You Are Viewing International

European Court of Justice Decision Creates Havoc in Global Digital Exchanges: One Shot Down, One seriously Injured; 5,300 Stranded

Posted by fgilbert on July 16th, 2020

At long last, the European Court of Justice (EUCJ) has published its decision in the “Schrems 2” case. The EUCJ was tasked with reviewing the effectiveness of the mechanisms used in the context of crossborder data transfers. A key question was whether standard contractual clauses (SCC) used as a means of establishing “adequate protection” for personal data transferred out of the European Union or European Economic Area did in fact result in ensuring the level of “adequate protection” defined in the EU General Data Protection Regulation and the European Charter of Fundamental Rights.

The decision, published on July 16, looked at both the EU-US Privacy Shield and the SCCs. It invalidated the Privacy Shield, thereby destroying the virtual bridge that allowed 5,378 US based Shield self-certified organizations to conduct business with entities located in the European Union and European Economic Area. It preserved, but created significant challenges to the SCC (Controller to Processor) ecosystem  by creating new constraints and obstacles, to the countless organizations located both in the US and abroad, in their global digital trade with their European Partners.

The Basic Premise

The premise of the decision is that currently the US national security, public interest and law enforcement laws, have primacy over the fundamental rights of persons whose personal data are transferred to the US.  They do not take into account the principles of proportionality and are not limited to collecting only that data which is necessary. In addition, according to the EUCJ decision, US law does not grant data subjects actionable rights before the courts against US authorities.

EU-US Privacy Shield Invalidation

The EUCJ determined that the protection provided to personal data in the United States is inadequate to meet the level of protection of privacy and privacy rights guaranteed in the EU by the GDPR and the EU Charter of Fundamental rights.

According to the decision, the US surveillance programs  are not limited to what is strictly necessary, and the United States does not grant data subject actional rights against the US authorities. Further, the Ombudsperson program does not provide data subjects with any cause of action before a body that offers guarantees substantially equivalent to those required by EU law. Therefore, the EU-US Privacy Shield is no longer a legal instrument for the transfer of personal data from the EU to the US.

The immediate consequence of the invalidation of the EU-US Privacy Shield is that more than 5,000 US organizations, and their trading partners throughout the European Union and the European Economic Area are left stranded with no way out.  The invalidation declared by the EUCJ take immediate effect.  These transfers must cease.  This is likely to prove a catastrophic hurdle for many companies already weakened by the Covid pandemic.

Standard Contractual Clauses

The Standard Contractual Clauses for the transfer of personal data to processors established in third countries remain valid.  However, the Court found that, before a transfer of data may occur, there must be a prior assessment of the context of each individual transfer, that evaluates the laws of the country where the recipient is based, the nature of the data to be transferred, the privacy risks to such data, and any additional safeguards adopted by the parties to ensure that the data will receive adequate protection, as defined under EU Law.  Further, the data importer is required to inform the data exporter of any inability to comply with the standard data protection clauses.  If such protection is lacking the parties are obligated to suspend the transfer, or terminate the contract.  Thus, while the SCC (controller-to-processor) remain valid, their continued validity is subject to an additional step: the obligation to conduct the equivalent of a data protection impact assessment to ensure that the adequate protection is and will be provided and, subsequently, continuously monitored.

What’s Next?

  • Organizations that exchange or have access to personal data of residents of the EU or EEA should promptly assess the mechanisms currently in place to ensure the legality of their transfer of personal data outside the European Union.
  • If the organization has relied only on the EU-US Privacy Shield as a mechanism to ensure the legality of its personal data transfers, it should immediately halt the transfer of personal data out of the EU.  It should evaluate alternative means, most likely in the form of Standard Contractual Clauses.  For transfers that cannot be covered by SCCs, derogations under Article 49 of the GDPR might apply.
  • If the organization – whether located in the United States, or anywhere in the world – has already in place SCC, the EUCJ decision adds a significant hurdle in the form of a requirement for a prior evaluation of the protection to be offered to individuals and ongoing monitoring.
  • As always, ensure that these decisions and analysis are adequately documented, and proper records kept.
  • Remember to ensure integration and consistency with existing documents such as the organization’s privacy policy or its records of processing activities.
  • Keep in mind that while the Privacy Shield is invalidated as a means to legalize cross-border data transfers, US organizations that have signed up with the Shield program remain responsible for continuing to protect previously collected data in accordance with the promises and representations made in their self-certifications.
  • Stay informed of the developments in the next few days. It is expected that EU/EEA member state data supervisory authorities will publish useful guidance on how to react to the decision.  Some have already published comments and provided guidance.

New Data Protection Law Enacted in Dubai Emirate

Posted by fgilbert on June 3rd, 2020

Dubai has enacted a new data protection law that replaces the current privacy law, law N. 1 of 2007. The new 50-page law, which modernizes the current data protection law, will come into effect on July 1, 2020, at which time the pre-existing law and all related regulations will be repealed.

 

The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DIFC Law No. 5 of 2020) was enacted on June 1, 2020 by His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, in capacity as the Ruler of Dubai. Like its predecessor, the geographic scope of the law is limited to the Dubai International Financial Centre (DIFC) rather than the entire territory of the Dubai emirate.

 

The new law introduces concepts of accountability, and enhances individuals’ control over their personal data. It also provides for fines for data breaches. According to its Article 5, the purpose of the law is to provide standards and controls for the processing and free movement of personal data, and to protect the fundamental rights of the data subjects. Interestingly, Article 5 also specifies that the purpose of the law is to protect the fundamental rights of data subject “including how such rights apply to the protection of personal data in emerging technologies.”

 

Overview

DIFC Law No. 5 of 2020 takes into accounts principles found it other well-known data protection laws, such as the EU General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law (LGPD), and the California Consumer Privacy Act (CCPA). According to the official press release, the modernization of the data protection legal landscape of the DIFC signals its ambition to apply for adequacy recognition by the European Commission and other jurisdictions, which would ease global data transfers for DIFC-based businesses.

 

Geographic Scope

The new DIFC Data Protection Law applies to the processing of personal data by a controller or processor incorporated in the DIFC, regardless of whether the processing takes place in the DIFC or not. It also applies to a controller or processor, regardless of its place of incorporation, that processes personal data in the DIFC as part of stable arrangements, other than on an occasional basis. The law applies to such controller or processor in the context of its processing activity in the DIFC, including transfers of Personal Data out of the DIFC.

 

General Requirements

The law sets out 9 principles, which are outlined in a manner similar to that which is used in the EU’s GDPR. Also like in the GDPR, the requirements include a separate obligation for accountability whereby the data controller or processor is responsible for, and must be able to demonstrate, its compliance with those nine principles.

 

Lawfulness of the Processing

Law No. 5 of 2020 identifies six bases for what constitutes “lawful processing”. These bases include consent, necessity (the processing is necessary to perform certain specified tasks), and legitimate interest. In the same manner as provided in the GDPR, the processing can be justified by a “legitimate interest” only if the interest of data controller is not overridden by the rights or interests of the data subject. Article 13 of the law defines circumstances that would be considered “legitimate interest”, including the prevention of fraud, or ensuring security.

 

Accountability

The new law details accountability obligations for controllers and processors, including requirements for the development of a program to demonstrate compliance with the law. It also requires the implementation of appropriate technical and organizational measures to demonstrate that the processing is performed in accordance with the law.

 

The law requires the establishment of a written “data protection policy”, and requires that controllers and processors follow the principle of data protection by design and by default. There are also requirements for the development of a record of processing activities, appointment of data protection officers (in specified circumstances, including for example, “high risk processing activities”), conducting data protection impact assessments and imposing contractual obligations that protect individuals and their personal data.

 

Notification of the Data Protection Commissioner

Unlike the EU GDPR, which removed the obligation under prior law to notify the country’s data supervisory authority, the new DIFC data protection law retains the existing obligation for data controllers to register their processing activities with the DIFC’s data protection commissioner by filing a “notification of processing operations” and it extends that obligation to data processors. The notification must be kept up to date through amended notifications.

 

Cessation of Processing

Article 22 of the new law details the procedures that the data controller must follow when it is required to cease processing personal data. “Cessation of processing” may occur when the basis for processing changes or ceases to exist, or when the controller is required to cease processing due to the exercise of the data subject’s rights. The obligation also extends to ensuring that all data processors perform similar activities on the data held by them. This useful and practical provision does not appear to resemble any other provision in other similar laws, worldwide.

 

Content of the Privacy Policy

In a manner similar to that of Articles 13 and 14 of the GDPR, Articles 29 and 30 outline the required content of a privacy policy.

 

Rights of Individuals

Article 32 to 38 of DIFC Law No. 5 of 2020 grants enhanced rights to individuals. These rights include, for instance, right to withdraw consent, right to access, rectification and erasure of personal data, right to object to the processing, right to restrict the processing, right to data portability, right to object to any decision based solely on automated processing, including profiling. These rights are generally comparable to those outlined in the EU GDPR or Brazil LGPD, for example.

 

Article 39 provides a right of “non-discrimination” which resembles some aspects of California’s CCPA. It prohibits discrimination against an individual who has exercised her rights (for example, right to restrict the processing of her data) by denying any goods or services to that individual, or charging different prices, or providing goods of less quality. Like the California CCPA, it also allows controllers to offer financial and other incentives to data subjects for their willingness to allow the controller to use personal information about them.

 

Crossborder data transfers

The new law contains the usual restrictions to the transfer of personal data out of the territory, and requires that the country of the recipient provide “adequate protection” or in the absence of such laws that the data exporter and data importer provide adequate safeguard, such as those that would come from binding corporate rules, standard contractual clauses, and the like, unless a derogation applies.

 

Data Breaches

The DIFC data protection law includes comprehensive provisions regarding the notification of data breaches. Like the GDPR, the law distinguishes notification to be provided to the data commissioner from notification to be provided to the data subjects. Unlike GDPR or some US laws, there is no set maximum number of days for making the notification to the Commissioner. The time frame for making the initial notification is “as soon as possible” and the triggering event is whether the incident “compromises confidentiality, security or privacy.

 

Notification to data subjects is triggered only when the breach “is likely to result in a high risk to the security or rights of a data subject”. In this case, there is also no maximum time frame for making the notification. It would be ”as soon as practicable” in most circumstances, or “promptly” when there is “an immediate risk of damages”.

 

Remedies, Liability and Sanctions

Part 9 of the new DIFC law addresses Remedies, Liability and Sanctions. A wide variety of sanctions is provided, going from warnings to the issuance of a “direction” requiring a controller or processor to do or refrain from doing certain acts, to fines, payment of damages and compensation to the data subject, or payment of the costs incurred by the data commissioner or other person. The new law leaves to the Board of Directors of the DIFCA to draft regulations on this matter.

 

Data Sharing; Response to Request from Public Authority

Article 28 of Law No. 5 of 2020 provides guidance for the procedures to be followed when a data controller or processor receives a request from a public authority regarding the disclosure and/or transfer of personal data. The guidance provided is practical and detailed.

 

According to the press release issued by the DIFC, these provisions may form the first step towards data sharing standards within the UAE and the region.

 

Code of Conduct and Certification

Article 48 of the law provides for the use of “codes of conduct” and Article 49 provides for “certification schemes”. Both concepts will be familiar to those companies that operate in, or do business with, the European Union or European Economic Area.

 

Delayed Enforcement

In light of the current global pandemic, while the Data Protection Law is effective from July 1, 2020, businesses to which it applies will have a grace period of three months, until October  1, 2020, to prepare to comply with it, after which the new data protection law will becomes enforceable.

 

Regulations

According to the DIFC press release, the Board of Directors of the DIFC Authority is issuing new Data Protection Regulations that set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data.

EUR 14.5 Million Fine for Violation of GDPR Minimization and Retention Limitation Principles

Posted by fgilbert on December 2nd, 2019

EUR 14.5 million fine

At the beginning of November 2019, the Berlin Commissioner for Data Protection and Freedom of Information assessed a EUR 14.5 million fine against Deutsche Wohnen SE, a German residential real estate company, for violations of the GDPR, specifically violation of the data minimization and storage limitation principles. The decision has been made public, but is not yet final; it has been appealed.

According to Berlin Data Commissioner, the EUR 14.5 million fine was related to alleged deficiencies in the company’s archiving system, which did not allow for deletion of legacy data. The data affected included financial information about tenants, such as pay-slips, self-disclosure forms, extracts from employment agreements, tax data, social security and health insurance data and bank statements. The Berlin Data Commissioner also found that the practices of the company constituted an infringement of the data protection by design requirements. It focused primarily on violations of the data minimization principle and the failure to dispose of the data upon expiration of the retention period.

Basic Rules

Companies that are subject to the GDPR should keep in might that the GDPR provides for fines significantly higher than those that were assessed under the national laws that derived from the 1995 EU Data Protection Directive. GDPR Article 83 provides for two levels of fines, which depend on the nature of the violation, but even the lower range would allow for significant fine amounts. The highest level of fines is up to EUR 20 Million or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. The lowest level of fines is up to EUR 10 Million or 2% of the worldwide annual revenue, whichever is higher.

Germany, where the Deutsche Wohnen case was handled, is taking a structured approach to the determination of fines for violation of the GDPR. In October 2019, DSK, the joint coordinating board of the German Data Protection Authorities, published a detailed chart for the calculation of GDPR fines. Among other things, it sets out several levels of severity of the violation, and associates to each of these levels a multiplier range between 1 and 14.4.  A fine is computed according to that multiplier and the daily global revenue for the company or group of companies. According to the Berlin Data Commissioner, the fine in the Deutsche Wohnen case has been computed by using the DSK model.

Recent Cases

As the EU Data Supervisory Authorities are reviewing cases and assessing fines that are based on the provisions of the GDPR, we note an increasing number of decisions that provide for significant fines. Earlier this year, for example, CNIL, the French Data Protection Authority, assessed a EUR 50 million fine against Google for aggressive marketing practices. This was followed, during the summer by a £100 million fine assessed against Marriott Hotel, and a £183.39 million against British Airways. Both cases were handled by the UK Information Commissioner’s Office.

Lessons Learned

While the nature of the Deutsche Wohnen case is different from that of the earlier cases discussed above, and the level of fines assessed against the real estate company is significantly lower than those described above, they show that

  • Supervisory Authorities handle a wide variety of cases, react to numerous forms of alleged violations of the GDPR; not just data breaches
  • Compliance with the basic data protection principle is a significant element; they should be reviewed at each legal and technical audit.
  • Periodic compliance and technical audits may help identify deficiencies and reduce legal and technical risk when these deficiencies are corrected.
  • Fine levels under GDPR are generally significantly higher than under prior regimes.

Conclusion

The abundance of storage space and the increased pressure to keep interacting with current or former customers prompt businesses to collect large amounts of data, and retain as much of this data as possible, often well beyond actual useful period. Too often, businesses may not spend the time and resources necessary to periodically audit their practices and evaluate the nature of the data collected or to be collected, how the data is used, or why it is needed in view their then-current needs. And they may neglect to purge their databases and securely dispose of this data.

As discussed above, these practices might lead to an investigation and result in a fine. Companies that are subject to the EU General Data Protection Regulation (GDPR) and the related EU data protection laws should remember that GDPR and those national laws contain detailed and specific provisions requiring, among other, that entities collect only the minimum amount of data necessary, and limit the retention of this data to the shortest, most reasonable time. Among other things, periodic reevaluation of data handling practices, data needs, and legal obligations such those related to retention limitation, are essential to maintain an appropriate level of compliance with the GDPR and national applicable laws.

The EU General Data Protection Regulation and Its Implications for US Insurance Companies

Posted by fgilbert on August 2nd, 2018

An article published by Francoise Gilbert in collaboration with the Greenberg Traurig Insurance Department.

Summer 2018 Magazine Reprint

All you wanted to know about the GDPR

Posted by fgilbert on April 2nd, 2018

Extensive presentation by Francoise at a Bay Pay event.

 

90 days to May 25, 2018 – Does your Business Meet its GDPR Obligations?

Posted by fgilbert on February 21st, 2018

The EU General Data Protection Regulations – or GDPR – goes into effect in 90 days, on May 25, 2018.  With such a name, it would be easy to conclude that the law governs only the activities of businesses established in the European Union (EU) or European Economic Area (EEA), and that those established elsewhere are not concerned.

This is not the case.  Organizations that are not established within the EU/EEA are subject to GDPR when they process personal data of individuals who are in the EU/EEA if the processing activities are related to:

  • The offering of goods or services to such individuals in the EU/EEA, even if payment is not required, or
  • The monitoring of their behavior, to the extent that their behavior takes place within the EU/EEA. Profiling of individuals based on their use of the Internet is an example of such monitoring.

In practice, most US businesses – probably 70% – are subject to the GDPR where they collect or process the personal data of individuals located in the US.  According to our observations, only a very small fraction of those US businesses that are subject to the GDPR have completed their GDPR compliance overhaul.  Those who have ignored the GDPR or have failed to properly evaluate the extent to which the GDPR might apply to their activities should rethink this analysis and take action as soon as possible to address these obligations, if relevant.

The GDPR is a significant, complex document.  Compliance, therefore, is commensurate to its complexity.  For most businesses, evaluating their practices and conducting all activities that are required to achieve compliance can take three to six months. Numerous larger businesses, such as multinationals, have been working on GDPR implementation for more than two years.

The list of obligations under the GDPR is very long.  The document is comprised of 272 provisions, which are divided into 173 recitals and 99 Articles. It is also supplemented by documents issued by the EU institutions, or the Member States themselves. The EU’s Article 29 Working Party, so far, has published at least 13 guidelines. Some local supervisory authorities have published their own guidelines. Some Member States have adopted laws or amendments that relate to the GDPR.

Here are some highlights to keep in mind, among the many others that are written in the GDPR and related documents.

  • Violations of the law are subject to significant administrative fines that can reach up to 20 Million euros, or in the case of multi-national businesses, 4% of their global revenue.
  • In addition, individuals have a private right of action that allows them to file a complaint in court when they believe that their rights under the GDPR have been violated as a result of the processing of their personal data in non-compliance with the GDPR. They can mandate certain non-profit organizations to lodge the complaint and exercise their right to receive compensation on their behalf, a process that, in its effect, is likely to be similar to that of class action lawsuits customary in the United States.
  • Businesses are prohibited from collecting or processing personal data unless one of six circumstances occurs. They are required to state on their privacy notice why they have the right to collect and process the personal data of individuals. Company can no longer just infer from a person’s visit of a website that the individual has consented to the collection and use of his/her data. Specific consent is required.
  • Businesses have significant obligations that go well beyond current common practices. In particular, there are significant record keeping requirements as well as limitation to data retention.
  • Products must be designed in accordance with Data Protection by Design and Data Protection by Default principles. In some cases, businesses are required to conduct Data Protection Impact Assessments.
  • Individuals have significant rights, such as right of access, right of correction, right of data portability or right to be forgotten. Businesses have 30 days to respond to a request, which makes it necessary to implement the appropriate technical measures and administrative procedures to respond promptly to requests from individuals.
  • If a company’s core activities require the regular and systematic monitoring of individuals on a large scale, or the processing of special categories of data on a large scale, it must appoint a Data Protection Officer. Special categories of data include, for example, data about health, genetic data and biometric data, religion or sexual life.
  • Privacy notices must be updated to include a large amount of information required by the law.
  • Businesses must amend most of their contracts with third party service providers, or with their own customers if they act as service provider to another entity. These contracts must include numerous provisions mandated by the GDPR.

These are just example. There is much more. GDPR compliance project takes a significant amount of time.

To address their obligations under the GDPR, businesses must to conduct numerous activities, such as:

  • Start with understanding whether and how the business may have access to personal data of individuals in the EU/EEA, what is done to or with this data, with whom it shared, and how the business interacts with the individual for marketing purposes
  • Conduct a gap analysis to determine what needs to be done to comply with the GDPR, and prioritize these activities
  • Address the company’s obligations as a controller or processor
  • Address the restrictions to marketing, targeting, profiling
  • Update the contracts with data processors, subprocessors
  • Document the security program; update the security breach response plan
  • Address the crossborder data transfer restrictions
  • Identify the legal grounds for processing the personal data
  • Update the privacy notice
  • Develop processes to address obligations regarding individuals’ rights
  • Update training for personnel
  • Identify the lead supervisory authority

The GDPR has become a significant part of the US Privacy and Security legal landscape. It is important for US businesses to pay attention to compliance now because a majority of US businesses – as well as business located in other countries outside the EU/EEA – are and will continue to be subject to the GDPR for some of the personal data that they collect.

The GDPR will affect many of the business deals that a company may conduct. As businesses acquire or do business with businesses that are subject to the GDPR, the contracts that are drafted will likely have to address GDPR issues.

There are only 90 days left to take action and address GDPR compliance. There is still time if you have not already done so.  If you don’t, those individuals and businesses located in the EU/EEA with whom you want to do business may soon inquire whether your company can demonstrate whether it is compliant with the GDPR, and if your answer is not satisfactory, may take their business to others who do comply.

NIS Directive Adopted in August 2016 – What’s Next

Posted by fgilbert on August 12th, 2016

Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6, 2016, Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union Network and Information (“NIS Directive” or “Directive”), entered into force in August 2016, outlines plans for establishing a base level of network and information security that is coherent across the European Union (EU) and European Economic Area (EEA). It defines a framework for enabling networks and information systems to be better prepared to respond to actions that compromise the availability, authenticity, integrity, or confidentiality of the data that they process, store, or transmit. In addition, each Member State will be required to adopt a Network Information Security strategy defining its objectives and policy and regulatory measures regarding cybersecurity.

Scope and Affected Entities

The Directive will primarily affect “operators of essential services” and “digital Service providers”. Under the Directive, an entity provides an essential service if the entity provides a service that is essential for the maintenance of critical societal and/or economic activities; the provision of that service depends on network and information systems; and an incident to the network and information systems of that service would have significant disruptive effects on the provision of that service. Examples of such operators of essential services include entities in the following industries: Energy; Transportation; Banking; Financial Markets Infrastructures; Health care; Drinking water supply and distribution; and Digital infrastructure. The second group of companies impacted by the NIS Directive is digital services providers located in the Member States, which includes online market places, such as e-commerce platforms; cloud computing services; and online search engines.

Obligations of Operators of Essential Services

The Directive outlines specific obligations on operators of essential services. For example, they will have to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems that they use in their operation and to prevent and minimize the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, to facilitate the continuation of those services.

They will be required to notify the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications must include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident.

They will also have to provide information necessary to assess the security of their network and information systems including documented security policies.; and provide evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor, and, in the latter case, to make the results thereof, including underlying evidence, available to the competent authority.

Obligations of Digital Service Providers

Digital service providers will also be required to identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems use to offer services and to prevent and minimize the impact of security incidents. These measures will have to ensure a level of security and take into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.

Digital service providers will have to notify the competent authorities without undue delay of any incident having a substantial impact on the provision of a service that they offer in the EU. Such notification will have to include information to enable the competent authorities to determine the significance of any cross-border impact.

Cooperation Among Member States

The Directive puts in place several structures for ensuring efficient activities within each Member State and cooperation among the Member States. For example, Member States will have to designate a competent national authority responsible for implementation and enforcement of the NIS Directive.  They will also be required to establish Computer Security Incident Response Teams (CSIRTs) which will be responsible for handling cybersecurity incidents and risks.

A network of Computer Security Incident Response Teams (CSIRTs Network), also established by the Directive, will help promote swift and effective operational cooperation on cybersecurity incidents and for sharing information about security risks among Member States. The CSIRTs Network will consist of representatives of the CSIRTs established in the Member States and the Computer Emergency Response Team (CERT-EU).

A “Cooperation Group”, composed of representatives of the EU Member States, representative of ENISA (EU Agency for Network and Information Security) and the European Commission will facilitate strategic cooperation and information exchanges among Member States. It will prepare strategic guidelines for the activities of the CSIRTs Network and discuss the capabilities and preparedness of Member States.

Between Now and May 2018

The NIS Directive entered into force in August 2016. The EU/EEA Member States now have until May 2018 to implement its principles into their national laws. Companies that do business in the EU/EEA and fall within the scope of the NIS Directive should monitor the implementation process in the Member States where they operate, and the further guidance that the competent authorities will issue. They also should be aware that the EU Commission has the power to adopt implementing acts regarding the required formats and procedures to be used for notification and incident assessment.

EU-U.S. Privacy Shield Approved and Signed

Posted by fgilbert on July 14th, 2016

Since October 2015, when the Court of Justice of the European Union invalidated the Safe Harbor Agreement, numerous US and EU companies have struggled to provide a legal basis to the transfer of personal information across the Atlantic. On July 12, representatives of the European Commission and the U.S. Department of Commerce signed the “EU-US Privacy Shield” agreement, which replaces the Safe Harbor agreement. The new EU US Privacy Shield become effective as of August 1, 2016.

The documents that form the executed Privacy Shield agreement are an updated version of those that were published in late February 2016. The signed Shield documents clarify numerous issues that were of concern to Europeans and introduces several new requirements.

The primary changes are found in the Draft Commission Implementing Decision Regarding the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield (“Decision”). The Decision clarifies that the Principles will apply solely to the processing of personal data by a U.S. organization insofar as the processing by such organization does not fall within the scope of EU legislation.

Subcontractors

Shield Certified companies will have to require their subcontractors and service providers to delete or de-identify personal data when no longer needed for the identified processing or compatible purposes. This will also have to require recipients of personal data to notify them if the recipient can no longer provide the same level of protection as required by the Privacy Shield Principles (Principles).

Data Quality and Data Uses

The Decision stresses that organizations will have to ensure that personal data is reliable for its intended use, accurate, complete, and current. Special rules will apply to the use of personal data for direct marketing purposes, to allow individuals to opt-out at any time.

Crossborder Transfers

Regarding cross-border transfers, the Decision stresses that the obligation to provide the same level of protection must apply to all parties involved in the processing of the data, irrespective of their location, when the original recipient itself transfers that data to a third party, for example a subprocessor.

Recourse, Enforcement, and Liability

The Decision clarifies that organizations that have failed to deal appropriately with complaints will be subject to oversight and enforcement actions by the Federal Trade Commission, the Department of Transportation or another U.S. authorized statutory body. It provides a lengthy analysis and details the eight levels of redress and the escalation procedure that will be available to EU residents.

Transparency and Oversight

Part of the new measures to ensure transparency and allow for oversight will include the monitoring by the U.S. Department of Commerce whether the self-certified organizations on the Privacy Shield list are current in their obligations.  If an organization is not current in its obligations, the Department of Commerce will enforce the return or deletion of the personal data that the entity received on the basis of the Privacy Shield.

Access by U.S. Public Authorities

The Decision clarifies that the EU Commission has determined that U.S. law contains a number of limitations on the access to, and use of, personal data transferred to the United States for national security purposes, and that sovereign and redress mechanisms provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse.

It also confirms that bulk collection will only be authorized exceptionally where targeted collection is not feasible, and will be accompanied by additional safeguards to minimize the amount of data collected and subsequent access (which will have to be targeted and only be allowed for specific purposes).

 

For a detailed analysis of the updated Shield Documents see article co-authored by Francoise Gilbert and Marie Jose van der Heijden, “Privacy Shiel 2.0 Sighned, Sealed and Delivered, published in the Bloomberg BNA Privacy and Data Security Law Report on July 11, 2016.

 

 

 

Israel Revokes is Acceptance of Safe Harbor

Posted by fgilbert on October 20th, 2015

In early October 2015, the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case, declared the EU-US Safe Harbor invalid. The CJEU ruling stunned many businesses and organizations throughout the world. For the past 15 years, the Safe Harbor Program had made it easy for businesses established in the United States and the European Economic Area (EEA) to exchange personal data in the ordinary course of business. It was the simplest and most business friendly method for addressing the prohibition against cross-border data transfers to countries that do not offer adequate protection of privacy rights and personal data, a prohibition that is common to all data protection laws of EEA member states.

Since the issuance of the ruling, a flurry of activity has occurred. Numerous reactions and comments have been published. Two of the most notable statements issued by the Article 29 Working Party and by the Israeli Law, Information and Technology Authority require that US companies involved in international exchanges of personal data with the EMEA Region react promptly to the invalidation of the Safe Harbor Program, so that they establish alternative measures to address the void left by this invalidation.

On October 15, 2015 the Article 29 Working Party (A29) – the umbrella organization that encompasses the Data Protection Commissioners of the 31 EEA Member States – published its initial reaction to the CJEU ruling. The A29 confirmed that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warned that if, by January 2016, the United States and the European Union have not reached a satisfactory agreement that incorporates certain elements identified in the A29 statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross border data transfers.

Israel Revokes its Acceptance of the Us EU Safe Harbor

Now, on October 19 2015 the Israeli Law, Information and Technology Authority (ILITA), the country’s data protection authority, announced that, in view of the CJEU ruling invalidating the EU-US Safe Harbor, it would cease treating a US company’s self-certification under the EU–US Safe Harbor as a ground for granting derogations to its own prohibition against crossborder data transfers out of Israel. In other words, Israeli companies that relied on the fact that a US company was listed on the Safe Harbor List of the US Department of Commerce can no longer do so to justify the legality of their transfer of data to the United States.

In a long statement analyzing the CJEU case, the ILITA announced that it revoked its prior authorization permitting the transfer of personal data from Israel to those organizations in the United States that certified under the EU-US Safe Harbor. In keeping with the data protection legislation enacted throughout the EEA, the Israel Privacy Protection Regulations (Transfer of Data to Databases Abroad) 2001 restricts the transfer of personal data outside the country unless the recipient country ensures a level of data protection that is no lesser than that provided under Israeli law, or one of the derogations in Section 2 of the 2001 Regulations applies.

Up until very recently, the ILITA had found that those US organizations certified under the EU-US Safe Harbor provided an adequate level of protection for personal data and, as such, fell under the derogation, provided under Section 2(8)(2) of Israel’s 2001 Privacy Protection Regulations, authorizing data transfers from Israel. However, with the recent CJEU decision in the Schrems case, the position of the ILITA has changed. It has stated that organizations can no longer rely on the aforementioned derogation as the basis for the transfer of personal data between Israel and the United States. The ILITA has advised organizations to assess whether they can legitimize the transfer of personal data between Israel and the United States under one of the other derogations provided in Section 2 of the 2001 Regulations. The ILITA has also advised that it continues to assess the implications of the Schrems decision and that it will publish information and additional clarifications if necessary.

Israel is one of the few counties whose data protection law has been deemed to meet the stringent criteria required under the EU Data Protection Directive 95/46/EC. Under Commission Decision 2011/61/EU, Israel is considered as providing, an adequate level of protection for personal data transferred from the European Union. This adequacy finding ensures that personal data can be transferred from the European Union to Israel, without companies having to rely on other legal methods, such as contractual clauses, to effect the data transfer. It is likely that Israel’s decision to follow the determination in the CJEU ruling invalidating the Safe Harbor Program was prompted by its concern to keep its privileged status vis-à-vis European entities in good standing.

While Israel’s reaction is understandable under the circumstances, it may be a sign that other countries throughout the world that also have the privilege of having been deemed by the European Commission to offer “adequate protection”, countries such as Argentina, Uruguay, Canada or Switzerland, might soon adopt the same approach as Israel. This would isolate further the United States, and create additional pressure for the United States government to modify its course of action and its strategies regarding international commerce

What to do Next?

The activities of US law enforcement agencies remain of great concern to the rest of the world. In its statement, the A29 points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and that existing transfer tools are not the solution to this issue.

It is becoming clear that the repeated assertions of the CJEU in its ruling, that personal data when on the US territory is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the prospective rules laid down by the Safe Harbor when they conflict with US national security and public interest are affecting the reasoning of the EEA Data Protection Commissioners and may also be getting traction outside the European Economic Area. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights.

The invalidation of the 2000/520 Safe Harbor Decision does not solve these fundamental issues. It is hard to see how data transferred from the EEA to the United States under BCRs or Standard Contractual clauses would not suffer the same fate. The next few months will be very busy and will see extensive activities in the United States, throughout Europe, and probably in other parts of the world. Hopefully the wake-up call provided by the CJEU ruling will pave the way to effective and productive negotiations that find a solution that help revive commerce and exchanges between the affected countries.

In the meantime, US companies must urgently evaluate their situation and take appropriate remedial measures to meet the data protection standards in the countries in which they currently do business. The January 2016 deadline, set by the A29 Working Party, is a very important deadline. US companies should take the time, this Fall, to reshape their crossborder data transfer solutions to address the significant challenges created by the invalidation of the EU-US Safe Harbor, and the associated ramifications such as the Israeli decision.

Safe Harbor Invalidation – Article 29 Working Party Sets January 2016 Deadline

Posted by fgilbert on October 16th, 2015

The long awaited reaction of the Working party to the ruling of the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case in now public. Late on October 15, the Article 29 Working Party published a statement outlining its first response to the landmark ruling. The Working Party’s statement summarizes the group’s evaluation of the first consequences to be drawn at European and national level.

The Working Party point out that the data protection authorities, EU institutions, Member States, and businesses are collectively responsible for finding sustainable solutions to implement the Court’s judgment. It stresses that businesses, in particular, should reflect on the eventual risks they take when transferring data to the United States, and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection principles.

Transfers under Safe Harbor Unlawful

Regarding the practical consequences of the CJEU judgment, the Working Party states that it is clear that transfers from the European Union to the United States can no longer be framed based on Safe Harbor mechanism and “transfers that are still taking place under the Safe Harbor after the CJEU judgment are unlawful.”

Standard Clauses and Binding Corporate Rules

Until the Working Party has completed its analysis of the impact of the CJEU judgment on other transfer tools, data protection authorities will consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. However, during this transition period, the Working Party warns that data protection authorities will continue to exercise their right to investigate particular cases, and to exercise their powers in order to protect individuals.

January 2016 Deadline

The Working Party’s press release sets a January 2016 deadline. If, by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions.

Massive Surveillance an issue

The activities of US law enforcement agencies remain of great concern to the Working Party. The Working Party points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and existing transfer tools are not the solution to this issue.

Intergovernmental Agreement Suggested

While progress has been made with the recent signature of the Umbrella Agreement and the ongoing negotiations regarding Safe Harbor 2.0, the Working Party believes that more needs to be done. A new Safe Harbor agreement would only a part of the solution; more is necessary.

The Working Party urges Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling cross Atlantic data transfers that respect fundamental rights. In particular, it suggests that such solutions could be found through the negotiation of an intergovernmental agreement providing stronger guarantees to EU data subjects.

The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working Party’s opinion, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on:

  • Oversight of access by public authorities;
  • Transparency;
  • Proportionality;
  • Redress mechanisms; and
  • Data protection rights.

Shared Responsibility

The Working Party views it as a shared responsibility between data protection authorities, EU institutions, Member States, and businesses to find sustainable solutions to implement the Court’s judgment. It states that, in the context of the CJEU judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection laws and principles.