News Archives

Friday, July 29, 2016

CJEU Finds Terms of Use Irrelevant as Basis for Determining Applicable DP Law

In a July 28 ruling in VKI v. Amazon EU, the Court of Justice of the European Union reaffirmed the reasoning about applicable data protection law it advanced in the Weltimmo and Google Spain cases.  Ignoring the contract between Amazon and its customers, which provided that Luxembourg law shall apply, the court held that “the processing of data in the context of the activities of an establishment is governed by the law of the Member State in whose territory that establishment is situated.”  Furthermore, the court found that it is up to national courts to determine whether Amazon is carrying out the data processing in question in the context of the activities of an establishment situated in their Member States.  As to when a company may be regarded as having an establishment, the CJEU reiterated its position that the establishment of a data processing operation “extends to any real and effective activity, even a minimal one, exercised through stable arrangements.”  The Court also held that a data processing operation will not be established “merely because the undertaking’s website is accessible” in a particular Member State.

Game On: Dept. of Commerce Launches Privacy Shield Website

On July 26, the same day as the Article 29 Working Party issued its statement of ongoing concerns about Privacy Shield, the U.S. Department of Commerce launched its website for the new data transfer framework.  The website contains the full text of the Privacy Shield Principles (both basic and supplemental), Annex I, and related letters and attachments from the Department of Commerce, the International Trade Association, the FTC, the Department of Transportation, the Department of State, the Office of the Director of National Intelligence and the Department of Justice.  It also contains guidance for organizations on how to self-certify for the program, for European companies and individuals on how to determine if a U.S. company is a Privacy Shield participant, and for European individuals to submit either a complaint or a request relating to U.S. national security access to their data.  (Note:  When launched, the website indicated, in a departure from Safe Harbor requirements, that the HR privacy policies of participants would have to be publicly available; however, this statement was subsequently retracted.)  A procedure for direct contact by DPAs to the DOC’s Privacy Shield team, as well as a link to a new FTC website about their oversight and enforcement activities, is also included. The Department of Commerce will begin accepting self-certifications under Privacy Shield on August 1.

Thursday, July 28, 2016

Art 29 WP Remains Concerned about Privacy Shield

On July 26, the Article 20 Working Party issued a statement praising improvements in the Privacy Shield mechanism secured by the European Commission over the past three months, but also indicating that “a number of concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.”  As examples of concerns with respect to commercial activities, the Working Party cited the lack of: (a) specific rules on automated decisions; (b) a general right to object; and (c) clarity as to how the Privacy Shield Principles apply to processors.  With respect to access by U.S. public authorities, the WP29 remains uncomfortable concerning the independence and powers of the Ombudsperson and regrets the lack of concrete assurances that mass and indiscriminate surveillance does not take place.

These concerns notwithstanding, the Working Party stated that the robustness and efficiency of the Privacy Shield mechanism will be best assessed during the first joint annual review, insofar as all members of the review team “shall have the possibility to directly access all the information necessary” to carry out the review.  The WP29 concluded its statement with a commitment to “proactively and independently” assist data subjects with exercising their rights under the Privacy Shield mechanism.  In addition, the Working Party stated that it would soon provide guidance on the mechanism to both data controllers and to citizens, along with its suggestions on the composition of the EU centralized body envisaged by the agreement and the practical organization of the joint annual review.

Contrary to numerous reports in the press, a careful reading of the Working Party statement reveals that they did not approve or endorse the Privacy Shield framework, nor did they say that they would not challenge the adequacy of the agreement for at least one year.  With the Commission formally adopting the mechanism on July 12, the WP29, as an advisory body, was not in a position to either approve or reject it.  Given the independence of data protection authorities, as well as their obligations to protect the privacy of data subjects, the Working Party was also not in a position to pledge to refrain from taking such steps as may be necessary to fulfill their responsibilities.  Buttressed by the Schrems ruling that affirmed their independence even in the face of an adequacy decision, one or more of the EU’s DPAs, such as those in Germany, may not be as patient as the Working Party appears to be.

A fairer summation of the position of the Working Party is that its assessment of Privacy Shield remains incomplete, that it looks forward to completing that assessment during the joint annual review, and that in the meantime it will vigorously and independently investigate any complaints from data subjects about how their personal data is handled under the mechanism. To read this as a "tepid endorsement," "temporary green light" or "moratorium" on challenging Privacy Shield reflects wishful thinking.

It is true that Isabelle Falque-Pierrotin, chairman of the Article 29 Working Party, stated verbally at a press conference on July 26 that the EU DPAs would not launch legal action on their own initiative in the next year.  However, this is not to say that they may not be involved in a legal action brought by another party, such as an individual, a Member State, the EU Parliament or another EU institution, that challenges the Privacy Shield mechanism.  Should a complaint from an individual come forth, such as the one promised by Max Schrems, they may feel obligated to request guidance from the courts as to the adequacy of Privacy Shield.

Thursday, July 14, 2016

Appeals Court Backs Microsoft in Overseas Email Case

Reversing an April 2014 ruling by the District Court for the Southern District of New York, the U.S. Court of Appeals for the Second Circuit in New York quashed a search warrant that would have required Microsoft to disclose contents of emails stored on a server in Ireland.  The Court ruled that the U.S. Stored Communications Act neither explicitly nor implicitly envisioned the applications of its warrant provisions overseas, which was the government's central argument in the case, agreeing with Microsoft that inter-governmental mutual legal assistance treaties should be relied upon in cases such as this. Tech companies, lobbying groups and media associations had submitted briefs to support Microsoft’s position, arguing that allowing a warrant to be served would undermine their business prospects abroad and lead to tit-for-tat retaliation by foreign governments with respect to emails stored in the US.  At a time of great uncertainty over the legality of trans-atlantic data flows, the ruling removes a key obstacle to reaching a viable accord with the EU and demonstrates the independence of the US judicial system.  Whether the US government will appeal the ruling remains to be seen.

Friday, July 8, 2016

Article 31 Committee Approves Privacy Shield

On July 8, the Article 31 Committee, comprised of ministerial representatives of the 28 EU member states, approved the revised version of the EU-US Privacy Shield. Four member states abstained from the vote:  Austria, Bulgaria, Croatia and Slovenia. Ratification by the College of Commissioners is expected on Monday, followed shortly by the official launch of the new data transfer framework by EU Justice Commissioner Vera Jourova and US Secretary of Commerce Penny Pritzker.

According to the European Commission, the arrangement “is fundamentally different” from the former “safe harbor” pact because “it imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”  Critics claim that the agreement will not withstand legal challenges - for example, Max Schrems was quoted as saying "they walked a mile but they should have walked one hundred miles" - which may dissuade many US companies from participating in it.

The complete 158-page text of the Privacy Shield agreement, in an undated and unofficial version, is available here