon the Federal Parliament to establish an independent right to legal action for data protection authorities against adequacy decisions of the European Commission.  Taking this initiative suggests that the DPAs anticipate that U.S. intransigence is backing the European Commission into a corner with no alternative but to proceed with an adequacy decision for the Privacy Shield agreement.  While the CJEU Schrems decision affirmed that DPAs have the authority to take enforcement actions in individual cases – including requiring the suspension of data transfers – the court also made clear that it alone had the ability to overturn and nullify an adequacy decision. Whether the Parliament will be responsive to the request of the DPAs remains to be seen. 

Friday, April 15, 2016

EU Parliament Passes GDPR

On April 14, the EU Parliament passed the General Data Protection Directive.  It is expected to come into force in July, and be directly applicable to all member states two years later.

Following by one day the rejection of the proposed Privacy Shield agreement  by three Article 29 Working Party, what a week in the annals of European data protection!

Thursday, April 14, 2016

Art 29 WP Finds Privacy Shield Unacceptable

On April 13, the Article 29 Working Party issued a statement expressing "strong concerns" about both what it termed the "commercial" aspects of the Privacy Shield agreement and the surveillance of transferred personal data that it allows by U.S. public authorities.

Amongst the commercial issues that it asserted needed further clarification and improvement were purpose limitation, data retention, decisions based solely upon automated processing, onward transfers to third countries and overly complex recourse mechanisms for complainants. With respect to the proposed establishment of an ombudsman,  the Working Party voiced doubts that such an individual would have the authority and independence to be effective.  On the surveillance side, the Working Party asserted that the assurances provided by U.S. authorities do not go far enough to ensure that massive and indiscriminate surveillance will not occur.

All in all, while welcoming those aspects of the agreement that strengthen protections found in the invalidated Safe Harbor, the Working Party urged the European Commission to resolve the concerns it has expressed and provide the clarifications needed to improve its adequacy decision.  

Conspicuously lacking were any mention of model contracts, BCRS, enforcement actions or deadlines for the Commission to secure a stronger agreement with U.S. authorities, suggesting that the DPAS were unable to reach a consensus position on these difficult matters.  As a result, thousands of companies transferring data to the U.S. face an indefinite period of legal uncertainty and jeopardy that could last for months and longer.  While the UK ICO has already indicated that he will continue to give companies still relying upon Safe Harbor a pass, DPAS in Germany, Spain and France are unlikely to be so tolerant.

Saturday, April 9, 2016

German DPA: Privacy Shield Will Not be Approved by Art 29 WP

Next week is shaping up to be pivotal in the annals of European data protection.  Besides the expected final approval and promulgation of the General Data Protection Regulation, it appears that the week will also see the Article 29 Working Party reject the EU-U.S. Privacy Shield agreement.  According to a leak by the data protection authority of Baden-Württemberg, the Working Party will identify a number of issues that need to be addressed before it will be in a position to reach an overall conclusion on the draft adequacy decision for Privacy Shield prepared by the European Commission.  Less diplomatically and more pointedly, the Working Party was reported to be prepared to turn to the Court of Justice of the European Union if the Commission decides to launch the Privacy Shield program without fixing the problems that have been identified.
There was no mention in the leaked documents of what the regulators plan to do about enforcement actions against companies still relying upon Safe Harbor, during the time that the prospects for Privacy Shield remain in question.  In the absence of serious and significant enforcement actions, however, what incentive is there for the U.S. government to address the deficiencies in Privacy Shield should the Commission decide to continue negotiating?  From the U.S. perspective, a de facto indefinite grace period vis-à-vis enforcement is a desirable outcome.

Bottom line:  companies receiving personal data from Europe are likely to face at the very least an extended period of uncertainty about compliance with European data protection law and quite possibly significant enforcement actions should they continue to rely upon Safe Harbor.

Friday, April 8, 2016

GDPR About to be Approved

On Thursday, April 7, the EU Council of Ministers published the final text of the General Data Protection Regulation (GDPR) and initiated a highly expedited written procedure to effect its adoption by the Council no later than midnight on Friday, April 8.  Following its adoption, the text, translated into all the official languages of the member states, will be forwarded to the EU Parliament.  The Parliament is expected to approve the GDPR, along with the EU Policing and Criminal Justice Data Protection Directive, next week during its April 11-14 plenary sessions.                                                                                                                                              
The glacial pace of reform of Europe’s data protection legislation, initiated by the European Commission’s first stakeholder consultation back in 2009, will now continue for two more years, until the GDPR comes into effect.  As of today, however, for the first time, there can be no debate about what the contents of the Regulation are, nor can companies claim they didn't know what was coming.

Thursday, March 31, 2016

Turkey Enacts Data Protection Law

On March 24, the Turkish Parliament adopted the Law on Personal Data Protection, legislation modeled upon the EU Data Protection Directive that had been under consideration for nine years.  The move followed the ratification, five weeks earlier, of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), some 35 years after Turkey first signed it.  The new law is expected to be ratified by the President and published in the Official Gazette within a few weeks, according to attorneys with BTS Legal.  Furthermore, while there will be a two-year transitional period before the law comes into effect for existing data processing operations, new processing will have to be carried out in compliance with the law immediately.  In a sign of commitment to enforcement, a Personal Data Protection Authority will be established with a staff of 200 and the power to impose fines of up to 300,000 euros and prison sentences of up to four years in cases of non-compliance.
The recent summit meetings of European and Turkish leaders over the refugee crisis, which led to a commitment by the EU to accelerate accession talks with Turkey, clearly were instrumental in moving data protection legislation forward.  Given the instability in Turkey stemming from millions of Syrian refugees and what borders on a civil war with Kurdish separatists, as well as the increasingly autocratic actions by Turkey’s government, the passage of long-deferred data protection legislation is certainly an unexpected but positive development.  It is also an affirmation that respect for privacy can be acknowledged even by repressive governments.

Update:  Following ratification by the President, the Law on Personal Data Protection was published in the Official Gazette on April 7 and came into force.

Google Fined in France over ‘Right to be Forgotten’

On March 24, the French data protection agency (CNIL) announced it had fined Google 100,000 euros  (about $117,000) for failing to adequately remove links to inaccurate, out-of-date and irrelevant data from its search engine results.  Google had responded to the CNIL’s orders, which were based upon the landmark Court of Justice of the European Union ruling in the 2014 Costeja case, by incrementally expanding the scope of its link-scrubbing.  At first it made the links unavailable only to individuals searching the national versions of its search engine, such as and  Then, under continued pressure from the CNIL, the company began using geo-location data, such as ISP addresses, to make the links unavailable to anyone searching from the EU member state where the take-down request originated.  Pointing out that a web searcher can easily cross member state lines in Europe or use a VPN connection to mask his or her location, the CNIL rejected this compromise and issued its fine.  If its past actions are any guide, Goggle is likely to challenge the fine in court.