
NIS Directive Adopted in August 2016 – What’s Next

Posted by fgilbert on August 12th, 2016

Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6, 2016, Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union (“NIS Directive” or “Directive”), entered into force in August 2016. It outlines plans for establishing a base level of network and information security that is coherent across the European Union (EU) and European Economic Area (EEA), and defines a framework for enabling networks and information systems to be better prepared to respond to actions that compromise the availability, authenticity, integrity, or confidentiality of the data that they process, store, or transmit. In addition, each Member State will be required to adopt a national strategy on the security of network and information systems defining its objectives and its policy and regulatory measures regarding cybersecurity.

Scope and Affected Entities

The Directive will primarily affect “operators of essential services” and “digital service providers”. Under the Directive, an entity is an operator of an essential service if it provides a service that is essential for the maintenance of critical societal and/or economic activities; the provision of that service depends on network and information systems; and an incident affecting the network and information systems of that service would have significant disruptive effects on the provision of that service. Operators of essential services may include entities in the following sectors: energy; transport; banking; financial market infrastructures; health care; drinking water supply and distribution; and digital infrastructure. The second group of companies impacted by the NIS Directive is digital service providers located in the Member States, which includes online marketplaces, such as e-commerce platforms; cloud computing services; and online search engines.

Obligations of Operators of Essential Services

The Directive outlines specific obligations for operators of essential services. For example, they will have to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of the network and information systems that they use in their operations, and to prevent and minimize the impact of incidents affecting the security of the network and information systems used for the provision of those essential services, with a view to ensuring the continuity of those services.

They will be required to notify the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications must include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident.

They will also have to provide the information necessary to assess the security of their network and information systems, including documented security policies, and provide evidence of the effective implementation of those security policies, such as the results of a security audit carried out by the competent authority or by a qualified auditor. In the latter case, they must make the results, including the underlying evidence, available to the competent authority.

Obligations of Digital Service Providers

Digital service providers will also be required to identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of the network and information systems used to offer their services, and to prevent and minimize the impact of security incidents. These measures will have to ensure a level of security appropriate to the risk posed, taking into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.

Digital service providers will have to notify the competent authorities without undue delay of any incident having a substantial impact on the provision of a service that they offer in the EU. Such notification will have to include information to enable the competent authorities to determine the significance of any cross-border impact.

Cooperation Among Member States

The Directive puts in place several structures for ensuring efficient activities within each Member State and cooperation among the Member States. For example, Member States will have to designate a competent national authority responsible for implementation and enforcement of the NIS Directive. They will also be required to establish Computer Security Incident Response Teams (CSIRTs), which will be responsible for handling cybersecurity incidents and risks.

A network of Computer Security Incident Response Teams (CSIRTs Network), also established by the Directive, will help promote swift and effective operational cooperation on cybersecurity incidents and the sharing of information about security risks among Member States. The CSIRTs Network will consist of representatives of the CSIRTs established in the Member States and of the Computer Emergency Response Team for the EU institutions (CERT-EU).

A “Cooperation Group”, composed of representatives of the EU Member States, representatives of ENISA (the EU Agency for Network and Information Security), and the European Commission, will facilitate strategic cooperation and information exchange among Member States. It will prepare strategic guidelines for the activities of the CSIRTs Network and discuss the capabilities and preparedness of Member States.

Between Now and May 2018

The NIS Directive entered into force in August 2016. The EU/EEA Member States now have until May 2018 to implement its principles into their national laws. Companies that do business in the EU/EEA and fall within the scope of the NIS Directive should monitor the implementation process in the Member States where they operate, and the further guidance that the competent authorities will issue. They also should be aware that the EU Commission has the power to adopt implementing acts regarding the required formats and procedures to be used for notification and incident assessment.

EU-U.S. Privacy Shield Approved and Signed

Posted by fgilbert on July 14th, 2016

Since October 2015, when the Court of Justice of the European Union invalidated the Safe Harbor Agreement, numerous US and EU companies have struggled to provide a legal basis for the transfer of personal information across the Atlantic. On July 12, representatives of the European Commission and the U.S. Department of Commerce signed the “EU-US Privacy Shield” agreement, which replaces the Safe Harbor agreement. The new EU-US Privacy Shield became effective on August 1, 2016.

The documents that form the executed Privacy Shield agreement are an updated version of those that were published in late February 2016. The signed Shield documents clarify numerous issues that were of concern to Europeans and introduce several new requirements.

The primary changes are found in the Draft Commission Implementing Decision Regarding the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield (“Decision”). The Decision clarifies that the Principles will apply solely to the processing of personal data by a U.S. organization insofar as the processing by such organization does not fall within the scope of EU legislation.

Subcontractors

Shield-certified companies will have to require their subcontractors and service providers to delete or de-identify personal data when it is no longer needed for the identified processing or compatible purposes. They will also have to require recipients of personal data to notify them if the recipient can no longer provide the same level of protection as required by the Privacy Shield Principles (Principles).

Data Quality and Data Uses

The Decision stresses that organizations will have to ensure that personal data is reliable for its intended use, accurate, complete, and current. Special rules will apply to the use of personal data for direct marketing purposes, to allow individuals to opt-out at any time.

Crossborder Transfers

Regarding cross-border transfers, the Decision stresses that the obligation to provide the same level of protection must apply to all parties involved in the processing of the data, irrespective of their location, when the original recipient itself transfers that data to a third party, for example a subprocessor.

Recourse, Enforcement, and Liability

The Decision clarifies that organizations that have failed to deal appropriately with complaints will be subject to oversight and enforcement actions by the Federal Trade Commission, the Department of Transportation or another U.S. authorized statutory body. It provides a lengthy analysis and details the eight levels of redress and the escalation procedure that will be available to EU residents.

Transparency and Oversight

Part of the new measures to ensure transparency and allow for oversight will be monitoring by the U.S. Department of Commerce of whether the self-certified organizations on the Privacy Shield list are current in their obligations. If an organization is not current in its obligations, the Department of Commerce will enforce the return or deletion of the personal data that the entity received on the basis of the Privacy Shield.

Access by U.S. Public Authorities

The Decision clarifies that the EU Commission has determined that U.S. law contains a number of limitations on the access to, and use of, personal data transferred to the United States for national security purposes, and that oversight and redress mechanisms provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse.

It also confirms that bulk collection will only be authorized exceptionally where targeted collection is not feasible, and will be accompanied by additional safeguards to minimize the amount of data collected and subsequent access (which will have to be targeted and only be allowed for specific purposes).


For a detailed analysis of the updated Shield documents, see the article co-authored by Francoise Gilbert and Marie Jose van der Heijden, “Privacy Shield 2.0 Signed, Sealed and Delivered,” published in the Bloomberg BNA Privacy and Data Security Law Report on July 11, 2016.


WP29 gives “Thumbs Down” to Draft EU-US Privacy Shield

Posted by fgilbert on April 13th, 2016

In a 58-page opinion published on April 13, 2016, the influential European Union Article 29 Working Party (“WP29”), which gathers representatives of the data protection authorities of the 28 EU member states, expressed significant concerns with respect to the terms of the proposed EU-US Privacy Shield that is intended to replace the EU-US Safe Harbor.

The WP29 made numerous critiques of the documents that form the proposed EU-US Privacy Shield framework. Some of these critiques address the essential points of contention that have been raised in numerous forms in the past. These include, for example, the lack of consistency between the principles set forth in the Privacy Shield documents and the fundamental EU data protection principles outlined in the 1995 EU Data Protection Directive, the proposed EU General Data Protection Regulation, and related documents.

The WP29 also requested that clearer restrictions apply to the onward transfer of personal information, which occurs once personal data of EU residents has been transferred to the US. It is especially concerned about the subsequent transfer of data to a third country, outside the United States. In addition, the WP29 continues to be concerned about the effect, scope, and effectiveness of the measures proposed to address the activities of law enforcement and intelligence agencies, often described as “massive collection” of data.


Background

On 29 February 2016, the European Commission and US Department of Commerce published a series of documents intended to constitute a new framework for transatlantic exchanges of personal data for commercial purposes, to be named the EU-U.S. Privacy Shield. The Privacy Shield is intended to replace the EU-US Safe Harbor, which was invalidated by the Court of Justice of the European Union (CJEU) in October 2015, in the Schrems case.

Since the publication of the draft Privacy Shield documents, the WP29 members have convened in a series of meetings in order to assess these documents and come up with a common position.

The results of this intense six-week evaluation were expressed in an opinion entitled “Opinion 01/2016 on the EU-US Privacy Shield Draft Adequacy Decision – WP 238”, published on April 13, 2016. The 58-page, well-drafted and thoughtful document contains numerous positive comments about the efforts of the EU and US teams in trying to design a framework that would implement the guidance of the two-page term sheet published at the end of January, which outlined the key aspects of the proposed transatlantic framework.

The document also expressed a wide variety of concerns with respect to the proposed EU-US Privacy Shield that is intended to replace the EU-US Safe Harbor. The WP29 group was concerned by (i) the commercial provisions (which address issues similar to those addressed in the Safe Harbor); (ii) the surveillance aspects, specifically, the possible derogations to the principles of the Privacy Shield for national security, law enforcement, and public interests purposes; as well as (iii) the proposed joint review mechanism.


Commercial Aspects

Consistency with Data Protection Principles

The WP29 indicated that its key objective is to make sure that the Privacy Shield would offer an equivalent level of protection of individuals when personal data is processed under the Privacy Shield. The WP29 believes that some key EU data protection principles are not reflected in the draft documents, or have been inadequately substituted by alternative notions.

While it does not expect the Privacy Shield to be a mere and exhaustive copy of the EU legal framework, the WP29 stressed that the Privacy Shield should contain the substance of the fundamental principles in effect in the European Union, so that it can ensure an “essentially equivalent” level of protection. For instance, the data retention principle is not expressly mentioned; there is no wording on the protection that should be afforded against automated individual decisions based solely on automated processing. The application of the purpose limitation principle to the data processing is also unclear.

Onward Transfers

The WP29 paid special attention to onward transfers, an issue that was key to the Safe Harbor decision. It believes that the Privacy Shield provisions on onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to Agents.

The WP29 noted that, since the Privacy Shield will also be used to transfer data onward from a Privacy Shield entity to recipients in third countries outside the US, it should provide the same level of protection on all aspects of the Shield, including national security. In the case of an onward transfer to a third country, every Privacy Shield organization should have the obligation to assess any mandatory requirements of the third country’s national legislation applicable to the data importer before making the transfer.

Recourse Mechanisms

Finally, although the WP29 notes the additional recourses made available to individuals to exercise their rights, it is concerned that the new redress mechanism in practice may prove to be too complex, difficult to use for EU individuals, and therefore, ineffective. Further clarification of the various recourse procedures is therefore needed; in particular, where they are willing, EU data protection authorities could be considered as a natural contact point for the EU individuals in the various procedures, and have the option to act on their behalf.


National Security

Derogations for national security purposes

The WP29 observed that the draft EU Commission Adequacy Decision extensively addresses the possible access to data processed under the Privacy Shield for purposes of national security and law enforcement. It also notes that the US Administration, in Annex VI of the documents, also provides for increased transparency on the legislation applicable to intelligence data collection.

Massive Collection

Regarding the massive collection of information, the WP29 notes, however, that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not exclude massive and indiscriminate collection of personal data originating from the EU. Given the concerns this brings for the protection of the fundamental rights to privacy and data protection, the WP29 pointed to other resources for clarification on this point, such as the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.

Redress

Concerning redress, the WP29 welcomes the establishment of an Ombudsperson as a new redress mechanism. Concurrently, it expressed its concern that this new institution might not be sufficiently independent, might not be vested with adequate powers to effectively exercise its duty, and does not guarantee a satisfactory remedy in case of disagreement.

Annual Joint Review

Regarding the proposed Annual Joint Review mechanism mentioned in the Privacy Shield framework, the WP29 noted that the Joint Review is a key factor to the credibility of the Privacy Shield. It points out, however, that the specific modalities for operations, such as the resulting report, its publicity and the possible consequences, as well as the financing, need to be agreed well in advance of the first review.


Drafting Deficiencies

Consistency with the General Data Protection Regulation

The WP29 notes that the Privacy Shield needs to be consistent with the EU data protection legal framework, in both scope and terminology. It suggests that a review should be undertaken shortly after the entry into application of the General Data Protection Regulation (GDPR), to ensure that the higher level of data protection offered by the GDPR is followed in the adequacy decision and its annexes.

Structure and Content

Regarding the structure and content of the documents, the WP29 noted that the complexity of the structure of the documents that constitute the Privacy Shield makes them difficult to understand. It is also concerned that the lack of clarity of the new framework might make it difficult to comprehend for data subjects, organizations, and even data protection authorities. In addition, it notes occasional inconsistencies within the 110 pages that form the current draft of the Privacy Shield framework. The WP29 therefore urges the Commission to make the documents clear and understandable on both sides of the Atlantic.


Conclusion

In its 58-page opinion, the WP29 made great efforts to point to the improvements brought by the Privacy Shield compared to the Safe Harbor decision. However, overall, the evaluation of the 110-page proposed Privacy Shield framework is generally negative. The WP29 appears to doubt that the protection that would be offered by the Privacy Shield is essentially equivalent to that of the EU.

Even though there are numerous positive comments, such as acknowledgements that many of the shortcomings of the Safe Harbor were addressed in the proposed framework, the general tone of the WP29 is critical of the end result. The concerns expressed in the WP29 Opinion include, for example, lack of consistency with EU data protection principles and insufficient coverage of the massive collection of information. The WP29 also points to more basic issues such as inconsistencies among provisions, and lack of clarity caused by the structure and composition of the documents.

It remains to be seen the extent to which the EU Commission will be able to address these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the proposed documents. The viability of the Privacy Shield remains in question.

With the negative opinion issued by the WP29, a very influential body of the European Union, it becomes uncertain whether, and when, a stable and final draft will be completed. Assuming the framework reaches a form that is satisfactory to both sides and the final draft is approved and voted on, it will then need to be implemented. At a minimum, a new infrastructure, a website, and additional personnel will be needed to make it operational.

Six months after the CJEU invalidated the EU Commission decision that had created the EU-US Safe Harbor, transatlantic data transfers are still in limbo. There is still no simple, business-friendly solution for addressing the stringent prohibition against cross-border data transfers between EU/EEA entities and US-based companies.

US companies that had built their operations and business models around the simple and easy-to-use EU-US Safe Harbor need to address the legality of their cross-border data transfers, assuming they have not already done so. With no light so far at the end of the tunnel, it is urgent that they evaluate and implement means to address the stringent restrictions on cross-border data transfers in effect in the European Union and the European Economic Area, and that they understand and address the needs of their counterparts in the EU/EEA region, in order to minimize the risk of enforcement action against the European entities.


EU-US Privacy Shield Update

Posted by fgilbert on February 29th, 2016

The European Commission has released a Draft Adequacy Finding as a step towards the finalization of a new EU-US Privacy Shield. The concept of an EU-US Privacy Shield was outlined in an arrangement published on February 2, 2016. The Shield is intended to replace the EU-US Safe Harbor Agreement, which was invalidated in an October 6, 2015 decision of the European Court of Justice.

The Draft Adequacy Finding will now be reviewed, commented upon, revised and finalized by a wide range of EU agencies and officials before being submitted to a vote by the EU Parliament and the European Council. Finalization is not expected for several months.

The EU-US Privacy Shield is intended to create stronger obligations for US companies that process the personal data of residents of the European Economic Area than those that were outlined in the EU-US Safe Harbor, adopted in 2000. It is expected to require stronger monitoring and enforcement by the US Department of Commerce and the Federal Trade Commission, including through increased cooperation with the Member States Data Protection Authorities.

The EU-US Privacy Shield is expected to include written commitments and assurances by the United States that any access by public authorities to personal data transferred to the US under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, in order to prevent generalized access. A newly created Ombudsperson mechanism will handle complaints and inquiries in this context.

Safe Harbor 2.0 Agreement Reached

Posted by fgilbert on February 2nd, 2016

On February 2, 2016, representatives of the European Commission and the United States agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield. The main elements of the arrangement provide that:

  • US companies that wish to receive EU data will be required to commit to stringent obligations on how personal data is processed and individual rights are guaranteed;
  • Citizens who think that their data has been misused will have several redress possibilities ;
  • Companies will be required to respond to citizens’ complaints within a set timeframe;
  • European Data Protection Authorities will have the ability to refer complaints to the US Department of Commerce and the Federal Trade Commission;
  • Alternative Dispute resolution will be free of charge;
  • Access by U.S. law enforcement to personal data transferred under the EU-US Privacy Shield will be subject to clear conditions, limitations and oversight mechanisms, preventing generalized access;
  • Complaints on possible access by national intelligence authorities will be referred to an Ombudsperson;
  • The implementation of the arrangement – including the restriction to law enforcement access to data – will be subject to annual joint reviews. The European Commission and the U.S. Department of Commerce will conduct the reviews and invite US national intelligence experts and European Data Protection Authorities to participate.

The College of EU Commissioners, which approved the final terms of the arrangement, has mandated Vice-President Ansip and Commissioner Jourová to prepare a draft “adequacy decision” in the coming weeks clarifying the elements of the EU-US Privacy Shield.

Once the document has been finalized, it will be submitted for approval by the College of Commissioners. The Article 29 Working Party and a committee composed of representatives of the Member States will also be consulted. In the meantime, the U.S. will make the necessary preparations to put in place the new framework, the monitoring mechanisms and the new Ombudsperson.

Israel Revokes its Acceptance of Safe Harbor

Posted by fgilbert on October 20th, 2015

In early October 2015, the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case, declared the EU-US Safe Harbor invalid. The CJEU ruling stunned many businesses and organizations throughout the world. For the past 15 years, the Safe Harbor Program had made it easy for businesses established in the United States and the European Economic Area (EEA) to exchange personal data in the ordinary course of business. It was the simplest and most business friendly method for addressing the prohibition against cross-border data transfers to countries that do not offer adequate protection of privacy rights and personal data, a prohibition that is common to all data protection laws of EEA member states.

Since the issuance of the ruling, a flurry of activity has occurred, and numerous reactions and comments have been published. Two of the most notable statements, issued by the Article 29 Working Party and by the Israeli Law, Information and Technology Authority, require that US companies involved in international exchanges of personal data with the EMEA region react promptly to the invalidation of the Safe Harbor Program and establish alternative measures to address the void left by this invalidation.

On October 15, 2015 the Article 29 Working Party (A29) – the umbrella organization that encompasses the Data Protection Commissioners of the 31 EEA Member States – published its initial reaction to the CJEU ruling. The A29 confirmed that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warned that if, by January 2016, the United States and the European Union have not reached a satisfactory agreement that incorporates certain elements identified in the A29 statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross border data transfers.

Israel Revokes its Acceptance of the US-EU Safe Harbor

Now, on October 19, 2015, the Israeli Law, Information and Technology Authority (ILITA), the country’s data protection authority, announced that, in view of the CJEU ruling invalidating the EU-US Safe Harbor, it would cease treating a US company’s self-certification under the EU-US Safe Harbor as a ground for granting derogations to its own prohibition against cross-border data transfers out of Israel. In other words, Israeli companies that relied on the fact that a US company was listed on the Safe Harbor List of the US Department of Commerce can no longer do so to justify the legality of their transfers of data to the United States.

In a long statement analyzing the CJEU case, the ILITA announced that it revoked its prior authorization permitting the transfer of personal data from Israel to those organizations in the United States that certified under the EU-US Safe Harbor. In keeping with the data protection legislation enacted throughout the EEA, the Israel Privacy Protection Regulations (Transfer of Data to Databases Abroad) 2001 restricts the transfer of personal data outside the country unless the recipient country ensures a level of data protection that is no lesser than that provided under Israeli law, or one of the derogations in Section 2 of the 2001 Regulations applies.

Up until very recently, the ILITA had found that those US organizations certified under the EU-US Safe Harbor provided an adequate level of protection for personal data and, as such, fell under the derogation, provided under Section 2(8)(2) of Israel’s 2001 Privacy Protection Regulations, authorizing data transfers from Israel. However, with the recent CJEU decision in the Schrems case, the position of the ILITA has changed. It has stated that organizations can no longer rely on the aforementioned derogation as the basis for the transfer of personal data between Israel and the United States. The ILITA has advised organizations to assess whether they can legitimize the transfer of personal data between Israel and the United States under one of the other derogations provided in Section 2 of the 2001 Regulations. The ILITA has also advised that it continues to assess the implications of the Schrems decision and that it will publish information and additional clarifications if necessary.

Israel is one of the few countries whose data protection law has been deemed to meet the stringent criteria required under the EU Data Protection Directive 95/46/EC. Under Commission Decision 2011/61/EU, Israel is considered as providing an adequate level of protection for personal data transferred from the European Union. This adequacy finding ensures that personal data can be transferred from the European Union to Israel without companies having to rely on other legal methods, such as contractual clauses, to effect the data transfer. It is likely that Israel’s decision to follow the determination in the CJEU ruling invalidating the Safe Harbor Program was prompted by its concern to keep its privileged status vis-à-vis European entities in good standing.

While Israel’s reaction is understandable under the circumstances, it may be a sign that other countries throughout the world that also have the privilege of having been deemed by the European Commission to offer “adequate protection”, countries such as Argentina, Uruguay, Canada or Switzerland, might soon adopt the same approach as Israel. This would further isolate the United States, and create additional pressure for the United States government to modify its course of action and its strategies regarding international commerce.

What to do Next?

The activities of US law enforcement agencies remain of great concern to the rest of the world. In its statement, the A29 points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and that existing transfer tools are not the solution to this issue.

It is becoming clear that the repeated assertions of the CJEU in its ruling, that personal data located on US territory is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the protective rules laid down by the Safe Harbor when they conflict with US national security and public interest, are affecting the reasoning of the EEA Data Protection Commissioners and may also be gaining traction outside the European Economic Area. The CJEU opinion also points to other deficiencies in the US legal regime, such as a lack of access and correction rights.

The invalidation of the 2000/520 Safe Harbor Decision does not solve these fundamental issues. It is hard to see how data transferred from the EEA to the United States under BCRs or Standard Contractual Clauses would not suffer the same fate. The next few months will be very busy and will see extensive activities in the United States, throughout Europe, and probably in other parts of the world. Hopefully the wake-up call provided by the CJEU ruling will pave the way to effective and productive negotiations that find a solution that helps revive commerce and exchanges between the affected countries.

In the meantime, US companies must urgently evaluate their situation and take appropriate remedial measures to meet the data protection standards in the countries in which they currently do business. The January 2016 deadline set by the A29 Working Party is a very important deadline. US companies should take the time, this fall, to reshape their cross-border data transfer solutions to address the significant challenges created by the invalidation of the EU-US Safe Harbor, and the associated ramifications such as the Israeli decision.

Safe Harbor Invalidation – Article 29 Working Party Sets January 2016 Deadline

Posted by fgilbert on October 16th, 2015

The long-awaited reaction of the Working Party to the ruling of the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case is now public. Late on October 15, the Article 29 Working Party published a statement outlining its first response to the landmark ruling. The Working Party’s statement summarizes the group’s evaluation of the first consequences to be drawn at European and national level.

The Working Party points out that the data protection authorities, EU institutions, Member States, and businesses are collectively responsible for finding sustainable solutions to implement the Court’s judgment. It stresses that businesses, in particular, should reflect on the eventual risks they take when transferring data to the United States, and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection principles.

Transfers under Safe Harbor Unlawful

Regarding the practical consequences of the CJEU judgment, the Working Party states that it is clear that transfers from the European Union to the United States can no longer be framed based on the Safe Harbor mechanism and that “transfers that are still taking place under the Safe Harbor after the CJEU judgment are unlawful.”

Standard Clauses and Binding Corporate Rules

Until the Working Party has completed its analysis of the impact of the CJEU judgment on other transfer tools, data protection authorities will consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. However, during this transition period, the Working Party warns that data protection authorities will continue to exercise their right to investigate particular cases, and to exercise their powers in order to protect individuals.

January 2016 Deadline

The Working Party’s press release sets a January 2016 deadline. If, by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions.

Massive Surveillance an Issue

The activities of US law enforcement agencies remain of great concern to the Working Party. The Working Party points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and existing transfer tools are not the solution to this issue.

Intergovernmental Agreement Suggested

While progress has been made with the recent signature of the Umbrella Agreement and the ongoing negotiations regarding Safe Harbor 2.0, the Working Party believes that more needs to be done. A new Safe Harbor agreement would be only a part of the solution; more is necessary.

The Working Party urges Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling cross-Atlantic data transfers that respect fundamental rights. In particular, it suggests that such solutions could be found through the negotiation of an intergovernmental agreement providing stronger guarantees to EU data subjects.

The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working Party’s opinion, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on:

  • Oversight of access by public authorities;
  • Transparency;
  • Proportionality;
  • Redress mechanisms; and
  • Data protection rights.

Shared Responsibility

The Working Party views it as a shared responsibility between data protection authorities, EU institutions, Member States, and businesses to find sustainable solutions to implement the Court’s judgment. It states that, in the context of the CJEU judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection laws and principles.

Safe Harbor Invalidation – What Consequences?

Posted by fgilbert on October 16th, 2015


In a 35-page ruling published on October 6, 2015, the Court of Justice of the European Union has declared the EU-US Safe Harbor invalid. This means that the data transfers between European companies and the 4500+ US companies that have self-certified their adherence to the EU-US Safe Harbor principles no longer have a legal basis and are exposed to the scrutiny of the 31 Data Protection Authorities of the European Economic Area (EEA) Member States.

The CJEU ruling comes after lengthy proceedings initiated by an Austrian law student against Facebook, arguing that the transfer of his personal information from Austria to Facebook’s California servers under the protection of the Safe Harbor violates his rights. The original complaint argued that, based on the information provided by Edward Snowden regarding the mass surveillance powers of the US National Security Agency, the United States offers no legal protection against data surveillance, and the powers of the US law enforcement agencies supersede the promises made in a company’s Safe Harbor self-certification.

The CJEU went beyond the specific question that had been raised in the Facebook case. It held that Article 3 of Decision 2000/520 (which allowed for the creation of the Safe Harbor) is invalid. And, because Article 3 of Decision 2000/520 is inseparable from the other provisions of Decision 2000/520, the invalidity of Article 3 invalidates Decision 2000/520 in its entirety.

As put simply and very concisely in the last line of the CJEU’s 35-page ruling: “Decision 2000/520 is invalid.”

What does this mean for US companies and their subsidiaries and trading partners located in the 31 Member States of the European Economic Area?

It means great uncertainty. There are long-term and short-term issues:

  • What to do immediately;
  • Whether this means a future with a series of data localization restrictions resulting in countries or regions adopting a silo approach to data storage.

Immediate Consequences

First, the legal basis of the EU-US Safe Harbor on which EEA companies had relied to transfer data to the United States has been declared invalid. However, the decision does not affect the Switzerland-US Safe Harbor. Thus, transfers between Switzerland and the United States can continue under the existing Swiss-US Safe Harbor regime.

In the meantime, EEA data protection laws continue to prohibit the transfer of personal data outside the EEA territory unless there is a legal basis to show that the data, when on US territory, will benefit from the same protection as in the EEA.

There may be temporary workarounds. There are other approved methods to achieve the “adequate protection” required by the EEA data protection laws. For example, EU and EEA companies may decide to enter into contracts based on Standard Contractual Clauses approved by the European Commission. This might be the fastest and most efficient way to react in the short term. But before this solution may be implemented, significant due diligence must be performed, and many parties must agree to the applicable terms. The terms of the Standard Clauses create stringent restrictions and significant liabilities for which US companies may need additional insurance coverage. Multi-national entities may attempt to obtain approval of BCRs (“Binding Corporate Rules”) for their internal transfers. But there are significant hurdles. For example, currently, only 21 out of the 31 EEA countries recognize Binding Corporate Rules. Further, the process for approval of a set of BCRs may take one to two years from beginning to end.

Long Term Issues

A much more fundamental question remains. What happens to EEA data when they are stored on US territory? And will the NSA surveillance activities continue to create heartburn for EEA citizens and institutions?

The argument initially raised in the Facebook case was that the Snowden revelations raised concern that, in spite of a series of laws regulating government access to data and communications, the US legal framework offers no actual protection against excessive surveillance by US law enforcement agencies.

In its 35-page analysis, the CJEU repeatedly asserts that personal data on US territory is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the protective rules laid down by the Safe Harbor when they conflict with US national security and public interest. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights.

The invalidation of the 2000/520 Safe Harbor Decision does not solve this issue. Data transferred from the EEA to the United States under BCRs or Standard Contractual Clauses would suffer the same fate.

A world of silos?

The CJEU Decision in the Facebook case raises a much more fundamental question regarding cross-border data transfers. It is not just the Safe Harbor program that is at stake. It is the entire framework of model clauses, binding corporate rules and other methods that are currently used to address the “adequate protection” requirement under EU Member State data protection laws that is at stake.

Will the special powers granted to – or used by – law enforcement agencies in the US create such an obstacle to cross-border data transfers between the EEA and the US that US companies will have no choice but to set up data centers in the EEA, in order to store their EEA customers’ data within the EEA territory in an attempt to reduce the risk of being within the reach of the long arm of US law enforcement agencies?

And will this trend, combined with other data localization laws, such as the one in Russia, create a world of data silos? Will localization laws become the norm?

Is it already too late?

Right to Be Forgotten: Guidelines from WP29

Posted by fgilbert on November 26th, 2014

The Article 29 Working Party (WP29) has adopted Right to Be Forgotten Guidelines to help Data Protection Authorities in the implementation of the May 13, 2014 judgment of the Court of Justice of the European Union (CJEU) in the case Google Spain SL and Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez (C-131/12) (“Google Spain”). The WP29 Guidelines provide the WP29’s view on the interpretation of the CJEU’s ruling, and identify the criteria that will be used by the data protection authorities when addressing complaints.

An EU press release published on November 25 announces the upcoming publication of the Guidelines[1] and provides some highlights. The complete text of the Guidelines is expected to be published within the next few days.

Background

In the Google Spain case, the CJEU clarified that Directive 95/46/EC applies to a search engine insofar as the processing of personal data is carried out in the context of the activities of a subsidiary on the territory of a Member State, set up to promote and sell advertising space on its search engine in this Member State with the aim of making that service profitable.

The CJEU also ruled that, under certain conditions, data subjects may request search engines to de-list links that appear in the search results based on the person’s name.

Scope of the Right to Be Forgotten

In its Press Release, the WP29 pointed out that the CJEU ruling expressly states that the right only affects the results obtained from searches made on the basis of a person’s name and does not require deletion of the link from the indexes of the search engine altogether. The original information will still be accessible using other search terms, or by direct access to the source.

This is an important clarification. When implementing a request for de-listing, the only links that must be removed are those that would appear in response to a search for information regarding a specific person’s name. Links to the same article that would be associated with different searches, focusing on a different topic or a different individual, would survive.

Implementation Should be Global

A second element identified in the Press Release is the geographic scope of the de-listing implementation. According to the WP29, de-listing decisions must be implemented in such a way that they “guarantee the effective and complete protection of data subjects’ rights, and that EU Law cannot be circumvented.”

WP29 stresses that limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling.

In practice, this means that de-listing should also occur and be effective on all relevant .com and other domains. WP29 expects that search engines, and other organizations that will receive requests under the “right to be forgotten”, will implement the de-listing request on all domains on which they operate, and not just on EU- or EEA-based domains.

This is likely to cause concerns for the search engines and other organizations required to implement Right to be Forgotten requests, as it will result in a significant increase in technical work and related administrative costs.

Who would be entitled to the Right to be Forgotten?

The WP29 also indicated that the EU Data Protection Authorities will focus on claims where there is a clear link between the data subject and the EU, such as where the data subject is a citizen or resident of an EU Member State.

Thus, the ruling and the guidelines are directed at activities of EU Data Protection Authorities, and for the benefit of EU/EEA residents. Individuals residing outside the European Economic Area will not be entitled to seek the same privileges from the EU Data Protection Authorities.

13 Common Criteria

The guidelines contain the list of 13 common criteria that the Data Protection Authorities will apply to handle the complaints filed with their national offices following refusals of de-listing. These criteria will be applied on a case-by-case basis and in accordance with the relevant national legislation.

This list of criteria is to be seen as a flexible working tool to help Data Protection Authorities in their analysis of Right to be Forgotten complaints, and during their decision-making process. No single criterion would be determinative. Each of the criteria has to be read in the light of the principles established by the Court and in particular in the light of the public’s interest in having access to the information.

Next Steps

The complete Guidelines are not yet published. They are expected to be published within the next few days.

[1] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20141126_wp29_press_release_ecj_de-listing.pdf

Article 29 Working Party Supports ECJ “Right to be Forgotten” Ruling

Posted by fgilbert on May 23rd, 2014

In a May 23, 2014 press release, the Article 29 Working Party (WP29) has indicated that it welcomes the May 13, 2014 ruling of the European Court of Justice (ECJ), which recognizes a “right to be forgotten” for individuals.

The WP29 also announced that it is planning a discussion among the EU data protection authorities at its upcoming plenary meeting on June 3-4, 2014 to analyze the consequences of the ECJ ruling. The WP29 indicated that it intends to develop guidelines to help build a common approach of EU data protection authorities on the implementation of this ECJ ruling. It is hoped that these guidelines will help clarify the criteria to be used when evaluating a data subject’s request to “be forgotten” against the public’s interest in having access to information.

The ECJ was requested to rule on a data subject’s right to obtain the deletion of links to certain search results. In its May 13, 2014 ruling, the ECJ concluded that web users have the right to directly request from the search engine the deletion of the links to web pages containing information breaching their rights under the Directive, even if the publication of the information on the web pages in question is lawful in itself.

The ECJ noted, however, that while the rights to privacy and to the protection of personal data set forth in the EU Charter of Fundamental Rights override the search engine’s economic interest, they are not absolute; the right to deletion of information will have to be assessed on a case by case basis depending on the nature of the information in question, on its sensitivity for the data subject, and on the interest of the public to have access to that information, considering in particular the role played by the data subject in public life.

This decision has significant consequences both for search engines and for the public. Search engines will have to incur costs in responding to individual requests to block unwanted links. Since the publication of the ruling, they have already been flooded by takedown requests from a wide range of individuals. To follow the ruling, they would have to assess and balance, on a case-by-case basis, the individual’s right to be forgotten against the public’s right to information. If links are blocked, the public might be deprived of information that might otherwise be relevant, useful, or necessary in making decisions.

In addition to the above, the ECJ ruling addresses two important issues that have been of great concern to companies that operate their websites on a worldwide basis. First, the ECJ ruling adopts a wide interpretation of the notion of “establishment” for determining the applicability of the EU Directive 95/46/EC and national law to a company when the processing of personal data is carried out in the context of the activities of a subsidiary on the territory of a Member State, set up to promote and sell advertising space in that Member State. This is likely to influence national courts in the European Economic Area into asserting broad scope jurisdiction over companies based on their promotion and advertising activities.

The other important position taken in the May 13, 2014 ruling is the clarification of the concepts of “data processing” and “controller” in the context of the processing of personal data by search engines. So far, numerous companies that view themselves as service providers, such as search engines or cloud service providers, have argued that they were only data processors, and that third parties were data controllers. In its May 13, 2014 ruling, the ECJ determined that search engine providers are data controllers when they automatically index information published online and provide such information to web users according to a particular order of preference.

The May 13, 2014 ECJ ruling is a very important decision. It is likely to have significant consequences in many areas of the data protection field, and beyond. It may also affect the current discussions regarding a “right to be forgotten” or a “right to erasure” in the proposed EU Data Protection Regulation.

This post was also published by The Computer & Internet Lawyer (August 2014), Volume 31, Number 8, page 18 (Wolters Kluwer publisher).