News Archives

Monday, February 29, 2016

Details of EU-U.S. Privacy Shield Released

On the last day of February, the European Commission released all of the documents and details of the newly-negotiated EU-U.S. Privacy Shield (available here).  The most relevant information for companies is contained in Annex II, EU-U.S. Privacy Shield Framework Principles Issued by the U.S. Department of Commerce.  This is the previously missing beef on the bone:  34 pages of requirements to be met by participants in the new framework. Judged by volume and weight, we appear to have a substantial new program and one that will require careful analysis to understand and evaluate.  

Thursday, February 25, 2016

French, German Legislators Increase Exposure for DP Violations

On January 26, the French National Assembly passed a bill that would immediately give the CNIL the same sanctioning power it would otherwise receive only when the General Data Protection Regulation comes into effect in 2018.  In particular, the CNIL would be empowered to impose fines of up to 20 million euros or up to 4% of an organization’s total worldwide annual turnover, far above its current maximum fine of 150,000 euros.  While the bill also adopts other requirements found in the GDPR, such as the right to data portability and new limits on data retention, the increase in potential penalties is the most significant, given that the CNIL currently has enforcement actions in various stages of development against both Facebook and Google.  The Digital Rights Bill is now pending before the Senate, where its passage is expected sometime this year.

Meanwhile, in Germany the long-heralded “Act to Improve the Civil Enforcement of Consumer Protection Provisions of Data Protection Law” came into effect on February 24. Under the new law, consumer protection organizations may initiate legal actions against companies for data protection violations in advertising and marketing, opinion research, the creation of personal profiles and the sale of addresses and personal data to third parties. While courts may not award damages in cases filed under the law, the negative publicity engendered should be a powerful penalty.  Suggesting awareness by the legislators of the present murk surrounding the EU-US Privacy Shield, consumer organizations are expressly denied the right to make claims involving data transfers made before October 6, 2015 under Safe Harbor until September 30, 2016. Consumer organizations in Germany, traditionally quite active, are expected to take advantage of the new law without delay.  A summary of key provisions of the law, which introduces legal recourse somewhat akin to class action lawsuits, may be found here.

Sunday, February 21, 2016

What Should a Safe Harbor Company Do?

Facing at least 3-4 additional months of regulatory uncertainty around transfers of personal data from Europe as Privacy Shield developments unfold, what should a US company that had previously relied upon the Safe Harbor framework do? 

The regulators on both sides of the Atlantic have offered little practical guidance.  In the U.S., the Dept. of Commerce continues its preposterous and indefensible charade that Safe Harbor remains open for business and still provides a streamlined way for participating organizations to comply with European privacy requirements.  The agency’s message seems to be that this whole Schrems brouhaha is a European problem and that Safe Harbor companies should sit tight and bide their time, while the Department sorts things out with the Europeans.  

In the EU, the DPAs have said little collectively besides indicating that new transfers under Safe Harbor are not allowed and that model contracts and BCRs are at least temporarily acceptable, although they too could be found invalid in the months ahead.  The Article 29 Working Party has been silent on some key questions, such as: What should be done with data transferred before the Schrems decision? If a company transfers the same data sets, using the same systems, after the Schrems decision that it did before, is that a “new transfer”?  Is there a grace period in enforcement while companies move towards alternatives such as model contracts and BCRs?  Or one that extends until the continued viability of these options is established?

The reason for the lack of guidance from the Article 29 Working Party is at least understandable: they have been unable to reach a consensus on what guidance to give.  Instead, we see individual DPAs proceeding in significantly different directions:

  • In the UK, the ICO has urged companies to keep calm and not rush to other transfer mechanisms that may turn out to be less than ideal.  The ICO took the position in October 2015 that Safe Harbor at least provides some genuine protections for transferred data, that UK data controllers have the right under UK law to make their own adequacy assessments and that it had little appetite to go after companies continuing to rely upon Safe Harbor.  On February 11, 2016, acknowledging that companies have been seeking additional clarity about data transfers to the US, the ICO re-affirmed its hands-off approach and said that any further guidance would have to await the completion of assessments of the Privacy Shield and a European Commission decision on its adequacy.
  • In Germany, by contrast, the Schleswig-Holstein DPA announced in mid-October 2015 that data transfers to the US based upon model contracts should be terminated or suspended, with DPAs in Bremen and Berlin concurring with this definitive position the following day.  A week or so later, all the German DPAs stated that they would not approve any new transfers of data based upon BCRs or ad hoc data export contracts. 
  • In Spain, the AEPD announced on November 27 that it had sent a letter to all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies, giving them until January 29, 2016 to inform the authority of what mechanisms for data transfers they were now using.
  • In France, the CNIL let actions speak louder than words in announcing on February 8, 2016 that it had given Facebook three months to either cease transfers of personal data to the US on the basis of Safe Harbor or face sanctions.

This divergence of enforcement stances is likely to accelerate in the months ahead, in what might prove to be the largest but last display of decentralized regulatory decision-making before the General Data Protection Directive comes into effect. 

So, in this highly uncertain regulatory environment and returning to our main question, what should a US company that had previously relied upon the Safe Harbor framework do?

At a minimum, privacy policies and notices that reference Safe Harbor should be amended to acknowledge the current situation and the ongoing bilateral efforts to forge a new agreement, while pledging continued adherence to the Safe Harbor Privacy Principles in the processing of any personal data transferred under the framework.  Failure to make such an amendment would be indefensible, violating the basic principles of notice and choice that constitute the foundation of the Safe Harbor framework.  Such a stance could also undermine the integrity of US management in the eyes of European employees and colleagues.  In addition, a commitment to either explore or pursue use of an alternative transfer mechanism should be included in any amended notice, if in fact a decision has been reached to do so.

Beyond that, a company should take into account its jurisdictional footprint in the EU and the depth of its commitment to obey the laws of nations in which it operates.  The compliance challenge for a US company with employees only in the UK or Ireland is clearly far different from one with employees only in Germany or France.  The former can afford to follow the Dept. of Commerce-UK ICO line and sit tight, although it may not want to if it recognizes the shallowness and expediency of such an understanding of European data protection law.

Companies operating in any of the member states with a more active data protection authority need to be guided by the advice provided by each.  If model contracts or BCRs are the only available data transfer options in a particular member state, these should be evaluated and pursued if appropriate.  Nothing satisfies a European DPA more than genuine efforts being made to come into compliance, even if this takes time to achieve.  Situations in which the advice of one DPA is incompatible with that of another will require flexibility and creative problem-solving. 

Where model contracts or BCRs prove to be impractical or undesirable, there is simply no other alternative, if a company operating in the EU is to avoid acting illegally, but to stop transferring personal data from the EU to the US in a bulk and recurring manner.  This could be done by processing European personal data solely within Europe, or by transferring only aggregate, statistical or pseudonymous data to the US.  Transfers of limited amounts of personal data in highly defined contexts – such as the identifying information needed for the registration and exercise of stock options – fortunately may continue on the basis of consent under existing regulatory guidance.

As disruptive and undesirable as such changes may be, European data protection law will require them if the new Privacy Shield agreement fails to come to fruition or to pass regulatory and legal scrutiny.  Safe Harbor companies should begin planning for such an eventuality.  No one hopes it will come to this, but it could happen.

Thursday, February 11, 2016

CNIL Gives Facebook Three Months to Obey DP Law

Following onsite and online investigations, the French data protection authority, the CNIL, issued a formal notice on February 8 giving Facebook three months to stop violating the fundamental rights and interests of its users. Should Facebook fail to comply within the time limit, the CNIL will begin the process of imposing sanctions on the company. Quoting from its notice, Facebook has violated the French Data Protection Act in the following five ways:
  • FACEBOOK collects, without prior information, data concerning the browsing activity of Internet users who do not have a FACEBOOK account. Indeed, the company does not inform Internet users that it sets a cookie on their terminal when they visit a FACEBOOK public page (e.g. page of a public event or of a friend). This cookie transmits to FACEBOOK information relating to third-party websites offering FACEBOOK plug-ins (e.g. Like button) that are visited by Internet users.
  • The social network collects data concerning the sexual orientation and the religious and political views without the explicit consent of account holders. In addition, Internet users are not informed on the sign up form with regard to their rights and the processing of their personal data.
  • The website also sets cookies that have an advertising purpose without properly informing and obtaining the consent of Internet users.
  • FACEBOOK compiles all the information it has on account holders to display targeted advertising (information provided by the Internet users themselves, collected by the website and by other companies of the group, and transmitted by commercial partners). As it is, the company provides no tools for account holders to prevent such compilation, which thereby violates their fundamental rights and interests, including their right to respect for private life.
  • FACEBOOK transfers personal data to the United States on the basis of Safe Harbor, although the Court of Justice of the European Union declared invalid such transfers in its ruling of October 6, 2015.

The last bullet point is particularly interesting.  Although Facebook has stated to the media in other contexts that it uses model contracts and doesn’t rely upon Safe Harbor, it has failed to modify its Privacy Policy, which still says that it complies with the US-EU and US-Swiss Safe Harbor framework.  This should be a cautionary tale to companies that continue to rely upon Safe Harbor and have not revised their privacy policies accordingly.  Other Internet giants, such as Salesforce and Twitter, shifted to reliance upon model contracts shortly after the October 2015 CJEU ruling.  The CNIL’s formal notice is also noteworthy for being the first significant action taken against a US company over data transfers under Safe Harbor.  By keeping Safe Harbor open for business, the US Dept. of Commerce remains complicit in similar violations of European law by US companies.

According to Fortune, the larger challenge to Facebook in the CNIL notice is its clear opposition to the profiling of users, which could hammer the advertising giant’s business model and profits. Regulators in Belgium, the Netherlands, Spain and Hamburg have been working with the CNIL on these profiling issues and additional enforcement actions directed against Facebook can be anticipated from them as well.

Facebook's response to the CNIL order?  A spokesperson was quoted as saying "We are confident that we comply with European data protection law and look forward to engaging with the CNIL to respond to their concerns."  Such confidence, ill-advised and arrogant, hardly reflects well upon the acuity of Facebook's legal team if taken at face value.

Sunday, February 7, 2016

Moment of Truth for the DPAs

In the six days since the European Commission announced an agreement with the US on a new framework for transatlantic data flows, the following developments are the most salient:
  • No new details about the framework have emerged.
  • Neither the Commission nor US officials have established any deadline for completion of the negotiations or indicated any limit to how long the talks may continue.
  • Isabel Falque-Pierrotin, the chair of the Article 29 Working Party, has said that it is likely to be at least mid-to-late April before the Working Party is able to reach a position on whether the Privacy Shield offers sufficient protection for European data. Her estimate assumes that the agreement will be finalized and all relevant documents provided to the Working Party by the end of February.
  • Falque-Pierrotin re-affirmed previous statements from the Working Party that companies continuing to rely upon Safe Harbor risk being subject to enforcement action immediately, while those relying upon model contracts or BCRs may continue to do so until the Working Party’s evaluation of the Privacy Shield has been completed.
  • Even if the agreement is finalized at some point, it will take additional months to put the guarantees it calls for, such as the creation of an Ombudsman in the US State Department and enactment of the Judicial Redress Act, in place.  Companies will not be able to participate in the new framework until such measures have been implemented.
  • Both supporters and critics of the Privacy Shield expect it to face significant legal challenges from privacy advocates and consumer groups in Europe.

After three months of anticipation that a definitive moment of regulatory clarity was at hand, where do these developments leave us?  Sadly, in a state of murk, confusion and uncertainty that could last for many months.  Whether the EU’s 44 independent data protection authorities will swallow further delays that could be indefinite and defer enforcement actions that are within their powers is the big question.  Prognostication in these matters is always risky, but it is difficult to imagine that they will not initiate coordinated enforcement actions within the next few weeks against companies still relying upon Safe Harbor.

Update:  On February 8, Forbes reported that Commissioner Jourova had tweeted the previous day that the texts of the Privacy Shield are "being finalized" and will be "unveiled" during the second half of February.  Whether this time frame represents her aspiration or something more concrete remains to be seen.  

Wednesday, February 3, 2016

EU-US Agreement Reached but Details Lacking

On Monday, February 2 the European Commission announced that it had reached an agreement with the US on a new framework for transatlantic data flows.  Details of the agreement, to be called the EU-US Privacy Shield, have not been released and judging from testimony by Justice Commissioner Vera Jourova before the Parliament’s LIBE Committee, these details have not been finalized between the EU and the US.  As might be expected, the very sketchy announcement drew expressions of support from industry trade groups in the US and expressions of doubt from privacy advocates in the EU Parliament and elsewhere.  That “the devil is in the details” was a frequent refrain heard from the parliamentarians. 

Under these circumstances, with the Commission barely meeting the Article 29 Working Party’s end-of-January deadline, the Working Party had little choice but to allow more time to evaluate the agreement.  According to a statement released on February 3, the Working Party welcomes the conclusion of the negotiations between the EU and the US and looks forward to receiving the documents it needs to evaluate its viability, requesting receipt of them by the end of February.  In the meantime, the Working Party re-affirms that data transfers under Safe Harbor are unacceptable and that standard contractual clauses and BCRs may be relied upon for the time being. 

Phil Lee from Fieldfisher was first out of the box with an excellent blog on issues relating to the new agreement, not the least of which is market acceptance.  However, one issue not discussed anywhere, as far as I can tell, is what the obligations of US companies will be under the Privacy Shield and how they will become operative.  As announced, the agreement addresses only high-level questions associated with surveillance and its aftermath, making no mention of what privacy standards and practices will be required of companies that may want to avail themselves of its protections.  What has become of the thirteen recommendations for Safe Harbor reform advanced by the Commission back in 2013?  In short, where is the beef on the Privacy Shield bone?