The EU-U.S. Privacy Shield has been formally adopted by the European Commission, enabling U.S. companies that sign up to the framework to receive personal data from the EU. The new deal replaces the previous Safe Harbor framework, which was invalidated by the Court of Justice of the European Union (CJEU) last October.

The new framework

On July 12, 2016, the European Commission adopted its long-awaited decision recognizing the U.S. Privacy Shield as providing adequate protection for personal data of EU citizens transferred to the United States. The Privacy Shield is a set of rules and commitments issued primarily by the U.S. Department of Commerce (DOC) and the State Department. This new framework will become operational on August 1, 2016.

It replaces the Safe Harbor, an earlier scheme that the European Commission had considered to provide adequate protection to personal data transferred to the United States and that many operators relied on to transfer data across the Atlantic. The Commission decision recognizing Safe Harbor as providing adequate protection was declared invalid on October 6, 2015 by the Court of Justice of the European Union (the highest court of the EU) in the Schrems case.

The Court of Justice annulled the Safe Harbor decision on the ground that Safe Harbor did not provide “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.” More specifically, the Court of Justice took issue with the fact that companies subscribing to the Safe Harbor and receiving personal data from the EU were bound to disregard the Safe Harbor principles whenever those principles conflicted with U.S. national security, public interest, or law enforcement requirements, without any limitation. It also criticized the fact that there was no rule or procedure to limit interferences with fundamental rights and freedoms of EU data subjects to what is strictly necessary for national security, public interest, or law enforcement; and no procedures to enable data subjects to exercise their right to know what data relating to them is being processed, and to have that data corrected or erased.

The Privacy Shield was negotiated between the European Commission and the U.S. authorities in order to reintroduce a scheme facilitating the transfer of personal data from the EU to the U.S., which businesses need, while at the same time addressing the concerns of the Court of Justice, which was necessary in order for the new scheme to withstand legal challenge. Before being formally adopted by the Commission, the new scheme was submitted to the data protection authorities of the EU’s member states, which approved it on July 8th.

The Privacy Shield introduces significant changes to the defunct Safe Harbor. It imposes new obligations on the companies in the US receiving and processing personal data, in particular by restricting the onward transfer of personal data to third parties and by explicitly requiring companies to delete data once the purpose for which it was obtained expires.

Effective enforcement of EU data protection principles is ensured through regular reviews by the DOC of how companies subscribing to the Privacy Shield actually comply with the rules and by more effective supervision mechanisms. Data subjects will also have the opportunity to file complaints with their home data protection authority in the EU, which will then forward them to the DOC or the International Trade Commission in the US for proper resolution. If this fails, disputes will be resolved through a binding arbitration mechanism (the Privacy Shield Panel).

The Privacy Shield also sets out limits on the bulk processing of personal data by the US authorities for intelligence and law enforcement purposes. Complaints of EU data subjects will be handled by an Ombudsman in the State Department, independent from the US intelligence services.

For more information about the Privacy Shield, see the Commission’s press release here, or feel free to contact our data protection team.

Following twenty-seven EU and U.S. non-profit organizations in their letter of March 16, the Article 29 Working Party (WP29) in its opinion n° 01/2016 of April 13 and the EU Parliament in its resolution of May 26, it is now the turn of the European Data Protection Supervisor (EDPS) to express, in its opinion

Since the 2013 revelations about U.S. mass surveillance, transfers of personal data between the EU and the U.S. have encountered regular legal threats: cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) in the Schrems case in October 2015, serious criticism from some EU institutions and national data protection

Effective immediately, most UK companies, Societates Europaeae and UK Limited Liability Partnerships (LLPs) are required to maintain a register of People with Significant Control (“PSC Register”). Set out below is a brief summary of some of the requirements. The rules are complex, and you should take immediate steps to seek appropriate advice and put in

This April 13, the Article 29 Working Party (WP 29, which includes the EU national data protection authorities) expressed its concerns regarding the Privacy Shield during a press conference. The WP 29 will publish its detailed written position at a future date. In short, WP 29 considers, among other things, that:

  • the draft Privacy

Only a few weeks ago, EU Competition Commissioner Vestager said in a speech, “We continue to look carefully at this issue, but we haven’t found a competition [antitrust] problem yet” (see here).  She was referring to antitrust issues arising out of big data, in her words “the huge collections of information that companies can use to understand their environment in a way they never could before.”

Finally, there is a case, not from the European Commission (EC; Vestager’s fiefdom, which deals with antitrust issues EU-wide), but from the German antitrust regulator, the Bundeskartellamt or BKA.  The BKA, perhaps emboldened by representing the EU’s largest economy, is known for pushing the boundaries of antitrust enforcement, so the source is perhaps not too surprising. The target is also not particularly surprising; a large U.S. technology company, Facebook.  However, the type of case, based on infringement of the data protection rules as opposed to “big data” per se, is more surprising.

The BKA, which applies EU and German competition law, announced its investigation into Facebook on March 2, 2016, via a press release (see here). The BKA is investigating suspicions that, due to its terms and conditions (Ts & Cs) relating to users’ data, Facebook has abused its (possibly) dominant position in the market for social networks.

The BKA’s initial view is that certain of the Ts & Cs violate EU data protection rules. It points out that, while not every infringement of the law on the part of a dominant company is also relevant under competition/antitrust law in the EU and Germany, in this case Facebook’s use of unlawful Ts & Cs could represent an abusive imposition of unfair conditions on users.

The imposition of unfair trading conditions is a well-established example of the abuse of a dominant position under EU and therefore German antitrust law. (Indeed, the basic EU Treaty provision on abuse of dominance refers to this as an example of a prohibited activity.)

But is Facebook dominant (in a relevant market or markets in the EU and/or Germany) in the first place?  Absent this, there can be no abuse and therefore no antitrust infringement as a result of the alleged activity.

On this issue, the BKA stated that it “has indications” that Facebook has a dominant market position in a market for social networks.  This may be difficult for the BKA to establish.  In the EU merger case Facebook/WhatsApp (see here), the EC considered the market for social networking services and left open the boundaries of what is included within this.

However, the EC still analyzed this market and concluded that Facebook faced plenty of competition, stating, “A large number of companies offer online services which include a social networking functionality …. The results of the market investigation indicate that the companies which are most clearly perceived by respondents as providers of social networking services are Facebook, Google+, LinkedIn, Twitter and MySpace.”

Assuming the BKA can show dominance, what about part two of the analysis (i.e., assuming Facebook is dominant, what exactly is the alleged abuse)? 