On 7 February 2019, the German competition law regulator, the Federal Cartel Office (FCO), concluded a lengthy investigation into Facebook.  It found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

The FCO’s probe into Facebook is one of the first cases in the EU concerning the intersection between the EU’s new data privacy laws (contained in the General Data Protection Regulation or GDPR) and competition law. The abuse finding under German competition law (which is broadly the same as the pan-EU competition law in this regard) relied on what was, according to the FCO, a breach of EU data protection law.
Continue Reading

The General Data Protection Regulation (GDPR) imposes strict obligations upon organizations that process the “personal data” of European individuals. Failure to comply with GDPR can result in large fines. The UK’s Information Commissioner’s Office (ICO), in recent months, issued a number of fines of £500,000 on global businesses with household names, and such fines have generated a lot of publicity. Many onlookers would be shocked by the magnitude of those fines but may not have appreciated that they were imposed under the Data Protection Act 1998, which was in force when the offending breaches occurred. Had the breaches taken place after May 25th of this year, when the GDPR took effect, those fines would more than likely have been significantly higher.

Businesses have therefore invested significant resources and money to make sure that they do not fall foul of the obligations imposed by the GDPR. Yet, within less than a year of the GDPR becoming binding law, those same businesses face further disruption as Brexit looms.
Continue Reading

The General Data Protection Regulation (GDPR) is now in effect.  On the 25th of May, the day the GDPR took effect, Commissioner Jourová made a speech, in Brussels, at the General Data Protection Regulation conference to mark the beginning of a new chapter in data protection’s history in the EU. In her speech, the Commissioner recalled that data protection is of vital importance for EU citizens as personal data protection is a fundamental right in the EU and that this matter is also crucial for businesses as personal data protection is an issue for trust in the digital market.

However, some EU countries, including Belgium, Greece and Hungary for example, missed the May 25th deadline and are not ready to fully enforce the GDPR. This creates legal uncertainty for both citizens and companies.


Continue Reading

The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, which is a gathering of all EU national data protection authorities) made in its opinion of November 28, 2017 to increase the level of personal data protection provided by the Privacy Shield framework. As they announced in this opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before courts. Such a cancellation could lead to certified U.S. companies losing their certification (2,400 companies, including web giants and major cloud providers), having to freeze data flows and implementing other legal mechanisms allowing them to import personal data from the EU.

It should be noted that the EU and U.S. authorities negotiated the Privacy Shield under a perspective that was more in line with Directive 95/46 (the main data protection applicable instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal this Directive and increase the level of protection of personal data from May 25, 2018, and the WP29 will plan to prepare businesses for it.

In its report, the WP29 focuses on guarantees of enforcement and efficiency.
Continue Reading

On September 15, 2017, the Trump White House released a Press Release regarding the EU-U.S. Privacy Shield—reiterating that they “firmly believe that the upcoming review [of the EU-U.S. Privacy Shield] will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic.”

The first alliance of

Between the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) and the adoption of the Privacy Shield, a number of data exporters have relied on the Standard Contractual Clauses (SCC) as the safest export tool to transfer personal data from the EU to the U.S. But as announced

After its first draft of February 29, 2016, the European Commission adopted the EU-U.S. Privacy Shield adequacy decision on July 12, 2016.  The first draft was adopted after the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) on October 15, 2015 (Schrems case). A new adequacy decision was therefore highly welcome to allow the tens of thousands of U.S. and EU companies that rely on Safe Harbor to transfer personal data across the Atlantic. After the first draft of the adequacy decision, several EU institutions addressed numerous concerns regarding this first draft. First, on April 13, 2016, Article 29 Working Party (WP 29), released an  opinion, noting the Privacy Shield offers major improvementscompared to the invalidated Safe Harbor decisionbut, at the same time, urged the European Commission to resolve all concerns expressed by WP 29 in order to ensure that the protection to be offered by the Privacy Shield is indeed essentially equivalent to that of the EU. This opinion was followed on May 26, 2016 by a resolution of the EU parliament where it also expressed several concerns about the proposed Privacy Shield.  Finally, on May 30, 2016 the European Data Protection Supervisor (EDPS) published its opinion where, although it “welcomed the efforts shown by the parties to find a solution for transfers of personal data”, EDPS added that “robust improvements” were needed “in order to achieve a solid framework, stable in the long term”.

The EU-U.S. Privacy Shield adequacy decision adopted on July 12, 2016 by the European Commission was supposed to cure all the concerns expressed after the first draft. The surprise is of course that WP 29’s press release of July 26, 2016 does not consider that the improvements brought by the EU Commission and the U.S. authorities to the proposal of Privacy Shield adequately respond to the concerns expressed.  For instance, WP 29 regrets:

  • The lack of specific rules on automated decisions and of a general right to object;
  • That it remains unclear how the Privacy Shield Principles will apply to processors;
  • The lack of concrete assurance that bulk collection of personal data will not again happen, despite the commitment of the U.S. Office of the Director of National Intelligence (ODNI);
  • The lack of strict guarantees concerning the independence and the powers of the Ombudsmen in case of conflict caused by access by U.S. public authorities to personal data.

After expressing these criticisms, WP 29 proposes however to decide on the viability of the Privacy Shield after the first annual review of the framework that will take place in May 2017. In other words, WP 29 will not push for a legal challenge of the Privacy Shield before the first review.  This said, even though the timing proposed by WP 29 seems practicable, in case of action by data subjects of privacy activists, the “wait and see” attitude of WP 29 will probably be difficult to maintain. Finally, the position of WP 29 seems very practical.  Indeed, it is difficult to assess the adequacy of the Privacy Shield because it is mainly based on commitments taken from letters by different U.S. heads of administrative bodies and among others the ODNI. This meets one of the very general remarks expressed by the EDPS in its May 30, 2016 opinion, which called for longer term solutions” “with more robust stable legal frameworks to boost transatlantic relations”. The nearly one year deadline given by WP 29 is probably the opportunity to reach robust stable legal frameworks not only for the Privacy Shield, but also for Standard Contractual Clauses and Binding Corporate rules when they relates to transfers of personal data to the U.S.


Continue Reading

Following twenty-seven EU and U.S. non-profit organizations in their letter of March 16, the Article 29 Working Party (WP29) in its opinion n° 01/2016 of April 13 and the EU Parliament in its resolution of May 26, it is now the turn of the European Data Protection Supervisor (EDPS) to express, in its opinion

This April 13, the Article 29 Working Party (WP 29, which includes the EU national data protection authorities) expressed its concerns regarding the Privacy Shield during a press conference. The WP 29 will publish its detailed written position at a future date. In short, WP 29 considers, among other things, that:

  • the draft Privacy