News Archives

Wednesday, December 28, 2016

CJEU Rejects Mass Surveillance Again in UK Case

On December 21, the Court of Justice of the European Union unequivocally re-affirmed that “general and indiscriminate retention of traffic data and location data” was contrary to EU law, echoing its invalidation of the Data Retention Directive in the 2014 Digital Rights Ireland case. The current decision, in a case variously referred to as either Tele2 or Watson, arose as a challenge within the UK against the 2014 Data Retention and Investigatory Powers Act (DRIPA), brought by Tom Watson, deputy leader of the Labour Party, amongst others. Since the DRIPA was superseded by the enactment of the Investigatory Powers Act 2016 (IPA) last month, and the IPA – dubbed by critics the Snooper’s Charter – gives even wider and more intrusive powers of mass surveillance to the government, the IPA is also likely to be unlawful under EU law. While the CJEU decision does not directly address the legality of the IPA, it clearly supports the legal challenges against it that are likely to come from privacy groups.

Given Brexit, the new ruling places the UK in a difficult bind at a time when Brexit itself is enormously challenging. The government can ignore the ruling but thereby risk not obtaining a future adequacy ruling from the European Commission that will be needed to ensure the continuance of data exchanges with the EU, or it can re-open what was a wrenching and divisive debate on the Investigatory Powers Act with a view to bringing it into conformity with EU law.

Tuesday, December 27, 2016

Eyeing GDPR, EU Member States Updating DP Laws

The EU General Data Protection Regulation comes into force directly and immediately across all member states of the European Union on May 25, 2018, without any need for enabling legislation to be passed by national governments.  It is a Regulation after all, not a Directive, and is designed to establish a single and consistent base DP law across the EU. So what should be made of all the reports by reliable media sources about this or that member state – Germany, France, Spain, the Netherlands – working on new data protection laws to implement the Regulation? The simple answer is that reporters on arcane matters like data protection law can easily choose the wrong words.  But more importantly, what is really going on?  What are these mis-identified “implementing” laws all about?

In general, these new member state laws, which anticipate the GDPR and amend current national data protection legislation, have one or both of the following objectives:
  • to bring certain provisions of the GDPR into effect prior to May 25, 2018; or
  • to legislate in areas not directly addressed by the GDPR but in which the GDPR allows member states a margin of maneuver or derogation to enact supplemental laws.
Examples of member states advancing the effective date of certain GDPR provisions include the Netherlands (which implemented a data breach notification requirement in January) and France (where the Digital Republic Bill enacted in October increased the fines that can be imposed by CNIL to €3 million – still far below the maximum level set by the GDPR – and also introduced the right to data portability).

Examples of member states working on supplemental or complementary legislation include Spain (which is reported to be preparing a draft bill for consultation in February 2017 to harmonize its broad-based Organic Law on Data Protection with the GDPR) and Germany (which is attempting once again to legislate protections specifically directed to the employment context).

Multi-national companies have an easier time dealing with legislative changes in the first category, since these are basically timing issues. Those in the second category are more troublesome, since they detract from the promise of a single, consistent data protection standard across the EU. On the bright side, the differences between member states are likely to be far less stark and frustrating than those that have prevailed over the past 20 years.

Working Party Issues Guidance on GDPR Implementation

Following a plenary meeting in mid-December, the Article 29 Working Party released guidelines and FAQs on three major implementation topics under the General Data Protection Regulation:  the right to data portability, Data Protection Officers, and the lead supervisory authority (“one-stop-shop”). The 61 pages of guidance need to be closely analyzed by companies preparing for the May 2018 effective date of the GDPR. The WP29 invited comments on the guidance from stakeholders through the end of January 2017, suggesting that they were open to further refinements.  Additional guidance, on data protection impact assessments and on certification, is scheduled for release in 2017.  The Working Party also indicated that it is working on steps necessary to establish the European Data Protection Board called for by the GDPR, and announced that it will take on the role of the “EU centralized body” referenced in the Privacy Shield framework as the EU complaint-handling entity.

Dutch Court Ruling a Threat to App Deployment in the EU

In late November, the Administrative Court in The Hague upheld a penalty imposed by the country’s DPA against WhatsApp for its failure to appoint a representative in the Netherlands. The requirement to do so is found in Article 4(2) of the EU Data Protection Directive, applicable whenever a data controller not established in the EU makes use of equipment situated in a member state for the purpose of processing personal data. Although some observers have characterized the court’s ruling as “extreme”, it is consistent with guidance issued by the Article 29 Working Party in 2013 and in 2010, as well as with court rulings such as that of the High Court of Berlin in 2014 that Facebook was subject to German law due to its use of cookies on German computers.

WhatsApp could have satisfied the requirement to have an in-country representative by contracting with a Dutch entity and indemnifying it in case a fine or penalty was imposed as the result of a violation of data protection law. However, the larger challenge faced by the company, owned since 2014 by Facebook, is that it would need to have a representative located in each EU member state in which its app is used. The General Data Protection Regulation, coming into effect in May 2018, eases this burden by allowing the appointment of one local representative covering all member states. WhatsApp may appeal the court’s decision against it to the Dutch State Council, hoping that its case is the exceptional one in which the enforcement actions of a DPA are overturned. It may also be reluctant to have a legal representative through whom even larger fines for other legal violations – such as those involved in the merging of personal data across Facebook and WhatsApp accounts – could be extracted.