News Archives

Friday, April 29, 2016

US Digging In on Privacy Shield, German DPAs Seek Fast Track to CJEU

On April 20, Reuters reported that the U.S. does not want to change the substance of the Privacy Shield agreement, strong objections from the Article 29 Working Party notwithstanding.  According to Stefan Selig, U.S. Undersecretary of Commerce for International Trade, the U.S. would be wary of reopening the agreement.  In the face of such official lowering of expectations, on April 28 even Christopher Graham, the UK Information Commissioner who has staked out a laissez-faire posture with respect to enforcement actions against companies still relying upon Safe Harbor, called on the U.S. to answer the questions raised by the Working Party “as a first priority.”  Speaking at a conference in London, Graham went so far as to urge U.S. corporations to pressure their government to address the objections that have been raised.

In another sign of the frustration of data protection authorities with the current standoff over the legality of data transfers, German DPAs were said to have collectively adopted a resolution on April 20 calling upon the Federal Parliament to establish an independent right to legal action for data protection authorities against adequacy decisions of the European Commission.  Taking this initiative suggests that the DPAs anticipate that U.S. intransigence is backing the European Commission into a corner with no alternative but to proceed with an adequacy decision for the Privacy Shield agreement.  While the CJEU Schrems decision affirmed that DPAs have the authority to take enforcement actions in individual cases – including requiring the suspension of data transfers – the court also made clear that it alone had the ability to overturn and nullify an adequacy decision. Whether the Parliament will be responsive to the request of the DPAs remains to be seen. 

Friday, April 15, 2016

EU Parliament Passes GDPR

On April 14, the EU Parliament passed the General Data Protection Directive.  It is expected to come into force in July, and be directly applicable to all member states two years later.

Following by one day the rejection of the proposed Privacy Shield agreement by the Article 29 Working Party, what a week in the annals of European data protection!

Thursday, April 14, 2016

Art 29 WP Finds Privacy Shield Unacceptable

On April 13, the Article 29 Working Party issued a statement expressing "strong concerns" about both what it termed the "commercial" aspects of the Privacy Shield agreement and the surveillance of transferred personal data that it allows by U.S. public authorities.

Amongst the commercial issues that it asserted needed further clarification and improvement were purpose limitation, data retention, decisions based solely upon automated processing, onward transfers to third countries and overly complex recourse mechanisms for complainants. With respect to the proposed establishment of an ombudsman,  the Working Party voiced doubts that such an individual would have the authority and independence to be effective.  On the surveillance side, the Working Party asserted that the assurances provided by U.S. authorities do not go far enough to ensure that massive and indiscriminate surveillance will not occur.

All in all, while welcoming those aspects of the agreement that strengthen protections found in the invalidated Safe Harbor, the Working Party urged the European Commission to resolve the concerns it has expressed and provide the clarifications needed to improve its adequacy decision.  

Conspicuously lacking was any mention of model contracts, BCRs, enforcement actions or deadlines for the Commission to secure a stronger agreement with U.S. authorities, suggesting that the DPAs were unable to reach a consensus position on these difficult matters.  As a result, thousands of companies transferring data to the U.S. face an indefinite period of legal uncertainty and jeopardy that could last for months and longer.  While the UK ICO has already indicated that he will continue to give companies still relying upon Safe Harbor a pass, DPAs in Germany, Spain and France are unlikely to be so tolerant.

Saturday, April 9, 2016

German DPA: Privacy Shield Will Not be Approved by Art 29 WP

Next week is shaping up to be pivotal in the annals of European data protection.  Besides the expected final approval and promulgation of the General Data Protection Regulation, it appears that the week will also see the Article 29 Working Party reject the EU-U.S. Privacy Shield agreement.  According to a leak by the data protection authority of Baden-Württemberg, the Working Party will identify a number of issues that need to be addressed before it will be in a position to reach an overall conclusion on the draft adequacy decision for Privacy Shield prepared by the European Commission.  Less diplomatically and more pointedly, the Working Party was reported to be prepared to turn to the Court of Justice of the European Union if the Commission decides to launch the Privacy Shield program without fixing the problems that have been identified.

There was no mention in the leaked documents of what the regulators plan to do about enforcement actions against companies still relying upon Safe Harbor, during the time that the prospects for Privacy Shield remain in question.  In the absence of serious and significant enforcement actions, however, what incentive is there for the U.S. government to address the deficiencies in Privacy Shield should the Commission decide to continue negotiating?  From the U.S. perspective, a de facto indefinite grace period vis-à-vis enforcement is a desirable outcome.

Bottom line:  companies receiving personal data from Europe are likely to face at the very least an extended period of uncertainty about compliance with European data protection law and quite possibly significant enforcement actions should they continue to rely upon Safe Harbor.

Friday, April 8, 2016

GDPR About to be Approved

On Thursday, April 7, the EU Council of Ministers published the final text of the General Data Protection Regulation (GDPR) and initiated a highly expedited written procedure to effect its adoption by the Council no later than midnight on Friday, April 8.  Following its adoption, the text, translated into all the official languages of the member states, will be forwarded to the EU Parliament.  The Parliament is expected to approve the GDPR, along with the EU Policing and Criminal Justice Data Protection Directive, next week during its April 11-14 plenary sessions.

The glacial pace of reform of Europe’s data protection legislation, initiated by the European Commission’s first stakeholder consultation back in 2009, will now continue for two more years, until the GDPR comes into effect.  As of today, however, for the first time, there can be no debate about what the contents of the Regulation are, nor can companies claim they didn't know what was coming.