News Archives

Thursday, June 30, 2016

Commission Pressing Ahead with Privacy Shield Launch

On June 24, after months of difficult negotiations with U.S. authorities, the European Commission sent the text of a revised Privacy Shield agreement to the members of the Article 31 Committee for a vote scheduled to occur on July 4.  Should the agreement receive the Committee’s approval and subsequent pro forma endorsement by the College of Commissioners, Privacy Shield could be officially launched prior to the August recess.  According to EU Justice Commissioner Vera Jourova, “We reached an accord on more precise listing of cases when bulk collection can occur and a better definition of how our American partners understand the difference between bulk collection which may be justified and mass surveillance without any purpose, which is not tolerable.” Other issues addressed by the revised draft were said to include the independence of the special ombudsman and limits on the retention of transferred data by companies.

Significantly, the Commission is neither seeking an evaluation of the new draft from the Article 29 Working Party nor giving the Parliament much time to respond to it.  Instead, the Commission appears to be resigned to facing the legal challenges to Privacy Shield that are all but certain to come, even though the cloud of uncertainty that those challenges and criticisms of the agreement create over the program may dissuade many U.S. companies from signing up.

Whether the Commission will be able to secure the approval of the Article 31 Committee by the required qualified majority vote remains to be seen.  Also unclear is what impact the Brexit vote will have on the Committee’s deliberations.  While the UK remains a full member of the EU, suppose the qualified majority would be reached only with the UK’s backing of the proposed agreement.  Would other member states take this into account in determining their own stance on the new text?

Brexit Vote: Short-term Continuity, Long-Term Uncertainty

The June 23 referendum vote by the UK electorate to leave the European Union has muddied the waters around a host of regulatory and business issues, not least the question of how data transfers in and out of the UK will be handled in the future.  As Scott Blackmer points out in an excellent summary of the daunting complexities raised by Brexit, the timing of the UK’s departure could be awkward, since the General Data Protection Regulation (GDPR) will come into force on May 25, 2018, months ahead of the earliest projected date for the actual separation.  While the exact form and terms of any new relationship between the UK and the EU remain to be determined, the UK’s Information Commissioner has confirmed the country’s desire to have a data protection standard in place that is equivalent to that of the GDPR.  With so much up in the air, the ICO’s advice to companies following the October 2015 Schrems ruling seems even more apt at this time: keep calm and carry on.

CJEU to Address Bulk Surveillance Issues This Fall

The Court of Justice of the European Union (CJEU) is expected to rule in two cases this fall that will compel it to examine the issue of bulk collection of personal data by law enforcement and security agencies in greater detail than it did in the Schrems case.  The first is a challenge to the Canada-EU Passenger Name Record (PNR) Agreement and the second involves the data retention laws of the UK and Sweden.  A thoughtful analysis by Kenneth Propp, former legal counselor to the US Mission to the EU, outlines the broader risks rulings in the cases could pose to the 2011 PNR and the 2009 Terrorist Finance Tracking Program (TFTP) Agreements between the US and the EU, let alone to the proposed Privacy Shield framework.

With so much at stake, it is not surprising that on June 13 the US government announced that it had asked the Irish High Court to be joined as an amicus in Max Schrems’s latest complaint concerning the validity of standard contractual clauses as a basis for data transfers to the US.  Since the Irish DPA had previously announced that it was referring the matter to the CJEU, the amicus status will provide the US with an opportunity to describe and defend its surveillance practices directly in a court of law.  The development was welcomed by Max Schrems, who said, “This is a huge chance to finally get solid answers in a public procedure. I am very much looking forward to raise all the uncomfortable questions on US surveillance programs in this procedure. It will be very interesting how the US government will react to the clear evidence already before the court.”

Hamburg DPA Fines Three Companies for Reliance on Safe Harbor


Reports of enforcement actions against companies based upon continued reliance on Safe Harbor for data transfers to the US have been few and far between.  One German regulator, however, has broken the ice.

On June 6, the Hamburg data protection authority announced that it had fined three companies – Adobe, Pepsi subsidiary Punica and Unilever – for continuing to rely on Safe Harbor as their legal basis for transferring personal data to the US. While the fines could have been as large as €300,000, they were reduced to €11,000 or less because each of the companies switched to the use of alternative transfer mechanisms during the course of the authority's proceedings.


The fines were the outcome of an inspection of the data transfer procedures of 35 internationally active Hamburg-based companies.  According to the authority, the vast majority of the companies switched to the use of standard contractual clauses within several months of the invalidation of Safe Harbor by the European Court of Justice in October 2015.  Proceedings against a few companies continue, with Commissioner Johannes Caspar warning that stricter sanctions would be imposed if alternative transfer measures were not adopted.  Caspar also indicated that his office would look into the admissibility of alternative transfer mechanisms, and standard contractual clauses in particular, should negotiations over the Privacy Shield not succeed.


China Developing Personal Information Security Standard

China’s National Information Security Standardization Technical Committee was reported on May 31st to have organized a meeting to launch a working group, comprised of representatives from government, academia and industry, tasked with drafting a national Personal Information Security Standard.  The standard would serve as a non-binding baseline for the data privacy and security practices of companies operating in China.  It could influence future data privacy and security-related legislation, while also providing regulators with guidance on current laws and regulations that are often vaguely worded.

EEOC Issues Final Rules on Employer Wellness Programs

In mid-May, the Equal Employment Opportunity Commission (EEOC) published final rules on employer wellness programs describing how the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA) apply to wellness programs offered by employers.  According to some of the key provisions of the rules, employee wellness or health programs must be “reasonably designed to promote health or prevent disease,” prohibiting measurements, tests, screening or information collection that does not lead to follow-up advice.  In addition, the programs must be voluntary, and while incentives may be offered for participation in a program, they cannot be so great as to be coercive.  In accordance with principles of fair information practice, participants must receive written notice in advance describing in plain language what medical information will be collected, how it will be used and restrictions on its use.  Finally, all information collected must be held confidentially and not provided to an employer in a form that would disclose the identity of particular individuals.