
Privacy Shield gets approval: certainty at last?

The European Commission yesterday issued an adequacy decision adopting the EU-US Privacy Shield, which replaces Safe Harbor as a framework for protecting European data transferred to the United States. Adoption had been expected since the European Commission announced on Friday that Member States had given their “strong support” to the new framework (although we note that Austria, Bulgaria, Croatia and Slovenia abstained from voting).

Are there any final changes?

There have been some tweaks to the Privacy Shield regime since the draft adequacy decision was issued in February. These include:

  • additional clarifications on the bulk collection of data. In particular, the Office of the Director of National Intelligence has clarified that the bulk collection of EU data can only be used under specific preconditions and must be “as targeted and focused” as possible;
  • introducing more explicit obligations on companies as regards limits on retention and collection of data. Specifically, companies now have to delete data that no longer serves the purpose for which it was collected; and
  • strengthening the Ombudsperson mechanism. In its press release, the Commission makes clear that the Ombudsperson is independent from the US intelligence services.

What were the criticisms?

The changes are intended to address a critique of Privacy Shield issued in April by the European data protection regulators (aka the Article 29 Working Party), which concluded that Privacy Shield – while a huge improvement on Safe Harbor – still did not meet EU privacy standards. This was largely because:

  • massive and indiscriminate data collection by American authorities was still not fully excluded;
  • the Privacy Shield lacked an explicit data retention principle; and
  • the powers and independent position of the Ombudsperson (who deals with national security-related complaints) were not made clear.

What does the future look like for Privacy Shield?

The Commission’s tweaks will address the A29WP’s concerns to some degree, but that mightn’t be enough to keep the privacy wolves at bay.

Privacy Shield may well be subject to a future challenge on the basis of “equivalence” with EU law, and it will almost certainly undergo further A29WP review. Potential issues remain, such as the fact that Privacy Shield (like Safe Harbor) is largely self-certified. Indeed, one of the main privacy advocates in the European Parliament (MEP Jan Philipp Albrecht) commented that the European Commission has “just signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights”. Max Schrems has said he will challenge it.

In the medium term, inconsistencies between Privacy Shield and the upcoming GDPR requirements could also limit Privacy Shield’s shelf life. Therefore, the climate seems ripe for challenge. Max Schrems has also sought to challenge model clauses in an application by the Irish DPA to the Irish High Court.

Privacy observers will also be keeping an eye on how Brexit plays out: will the UK find itself negotiating its own form of Privacy Shield to ensure EU adequacy?

Even so, Privacy Shield will be a valid solution for transfers to the US. American companies may begin to self-certify with the US Commerce Department from 1 August, and we expect to see many large US vendors taking up this option. Microsoft has concluded on its official blog that the Privacy Shield “meets each of [the] requirements…of… European data protection law”.


What does BREXIT mean for data protection?

On 23 June 2016, the UK is holding a referendum as to whether to stay in the European Union or leave it. But what does a BREXIT (a British Exit from the EU) mean for data protection?

Most of the UK law on data protection comes from the EU. The UK Data Protection Act 1998 and the Privacy and Electronic Communications Regulations both implement overarching EU law. So you might think that leaving the EU would be like “unplugging” the source of data privacy law and therefore switching it off. But UK data protection law in fact pre-dates the European data protection directives: the UK was a signatory to the 1981 Convention (the forerunner of modern data protection law). Enough history!

What could happen in theory?

The UK parliament could reduce (or repeal) the Data Protection Act. The Courts could decide to no longer follow EU case law. Most importantly, the UK could choose not to implement the General Data Protection Regulation (GDPR). This, as we all know, is a wholesale upgrade to EU data protection law. GDPR includes new penalties of up to 4% of worldwide turnover, new legal duties to notify of data breaches and requirements to implement an accountability framework of policies and procedures.

What will happen in practice?

The UK could leave the EU and join the European Economic Area. In this case, it would be legally obliged to maintain data protection law on an equivalent footing to the EU. So all the current law would stay. GDPR would also be a requirement.

Theoretically, the UK could go out on its own. However, this would make it a non-adequate jurisdiction for international data transfers, meaning it could not receive personal data freely from the EU. It could ask the EU for an “adequacy decision”, but it’s anyone’s guess how long that would take. It could be a difficult negotiation (…think about the recent story of Snowden, Schrems and the proposed Privacy Shield, which is still being worked on).

No doubt there would be huge pressure on the UK to fall into line (dare I say it) with EU-style data protection law anyway. Otherwise, this could be a significant drag on international trade.

Finally, there is the practical argument that we actually need data protection law to underpin consumer trust in the digital economy. So let’s not trash it.

For what it’s worth, the ICO say that the UK needs clear and effective data protection law regardless of whether it remains in the EU. They don’t expect to be packing their bags.

Whatever the uncertainty on a possible UK exit, the issue will, at least, be resolved in a little over 7 days.


ICO releases 12 step guide on the GDPR

On Monday this week the UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR. The guide was launched as part of the ICO’s annual Data Protection Practitioners’ Conference in Manchester. The ICO also launched a new microsite on the GDPR (see below).

In its accompanying press release, the ICO emphasised that its role is “not just about enforcement and fines” and that the guide would help the ICO to do its work in “guiding organisations who want to make sure they’re following the new rules, and getting it right from the start”. This tallies with the ICO’s message at the conference: it is here to help organisations, but there are steps that can be taken now to start preparing for the implementation of the GDPR.

Here is a summary of what businesses should do:

  • Ensure there is awareness amongst key stakeholders in the organisation that the GDPR represents a major overhaul of data protection law in Europe, and ensure they identify the areas of the GDPR that have the biggest impact on them.
  • Document the personal data they hold, where it came from and with whom they share it. The ICO suggests that this can be done through an information audit – this will be necessary to match the updated subject rights for the “networked world”.
  • Review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • Check existing procedures to ensure that they cover all the rights data subjects now have under the GDPR – both the enhanced rights and the additional right of data portability.
  • Look at the various types of data processing they carry out, identify a legal basis under the GDPR for carrying it out and document it.
  • Ensure processes and procedures are documented, to help demonstrate compliance with the accountability requirements. This may also help a controller to rely on the “manifestly unfounded or excessive” exemption for subject access requests, to readily produce the upgraded form of privacy notice, or to determine the lead supervisory authority.

Interestingly, many of these recommendations will already be in place for those with BCRs or who have done data audits following the recent Safe Harbor and Privacy Shield developments. Clearly, now is the time to get your ‘data privacy’ house in order.

We think that the 12 step guide is a useful starting point for all businesses, especially those small- to medium-sized enterprises who may be intimidated by the (over 200-page) GDPR – it helps put theory into practice and could hint at the ICO’s enforcement focus going forward.

We expect that it will be the first in a set of practical guidance issued by the ICO ahead of the GDPR. Indeed, the ICO has anticipated, in its accompanying blog entry, that over the next few months, it will “…be doing more work to consider the feedback we’ve received and produce a more detailed plan for the guidance, other tools and services we need to develop”. In this way, the ICO seems to be taking a phased and business-friendly approach to the GDPR.

The ICO has also launched a new microsite, dpreform.org.uk, which will be the home for the ICO’s GDPR guidance – a key addition to your “favourites” bar.

It has also invited further feedback about the areas in which advice and guidance are most needed – so get in touch if you have any strong views. Watch this space as we see what else the ICO (and other European regulators) will produce on the GDPR.


The new Polish Surveillance Act – back door for law enforcement

While US mass surveillance is heavily debated across Europe, the new Polish government swiftly moved to adopt a new set of laws which allow Polish law enforcement authorities extensive access to electronic communications. The new law, generally known as the “Surveillance Act”, came into effect on February 7, 2016.

Who is caught by the new rules?

The new law applies mostly to domestic service providers; however, due to the lack of clarity in the provisions, it is still unclear whether foreign service providers will be caught as well. Much will depend on the interpretation adopted by the law enforcement authorities.

Main highlights:

  • The “uniformed” enforcement authorities (e.g. Polish Police, Intelligence Agency, tax intelligence services etc.) will now have increased rights of access to digital data.
  • Their access will only be monitored in limited circumstances by regional courts.
  • Telecom companies, postal operators and e-service providers will be required to provide the data free of charge by establishing and maintaining an “access route”.
  • New rules for handling data containing, or likely to contain, client-attorney privileged content – investigators will now be able to access all such data before the court approves its use in the investigation. This change will make the control exercised by the court an illusion.
  • Surveillance by enforcement authorities can last up to 18 months; during this time the suspect is not aware of the surveillance, neither is he/she informed when the surveillance ends.
  • The issue of encryption is not addressed, so Polish law still allows encryption.

What is the concern?

  • The vast scope of data which may be “covertly” accessed by the Polish authorities. This new law considerably impairs an individual’s ability to protect their private or confidential information, including legally privileged secrets and intellectual property. The amendments provide that the Polish authorities will now have a right to obtain and record, e.g.:
    • Correspondence, including emails (prior court approval is, however, required for emails): this category may include correspondence sent by means of computer applications (e.g. mobile apps) and certain internet portal functionalities (e.g. chat).
    • Data stored on IT systems – it is possible that the Polish authorities may be authorised to use malware installed on users’ devices to systematically access and download data stored in these systems.
    • Data regarding the use of e-services – this includes the user’s full name, PESEL number, residential address, e-mail address, IP address, as well as information on the scope of use of the e-service (i.e. “meta-data”). This raises concerns that use of social media, websites and cloud services will be monitored.

What should you do?

We recommend you take the following action:

  • Introduce a “risk assessment system/process” to evaluate the risk associated with the processing of certain business information, implement or scrutinise your current policies (e.g. information security policies, IT procedures etc.) and revisit contracts with IT solution providers.
  • Consider increasing the level of security of your confidential information by using adequate IT data protection technologies (including data or email message encryption software).
  • When in doubt, consider limiting electronic communications for certain types of data (such as communications with your lawyers) and storing certain categories of documents separately to avoid access.

Challenges?

The Commissioner for Human Rights (Polish Ombudsman) filed a petition to the Constitutional Court to assess the legality of the new law. Until the verdict of the Constitutional Court is issued, this law is deemed to be lawful and binding in Poland.


New German Consumer Action risk; now in force

With the entry into force of the new Unterlassungsklagengesetz (UKlaG) [otherwise known as the “Gesetz zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrecht” / “Act to improve the private enforcement of consumer protection rules of data protection law”] on February 24, 2016, consumer protection and other qualified associations are allowed to send warning letters to, or to sue, companies that breach data protection law. This particularly applies to data processing for advertising, personality profiles, address and data trade, and market and opinion research. It also applies when companies illegally collect and store large amounts of data or do not delete the data after use.

Until now, such associations only had a very limited right of action and could only act when companies had violated the Terms and Conditions (Allgemeine Geschäftsbedingungen). This creates a new German enforcement risk in addition to action by the German DPAs.

The detail

From now on, all data protection regulations that apply to companies when collecting, processing or using personal information of consumers are treated as consumer protection laws (Verbraucherschutzgesetze) by virtue of a new § 2 para. 2 number 11 UKlaG. The aim is to protect consumers better.

Potential associations need to register

Before an association can bring an action, it must meet a number of conditions and needs to be registered with the Federal Office of Justice (§ 3 para. 1 sentence 1 number 1, § 4 UKlaG).

Reactions and possible consequences

German consumer protection associations greeted the new legal instrument as an important improvement of data protection in Germany. The new legal regime is likely to trigger a new wave of warning letters to businesses. Under German law, the recipient of a warning letter has to react to the letter. If it fails to do so, or the reaction is unsatisfactory from the point of view of the sender, interim injunctions and further litigation may be the result.

Further changes

The new law also significantly simplifies the rules for the termination of online contracts. These may be terminated in the same form in which they were concluded, i.e. by a web form or an e-mail. A more formal approach, the so-called written form, may no longer be required in the Terms and Conditions.

So?

German enforcement of DP laws has just become higher risk! Beware the new risk from the German consumer associations.
