
Germany to audit 500 companies on data transfers


The German data protection authorities announced today that they have selected 500 companies across Germany for an audit of their transfers of personal data to the US and to other third countries (e.g. India). The targets were chosen at random and include small, medium-sized and large companies known to transfer customer or employee data from Germany to the US. Cloud computing and office software applications are a particular focus. The different approach to data privacy in the US, made especially visible by the Snowden disclosures, has led many EU authorities to criticize US handling of personal data as not providing a level of protection adequate to that of the EU.

Context

The Safe Harbor self-certification option for commercial entities in the US, a commonly used mechanism agreed between the EU Commission and the US Department of Commerce to secure an EU level of data protection at US companies, was declared invalid by the CJEU in its Schrems decision. The replacement regime, known as the “EU-US Privacy Shield”, went live in August. Companies also have the option of agreeing bilateral EU Standard Contractual Clauses or establishing binding corporate rules.

Beware Cloud and SaaS

Now the German authorities want to audit German companies and German branches of foreign companies to check whether and how they are complying. In particular, they are expected to investigate whether a transfer mechanism is in place at all and whether the invalidated Safe Harbor framework is still being relied on. Use of cloud and SaaS vendors will be a focus.

Once more this is a warning sign that the authorities of EU Member States are using their administrative powers to enforce EU data protection law, primarily for consumers but also for employees. Germany is being particularly active.

What happens next?

The German data protection authorities will approach companies by letter, requesting information on their practice of transferring data to the US. Depending on the response, further requests or on-site inspections may follow. The authorities are also likely to direct the companies’ in-house Data Protection Officers to assist them with these requests.

Companies that receive such a request should draft their response carefully. As these requests usually allow a reasonable time to respond, there may still be time to put safeguards such as EU Standard Contractual Clauses in place. But planning now is key.

Prepared by Christian Schefold, Christoph Zieger and Ariane Loof of Dentons Germany


US Officially Blames Russia For DNC Hack

The United States (US) Department of Homeland Security (DHS) and Office of the Director of National Intelligence (ODNI) issued a joint statement on Friday, October 7, 2016, publicly stating for the first time that the US Intelligence Community is “confident” that the “Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.”

DNC Attack Background

Last April, after the DNC discovered malware on its computer systems, it hired the third-party cybersecurity firm CrowdStrike to investigate the breach. After completing its investigation, CrowdStrike issued a report in June 2016 linking the intrusion to two groups associated with Russia:

  • “Cozy Bear” (also tracked as APT29), a group suspected of previously attacking networks at the White House, State Department and Joint Chiefs of Staff; and
  • “Fancy Bear” (also tracked as APT28), a group suspected of having targeted public and private entities for many years.

CrowdStrike attributed the Cozy Bear and Fancy Bear activity to Russia because the tooling and code overlapped with that seen in earlier intrusions attributed to Russia, and because the targeting fit Russia’s historic efforts to expand its sphere of influence in Eastern Europe. Thousands of stolen DNC e-mails were subsequently published on a site called DCLeaks, which ThreatConnect, a separate cybersecurity firm, has linked to Fancy Bear.

A day after the report, an online persona calling itself Guccifer 2.0 claimed responsibility for the hack in a blog post.

Joint Statement Blames Russia For DNC Hack

In Friday’s joint statement, DHS and ODNI stated for the first time that the “recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russia-directed efforts.” The agencies found that the “thefts and disclosures are intended to interfere with the US election process[,]” activity that is not “new to Moscow – the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.” Based on the “scope and sensitivity” of these efforts, the agencies concluded that only “Russia’s senior-most officials could have authorized these activities.”

No Conclusion On Voting Machine Hacks

The joint statement stopped short of attributing the recent breaches of state election data systems to Russia. That activity, the scanning and probing of election systems in at least Illinois and Arizona, has been traced to servers operated by a Russian company. The FBI is currently investigating, but DHS and ODNI said the US Intelligence Community is not “now in a position to attribute this activity to the Russian Government.”

The joint statement came on the same day that a ceasefire in Syria collapsed and the US accused Russia of war crimes in Aleppo. A copy of the joint statement can be found here.


Privacy Shield gets approval: certainty at last?

The European Commission yesterday issued an adequacy decision adopting the EU-US Privacy Shield, which replaces Safe Harbor as the framework for protecting European personal data transferred to the United States. Adoption had been expected since the Commission announced on Friday that Member States had given their “strong support” to the new framework (although we note that Austria, Bulgaria, Croatia and Slovenia abstained from voting).

Are there any final changes?

There have been some tweaks to the Privacy Shield regime since the draft adequacy decision was issued in February. These include:

  • additional clarifications on the bulk collection of data. In particular, the Office of the Director of National Intelligence has clarified that the bulk collection of EU data can only be used under specific preconditions and must be “as targeted and focused” as possible;
  • introducing more explicit obligations on companies as regards limits on retention and collection of data. Specifically, companies now have to delete data that no longer serves the purpose for which it was collected; and
  • strengthening the Ombudsperson mechanism. In its press release, the Commission makes clear that the Ombudsperson is independent from the US intelligence services.

What were the criticisms?

The changes are intended to address a critique of Privacy Shield issued in April by the European data protection regulators (the Article 29 Working Party, or A29WP), which concluded that Privacy Shield, while a huge improvement on Safe Harbor, still did not meet EU privacy standards. This was largely because:

  • massive and indiscriminate data collection by American authorities was still not fully excluded;
  • the Privacy Shield lacked an explicit data retention principle; and
  • the powers and independent position of the Ombudsperson (who deals with national security-related complaints) were not made clear.

What does the future look like for Privacy Shield?

The Commission’s tweaks will address the A29WP’s concerns to some degree, but that might not be enough to keep the privacy wolves at bay.

Privacy Shield may well be subject to a future challenge on the basis of “equivalence” with EU law, and it will almost certainly undergo further A29WP review. Potential issues remain, such as the fact that Privacy Shield (like Safe Harbor) is largely self-certified. Indeed, one of the main privacy advocates in the European Parliament (MEP Jan Philipp Albrecht) commented that the European Commission has “just signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights”.  Max Schrems has said he will challenge it.

In the medium term, inconsistencies between Privacy Shield and the upcoming GDPR requirements could also limit Privacy Shield’s shelf life. The climate therefore seems ripe for challenge. Max Schrems’s complaint about the model clauses (the EU Standard Contractual Clauses) is also before the Irish High Court, on an application by the Irish DPA.

Privacy observers will also be keeping an eye on how Brexit plays out: will the UK find itself negotiating its own form of Privacy Shield to ensure EU adequacy?

Even so, Privacy Shield will be a valid mechanism for transfers to the US. American companies may begin to self-certify with the US Commerce Department from 1 August, and we expect many large US vendors to take up this option. Microsoft has concluded on its official blog that Privacy Shield “meets each of [the] requirements…of… European data protection law”.


What does BREXIT mean for data protection?

On 23 June 2016, the UK is holding a referendum as to whether to stay in the European Union or leave it. But what does a BREXIT (a British Exit from the EU) mean for data protection?

Most UK data protection law comes from the EU. The UK Data Protection Act 1998 and the Privacy and Electronic Communications Regulations both implement overarching EU law. So you might think a BREXIT would be like “unplugging” the source of data privacy law and therefore switching it off. But UK data protection law in fact pre-dates the European data protection directives: the UK was a signatory to the 1981 Convention (Council of Europe Convention 108, the forerunner of modern data protection law). Enough history!

What could happen in theory?

The UK Parliament could water down (or repeal) the Data Protection Act. The courts could decide to no longer follow EU case law. Most importantly, the UK could choose not to implement the General Data Protection Regulation (GDPR). This, as we all know, is a wholesale upgrade to EU data protection law: GDPR introduces penalties of up to 4% of worldwide turnover, new legal duties to notify data breaches, and a requirement to implement an accountability framework of policies and procedures.

What will happen in practice?

The UK could leave the EU and join the European Economic Area. In this case, it would be legally obliged to maintain data protection law on an equivalent footing to the EU. So all the current law would stay. GDPR would also be a requirement.

Theoretically, the UK could go it alone. However, this would make it a non-adequate jurisdiction for international data transfers, meaning it could not receive personal data freely from the EU. It could ask the EU for an “adequacy decision”, but it’s anyone’s guess how long that would take, and it could be a difficult negotiation (think of the recent story of Snowden, Schrems and the proposed Privacy Shield, which is still being worked on).

No doubt there would be huge pressure on the UK to fall into line (dare I say it) with EU-style data protection law anyway. Otherwise, this could be a significant drag on international trade.

Finally, there is the practical argument that we actually need data protection law to underpin consumer trust in the digital economy. So let’s not trash it.

For what it’s worth, the ICO says the UK needs clear and effective data protection law regardless of whether it remains in the EU. They don’t expect to be packing their bags.

Whatever the uncertainty on a possible UK exit, the issue will, at least, be resolved in a little over 7 days.


GDPR APPROVED

The General Data Protection Regulation (GDPR) was approved by the European Parliament today. Parliament made no amendments or proposals to the Council’s final text, which was published last week.

A very happy Jan Philipp Albrecht declared this vote as a “huge step forward” for the fundamental rights of individuals in the new digital economy.

So what’s next: there is one final (small) administrative hurdle before the GDPR takes effect. The text must be published in the Official Journal, and the Regulation enters into force twenty days after publication. That triggers the two-year “transition” period, so the new rules will actually apply from around mid-2018.

The final text can be found here.
