News Archives

Tuesday, May 31, 2016

Privacy Shield on Life Support

Developments in the six weeks since the Article 29 Working Party panned the proposed EU-U.S. Privacy Shield agreement have left it in a critical state, with little chance that it will ever be successfully launched as the replacement for Safe Harbor.  

Here are the developments:

  • At the end of April, the U.S. Supreme Court approved amendments to Rule 41 of the Federal Rules of Criminal Procedure that allow judges to sign warrants authorizing federal authorities to hack into computers outside the judge's own district as part of a criminal investigation, and to use a single warrant to search multiple computers anywhere.  This substantial new surveillance capability takes effect on December 1, unless Congress takes it up before then and votes it down.  At a time when the EU has been pressing the U.S. to limit indiscriminate surveillance of its citizens, the new rule clearly bolsters the arguments of European critics about the unreliability of legal protections in the U.S. and could prove to be the nail in the coffin of any new data transfer agreement.
  • On May 19, the Article 31 Committee, composed of ministerial representatives of each of the EU's 28 member states, met and failed to reach agreement on the Privacy Shield.  The Committee, whose approval is needed if Privacy Shield is to go forward, concluded that more time was needed to consider the implications of the proposal.  A qualified majority, meaning 16 member states representing at least 65% of the EU's population, must approve the pact.
  • On May 23, an open letter from ministers in 14 member states was released, calling for more flexibility for businesses with respect to data protection.  A quick check of the population of the signatory countries (Belgium, Bulgaria, Czech Republic, Denmark, Estonia, Finland, Ireland, Latvia, Lithuania, Luxembourg, Poland, Slovenia, Sweden and the UK) reveals that together they account for only about 33% of the EU's population, so even the unanimous support of these more flexible states would fall well short of the 65% population threshold.  Achieving the approval of the Article 31 Committee for Privacy Shield appears most unlikely.
  • On May 26, the European Parliament approved a resolution calling for the European Commission to reopen negotiations with the U.S. and to fully implement the recommendations of the Article 29 Working Party.  The non-binding act was approved by 77% of the MEPs (501 votes to 119, with 31 abstentions).
  • On May 30, Giovanni Buttarelli, the European Data Protection Supervisor, slammed the proposed agreement as being "not robust enough to withstand future legal scrutiny before the Court" and called for significant improvements to it.  He also argued that the Privacy Shield would be only a short-term solution, since it is not compliant with the General Data Protection Regulation, which will apply from May 2018.
In response to these developments, the European Commission has reportedly pushed back its target date for launching the Privacy Shield from June to "sometime this summer."  Given that the Commission has been attempting to resolve surveillance issues with the U.S. government since 2013, the prospects for meeting even this target date are next to nil.

Chicken Little May be Right

The sky may indeed be falling: on May 25 it was reported that the Irish Data Protection Commissioner intends to seek a referral to Europe's top court, the Court of Justice of the European Union (CJEU), of the question whether standard contractual clauses are a valid basis for transfers of personal data to countries lacking an adequate level of data protection.  Once again, it is Max Schrems' complaint against Facebook, which led to the court's invalidation of the Safe Harbor framework last October, that is driving the referral.  Most observers agree with Schrems that the lack of protection for personal data stemming from U.S. government surveillance, which doomed transfers under Safe Harbor, applies equally to data transferred under model contracts.

CJEU invalidation of the use of standard contractual clauses for data transfers to the U.S. would greatly increase the risk of profound disruptions to international business, since it is widely believed that more companies, and certainly larger companies, rely upon such clauses rather than upon Safe Harbor as the legal basis for their data transfers.  In addition, model contracts are the chief mechanism used by European companies to transfer personal data to third countries around the world.  A CJEU ruling that standard contractual clauses cannot be relied upon without consideration of the recipient country's surveillance practices could jeopardize far more than business relationships with the United States.

And if model contracts go, can Binding Corporate Rules be far behind?  Or consent?  We live in interesting times.  Hang on!

France Edges Closer to Data Localization

In another sign of the significant and ongoing impact of the CJEU ruling on Safe Harbor and of concerns about surveillance by governments in the U.S. and elsewhere, on May 3 the French Senate amended a "Digital Republic" bill, previously passed by the National Assembly, to add a provision that would require personal data to be stored in data centers located in the European Union and prohibit its transfer to third countries outside the EU.  The bill also accelerates the applicability of a number of provisions of the General Data Protection Regulation, which will apply from May 25, 2018.  Given certain incompatibilities between the language of the bill and the GDPR, which, as a directly applicable regulation, leaves member states no room to impose their own restrictions on transfers to third countries, the final language of the bill is expected to change.

UK High Court: Employers Vicariously Liable for Data Breaches

Ruling in April in Axon v Ministry of Defence, the High Court of England and Wales found that employers can be liable for data breaches caused by rogue employees.  The case involved an MoD employee who was paid for passing information about a Royal Navy frigate commander's sacking to journalists, without the permission of her employer.  Although the claim against the MoD failed on other grounds, the court went on to conclude that, had the claim succeeded, the MoD would have been vicariously liable for any damages arising out of its employee's wrongdoing.  The decision underscores the need for employers to have data protection policies, programs and training in place to guard against inappropriate actions by employees who have access to sensitive personal information.