News Archives

Friday, February 24, 2017

Irish High Court Hears Challenge to Model Contracts

On February 2, the High Court of Ireland began hearing a case brought by the country’s Data Protection Commissioner, Helen Dixon, urging the court to request a ruling from the Court of Justice of the European Union (CJEU) as to the validity of standard contractual clauses as a mechanism for the transfer of personal data to the U.S. from the EU.  The case first arose as a complaint to the Commissioner from privacy activist Maximillian Schrems about access by U.S. government security agencies to information in his Facebook account that had been transferred from Ireland utilizing standard contractual clauses.  Through his attorney, Schrems has argued that the Commissioner, having made a draft finding in May 2016 that his objections were well-founded, has the authority to suspend the data transfers and that there is no need to send the matter to the CJEU.  An attorney for Facebook contended that the Commissioner’s draft finding was deeply flawed and overtaken by developments such as the conclusion of the Privacy Shield framework agreement.  Submissions to the court were also made by the U.S. government, a US privacy law expert, EPIC, the ACLU, the Business Software Alliance and Digital Europe.  The proceedings, originally expected to run for three weeks, appear to be headed for at least five.

Invalidation of standard contractual clauses would have a profound, if not devastating, impact upon nearly a trillion dollars of trans-Atlantic trade, since model contracts are by far the primary data transfer mechanism used by U.S. companies.  Should the High Court refer the issue of the validity of model contracts to the CJEU, that court may decide to first take up the challenge to Privacy Shield pending before it by Digital Rights Ireland.  Since the EU Data Protection Directive was enacted 22 years ago, there has never been a more turbulent and uncertain regulatory environment around data transfers to the U.S.

Friday, January 13, 2017

Surveillance Developments May Doom Privacy Shield

As the clock ticks towards the first annual joint review of how U.S. surveillance activities can be reconciled with the EU-U.S. Privacy Shield framework, recent developments are hardly promising:
  • On December 1, the government received new hacking powers when Congress failed to block the changes to Rule 41 of Federal Criminal Procedure that were approved by the Supreme Court in April. Sen. Ron Wyden (D-OR) called this “one of the biggest mistakes in surveillance policy in years,” with one judge being able to use a single warrant to hack thousands and possibly millions of cellphones and tablets.
  • On January 11, EU Justice Commissioner Vera Jourova stated that the U.S. has not satisfied the EU’s concerns about Yahoo's scanning of all customers' incoming emails for intelligence purposes.  The European Commission had asked the U.S. in November for an explanation of the Yahoo scanning, making this a test case for how forthcoming the U.S. would be in clarifying its surveillance practices.  According to Jourova, "I am not satisfied because to my taste the answer came relatively late and relatively general, and I will make clear at the first possible opportunity to the American side that this is not how we understand good, quick and full exchange of information."
Mass and indiscriminate surveillance by U.S. authorities was what led to the invalidation of the Safe Harbor framework by the European Court of Justice in October 2015.  With President-elect Trump speaking in favor of stronger surveillance measures during his campaign, it is becoming increasingly difficult to see how the Privacy Shield framework will be able to survive its first annual joint review. 

Update:  On January 25, President Trump issued an executive order on enhancing public safety that directed agencies to exclude non-U.S. citizens from Privacy Act protections.  Since legal redress via the Privacy Act is one of the underpinnings of Privacy Shield, the order prompted broad debate as to whether it would lead to the collapse of the framework.  Most observers subsequently concluded that because of an exception made for applicable law, the order did not withdraw Privacy Act protection from personal data transferred from Europe.  Nevertheless, the European Commission was reported to be seeking written confirmation of this interpretation of the order.

Swiss Reach Privacy Shield Agreement with U.S.

On January 11, Switzerland announced that it has reached a Privacy Shield agreement with the U.S., paralleling the one reached between the U.S. and the EU and succeeding the U.S.-Swiss Safe Harbor Framework.  The documents comprising the framework were published on the website of the Federal Data Protection and Information Commissioner (FDPIC).  According to the FDPIC:  "Following finalisation of Privacy Shield, US companies can start the certification process with the DOC within a 3-month period, during which the FDPIC will not undertake enforcement actions. The DOC will then publish a list of all certified companies on its website. The FDPIC will provide a link to this list and to all the relevant documents on its website as soon as this information is available."  In a statement released the following day, the International Trade Administration of the Dept. of Commerce indicated that it would begin accepting certifications under the new framework on April 12 and that additional information would be forthcoming on the Privacy Shield website.

Sunday, January 1, 2017

Right to Disconnect Law Enacted in France

As of January 1, French workers have the right to ignore work-related communications outside of typical working hours, courtesy of a provision in a new employment law designed to combat the intrusion of work into private life. The so-called “right to disconnect” law addresses the health and social impacts of an always-on work culture increasingly leading to “info-obesity” in the workforce. Companies with 50 or more employees will be obliged to negotiate over off-hour communications and at the very least, publish a policy making explicit the demands on, and rights of, employees outside of working hours.  While there are no penalties for companies failing to observe the law, this could change should compliance lag. Companies that had previously implemented measures to limit the role of out-of-hours messaging in worker burnout include telecom firm Orange, nuclear power company Areva and insurer Axa in France, and automakers Volkswagen and Daimler in Germany.

Wednesday, December 28, 2016

CJEU Rejects Mass Surveillance Again in UK Case

On December 21, the Court of Justice of the European Union unequivocally re-affirmed that “general and indiscriminate retention of traffic data and location data” was contrary to EU law, echoing its invalidation of the Data Retention Directive in the 2014 Digital Rights Ireland case.  The current decision, in a case variously referred to as either Tele2 or Watson, arose as a challenge within the UK against the 2014 Data Retention and Investigatory Powers Act (DRIPA), brought by Tom Watson, deputy leader of the Labour Party, amongst others. Since DRIPA was superseded by the enactment of the Investigatory Powers Act 2016 last month, and the IPA – dubbed by critics the Snooper’s Charter – gives even wider and more intrusive powers of mass surveillance to the government, the IPA is also likely to be unlawful under EU law.  While the CJEU decision does not directly address the legality of the IPA, it clearly supports legal challenges against it likely to come from privacy groups.

Given Brexit, the new ruling places the UK in a difficult bind at a time when Brexit itself is enormously challenging.  The government can ignore the ruling but thereby risk not obtaining a future adequacy ruling from the European Commission that will be needed to ensure the continuance of data exchanges with the EU, or it can re-open what was a wrenching and divisive debate on the Investigatory Powers Act with a view to bringing it into conformity with EU law.

Tuesday, December 27, 2016

Eyeing GDPR, EU Member States Updating DP Laws

The EU General Data Protection Regulation comes into force directly and immediately across all member states of the European Union on May 25, 2018, without any need for enabling legislation to be passed by national governments.  It is a Regulation after all, not a Directive, and is designed to establish a single and consistent base DP law across the EU. So what should be made of all the reports by reliable media sources about this or that member state – Germany, France, Spain, the Netherlands – working on new data protection laws to implement the Regulation? The simple answer is that reporters on arcane matters like data protection law can easily choose the wrong words.  But more importantly, what is really going on?  What are these mis-identified “implementing” laws all about?

In general, these new member state laws, which anticipate the GDPR and amend current national data protection legislation, have one or both of the following objectives:
  • to bring certain provisions of the GDPR into effect prior to May 25, 2018; or
  • to legislate in areas not directly addressed by the GDPR but in which the GDPR allows member states a margin of maneuver or derogation to enact supplemental laws.
Examples of member states advancing the effective date of certain GDPR provisions include The Netherlands (which implemented a data breach notification requirement in January) and France (where the Digital Republic Bill enacted in October increased the fines that can be imposed by CNIL to €3 million – still far below the maximum level set by the GDPR – and also introduced the right to data portability).

Examples of member states working on supplemental or complementary legislation include Spain (which is reported to be preparing a draft bill for consultation in February 2017 to harmonize its broad-based Organic Law on Data Protection with the GDPR) and Germany (which is attempting once again to legislate protections specifically directed to the employment context).

Multi-national companies have an easier time dealing with legislative changes in the first category, since these are basically timing issues.  Those in the second category are more troublesome, since they detract from the promise of a single, consistent data protection standard across the EU.  On the bright side, the differences between member states are likely to be far less stark and frustrating than those that have prevailed over the past 20 years.

Working Party Issues Guidance on GDPR Implementation

Following a plenary meeting in mid-December, the Article 29 Working Party released guidelines and FAQs on three major implementation topics under the General Data Protection Regulation:  the right to data portability, Data Protection Officers, and the lead supervisory authority (“one-stop-shop”). The 61 pages of guidance need to be closely analyzed by companies preparing for the May 2018 effective date of the GDPR. The WP29 invited comments on the guidance from stakeholders through the end of January 2017, suggesting that they were open to further refinements.  Additional guidance, on data protection impact assessments and on certification, is scheduled for release in 2017.  The Working Party also indicated that it is working on steps necessary to establish the European Data Protection Board called for by the GDPR, and announced that it will take on the role of the “EU centralized body” referenced in the Privacy Shield framework as the EU complaint-handling entity.