News Archives

Tuesday, May 31, 2016

Privacy Shield on Life Support

Developments in the six weeks since the Article 29 Working Party panned the proposed EU-U.S. Privacy Shield agreement have left it in a critical state, with little chance that it will ever be successfully launched as the replacement for Safe Harbor.  

Here are the developments:

  • At the end of April, the U.S. Supreme Court unilaterally amended Rule 41 of the Federal Rules of Criminal Procedure to allow judges to sign warrants allowing federal authorities to hack into computers outside a judge's jurisdiction as part of a criminal investigation and to use one warrant to search multiple computers anywhere.  This massive new surveillance capability will come into effect on December 1, unless Congress takes it up before then and votes it down.  At a time when the EU has been pressing the U.S. to limit indiscriminate surveillance of its citizens, the new rule clearly bolsters the arguments of European critics about the unreliability of legal protections in the U.S. and could prove to be the nail in the coffin of any new data transfer agreement.
  • On May 19, the Article 31 Committee, comprised of ministerial representatives of each of the EU’s 28 member states, met and failed to reach an agreement on the Privacy Shield.  The Committee, whose approval is needed if Privacy Shield is to go forward, concluded that more time was needed to consider the implications of the proposal.  A qualified majority, or 16 member states representing at least 65% of the EU’s population, must approve the pact.
  • On May 23, an open letter from ministers in 14 member states was released, calling for more flexibility for businesses with respect to data protection.  A quick check of the population of the signatory countries – Belgium, Bulgaria, Czech Republic, Denmark, Estonia, Finland, Ireland, Latvia, Luxembourg, Lithuania, Poland, Slovenia, Sweden and the UK – reveals that they comprise only 33% of the EU’s population.  Achieving the approval of the Article 31 Committee for Privacy Shield appears most unlikely.
  • On May 26, the European Parliament approved a resolution calling for the European Commission to reopen negotiations with the U.S. and to fully implement the recommendations of the Article 29 Working Party.  The non-binding act was approved by 77% of the MEPs (501 votes to 119, with 31 abstentions).
  • On May 30, Giovanni Buttarelli, Europe’s top data protection advisor, slammed the proposed agreement as being “not robust enough to withstand future legal scrutiny before the Court” and called for significant improvements in it.  He also argued that the Privacy Shield would be only a short-term solution, since it is not compliant with the General Data Protection Regulation, which will enter into force in May 2018.

In response to these developments, the European Commission has reportedly pushed back its target date for the launching of the Privacy Shield from June until “sometime this summer.”  With the Commission attempting to resolve surveillance issues with the U.S. government since 2013, the prospects for meeting this target date are next to nil.

Chicken Little May be Right

The sky may indeed be falling, with the May 25 report that the Irish Data Protection Commissioner was referring the question of the validity of standard contractual clauses as a basis for data transfers to countries lacking an adequate level of data protection to Europe’s top court, the Court of Justice of the European Union (CJEU).  Once again, it is Max Schrems’ complaint against Facebook, which led to the court’s invalidation of the Safe Harbor framework last October, that is driving the referral.  Most observers agree with Schrems that the lack of protection for personal data stemming from U.S. government surveillance of data transferred under Safe Harbor applies equally well to data transferred under model contracts.  

CJEU invalidation of the use of standard contractual clauses for data transfers to the U.S. would exponentially increase the risks of profound disruptions in international business, since it is widely believed that more companies, and certainly larger companies, rely upon such clauses than upon Safe Harbor as the legal basis for their data transfers.  In addition, model contracts are the chief mechanism used by European companies to transfer personal data to third countries around the world.  A CJEU ruling that standard contractual clauses cannot be utilized without consideration of the recipient country’s surveillance practices could jeopardize far more than business relationships with the United States.

And if model contracts go, can Binding Corporate Rules be far behind?  Or consent?  We live in interesting times.  Hang on!

France Edges Closer to Data Localization

In another sign of the significant and ongoing impact of the CJEU ruling on Safe Harbor and concerns about surveillance by governments in the U.S. and elsewhere, the French Senate on May 3 amended a “Digital Republic” bill, previously passed by the National Assembly, with a provision that would require the storage of personal data in data centers located in the European Union and prohibit the transfer of personal data to a non-EU third country. The bill also accelerates the applicability of a number of provisions of the General Data Protection Regulation, which will come into effect on May 25, 2018.  Given certain incompatibilities between the language of the bill and the GDPR, which prohibits member states from restricting transfers to third countries, the final language of the bill is expected to change.

UK High Court: Employers Vicariously Liable for Data Breaches

Ruling in April in Axon v Ministry of Defence, the High Court of England and Wales found that employers can be liable for data breaches caused by rogue employees.  The case involved an MoD employee who received compensation for passing on information about a Royal Navy frigate commander’s sacking to journalists without the permission of her employer.  Although the charges against the employer were dismissed on other grounds, the court parenthetically concluded that had the claimant had a valid claim, the MoD would have been vicariously liable for any damages arising out of its employee’s wrongdoing.  The decision underscores the need for employers to have data protection policies, programs and training in place to guard against inappropriate actions by employees who have access to sensitive personal information.

Friday, April 29, 2016

US Digging In on Privacy Shield, German DPAs Seek Fast Track to CJEU

On April 20, Reuters reported that the U.S. does not want to change the substance of the Privacy Shield agreement, strong objections from the Article 29 Working Party notwithstanding.  According to Stefan Selig, U.S. Undersecretary of Commerce for International Trade, the U.S. would be wary of reopening the agreement.  In the face of such official lowering of expectations, on April 28 even Christopher Graham, the UK Information Commissioner who has staked out a laissez-faire posture with respect to enforcement actions against companies still relying upon Safe Harbor, called on the U.S. to answer the questions raised by the Working Party “as a first priority.”  Speaking at a conference in London, Graham went so far as to urge U.S. corporations to pressure their government to address the objections that have been raised.

In another sign of the frustration of data protection authorities with the current standoff over the legality of data transfers, German DPAs were said to have collectively adopted a resolution on April 20 calling upon the Federal Parliament to establish an independent right to legal action for data protection authorities against adequacy decisions of the European Commission.  Taking this initiative suggests that the DPAs anticipate that U.S. intransigence is backing the European Commission into a corner with no alternative but to proceed with an adequacy decision for the Privacy Shield agreement.  While the CJEU Schrems decision affirmed that DPAs have the authority to take enforcement actions in individual cases – including requiring the suspension of data transfers – the court also made clear that it alone had the ability to overturn and nullify an adequacy decision. Whether the Parliament will be responsive to the request of the DPAs remains to be seen. 

Friday, April 15, 2016

EU Parliament Passes GDPR

On April 14, the EU Parliament passed the General Data Protection Regulation.  It is expected to come into force in July, and be directly applicable to all member states two years later.

Coming just one day after the Article 29 Working Party’s rejection of the proposed Privacy Shield agreement, what a week in the annals of European data protection!

Thursday, April 14, 2016

Art 29 WP Finds Privacy Shield Unacceptable

On April 13, the Article 29 Working Party issued a statement expressing "strong concerns" about both what it termed the "commercial" aspects of the Privacy Shield agreement and the surveillance of transferred personal data that it allows by U.S. public authorities.

Amongst the commercial issues that it asserted needed further clarification and improvement were purpose limitation, data retention, decisions based solely upon automated processing, onward transfers to third countries and overly complex recourse mechanisms for complainants.  With respect to the proposed establishment of an ombudsman, the Working Party voiced doubts that such an individual would have the authority and independence to be effective.  On the surveillance side, the Working Party asserted that the assurances provided by U.S. authorities do not go far enough to ensure that massive and indiscriminate surveillance will not occur.

All in all, while welcoming those aspects of the agreement that strengthen protections found in the invalidated Safe Harbor, the Working Party urged the European Commission to resolve the concerns it has expressed and provide the clarifications needed to improve its adequacy decision.  

Conspicuously lacking was any mention of model contracts, BCRs, enforcement actions or deadlines for the Commission to secure a stronger agreement with U.S. authorities, suggesting that the DPAs were unable to reach a consensus position on these difficult matters.  As a result, thousands of companies transferring data to the U.S. face an indefinite period of legal uncertainty and jeopardy that could last for months or longer.  While the UK ICO has already indicated that he will continue to give companies still relying upon Safe Harbor a pass, DPAs in Germany, Spain and France are unlikely to be so tolerant.