Germany to audit 500 companies on data transfers

Germany to audit 500 companies

The German data protection authorities have announced today that they have chosen 500 companies throughout Germany to audit their transfer of personal data to the US and other countries (e.g. India). The targets were chosen at random and cover small, medium-sized and also large companies known to transfer data of their customers or employees from Germany to the US. Cloud computing and office software applications are in their focus. The different approach towards data privacy in the US – made especially apparent by Snowden – has led many EU authorities to criticize the US use of personal data as not being adequate to the data protection level of the EU.

Context

The Safe Harbor self-certification option for commercial entities in the US, a commonly used tool agreed between the EU Commission and the US Department of Commerce to safeguard an EU data protection level at US companies, was declared void by the CJEU in its Schrems decision. The new regime known as the “EU US Privacy Shield” went live in August. Also, companies have the option to agree bilateral EU Standard Contractual Clauses or to establish binding corporate rules.

Beware Cloud and SaaS

Now, the German authorities want to audit German companies and German branches of companies from abroad to check if and how they are complying. In particular, they are expected to investigate whether transfer regimes are in place and whether the old Safe Harbor approach is still in use. Use of the cloud and SaaS vendors will be a focus.

Once more this is a warning sign that authorities of EU Member States are using their administrative powers to enforce EU data protection law, especially for consumers but also for employees. Germany is being particularly active.

What happens next?

The German data protection authorities will approach companies by sending a letter requesting information on their practice of data transfer to the US. Depending on the response, the German authorities make more requests or site inspections may follow. The authorities will also likely direct the companies’ in-house Data Protection Officers to assist them with their requests.

If companies have received such requests they should carefully draft their response. As these requests usually provide for sufficient time to react, there may still be time to establish safeguards like EU Standard Contractual Clauses. But planning now is key.

Prepared by Christian Schefold, Christoph Zieger and Ariane Loof of Dentons Germany

What does BREXIT mean for data protection?

On 23 June 2016, the UK is holding a referendum as to whether to stay in the European Union or leave it. But what does a BREXIT (a British Exit from the EU) mean for data protection?

Most of the UK law on data protection comes from the EU. The UK Data Protection Act 1998 and the Privacy and Electronic Communications Regulations both implement overarching EU law. So you might think that leaving would be like “unplugging” the source of data privacy law and therefore switching it off. But UK data protection law, in fact, pre-dates the European data protection directives. In fact, the UK was a signatory to the 1981 Convention (the forerunner of modern data protection law). Enough history!

What could happen in theory?

The UK parliament could reduce (or repeal) the Data Protection Act. The Courts could decide to no longer follow EU case law. Most importantly, the UK could choose not to implement the General Data Protection Regulation (GDPR). This, as we all know, is a wholesale upgrade to EU data protection law. GDPR includes new penalties of up to 4% of worldwide turnover, new legal duties to notify of data breaches and requirements to implement an accountability framework of policies and procedures.

What will happen in practice?

The UK could leave the EU and join the European Economic Area. In this case, it would be legally obliged to maintain data protection law on an equivalent footing to the EU. So all the current law would stay. GDPR would also be a requirement.

Theoretically, the UK could go out on its own. However, this would make it a non-adequate jurisdiction for international data transfers. This means it could not receive personal data freely from the EU. It could ask the EU for an “adequacy decision”, but it’s anyone’s guess as to how long that would take. It could be a difficult negotiation (…think about the recent story of Snowden, Schrems and the proposed Privacy Shield, which is still being worked on).

No doubt there would be huge pressure on the UK to fall into line (dare I say it) with EU-style data protection law anyway. Otherwise, this could be a significant drag on international trade.

Finally, there is the practical argument that we actually need data protection law to underpin consumer trust in the digital economy. So let’s not trash it.

For what it’s worth, the ICO say that the UK needs clear and effective data protection law regardless of whether it remains in the EU. They don’t expect to be packing their bags.

Whatever the uncertainty on a possible UK exit, the issue will, at least, be resolved in a little over 7 days.

ICO releases 12 step guide on the GDPR

On Monday this week the UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR. The guide was launched as part of the ICO’s annual Data Protection Practitioners’ Conference, in Manchester. The ICO also launched a new microsite on the GDPR (see below).

In its accompanying press release, the ICO emphasised that its role is “not just about enforcement and fines” and that the guide would help the ICO to do its work in “guiding organisations who want to make sure they’re following the new rules, and getting it right from the start”. This tallies with the message of the ICO at the conference – it is here to help organisations, but that there are steps that can be taken now to start preparing for the implementation of the GDPR.

Here is a summary:

  • Ensure there is awareness amongst key stakeholders in the organisation that the GDPR represents a major overhaul of data protection law in Europe, and ensure they identify the areas of the GDPR that have the biggest impact on them.
  • Document the personal data that they hold, where it came from and with whom they share it. The ICO suggests that this can be done through an information audit – this will be necessary to match the updated subject rights for the “networked world”.
  • Review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • Check existing procedures to ensure that they cover all the rights data subjects now have under the GDPR – both the enhanced rights and the additional right of data portability.
  • Look at the various types of data processing they carry out, identify a legal basis under the GDPR for carrying it out and document it.
  • Ensure processes and procedures are documented – to help demonstrate compliance with the accountability requirements. This may also help a controller to rely on the “manifestly unfounded or excessive” exemption for subject access requests, help to readily produce the upgraded form of privacy notice or help to determine the lead supervisory authority.

Interestingly, many of these recommendations will already be in place for those with BCRs or who have done data audits following the recent Safe Harbor and Privacy Shield developments. Clearly, now is the time to get your ‘data privacy’ house in order.

We think that the 12 step guide is a useful starting point for all businesses, especially those small- to medium-sized enterprises who may be intimidated by the (over 200-page) GDPR – it helps put theory into practice and could hint at the ICO’s enforcement focus going forward.

We expect that it will be the first in a set of practical guidance issued by the ICO ahead of the GDPR. Indeed, the ICO has anticipated, in its accompanying blog entry, that over the next few months, it will “…be doing more work to consider the feedback we’ve received and produce a more detailed plan for the guidance, other tools and services we need to develop”. In this way, the ICO seems to be taking a phased and business-friendly approach to the GDPR.

The ICO has also launched a new microsite dpreform.org.uk – this will be the home for the ICO’s GDPR guidance; a key addition to your “favourites” bar.

It has also invited further feedback about the areas in which advice and guidance are most needed – so get in touch if you have any strong views. Watch this space as we see what else the ICO (and other European regulators) will produce on the GDPR.

Article 29 WP response to “Privacy Shield”

The Article 29 Working Party (WP 29) published their initial response to the new Privacy Shield yesterday.

Here’s the good news:

  • WP 29 welcomes the conclusion of negotiations by the deadline (actually, the deal was announced on Tuesday which is a couple of days late but let’s overlook that).
  • WP 29 looks forward to receiving the relevant documents to analyse the detail. They want to look at the content and legal bindingness of the arrangement to assess whether it deals with the risk of massive and indiscriminate surveillance (as per the Schrems judgment).

Here’s another interesting development:

  • WP 29 has been assessing the current legal framework and practices of US intelligence and has decided on 4 “essential guarantees” that will be required: (a) clear, precise and accessible rules on surveillance; (b) access to be proportionate at all times; (c) independent oversight mechanism (judge/independent body); and (d) effective remedies.

Next Steps

The Commission now has to deliver on the detail. It will communicate all documents pertaining to the new arrangement to WP 29 by the end of February. WP 29 will then run its assessment on the Privacy Shield proposal (it’s not the law yet). It will also review other transfer mechanisms such as model clauses and BCRs.

What does this mean for business now?

  • Don’t rely on the Privacy Shield just yet. It’s not an “adequacy decision” and the detail needs to be provided and assessed.
  • Ensure data transfers are either covered by model clauses or BCRs or one of the other derogations.
  • As we recommended previously: do a “fact find” (to identify what data is collected and shared, data flows, data centres and purposes of onward transfer).
  • Consider prioritising data flows to ensure that model contracts are applied to the important data flows as early as possible.
  • Unless an alternative transfer mechanism is in place, there is a risk of enforcement action. WP 29 is clear that you can no longer rely on old Safe Harbor.

EU-US Privacy Shield Announced

Today, political agreement has been reached on the new solution to replace the Safe Harbor regime, the so-called “EU-US Privacy Shield”. The College of Commissioners have approved the new framework which, according to the European Commission press release, “will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses”.

This sudden announcement comes hours after it was announced that there was no deal yet on “Safe Harbor 2.0”.

According to the European Commission, the EU-US Privacy Shield reflects the CJEU’s recommendations as set out in the Schrems decision. In particular, the new framework will include the following:

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement (including that companies importing EU data will need to commit to “robust” obligations which will be monitored by the Department of Commerce and ultimately enforced by the FTC);
  • Clear safeguards and transparency obligations on US government access (including, for the first time, assurances that there will be limitations, safeguards and oversights placed on public bodies having access to EU data);
  • Effective protection of EU citizens’ rights with several redress possibilities (including the creation of a new “Ombudsperson” to deal with any complaints about access for surveillance purposes).

No draft has been issued yet. The next step is for an “adequacy decision” to be drafted by Vice-President Ansip and Commissioner Jourova. The intention is then for this draft to be adopted by the College of Commissioners following “advice” from the Article 29 Working Party and further representatives of Member States. During the Q&A session yesterday with Commissioner Jourova, it was also hinted that the new solution may need to be reviewed by the CJEU to pre-empt another complaint being received. This was not mentioned in the Commission’s Press Release today.

Next question: how will the A29WP react?  We find out tomorrow.