On 7 February 2019, the German competition law regulator, the Federal Cartel Office (FCO), concluded a lengthy investigation into Facebook.  It found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

The FCO’s probe into Facebook is one of the first cases in the EU concerning the intersection between the EU’s new data privacy laws (contained in the General Data Protection Regulation or GDPR) and competition law. The abuse finding under German competition law (which is broadly the same as the pan-EU competition law in this regard) relied on what was, according to the FCO, a breach of EU data protection law. Continue Reading Federal Cartel Office vs. Facebook: When Data Privacy and Competition Law Collide

The General Data Protection Regulation (GDPR) imposes strict obligations upon organizations that process the “personal data” of European individuals. Failure to comply with GDPR can result in large fines. The UK’s Information Commissioner’s Office (ICO), in recent months, issued a number of fines of £500,000 on global businesses with household names, and such fines have generated a lot of publicity. Many onlookers would be shocked by the magnitude of those fines but may not have appreciated that they were imposed under the Data Protection Act 1998, which was in force when the offending breaches occurred. Had the breaches taken place after May 25th of this year, when the GDPR took effect, those fines would more than likely have been significantly higher.

Businesses have therefore invested significant resources and money to make sure that they do not fall foul of the obligations imposed by the GDPR. Yet, within less than a year of the GDPR becoming binding law, those same businesses face further disruption as Brexit looms. Continue Reading Implications of Brexit on GDPR

The General Data Protection Regulation (GDPR) is now in effect.  On the 25th of May, the day the GDPR took effect, Commissioner Jourová made a speech, in Brussels, at the General Data Protection Regulation conference to mark the beginning of a new chapter in data protection’s history in the EU. In her speech, the Commissioner recalled that data protection is of vital importance for EU citizens as personal data protection is a fundamental right in the EU and that this matter is also crucial for businesses as personal data protection is an issue for trust in the digital market.

However, some EU countries, including Belgium, Greece and Hungary for example, missed the May 25th deadline and are not ready to fully enforce the GDPR. This creates legal uncertainty for both citizens and companies.

Continue Reading EU Countries that missed the GDPR deadline could face court

The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, which is a gathering of all EU national data protection authorities) made in its opinion of November 28, 2017 to increase the level of personal data protection provided by the Privacy Shield framework. As they announced in this opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before courts. Such a cancellation could lead to certified U.S. companies losing their certification (2,400 companies, including web giants and major cloud providers), having to freeze data flows and implementing other legal mechanisms allowing them to import personal data from the EU.

It should be noted that the EU and U.S. authorities negotiated the Privacy Shield under a perspective that was more in line with Directive 95/46 (the main data protection applicable instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal this Directive and increase the level of protection of personal data from May 25, 2018, and the WP29 will plan to prepare businesses for it.

In its report, the WP29 focuses on guarantees of enforcement and efficiency. Continue Reading The WP29 Issues an Ultimatum to Improve the Privacy Shield

On September 15, 2017, the Trump White House released a Press Release regarding the EU-U.S. Privacy Shield—reiterating that they “firmly believe that the upcoming review [of the EU-U.S. Privacy Shield] will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic.”

The first alliance of its kind, the E.U.-U.S. Privacy Shield provides a framework for the exchange of consumer personal data between the United States and countries in the European Union. Established in 2016, one of the purposes was to enable U.S. companies to more efficiently receive data from countries in the EU while staying compliant with privacy laws that protect EU citizens.  The agreement also allows companies to store EU citizens’ personal data on U.S. servers.

The “upcoming review” referenced in the White House Press Release refers to the first annual review of the Privacy Shield since its adoption, with both EU and U.S. officials stating their support for the alliance in a joint statement released September 21, 2017.  According to this statement, over 2,400 organizations have jointed the Privacy Shield since the program’s inception a year ago.  The U.S. and EU both declared a “share[d] . . . interest in the Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”

But what good is an agreement without any bite for potential violators? The Federal Trade Commission (FTC) recently signaled that it fully intended to keep companies accountable for potential violations of the EU-U.S. Privacy Shield.

According to an FTC Press Release dated September 8, 2017, three U.S. Companies agreed to settle FTC charges that they “misled consumers about their participation” in the EU-U.S. Privacy Shield. The FTC alleged that these companies violated the FTC Act by “falsely claiming that they were certified to participate in the EU-U.S. Privacy Shield” when they had all “failed to complete the certification process for the Privacy Shield.” Acting FTC Chairman Maureen K. Ohlhausen warned companies that these “actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce.” Notably, these enforcement actions are the first cases the FTC has brought to enforce the Privacy Shield.

Moving forward, companies should carefully assess whether they have completed the steps and certification necessary to make certain representations about participation in the EU-U.S. Privacy Shield—as both the FTC and the current White House administration fully intend on continuing to “demonstrate the strength of the American promise” to pull their weight in the alliance.

Between the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) and the adoption of the Privacy Shield, a number of data exporters have relied on the Standard Contractual Clauses (SCC) as the safest export tool to transfer personal data from the EU to the U.S. But as announced in our previous blog posts, the validity of the SCC and the Privacy Shield had to pass the EU legal test as regard to the fundamental right to data protection.

Indeed, while the Privacy Shield is facing an action for annulment brought by Digital Right Ireland to the CJEU, it is now the turn of the SCC to be examined in the context of a request filed by Maximilian Schrems against Facebook Ireland Limited to the Irish data protection authority (DPA). This last case has been submitted by the DPA to the Irish High Court, which is now assessing the opportunity to refer the question to the CJEU.

On May 24, 2016, the Irish DPA issued a draft decision summarizing its concerns about the validity of the SCC. It is worth noting that this was a turning point for the Irish DPA: the former Irish Commissioner, Billy Hawkes, defended the Safe Harbor against Maximilian Schrems and some other DPAs, whereas the new Irish Commissioner Helen Dixon basically defends the opposite, despite some improvements in U.S. laws and the SCC that occurred after the cancellation of the Safe Harbor. This might be the sign of an evolution due to the entry into force of the EU General Data Protection Regulation, the new strong and unified piece of data protection legislation that will apply from May 2018.

The main concern of the Irish DPA about the use of the SCC is the absence of an effective court’s remedy in the U.S. legislation for EU citizens to enforce their right to data protection where it might be a risk that personal data is processed by U.S. State agencies for national security purposes. Indeed, even if an EU citizen meets the criteria for a remedy against surveillance under the U.S. Foreign Intelligence Security Act, it appears on foot of the U.S. court’s decisions they cannot sue the U.S. government.

Concerning the Privacy Shield, it is too soon to know if it will survive the new U.S. political era. As observed with the dead Safe Harbor, strong voices start to express themselves opposing the industry and the EU and U.S. Privacy Shield negotiators (pro) to the EU civil society and some members of the EU Parliament and DPAs (contra).

The key issue finally lies in the ability for the U.S. legislation to grant data subjects with enforceable data protection rights that EU authorities and courts would find at least equivalent to those granted by the EU. The two above-mentioned legal cases, as well as the economic stakes of EU-U.S. data flows should put a strong pressure on U.S. government to provide additional guarantees.

For more information on the future of the Privacy Shield and SCC, please refer to the following prior Password Protected blog posts:

Expected Soon: Modifications of the Standard Contractual Clauses

Is the Privacy Shield Viable? Article 29 Working Party Proposes to Wait for Its Final Verdict

New Threat to Transatlantic Personal Data Transfers: Possible Invalidation of Standard Contractual Clauses

WP 29 Expresses Concerns About EU-U.S. Privacy Shield

After its first draft of February 29, 2016, the European Commission adopted the EU-U.S. Privacy Shield adequacy decision on July 12, 2016.  The first draft was adopted after the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) on October 15, 2015 (Schrems case). A new adequacy decision was therefore highly welcome to allow the tens of thousands of U.S. and EU companies that rely on Safe Harbor to transfer personal data across the Atlantic. After the first draft of the adequacy decision, several EU institutions addressed numerous concerns regarding this first draft. First, on April 13, 2016, Article 29 Working Party (WP 29), released an  opinion, noting the Privacy Shield offers major improvementscompared to the invalidated Safe Harbor decisionbut, at the same time, urged the European Commission to resolve all concerns expressed by WP 29 in order to ensure that the protection to be offered by the Privacy Shield is indeed essentially equivalent to that of the EU. This opinion was followed on May 26, 2016 by a resolution of the EU parliament where it also expressed several concerns about the proposed Privacy Shield.  Finally, on May 30, 2016 the European Data Protection Supervisor (EDPS) published its opinion where, although it “welcomed the efforts shown by the parties to find a solution for transfers of personal data”, EDPS added that “robust improvements” were needed “in order to achieve a solid framework, stable in the long term”.

The EU-U.S. Privacy Shield adequacy decision adopted on July 12, 2016 by the European Commission was supposed to cure all the concerns expressed after the first draft. The surprise is of course that WP 29’s press release of July 26, 2016 does not consider that the improvements brought by the EU Commission and the U.S. authorities to the proposal of Privacy Shield adequately respond to the concerns expressed.  For instance, WP 29 regrets:

  • The lack of specific rules on automated decisions and of a general right to object;
  • That it remains unclear how the Privacy Shield Principles will apply to processors;
  • The lack of concrete assurance that bulk collection of personal data will not again happen, despite the commitment of the U.S. Office of the Director of National Intelligence (ODNI);
  • The lack of strict guarantees concerning the independence and the powers of the Ombudsmen in case of conflict caused by access by U.S. public authorities to personal data.

After expressing these criticisms, WP 29 proposes however to decide on the viability of the Privacy Shield after the first annual review of the framework that will take place in May 2017. In other words, WP 29 will not push for a legal challenge of the Privacy Shield before the first review.  This said, even though the timing proposed by WP 29 seems practicable, in case of action by data subjects of privacy activists, the “wait and see” attitude of WP 29 will probably be difficult to maintain. Finally, the position of WP 29 seems very practical.  Indeed, it is difficult to assess the adequacy of the Privacy Shield because it is mainly based on commitments taken from letters by different U.S. heads of administrative bodies and among others the ODNI. This meets one of the very general remarks expressed by the EDPS in its May 30, 2016 opinion, which called for longer term solutions” “with more robust stable legal frameworks to boost transatlantic relations”. The nearly one year deadline given by WP 29 is probably the opportunity to reach robust stable legal frameworks not only for the Privacy Shield, but also for Standard Contractual Clauses and Binding Corporate rules when they relates to transfers of personal data to the U.S.

Continue Reading Is the Privacy Shield Viable? Article 29 Working Party Proposes to Wait for Its Final Verdict

While we wait to see what the BREXIT result will mean for the UK’s data protection regime, it is important to recognize that the result will not change anything immediately. The exact nature of the post-BREXIT UK-EU relationship will influence any UK data protection reform, and it is highly likely that the UK will continue to be heavily influenced by EU laws. Indeed, the UK’s data protection authority (the ICO) has emphasized that “international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”

So what should you be doing now?

Prepare for the GDPR and changes to UK data protection laws

Data controllers established in the UK processing personal data in the context of that establishment are currently subject to the UK’s Data Protection Act (DPA). Once the EU’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, the UK will still be a member of the EU and so the GDPR will automatically replace the DPA. UK companies will then need to comply with the new regime until BREXIT occurs. Following that, the GDPR will fall away but we do not yet know what form any replacement legislation will take.  If the UK wants to continue trading with other EU Member States, it will likely need to adopt legislation similar to the GDPR (see further below). With this in mind, businesses should continue with their GDPR compliance preparations.

In addition, the GDPR will not only apply to businesses established in the EU, but it will also apply to businesses outside the EU that processes personal data of EU citizens, either by offering services or goods or from monitoring behavior. Therefore, following BREXIT, the GDPR will still apply to UK based businesses trading with the EU or targeting EU citizens. Such businesses therefore should continue their GDPR compliance efforts.

Consider where personal data is processed and transferred

EU data protection laws prohibit transfers of personal data to countries outside the European Economic Area (EEA), unless they have been recognized as providing “adequate protection” to personal data. Companies need to consider whether they receive data in the UK from global regions which are currently compliant based on the UK being within the EU or EEA.  If the UK is not classified as “adequate” post BREXIT, UK companies receiving data from the EEA will need to re-think their data protection compliance strategy and put in place adequate safeguards, such as Model Clauses and Binding Corporate Rules.

In addition, the converse (transfers outside the UK) may also be an issue and so companies should consider whether they send personal data from the UK and what compliance measures they may need to put in place. The new EU/U.S. Privacy Shield is due to be adopted early next week. Following BREXIT, the Privacy Shield will not cover transfers from the UK to the U.S. However, the ICO could approve the Privacy Shield as an adequate means of data transfer from the UK to the U.S., or it could establish a similar framework (e.g. like the U.S.-Swiss Safe Harbor framework).

Determine where the organization’s main EU establishment will be

Some GDPR provisions are dependent on the “main establishment” of a business being in the EU. Once the UK leaves the EU, a company with UK based headquarters will no longer count as the main establishment under the GDPR following BREXIT. This will affect a company’s lead data protection supervisory authority under GDPR for the purpose of enforcement and other reasons such as approval of Binding Corporate Rules.

It is hard to predict at the moment precisely the timing and scope of legal changes to the UK’s data protection regime resulting from BREXIT. We will continue to monitor developments closely and keep you fully informed and the post-BREXIT process unfolds.

SAVE THE DATE McGuireWoods Annual European Data Protection and Security Conference September 27, 2016 London

Learn more about data protection laws in light of BREXIT. The conference is designed for in-house counsel, risk managers, security officers, regulatory and compliance officers, directors, financial officers, information officers, human resource officers and managers of corporations with cross-border operations. A full agenda is under development, but topics and speakers from last year’s event can be viewed here.

Click here to ensure you receive an invitation to our 2016 conference.

Following twenty-seven EU and U.S. non-profit organizations in their letter of March 16, the Article 29 Working Party (WP29) in its opinion n° 01/2016 of April 13 and the EU Parliament in its resolution of May 26, it is now the turn of the European Data Protection Supervisor (EDPS) to express, in its opinion n° 4/2016 of May 30, its concerns about the compliance of the draft adequacy decision on the EU-U.S. Privacy Shield (available here) with the Schrems ruling. As a refresher, this ruling, issued on October 6, 2015 by the EU Court of Justice (CJEU) (C-362/14), invalidated the Safe Harbor framework, which allowed EU companies to transfer personal data to certain self-certified U.S. companies. Since the EDPS is one of the most influential voices on the CJEU regarding data protection matters, this opinion should be carefully considered.

The EU and U.S. negotiators are caught between competing sides. For obvious reasons, industry urges the negotiators to reach an agreement before the end of summer and the U.S. elections. On the other side, the WP29 and the EDPS outline the imperative to meet the requirements resulting from the Schrems ruling by reaching an agreement ensuring “a level of protection of fundamental rights and freedoms that is [not necessarily identical but] essentially equivalent to that guaranteed within the European Union“. The outcome of this negotiation relies on whether U.S. legislation will provide the guarantees of implementation and enforcement of the commitments made under the agreement.

In its opinion, the EDPS targets the lack of precision of certain provisions and recommends strengthening certain principles:

  • Purpose limitation: data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • Data retention: data must not be retained longer than is necessary for the purpose for which it is processed;
  • Automated processing: every person should have the right not to be subject to a decision based solely on automated processing which significantly affects him/her;
  • Onward transfers: those transfers should not enable third parties and foreign importers to circumvent the Privacy Shield framework; and
  • Data subjects’ right: the provisions addressing the right to access and the right to object should be improved.

The EDPS welcomes the efforts towards increased transparency in the information provided on access to data by U.S. authorities. However, according to the EDPS, the Privacy Shield should better specify the notion of “foreign intelligence” and the purposes for which derogations “necessary to meet national security, law enforcement or any public interest requirement” are possible.

The EDPS also recommends improving the redress mechanisms by providing specific commitments that (i) the proposed Ombudsperson will be able to act independently not only from the intelligence community but from any authority, (ii) the requests for information and cooperation from this Ombudsperson will be effectively implemented by all U.S. agencies, (iii) the level of protection of U.S. and non-U.S. data subjects will be identical. The EDPS encourages exploring the possibility of involving EU representatives in the assessment of the oversight system results.

One of the major merits of this opinion is to promote general and long-term objectives that can lead negotiations toward a stable agreement. According to the EDPS:

  • The final adequacy assessment should not only include regulations directly related to the U.S. commitments but all federal and state laws that could allow access for public interest purposes;
  • As required by the CJEU and the WP29, in order to check whether the finding relating to the adequacy decision is still factually justified, the annual joint review of the application of the Privacy Shield should not only include meetings with public and private entities but also “on-the-spot verifications“;
  • Last but not least, the new elements of the General Data Protection Regulation (GDPR), which will replace the current Directive in about two years, should be put on the negotiating table, including the privacy by design and by default principles, data portability and the criteria for future third countries adequacy decisions.

For more information on the Privacy Shield and the GDPR, please refer to the following prior Password Protected blog posts:

New Threat to Transatlantic Personal Data Transfers: Possible Invalidation of Standard Contractual Clauses

New Tough and Harmonized Framework for EU Data Protection

EU-U.S. Privacy Shield: Better or Worse?

Replacing Safe Harbor: EU-U.S. Privacy Shield Announced

U.S. Chamber of Commerce and Business Europe Request Quick, Perennial Safe Harbor Fix

Safe Harbor Invalidated by the CJEU; Are There Other Solutions for Transatlantic Transfers?

Means, Other Than Safe Harbor, of Transferring Personal Data to the U.S. Potentially Vitiated?

CJEU Declares the EU Commission Safe Harbor Decision Invalid

This April 13, the Article 29 Working Party (WP 29, which includes the EU national data protection authorities) expressed its concerns regarding the Privacy Shield during a press conference. The WP 29 will publish its detailed written position at a future date. In short, WP 29 considers, among other things, that:

  • the draft Privacy Shield does not take key data protection principles into account;
  • bulk collection of personal data by U.S. surveillance bodies remains possible; and
  • the independence of the U.S. Ombudsman is not guaranteed.

While recognizing the progress made, compared to the defunct Safe Harbor, the WP 29 invites the EU Commission to resolve all concerns expressed. The EU Commission is not bound by the opinion of WP 29, but failure to address or answer the concerns expressed will certainly weaken the not-yet-born Privacy Shield.

For more information on ex-Safe Harbor and EU-U.S. Privacy Shield, please refer to the following prior Password Protected blog posts:

EU-U.S. Privacy Shield: Better or Worse?

Replacing Safe Harbor: EU-U.S. Privacy Shield Announced

U.S. Chamber of Commerce and Business Europe Request Quick, Perennial Safe Harbor Fix

Safe Harbor Invalidated by the CJEU; Are There Other Solutions for Transatlantic Transfers?

Means, Other Than Safe Harbor, of Transferring Personal Data to the U.S. Potentially Vitiated?

CJEU Declares the EU Commission Safe Harbor Decision Invalid