The Article 29 Data Protection Working Party (comprising representatives from the data protection regulators in each EU Member State, the European Data Protection Supervisor and the European Commission) has issued an opinion on data processing at work (2/2017) (the Opinion).  The Opinion is not legally binding but it does provide an indication as to how EU data protection regulators will consider and interpret EU data protection law.  The new EU data protection law (the General Data Protection Regulation – or the GDPR) comes into force on 25 May 2018 and will impose significant fines on non-compliant organizations (up to 4% of annual worldwide turnover or €20 million, whichever is higher) in addition to giving individuals more rights with regard to their personal data.  The GDPR does not only apply to EU companies, but can also apply to non-EU based organizations processing EU citizens’ personal data.

The Opinion notes that in light of the increasing amount of personal data that is being processed in the context of an employment relationship, the balance between the legitimate interests of the employer and the privacy rights of the employee becomes ever more important. It provides guidance on a number of specific scenarios including the use of social media during recruitment. Nowadays, employers may be tempted to view job applicants’ social media profiles as part of the recruitment process. However, according to the Opinion, employers may only use social media to find out information about a job applicant where: (a) they have a “legal ground” for doing so; (b) doing so is necessary and relevant for the performance of the position being applied for; (c) the applicant has been informed that their social media profiles will be reviewed; and (d) the employer complies with all of the data protection principles set out in the law.

What steps should your organization take if it wishes to review social media profiles as part of the recruitment process while also complying with the Opinion and EU data protection law?

In June the ICO updated its Subject Access Code of Practice, which gives guidance to data controllers on how to respond to subject access requests from data subjects. The Code itself is not legally binding, but provides advice on good practice to promote compliance with the Data Protection Act 1998 (DPA). With less than a year to go before the introduction of the GDPR, it seems a shame that this revised Code does not address the forthcoming amendments to the law, such as the reduced time limit for responding to a subject access request (which will decrease from the current 40 days to a mere 30). It does, however, make recommendations for more streamlined and user-friendly options for responding and, in addition to helpful notes on how to handle requests and deal with tricky issues, serves as a reminder of the basic entitlements, which are to:

  • Be told whether any personal data is being processed;
  • Receive a description of the personal data, the reasons it is being processed and whether it will be given to any other organizations or people;
  • Receive a copy of the personal data; and
  • Receive details of the source of the data (where available).

For many businesses, subject access requests can be a time-consuming and frustrating aspect of data protection compliance. There is an understandable urge to ignore them, or to provide a minimal response, particularly if the request is made in the context of an existing dispute, or in anticipation of litigation and disclosure/discovery of documents. However, the law states that data controllers must be prepared to make extensive efforts to find and retrieve the information requested in a subject access request, unless it would be unreasonable or would involve disproportionate effort to do so. There is an exemption in the DPA accordingly. This issue has been tentatively raised in the past, but the recent cases of Dawson-Damer[1] and Ittihadieh/Deer and Oxford University[2] (both decisions of the Court of Appeal) have given the ICO the opportunity to provide more clarification on these points:

  1. Disproportionate effort is not defined in the DPA, but there may be cases where the work/expense involved in complying with a request by providing a copy of the information in permanent form exceeds the individual’s right of access to their personal data;
  2. Data controllers can take into account any difficulties in finding the information and complying with the request. (This approach is consistent with the EU concept of proportionality, but the ICO expects data controllers to balance any difficulties with the benefits the information might bring to the data subject);
  3. Data controllers have the burden of proof to show that they have taken all reasonable steps to comply with a subject access request and it would be disproportionate in all the circumstances to take further steps; and
  4. It is good practice to engage with the person making the request, to help reduce the costs and effort involved in searching for the information requested. (If there is a complaint, the data controller’s willingness to engage with the requestor will be considered).

Overall, the ICO expects data controllers to act positively towards those making a subject access request and to have readily accessible systems in place to respond to requests. Those receiving a request should deal with them promptly and fairly from the start. Subject access is a fundamental right and (as noted in the Code) an opportunity to improve customer service and delivery, by increasing levels of trust and confidence, streamlining processes and providing better customer care. These aims are consistent with the GDPR and so even though this Code is not specifically targeted at compliance with the new laws, companies should benefit from its up to date guidance.


[1] Dawson-Damer & Ors v Taylor Wessing LLP [2017] EWCA Civ 74

[2] Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors

The UK government launched its 5-year National Cyber Security Strategy in November 2016, investing a reported £1.9 billion to protect UK businesses from cyber-attacks and make the country the safest place to live and do business online. This strategy has included the opening of the National Cyber Security Centre (part of GCHQ) and the creation of campaigns to support businesses with expert guidance on cyber security, such as Cyber Aware and Cyber Essentials.

More recently, on 19 April, the government produced its report into cyber security breaches, based on a survey of over 1500 UK businesses. According to the government report, just under half of all UK businesses suffered at least one cyber security breach or attack in the last 12 months, yet only 1 in 10 businesses have a cyber security incident management plan in place and only a third have a formal policy that covers cyber security risks. The average cost of a breach is said to be around £20,000, but this is a conservative estimate and for many larger companies the cost is much more, and not only in monetary terms. The risk of negative publicity and damage to reputation remains high, even when security measures are adopted and insurance cover is in place, so it is no wonder that businesses are confused about what to do to protect themselves and the data they hold. The danger is that companies do not sufficiently address the problems, perhaps because it seems impossible to eliminate the threat completely, or because they are put off by scaremongering tactics by InfoSec consultants or cyber insurance brokers.

Cybersecurity should be a priority for company directors. Under the Companies Act 2006, they have a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the performance of their role. Failing to adopt and maintain appropriate security measures to protect personal data and confidential information against cyber-attacks could be considered a breach of these duties and expose the company and individual directors to legal liabilities, including fines and claims for compensation, under data protection legislation and potential action from regulators, such as the ICO or FCA, for businesses in the financial sector.

On May 18, 2017, the European Commission imposed a “proportionate and deterrent” fine of €110 million on Facebook for providing misleading information during the Commission’s investigation under the EU merger control rules of Facebook’s acquisition of WhatsApp. This decision – which it is understood Facebook will not appeal – is an example of the importance that the Commission puts on complying with all aspects of the EU merger rules.  The information at issue concerned how Facebook would be able to use its and WhatsApp’s data.  Although the case did not directly concern the processing or use of data as such, its factual background raises data protection issues and it is notable that similarly high fines will soon be possible under the EU’s General Data Protection Regulation (GDPR) for data protection infringements.

During the acquisition notification procedure in 2014, the Commission had some concerns about Facebook’s ability to establish automated matching between users’ accounts in the two services. Such matching could be a way for Facebook to introduce advertising on WhatsApp and/or to use personal data sourced from WhatsApp to improve its targeting of advertisements. From a competition perspective, this could strengthen Facebook’s position in the online advertising market and hamper competition in such market. From the data protection side, data subjects and data protection authorities should be informed of any such data sharing between Facebook and WhatsApp, as well as possible new processing resulting from that matching.

Facebook informed the Commission that it would be technically impossible to achieve reliable automated matching between Facebook users’ accounts and WhatsApp users’ accounts. However, WhatsApp updated its Terms of Service and Privacy Policy in August 2016, and the update included the possibility of linking WhatsApp users’ phone numbers with Facebook users’ identities. The Commission investigated and found that the technical possibility of this automatic matching of identities existed in 2014, that Facebook staff were aware of this and that Facebook was aware of the relevance of the issue for the Commission’s investigation. Facebook’s answers in 2014 had therefore been incorrect or misleading and a fine was justified.

Separately, in a letter of October 2016, the Article 29 Working Party (WP29, gathering all EU data protection authorities) called into question the validity of the existing WhatsApp users’ consent to this change under data protection rules.  This is because, at the time they signed up, users were not informed that their data was to be shared among the “Facebook family of companies” for marketing and advertising purposes.  The WP29 announced an investigation, urged WhatsApp to communicate all available information on this new data processing and required the company not to proceed with the sharing of users’ data until appropriate legal protections could be assured.

This investigation by the Article 29 Working Party demonstrates once again, against the background of the increased sanctions soon to be introduced under the GDPR, the importance of compliance with data protection law in the EU.  For example, companies engaged in a merger or acquisition should integrate data protection compliance programs (in addition to those covering, at least, general corporate, competition and bribery/corruption matters). Such programs should include at least the following measures:

  • Map and assess the privacy risk involved in the new processing to be carried out in the context of the corporate operation (due diligence audits, international transfers, etc.), as well as the privacy risk involved in the new processing that will be carried out after the operation.
  • To the extent required by law, inform the data subjects (employees, clients, stakeholders, etc.) about those new processing operations and purposes, taking into account confidentiality issues.
  • Take all steps necessary to make the new data processing, data transfers and processing purposes compliant with the various applicable data protection rules.

It has been less than three years since the Court of Justice of the European Union (CJEU) decided that people have the right to have incorrect information about them removed from online search engine results. However, this so-called “right to be forgotten” is not absolute, as confirmed by the CJEU’s most recent ruling last week.

This case concerned an Italian director, Mr. Salvatore Manni, who sought to have his personal details removed from company records in an official public register. He believed that his properties had failed to sell because the companies register showed that he had been an administrator of another company that went bankrupt.

The CJEU held that Mr. Manni could not demand the deletion of his personal data from the official register because the public nature of company registers is intended to ensure legal certainty and to protect the interests of third parties. It was held that this interference with an individual’s fundamental rights to a private life and to the protection of personal data was not disproportionate in the circumstances. This was because company registers only disclose a limited amount of personal data and company executives should be required to disclose data relating to their identity and functions within a company. The CJEU concluded by saying that in specific and exceptional situations, overriding and legitimate reasons may justify limiting the rights of third parties to access such data, and left it up to national courts to determine whether “legitimate and overriding reasons” exist on a case-by-case basis.

This decision echoes the ruling in the 2014 Google Spain Case; the right to be forgotten must be balanced against individuals’ fundamental rights, such as the right of freedom of expression and the public’s right to know information about persons holding key positions within a company. The General Data Protection Regulation (GDPR) which codifies the right to be forgotten also confirms this position. The right to be forgotten allows individuals to request the deletion of personal data in specific circumstances. However, the GDPR contains certain exemptions where companies can refuse to deal with a deletion request, such as where the processing is necessary to exercise the right of freedom of expression, and for archiving purposes in the public interest.

Companies who receive requests by individuals asking that their personal data be deleted will need to determine, on a case-by-case basis, whether or not such data should be erased. Organizations will be required to perform a balancing act against any competing rights when considering such erasure requests.

See also:

UK’s First Ever Right To Be Forgotten Enforcement: Google In the Firing Line Again

The French Data Protection Authority Puts Google On Notice To Delist Domain Names Beyond Site’s EU Extensions

The CJEU’s Google Spain Decision: A Right to be Forgotten Within the Limits of the Freedom of Expression

Costeja’s Revenge: Orders to Delete Accurate Data and the Right to be Forgotten in the EU

A study by the International Association of Privacy Professionals has found that 28,000 data protection officers (DPO) will be needed in the next two years for companies to comply with the EU’s new General Data Protection Regulation (GDPR).  By the time the GDPR comes into force in 2018, in-scope entities will have to have their DPO in place. Competition for DPOs will likely be strong in light of the ongoing shortage of privacy professionals. With this in mind, businesses should start thinking now about how best to recruit, train and resource a DPO and not wait for the GDPR to come into effect.

The GDPR requires data controllers and processors to appoint a DPO when processing is carried out by a public authority or when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”. Even where not required, businesses may voluntarily appoint a DPO. This will not only include EU companies but also companies based in the U.S. and elsewhere who fall within the scope of the GDPR and the DPO requirements.

DPOs must possess “expert knowledge of data protection law and practices”, plus have an understanding of the company’s technical and organizational structure and its IT infrastructure and technology. Key tasks include ensuring regulatory compliance; training staff; coordinating with regulators and understanding applicable data processing risks.

Businesses can either assign this role to an existing or new employee provided that the employee’s other professional duties do not create a conflict with his or her new duties as DPO, or businesses can appoint an external candidate under a service contract. A corporate group may appoint a single DPO provided that the person is “easily accessible” for each entity. This means that the DPO must not only be able to speak the local language but also understand and address differences in data protection laws across the Member States in which the business operates.

DPOs must be independent in the performance of their tasks and are not only responsible for managing data privacy compliance, but also for reporting any non-compliance to the relevant data protection authority. The role, therefore, is one of internal policeman and whistleblower at the same time, which businesses may, at first, find challenging. Breach of the DPO provisions may lead to huge administrative fines (up to the greater of EUR 10,000,000, or up to 2% of an organization’s total worldwide annual turnover of the preceding financial year).

Companies should take steps now to determine whether they are subject to the GDPR and if so, whether a DPO must be appointed. Given the significance of privacy compliance today and the potential new administrative fines, even if a business is not required to appoint a DPO, larger companies that regularly process data may wish to consider appointing one in any event in order to assist with GDPR preparations and demonstrate compliance when the new law comes into effect.

While we wait to see what the BREXIT result will mean for the UK’s data protection regime, it is important to recognize that the result will not change anything immediately. The exact nature of the post-BREXIT UK-EU relationship will influence any UK data protection reform, and it is highly likely that the UK will continue to be heavily influenced by EU laws. Indeed, the UK’s data protection authority (the ICO) has emphasized that “international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”

So what should you be doing now?

Prepare for the GDPR and changes to UK data protection laws

Data controllers established in the UK processing personal data in the context of that establishment are currently subject to the UK’s Data Protection Act (DPA). Once the EU’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, the UK will still be a member of the EU and so the GDPR will automatically replace the DPA. UK companies will then need to comply with the new regime until BREXIT occurs. Following that, the GDPR will fall away but we do not yet know what form any replacement legislation will take.  If the UK wants to continue trading with other EU Member States, it will likely need to adopt legislation similar to the GDPR (see further below). With this in mind, businesses should continue with their GDPR compliance preparations.

In addition, the GDPR will not only apply to businesses established in the EU, but it will also apply to businesses outside the EU that process personal data of EU citizens, either by offering services or goods or by monitoring behavior. Therefore, following BREXIT, the GDPR will still apply to UK based businesses trading with the EU or targeting EU citizens. Such businesses therefore should continue their GDPR compliance efforts.

Consider where personal data is processed and transferred

EU data protection laws prohibit transfers of personal data to countries outside the European Economic Area (EEA), unless they have been recognized as providing “adequate protection” to personal data. Companies need to consider whether they receive data in the UK from global regions which are currently compliant based on the UK being within the EU or EEA.  If the UK is not classified as “adequate” post BREXIT, UK companies receiving data from the EEA will need to re-think their data protection compliance strategy and put in place adequate safeguards, such as Model Clauses and Binding Corporate Rules.

In addition, the converse (transfers outside the UK) may also be an issue and so companies should consider whether they send personal data from the UK and what compliance measures they may need to put in place. The new EU/U.S. Privacy Shield is due to be adopted early next week. Following BREXIT, the Privacy Shield will not cover transfers from the UK to the U.S. However, the ICO could approve the Privacy Shield as an adequate means of data transfer from the UK to the U.S., or it could establish a similar framework (e.g. the U.S.-Swiss Safe Harbor framework).

Determine where the organization’s main EU establishment will be

Some GDPR provisions depend on the “main establishment” of a business being in the EU. Once the UK leaves the EU, a company with UK based headquarters will no longer count as having its main establishment in the EU under the GDPR. This will affect a company’s lead data protection supervisory authority under the GDPR for the purpose of enforcement and for other matters such as approval of Binding Corporate Rules.

It is hard to predict at the moment precisely the timing and scope of legal changes to the UK’s data protection regime resulting from BREXIT. We will continue to monitor developments closely and keep you fully informed as the post-BREXIT process unfolds.

SAVE THE DATE: McGuireWoods Annual European Data Protection and Security Conference, September 27, 2016, London

Learn more about data protection laws in light of BREXIT. The conference is designed for in-house counsel, risk managers, security officers, regulatory and compliance officers, directors, financial officers, information officers, human resource officers and managers of corporations with cross-border operations. A full agenda is under development.

Following twenty-seven EU and U.S. non-profit organizations in their letter of March 16, the Article 29 Working Party (WP29) in its opinion n° 01/2016 of April 13 and the EU Parliament in its resolution of May 26, it is now the turn of the European Data Protection Supervisor (EDPS) to express, in its opinion n° 4/2016 of May 30, its concerns about the compliance of the draft adequacy decision on the EU-U.S. Privacy Shield with the Schrems ruling. As a refresher, this ruling, issued on October 6, 2015 by the EU Court of Justice (CJEU) (C-362/14), invalidated the Safe Harbor framework, which allowed EU companies to transfer personal data to certain self-certified U.S. companies. Since the EDPS is one of the most influential voices before the CJEU regarding data protection matters, this opinion should be carefully considered.

The EU and U.S. negotiators are caught between competing sides. For obvious reasons, industry urges the negotiators to reach an agreement before the end of summer and the U.S. elections. On the other side, the WP29 and the EDPS outline the imperative to meet the requirements resulting from the Schrems ruling by reaching an agreement ensuring “a level of protection of fundamental rights and freedoms that is [not necessarily identical but] essentially equivalent to that guaranteed within the European Union”. The outcome of this negotiation depends on whether U.S. legislation will provide the guarantees of implementation and enforcement of the commitments made under the agreement.

In its opinion, the EDPS targets the lack of precision of certain provisions and recommends strengthening certain principles:

  • Purpose limitation: data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • Data retention: data must not be retained longer than is necessary for the purpose for which it is processed;
  • Automated processing: every person should have the right not to be subject to a decision based solely on automated processing which significantly affects him/her;
  • Onward transfers: those transfers should not enable third parties and foreign importers to circumvent the Privacy Shield framework; and
  • Data subjects’ rights: the provisions addressing the right to access and the right to object should be improved.

The EDPS welcomes the efforts towards increased transparency in the information provided on access to data by U.S. authorities. However, according to the EDPS, the Privacy Shield should better specify the notion of “foreign intelligence” and the purposes for which derogations “necessary to meet national security, law enforcement or any public interest requirement” are possible.

The EDPS also recommends improving the redress mechanisms by providing specific commitments that (i) the proposed Ombudsperson will be able to act independently not only from the intelligence community but from any authority, (ii) the requests for information and cooperation from this Ombudsperson will be effectively implemented by all U.S. agencies, (iii) the level of protection of U.S. and non-U.S. data subjects will be identical. The EDPS encourages exploring the possibility of involving EU representatives in the assessment of the oversight system results.

One of the major merits of this opinion is to promote general and long-term objectives that can lead negotiations toward a stable agreement. According to the EDPS:

  • The final adequacy assessment should not only include regulations directly related to the U.S. commitments but all federal and state laws that could allow access for public interest purposes;
  • As required by the CJEU and the WP29, in order to check whether the finding relating to the adequacy decision is still factually justified, the annual joint review of the application of the Privacy Shield should not only include meetings with public and private entities but also “on-the-spot verifications”;
  • Last but not least, the new elements of the General Data Protection Regulation (GDPR), which will replace the current Directive in about two years, should be put on the negotiating table, including the privacy by design and by default principles, data portability and the criteria for future third countries adequacy decisions.

For more information on the Privacy Shield and the GDPR, please refer to the following prior Password Protected blog posts:

New Threat to Transatlantic Personal Data Transfers: Possible Invalidation of Standard Contractual Clauses

New Tough and Harmonized Framework for EU Data Protection

EU-U.S. Privacy Shield: Better or Worse?

Replacing Safe Harbor: EU-U.S. Privacy Shield Announced

U.S. Chamber of Commerce and Business Europe Request Quick, Perennial Safe Harbor Fix

Safe Harbor Invalidated by the CJEU; Are There Other Solutions for Transatlantic Transfers?

Means, Other Than Safe Harbor, of Transferring Personal Data to the U.S. Potentially Vitiated?

CJEU Declares the EU Commission Safe Harbor Decision Invalid

On April 8, 2016, the Council of the EU adopted the final text of the General Data Protection Regulation (GDPR). On April 14, the EU Parliament approved the Council’s decision. Twenty days after its publication in the Official Journal of the EU, the GDPR will enter into force (very likely in May 2016) and two years after this entry into force, it will be applicable and will replace the current Directive 95/46 (very likely in May 2018). What are the practical impacts of this new legislation?

First, the main principles of the current Directive will remain. Although some changes will have great impacts on the day-to-day practice of companies, the GDPR mainly raises EU standards by recognizing previous best practices, case law and non-binding opinions of certain authorities. The major evolutions probably result from the legal form of the instrument: a Regulation, rather than a Directive. This means that the GDPR’s provisions can be directly invoked by individuals and directly enforced against companies without implementation through varying national legislation. Hence, contrary to the Directive, the text is totally consistent and comprehensive. This is progress for multinationals having subsidiaries in several member states.

Below are some key provisions of the GDPR:

  • Territorial scope. The GDPR applies, notably:
    • to processing carried out in the context of the activities of a controller/processor established in the EU, regardless of whether such processing takes place in the EU or not; and
    • to processing of personal data of data subjects who are in the EU, even if the controller/processor is not established in the EU, provided that the processing activities relate to (i) an offer of goods or services to data subjects in the EU, or (ii) the monitoring of their behavior as far as their behavior takes place within the EU.
  • Consent. If consent is the relevant legal basis for processing, the GDPR clearly states that it can never be implicit and must result from unambiguous and positive actions directly relating to the purpose of the processing.
  • Accountability. Data protection law is no longer simply a declaratory or documentary matter; controllers should be able to demonstrate concrete compliance with and implementation of the GDPR’s principles.
  • Privacy by design and by default. Controllers must implement technical and organizational measures ensuring that, from the determination of the means for processing, such processing complies with the GDPR and that, by default, only data that are necessary for each specific purpose are processed.
  • Data Protection Impact Assessment (DPIA). Where the processing relates to certain sensitive operations or data, the controller must carry out and must provide a documented DPIA to authorities, describing, assessing and preventing the risk associated with each processing.
  • Data Protection Officer (DPO). Where the processing relates to certain sensitive operations or data, the controller/processor must designate a DPO, mainly to ensure compliance with the GDPR and communicate with data subjects and authorities.
  • Controller/Processor. Regarding most of the GDPR’s requirements, the processor is jointly and severally liable with the controller.
  • Data breach. The GDPR provides details on the criteria and time limits for notifying data breaches to authorities and, in some cases, to data subjects.
  • Sanctions. In the case of infringement, the GDPR entitles national data protection authorities to impose fines that are greatly increased compared with the current national laws. These fines may amount to:
    • 2 percent of the total worldwide annual turnover for a minor offense, and
    • 4 percent of the total worldwide annual turnover for a major offense.

On April 14, the EU Parliament also adopted a new Directive on data transfers for police and judicial purposes.

As indicated above, the GDPR will be applicable in about two years, which is a sufficient (but not excessive) period of time to prepare for compliance and accountability.

For more information on the GDPR, please refer to the following prior Password Protected blog posts:

2016: A Turning Point For Personal Data Protection

EU Happy Holiday Present: The GDPR

In 2015, a number of high-profile media and political events and several legal cases raised questions about personal data protection in the European Union. 2016 looks to be a pivotal year for reforms in personal data protection, including issues related to recent matters.

The following developments are anticipated:

  • The General Data Protection Regulation will form the centerpiece of the new legislative framework on data protection for private individuals. Of direct applicability and unitary implementation, it should be adopted in early 2016 and will reinforce data protection rules and sanctions;
  • A new Data Protection Directive for Police and Judicial Cooperation in Criminal Matters should also see the light of day. It will aim to reinforce data protection safety in the context of crime prevention information exchanged between law enforcement agencies of both member states and non-EU members;
  • A new agreement is expected between the EU and the US to remedy the invalidation of the Commission’s Safe Harbor decision by the Court of Justice of the European Union (CJEU) in its ruling issued on October 6, 2015 (C-362/14). Currently under negotiation, the new agreement will provide a clear legal basis for data transfers to the U.S. and more controlled enforcement measures.

Besides these projects, other initiatives expected to be advanced include:

  • A new Data Retention Directive will replace the previous one, invalidated by the CJEU on April 8, 2014 (C-293/12 and C-594/12). This instrument will largely harmonize the general data retention obligations imposed by EU member states on telecommunications operators for crime and terrorism prevention;
  • A new agreement will establish enhanced cooperation for air passenger data collection and exchange between both member states and non-EU members (Passenger Name Record);
  • A Cyber Security Directive will provide harmonized principles in the matter of general IT security;
  • The E-Privacy Directive of 12 July 2002 (2002/58/EC), which establishes specific rules tailored to the protection of one’s private life on the Internet, will be revised.

The European political objectives are clear: adapt the data protection legal framework to the new digital economy environment but, at the same time, introduce new instruments to fight criminal activities (Directive for Police and Judicial Cooperation in Criminal Matters, Data Retention Directive, Passenger Name Record and Cyber Security Directive).

For more information on the aforementioned cases and reforms, please also refer to the following prior Password Protected blog posts:

EU Happy Holiday Present: The GDPR

CJEU Declares the EU Commission Safe Harbor Decision Invalid

The Court of Justice of the EU Declares Invalid the Data Retention Directive 2006/24