On 12 July 2016, the European Commission issued its much awaited “adequacy decision” concerning the Privacy Shield framework for the transfer of personal data from the EU to the U.S. This adequacy decision is based on the latest version of the Privacy Shield, which was further negotiated and revised following the Article 29 Working Party’s April 2016 concerns with the terms of the original Privacy Shield framework. Many of our clients have questions about Privacy Shield—what it is, when it will be available for use, and how it differs from other data transfer mechanisms, among others. We have prepared blog post to answer these questions about the updated version of Privacy Shield and its implications for companies engaging in trans-Atlantic data flows.
The European Commission has actively promoted the importance of mHealth following their 2014 consultation. One of the initiatives to emerge from the Commission has been the Privacy Code of Conduct for mHealth apps. The Code was drafted by a working group set up in January this year and the final draft was published on 7th June and submitted to the Article 29 Working Party for their consideration and approval. If and when it receives the Working Party’s approval it could then be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation.
One of Harry Houdini’s most difficult tricks consisted of escaping from a nail-fastened and rope-bound wooden crate with manacles on his hands and feet, while submerged in New York’s East River. That feat is starting to look straightforward when compared to the prospect of lawfully exporting personal data out of the European Union. The restrictions on transfers of data to jurisdictions that do not provide an adequate level of protection have been in place for more than 20 years. And while these restrictions have not prevented the development of the digital economy, judging by this issue’s current direction of travel, we could be facing a situation from which not even the great Houdini could escape.
Unveiled February 29, 2016, the new EU-U.S. Privacy Shield attempts to address the shortcomings of the Safe Harbor arrangement identified originally by the European Commission and later by the Court of Justice of the European Union in its Schrems decision. The Privacy Shield proposes improved data protection principles, better enforcement by the US Department of Commerce and the Federal Trade Commission, redress mechanisms for EU citizens, and safeguards surrounding law enforcement and intelligence activities. The European Parliament adopted a resolution on May 26, 2016 praising the progress made, but highlighting shortcomings in the Privacy Shield as presented in February 2016. Now that the Irish Data Protection Controller has referred another data transfer mechanism known as Standard Contractual Clauses to the courts for review of their adequacy, greater focus will be placed on whether the criticisms of Privacy Shield are well founded.
On 12 April 2016, the European Commission launched a public consultation on the ePrivacy Directive. Interested parties who wish to participate have until 5 July 2016 to submit responses to the Commission’s 33 questions.
From the moment that the Chairman of the Article 29 Working Party, Isabelle Falque-Pierrotin, announced at a press conference on 3rd February this year that the Working Party would assess the standing of the EU-US Privacy Shield under EU law, privacy professionals have been waiting to see what the Working Party’s view would be. Earlier this week, on 13th April, the Working Party provided their initial opinion. On the one hand, the Working Party welcomed the significant improvements of the Privacy Shield as a positive step forward. Yet, on the other hand, the Working Party set out their strong concerns on the commercial aspects of the Privacy Shield and the ability for US public authorities to access data transferred under the Privacy Shield. The opinion concluded by urging the European Commission to resolve these concerns and improve the Privacy Shield.
The February 29, 2016 announcement of the new EU-U.S. data transfer framework—the Privacy Shield—was accompanied by over 130 pages of documentation and significantly more operational details than its predecessor, Safe Harbor. We have reviewed the Privacy Shield materials and published a comprehensive breakdown of the changes from Safe Harbor to Privacy Shield and the practical impact on business: Inside the New and Improved EU-U.S. Data Transfer Framework.
On February 29, 2016 and after more than two years of negotiations with the U.S. Department of Commerce, the European Commission released its draft Decision on the adequacy of the new EU–U.S. Privacy Shield program, accompanied by new information on how the Program will work. The Privacy Shield documentation is significantly more detailed than that associated with its predecessor, the EU-U.S. Safe Harbor, as it describes more specifically the measures that organizations wishing to use the Privacy Shield must implement. Importantly, the Privacy Shield provides for additional transparency and processes associated with U.S. government access to the personal data of EU individuals.
Connected cars can generate large volumes of data, including data on engine performance, location, and driver behaviour. The European Commission has convened multi-stakeholder groups to figure out how to organize access to that data in a safe, competitively neutral, and privacy-friendly way. Two recent reports shed light on the principles under consideration for data sharing infrastructures in the EU. And legislative and regulatory developments in the EU will likely have a substantial impact on connected car deployments.
The roller coaster of developments affecting the Safe Harbor framework shows no signs of slowing down. It has taken a couple of years since Edward Snowden’s revelations for the train to reach to its highest point, but once the European Court of Justice ruled on the Schrems case, we knew it would be a bumpy ride. In the past weeks, most of the attention has focused on the EU data protection authorities, which are now more emboldened than ever and keen to capitalize on the ECJ’s decision to tighten the regime affecting international dataflows. The European Commission’s communication of 6 November to the European Parliament and the Council of the EU, coupled with its practical guidance, represents yet another turn in this uncertain journey. At the same time, the Commission’s intervention is helpful in terms of the decision-making process that many organisations—for which transatlantic transfers are vital—are trying to grapple with.
On November 6, 2015, the European Commission issued its widely anticipated Communication to the European Parliament and Council about the effect of the Court of Justice of the European Union’s Schrems decision, which invalidated the U.S.-EU Safe Harbor framework. The Commission expresses a commitment to negotiate with the U.S. Government a new framework for cross-border transfers of personal data. The Commission also emphasizes that the Communication does not have binding legal effect, but concludes that companies should rely on “alternative tools” for authorizing data flows to third countries like the United States.
On 6 October 2015, the Court of Justice of the European Union declared the EU-US Safe Harbor framework invalid as a mechanism to legitimize transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful. In this post, we outline the effects of the decision and a suggested plan of action, and include details for a webinar we will be hosting on Wednesday, 7 October to discuss the next steps that organisations should take.
It’s been a long way and the task is not over yet. However, there is light at the end of the EU data protection reform tunnel. The modernisation of European privacy laws has reached a critical milestone and we can now safely assume that this process will culminate in a radical new framework in a matter of months. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
The European Union’s executive branch has a brand new engine. Following the European Parliament’s election earlier this year and after months of political manoeuvring, a new European Commission is now in place and fully operational. The Commission’s functions remain as they were but under a revised structure of one president – Jean-Claude Juncker – seven vice-presidents responsible for designated policy areas and 20 commissioners. As the main policy making body in the European Union, the Commission continues to be in charge of pushing forward the ongoing data protection legislative reform that will lead to a new legal framework for privacy across the EU.
Assuming a fair amount of hard work and that the EU institutions are able to put their political skills to good use, 2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years. It was in 2010 when the European Commission formally acknowledged that the 1995 Data Protection Directive was ready for a makeover to address the privacy and data protection needs of the 21 century. Since then, stakeholders covering a whole spectrum of views have participated in a process that is approaching a decisive stage. In early 2014, the European Parliament came forward with a bold proposal to amend the Commission’s original draft and put the ball firmly in the Council of the EU’s court. As the Council finalises its own proposal, a picture of what the new framework will look like is starting to emerge.
In a new turn to the Maximilian Schrems case in Ireland, the Irish High Court on 18 June 2014 decided to refer several questions to the European Court of Justice, including whether national data protection authorities in Europe may disregard the Safe Harbor decision of the European Commission when assessing whether the U.S. recipient of data ensures an adequate level of data protection required under EU law. Depending on the outcome of the case, European and U.S. companies may not be able to rely on Safe Harbor to legitimise cross-border data transfers in the future.
On 12 March 2014, the European Parliament voted overwhelmingly in favour of the European Commission’s data protection reform with 621 votes for, 10 against, and 22 abstentions for the proposed General Data Protection Regulation. The vote is significant because it confirms the approval of the European Parliament, one of the required participants in the s0-calle “trilogue” process along with the Commission and the Council, which will not change even if the composition of the Parliament changes following the European elections in May.
On November 27, the European Commission released a strategy memo on rebuilding trust in the mechanisms allowing data to flow from the European Union (“EU”) to the United States. The Commission recognizes that EU-U.S. data flows are essential to the strategic and economic partnerships between the two markets. However, revelations about U.S. surveillance programs have, according to the Commission, caused EU Member States and citizens to believe that the current data transfer mechanisms do not provide adequate protections for personal data. To address those concerns and rebuild trust in transatlantic data flows, the Commission recommends six initiatives, including specific recommendations for reforming the U.S. privacy framework. Of particular note, the Commission identified several shortcomings with the EU-U.S. Safe Harbor framework and offered 13 recommendations for reform. And the Commission once again calls on the United States to adopt comprehensive privacy legislation.
Price discrimination based on tracking of Internet Protocol addresses – numerical identifiers assigned to devices that are connected to the Internet – was in the news again this week after a Belgian Member of the European Parliament, Marc Tarabella, called for action from the European Commission to investigate the practice.
The legislative process for the European Commission’s (EC’s) proposed Data Protection Regulation is heating up. The European Parliament’s lead committee on the EU’s draft Data Protection Regulation has received more than 3,000 proposed amendments to the reform measure. As a result, the committee has moved its vote on the Regulation from April to the end of May. Some of the 3,000 amendments were submitted last week by Parliament’s Legal Affairs Committee (JURI), which has adopted an opinion generally supporting the proposed Regulation. Viviane Reding, Vice-President of the EC and EU Justice Commissioner, said that JURI’s adoption of the proposed Regulation brings the EU “another step towards the swift adoption of modern data protection reform in Europe.” In an unrelated announcement, the French Minister of Justice stated that France “actively supports” the proposed Regulation, including its provision on the right to be forgotten. The Minister said that France will be vigilant that the Regulation will “not introduce a step backwards” from current French law.
The German publication, Zeitschrift fur Datenschutz, has just published a piece authored by Christopher Wolf, director of the global Privacy and Information Management practice, entitled “A Critical Time for the EU Data Protection Regulation.” The article highlights issues that have been raised about the proposed Regulation, described as “real and substantial.” The point of the piece is […]
Jan Philipp Albrecht, the rapporteur to the European Parliament for the proposed EU Data Protection Regulation, has set forth a draft calendar that indicates how long debate over the Regulation may last. It is anticipated that by summer 2013 the Regulation should be ready for trilogue with the Council and Commission, and that the Regulation shall be put to a vote in the plenary session of the European Parliament in early 2014.
Hogan Lovells partners Quentin Archer, Roger Tym and Winston Maxwell hosted a London workshop on February 29, 2012 aimed at collecting comments for the UK Ministry of Justice’s public consultation on the proposed EU privacy Regulation. Workshop participants commented on the right to be forgotten, data portability, the accountability principle, data breach notifications, proposed requirements for consent, fining powers, and the “one-stop-shop” principle.
Despite rumors of delay, the formal announcement of a proposed comprehensive reform of the data protection framework in the European Union is now set for this Wednesday, January 25 at 12:30 CET (6:30 AM EST). This blog entry contains a link to the videostream of the announcement, as well as a synopsis and link to a video of a speech on Saturday by EU Justice Vice-President Viviene Reding. The Commission’s Data Privacy Day video on personal responsibility to protect privacy also is linked to.