1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Privacy Shield gets approval: certainty at last?

The European Commission yesterday issued an adequacy decision adopting the EU-US Privacy Shield, which replaces Safe Harbor as a framework for protecting European data transferred to the United States. Adoption had been expected since the European Commission announced on Friday that Member States had given their “strong support” to the new framework (although we note that Austria, Bulgaria, Croatia and Slovenia abstained from voting).

Are there any final changes?

There have been some tweaks to the Privacy Shield regime since the draft adequacy decision was issued in February. These include:

  • additional clarifications on the bulk collection of data. In particular, the Office of the Director of National Intelligence has clarified that the bulk collection of EU data can only be used under specific preconditions and must be “as targeted and focused” as possible;
  • introducing more explicit obligations on companies as regards limits on retention and collection of data. Specifically, companies now have to delete data that no longer serves the purpose for which it was collected; and
  • strengthening the Ombudsperson mechanism. In its press release, the Commission makes clear that the Ombudsperson is independent from the US intelligence services.

What were the criticisms?

The changes are intended to address a critique of Privacy Shield issued in April by European data protection regulators (aka the Article 29 Working Party), which concluded that Privacy  Shield – while a huge improvement on Safe Harbor – still did not meet EU privacy standards. This was largely because:

  • massive and indiscriminate data collection by American authorities was still not fully excluded;
  • the Privacy Shield lacked an explicit data retention principle; and
  • the powers and independent position of the Ombudsperson (who deals with national security-related complaints) were not made clear.

What does the future look like for Privacy Shield?

The Commission’s tweaks will address the A29WP’s concerns to some degree, but that mightn’t be enough to keep the privacy wolves at bay.

Privacy Shield may well be subject to a future challenge on the basis of “equivalence” with EU law, and it will almost certainly undergo further A29WP review. Potential issues remain, such as the fact that Privacy Shield (like Safe Harbor) is largely self-certified. Indeed, one of the main privacy advocates in the European Parliament (MEP Jan Philipp Albrecht) commented that the European Commission has “just signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights”.  Max Schrems has said he will challenge it.

In the medium term, inconsistencies between Privacy Shield and the upcoming GDPR requirements could also limit Privacy Shield’s shelf life. Therefore, the climate seems ripe for challenge. Max Schrems has also sought to challenge model clauses in an application by the Irish DPA to the Irish High Court.

Privacy observers will also be keeping an eye on how Brexit plays out: will the UK find itself negotiating its own form of Privacy Shield to ensure EU adequacy?

Even so, Privacy Shield will be a valid solution for transfers to the US.  American companies may begin to self-certify with the US Commerce Department from 1 August, and we expect to see many large US vendors taking up this option. Microsoft has concluded on its official blog that the Privacy Shield “meets each of [the] requirements…of… European data protection law”.

Privacy Shield gets approval: certainty at last?

The FCC Rules Federal Government (and maybe its Contractors) Are Immune from the TCPA

FCCpicThe Federal Communications Commission (FCC) issued its highly anticipated declaratory ruling on July 5, 2016 in which it determined that the Telephone Consumer Protection Act (TCPA) does not apply to calls made by or on behalf of the federal government when such calls are made for official purposes.

What is the TCPA?

The TCPA prohibits “any person,” defined as an “individual, partnership, association, joint-stock company, trust or corporation,” from initiating calls to wireless numbers using automated technology without prior express consent.  47 U.S.C. § 153(39).  Relying on the Supreme Court’s recent decision in Campbell-Ewald v. Gomez, 136 S. Ct. 663 (2016),  in which the Court held that the federal government and its agencies are exempt from the TCPA because “no statute lifts their immunity,” the FCC likewise ruled that the TCPA does not apply to calls made by government entities based on the express definition of “person,” which does not include the sovereign.  Therefore, calls made by or on behalf of government entities, including legislative, judicial, and executive bodies, and those working on behalf of government entities and officials, are not subject to the TCPA.   The FCC’s ruling, however, does not extend to calls made by state and local governments or their agents, nor does it provide an exemption for political campaigning.

What About Federal Third-Party Contractors?

Of particular importance, third-party contractors who send messages on behalf of the federal government are not necessarily in the clear.  Derivative sovereign immunity, a doctrine predicated on the principle that a federal government contractor should not be subjected to private party damages in litigation, may be extended to third-party government contractors only when they act under authority validly conferred on them by the federal government.  As the Supreme Court found in Campbell-Ewald, derivative immunity cannot shield a contractor when it “violates both federal law and the Government’s explicit instructions.”  There, the Court determined that Campbell-Ewald was not entitled to derivative immunity because the record revealed that the company had exceeded its authority by sending messages that the government had not authorized it to send, i.e., the messages were sent to individuals who had not “opted in” to receiving text messages.  Accordingly, Campbell-Ewald could not claim to be acting on behalf of the government.

What Does This Mean in Practice?

Based on the FCC’s ruling, the federal government can now robocall and text message consumers without consent, so long as the calls are made for official purposes, and are not, for example, as part of a campaign for re-election.  Surveys, polls, and other informational messaging are all now fair game, however.


The FCC Rules Federal Government (and maybe its Contractors) Are Immune from the TCPA

What does BREXIT mean for data protection?

On 23 June 2016, the UK is holding a referendum as to whether to stay in the European Union or leave it. But what does a BREXIT (a British Exit from the EU) mean for data protection?

Most of the UK law on data protection comes from the EU. The UK Data Protection Act 1998 and the Privacy and Electronic Communications Regulations both implement overarching EU law. So you might think this is like “unplugging” the source of data privacy law and therefore switching it off? But UK data protection law, in fact, pre-dates the European data protection directives. In fact, the UK was a signatory to the 1981 Convention (the forerunner of modern data protection law). Enough history!

What could happen in theory?

The UK parliament could reduce (or repeal) the Data Protection Act. The Courts could decide to no longer follow EU case law. Most importantly, the UK could choose not to implement the General Data Protection Regulation (GDPR). This, as we all know, is a wholesale upgrade to EU data protection law. GDPR includes new penalties of up to 4% of worldwide turnover, new legal duties to notify of data breaches and requirements to implement an accountability framework of policies and procedures.

What will happen in practice?

The UK could leave the EU and join the European Economic Area. In this case, it would be legally obliged to maintain data protection law on an equivalent footing to the EU. So all the current law would stay. GDPR would also be a requirement.

Theoretically, the UK could go out on its own. However this would make it a non-adequate jurisdiction for international data transfers. This means it cannot receive personal data freely from the EU. It could ask the EU for an “adequacy decision” but its anyone’s guess as to how long that would take. It could be a difficult negotiation (…think about the recent story of Snowden, Schrems and the proposed Privacy Shield, which is still being worked on).

No doubt there would be huge pressure on the UK to fall into line (dare I say it) with EU-style data protection law anyway. Otherwise, this could be a significant drag on international trade.

Finally, there is the practical argument that we actually need data protection law to underpin consumer trust in the digital economy. So let’s not trash it.

For what it’s worth, the ICO say that the UK needs clear and effective data protection law regardless of whether it remains in the EU. They don’t expect to be packing their bags.

Whatever the uncertainty on a possible UK exit, the issue will, at least, be resolved in a little over 7 days.

What does BREXIT mean for data protection?

Office of the Privacy Commissioner announces first investigation under the address harvesting provisions

Today, the Office of the Privacy Commissioner (OPC) announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses.

The OPC alleges Compu-Finder used address harvesting programs to search and collect e-mails on the internet. This marks the first investigation by the OPC involving its address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use e-mail addresses of individuals to send e-mails promoting its business activities, without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use for many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic privacy knowledge of its obligations and failed in demonstrating accountability and openness of its privacy practices.

This investigation also debuts the OPC’s compliance agreement power since the tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. Some of the following measures that Compu-Finder has agreed to implement, include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possessions which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC issued a Notice of Violation against Compu-Finder pursuant to Canada’s Anti-Spam Legislation (CASL) on March 5, 2016.  The OPC acknowledged the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies.

The CRTC’s proceedings against Compu-Finder are still on going.

You can read the full report of findings and compliance agreement online  here.

Office of the Privacy Commissioner announces first investigation under the address harvesting provisions

Supreme Court rules technical statutory violations do not establish standing without actual injury

In a decision that will impact a consumer’s standing to bring a claim under a number of federal statutes that allow for significant statutory penalties, such as the Video Privacy Protection Act, the Stored Communications Act, and others, the Supreme Court held in Spokeo v. Robins, 578 U.S. ___, 2016 WL 2842447 (May 16, 2016), that “Article III standing requires a concrete injury even in the context of a statutory violation.”  Accordingly, the Court found that the plaintiff “could not, for example, allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.”

The plaintiff had alleged that Spokeo, a “people search engine,” had violated the Fair Credit Reporting Act (“FCRA”) by including false facts about him in its search results, and brought a putative class action in the Central District of California.  The district court found that Robins had not pled an injury-in-fact as required by Article III.  The Court of Appeals for the Ninth Circuit disagreed, finding that the “violation of a statutory right is usually sufficient injury in fact to confer standing.”

But the Supreme Court reversed, finding that the Ninth Circuit “elided” the “concreteness” requirement of injury in fact, which requires analysis of the nature of the violation – not the bald assertion that a violation occurred. The Court explained that  “[a] ‘concrete’ injury must be ‘de facto’; that is, it must actually exist. . . . When we have used the adjective ‘concrete,’ we have meant to convey the usual meaning of the term—‘real,’ and not ‘abstract.’” The Court emphasized that a plaintiff does not “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right” and that a plaintiff “cannot satisfy the demands of Article III by alleging a bare procedural violation.”

The Supreme Court then remanded for determination of whether the falsities alleged in the case “entail a degree of risk” of harm “sufficient to meet the concreteness requirement.”  In dicta, the Court noted that dissemination of certain false information, like an incorrect zip code, for example, would clearly not satisfy the test for a concrete injury.

The decision will be particularly impactful to class actions brought under statutes like the FCRA, as it will make class certification difficult in the absence of uniform violations that would clearly create harm.

Supreme Court rules technical statutory violations do not establish standing without actual injury