
Safe Harbor Invalidation – Article 29 Working Party Sets January 2016 Deadline

Posted by fgilbert on October 16th, 2015

The long-awaited reaction of the Working Party to the ruling of the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case is now public. Late on October 15, the Article 29 Working Party published a statement outlining its first response to the landmark ruling. The Working Party’s statement summarizes the group’s evaluation of the first consequences to be drawn at European and national level.

The Working Party points out that the data protection authorities, EU institutions, Member States, and businesses are collectively responsible for finding sustainable solutions to implement the Court’s judgment. It stresses that businesses, in particular, should reflect on the eventual risks they take when transferring data to the United States, and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection principles.

Transfers under Safe Harbor Unlawful

Regarding the practical consequences of the CJEU judgment, the Working Party states that it is clear that transfers from the European Union to the United States can no longer be framed based on the Safe Harbor mechanism and that “transfers that are still taking place under the Safe Harbor after the CJEU judgment are unlawful.”

Standard Clauses and Binding Corporate Rules

Until the Working Party has completed its analysis of the impact of the CJEU judgment on other transfer tools, data protection authorities will consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. However, during this transition period, the Working Party warns that data protection authorities will continue to exercise their right to investigate particular cases, and to exercise their powers in order to protect individuals.

January 2016 Deadline

The Working Party’s press release sets a January 2016 deadline. If, by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions.

Massive Surveillance an Issue

The activities of US law enforcement agencies remain of great concern to the Working Party. The Working Party points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and existing transfer tools are not the solution to this issue.

Intergovernmental Agreement Suggested

While progress has been made with the recent signature of the Umbrella Agreement and the ongoing negotiations regarding Safe Harbor 2.0, the Working Party believes that more needs to be done. A new Safe Harbor agreement would only be a part of the solution; more is necessary.

The Working Party urges Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling transatlantic data transfers that respect fundamental rights. In particular, it suggests that such solutions could be found through the negotiation of an intergovernmental agreement providing stronger guarantees to EU data subjects.

The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working Party’s opinion, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on:

  • Oversight of access by public authorities;
  • Transparency;
  • Proportionality;
  • Redress mechanisms; and
  • Data protection rights.

Shared Responsibility

The Working Party views it as a shared responsibility between data protection authorities, EU institutions, Member States, and businesses to find sustainable solutions to implement the Court’s judgment. It states that, in the context of the CJEU judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection laws and principles.

Safe Harbor Invalidation – What Consequences?

Posted by fgilbert on October 16th, 2015


In a 35-page ruling, published on October 6, 2015, the Court of Justice of the European Union has declared the EU-US Safe Harbor invalid. This means that the data transfers between European companies and the 4500+ US companies that have self-certified their adherence to the EU-US Safe Harbor principles no longer have a legal basis and are exposed to the scrutiny of 31 Data Protection Authorities of the European Economic Area (EEA) Member States.

The CJEU ruling comes after lengthy proceedings initiated by an Austrian law student against Facebook, arguing that the transfer of his personal information from Austria to Facebook’s California servers under the protection of the Safe Harbor violates his rights. The original complaint argued that, based on the information provided by Edward Snowden regarding the mass surveillance powers of US National Security Agency, the United States offers no legal protection against data surveillance, and the powers of the US law enforcement agencies supersede the promises made in a company’s Safe Harbor self-certification.

The CJEU went beyond the specific question that had been raised in the Facebook case. It held that Article 3 of Decision 2000/520 (which allowed for the creation of the Safe Harbor) is invalid. And, because Article 3 of Decision 2000/520 is inseparable from the other provisions of Decision 2000/520, the invalidity of Article 3 invalidates Decision 2000/520 in its entirety.

As put simply and very concisely in the last line of the CJEU 35-page ruling: “Decision 2000/520 is invalid.”

What does this mean for US companies and their subsidiaries and trading partners located in the 31 Member States of the European Economic Area?

It means great uncertainty. There are long-term and short-term issues:

  • What to do immediately;
  • Whether this means a future with a series of data localization restrictions resulting in countries or regions adopting a silo approach to data storage.

Immediate Consequences

First, the legal basis of the EU-US Safe Harbor on which EEA companies had relied to transfer data to the United States has been declared invalid. However, the decision does not affect the Switzerland-US Safe Harbor. Thus transfers between Switzerland and the United States can continue under the existing Swiss-US Safe Harbor regime.

In the meantime, EEA data protection laws continue to prohibit the transfer of personal data outside the EEA territory unless there is a legal basis to show that the data, when on US territory, will benefit from the same protection as in the EEA.

There may be temporary workarounds. There are other approved methods to achieve the “adequate protection” required by the EEA data protection laws. For example, EU and EEA companies may decide to enter into contracts based on Standard Contractual Clauses approved by the European Commission. This might be the fastest and most efficient way to react in the short term. But before this solution may be implemented, significant due diligence must be performed, and many parties must agree to the applicable terms. The terms of the Standard Clauses create stringent restrictions and significant liabilities for which US companies may need additional insurance coverage. Multi-national entities may attempt to obtain approval of BCRs (“Binding Corporate Rules”) for their internal transfers. But there are significant hurdles. For example, currently, only 21 out of the 31 EEA countries recognize Binding Corporate Rules. Further, the process for approval of a set of BCRs may take one to two years from beginning to end.

Long Term Issues

A much more fundamental question remains. What happens to EEA data when they are stored on US territory? And will the NSA surveillance activities continue to create heartburn for EEA citizens and institutions?

The argument initially raised in the Facebook case was that the Snowden revelations raised concern that, in spite of a series of laws regulating government access to data and communications, the US legal framework offers no actual protection against excessive surveillance by US law enforcement agencies.

In its 35-page analysis, the CJEU repeatedly asserts that personal data when on the US territory is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the prospective rules laid down by the Safe Harbor when they conflict with US national security and public interest. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights.

The invalidation of the 2000/520 Safe Harbor Decision does not solve this issue. Data transferred from the EEA to the United States under BCR or Standard Contractual Clauses would suffer the same fate.

A world of silos?

The CJEU Decision in the Facebook case raises a much more fundamental question regarding cross-border data transfers. It is not just the Safe Harbor program that is at stake. It is the entire framework of model clauses, binding corporate rules and other methods that are currently used to address the “adequate protection” requirement under EU Member State data protection laws that is at stake.

Will the special powers granted to – or used by – law enforcement agencies in the US create such an obstacle to cross-border data transfers between the EEA and the US that US companies will have no choice but to set up data centers in the EEA, in order to store their EEA customers’ data within the EEA territory in an attempt to reduce the risk of being within the reach of the long arm of US law enforcement agencies?

And will this trend, combined with other data localization laws, such as the one in Russia, create a world of data silos? Will localization laws become the norm?

Is it already too late?

Right to Be Forgotten: Guidelines from WP29

Posted by fgilbert on November 26th, 2014

The Article 29 Working Party (WP29) has adopted Right to Be Forgotten Guidelines, to help Data Protection Authorities in the implementation of the May 13, 2014 judgment of the Court of Justice of the European Union (CJEU) in the case Google Spain SL and Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez (C-131/12) (“Google Spain”). The WP29 Guidelines provide the WP29’s view on the interpretation of the CJEU’s ruling, and identify the criteria that will be used by the data protection authorities when addressing complaints.

An EU press release published on November 25 announces the upcoming publication of the Guidelines[1] and provides some highlights. The complete text of the Guidelines is expected to be published within the next few days.

Background

In the Google Spain case, the CJEU clarified that Directive 95/46/EC applies to a search engine insofar as the processing of personal data is carried out in the context of the activities of a subsidiary on the territory of a Member State, set up to promote and sell advertising space on its search engine in this Member State with the aim of making that service profitable.

The CJEU also ruled that, under certain conditions, data subjects may request search engines to de-list links that appear in the search results based on the person’s name.

Scope of the Right to Be Forgotten

In its Press Release, the WP29 pointed out that the CJEU ruling expressly states that the right only affects the results obtained from searches made on the basis of a person’s name and does not require deletion of the link from the indexes of the search engine altogether. The original information will still be accessible using other search terms, or by direct access to the source.

This is an important clarification. When implementing a request for de-listing, the only links that must be removed are those that would appear in response to a search for information regarding a specific person’s name. Links to the same article that would be associated with different searches, focusing on a different topic or different individual would survive.

Implementation Should be Global

A second element identified in the Press Release is the geographic scope of the de-listing implementation. According to the WP29, de-listing decisions must be implemented in such a way that they “guarantee the effective and complete protection of data subjects’ rights, and that EU Law cannot be circumvented.”

WP29 stresses that limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling.

In practice, this means that de-listing should also occur and be effective on all relevant .com and other domains. WP29 expects that search engines, and other organizations that will receive requests under the “right to be forgotten”, will implement the de-listing request on all domains on which they operate, and not just on EU or EEA based domains.

This is likely to cause concerns for the search engines and other organizations required to implement Right to be Forgotten requests, as it will result in a significant increase in technical work and related administrative costs.

Who would be entitled to the Right to be Forgotten?

The WP29 also indicated that the EU Data Protection Authorities will focus on claims where there is a clear link between the data subject and the EU, such as where the data subject is a citizen or resident of an EU Member State.

Thus, the ruling and the guidelines are directed at activities of EU Data Protection Authorities, and for the benefit of EU/EEA residents. Individuals residing outside the European Economic Area will not be entitled to seek the same privileges from the EU Data Protection Authorities.

13 Common Criteria

The guidelines contain the list of 13 common criteria that the Data Protection Authorities will apply to handle the complaints filed with their national offices following refusals of de-listing. These criteria will be applied on a case-by-case basis and in accordance with the relevant national legislation.

This list of criteria is to be seen as a flexible working tool to help Data Protection Authorities in their analysis of Right to be Forgotten complaints, and during their decision-making process. No single criterion would be determinative. Each of the criteria has to be read in the light of the principles established by the Court and in particular in the light of the public’s interest in having access to the information.

Next Steps

The complete Guidelines are not yet published. They are expected to be published within the next few days.

[1] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20141126_wp29_press_release_ecj_de-listing.pdf

Article 29 Working Party Supports ECJ “Right to be Forgotten” Ruling

Posted by fgilbert on May 23rd, 2014

In a May 23, 2014 press release, the Article 29 Working Party (WP29) has indicated that it welcomes the May 13, 2014 ruling of the European Court of Justice (ECJ), which recognizes a “right to be forgotten” for individuals.

The WP29 also announced that it is planning a discussion among the EU data protection authorities at its upcoming plenary meeting on June 3-4, 2014 to analyze the consequences of the ECJ ruling. The WP29 indicated that it intends to develop guidelines to help build a common approach of EU data protection authorities on the implementation of this ECJ ruling. It is hoped that these guidelines will help clarify the criteria to be used when evaluating a data subject’s request to “be forgotten” against the public’s interest in having access to information.

The ECJ was requested to rule on a data subject’s right to obtain the deletion of links to certain search results. In its May 13, 2014 ruling, the ECJ concluded web users have the right to directly request from the search engine the deletion of the links to web pages containing information breaching their rights under the Directive, even if the publication of the information on the web pages in question is lawful in itself.

The ECJ noted, however, that while the rights to privacy and to the protection of personal data set forth in the EU Charter of Fundamental Rights override the search engine’s economic interest, they are not absolute; the right to deletion of information will have to be assessed on a case-by-case basis depending on the nature of the information in question, on its sensitivity for the data subject, and on the interest of the public to have access to that information, considering in particular the role played by the data subject in public life.

This decision has significant consequences both for search engines and for the public. Search engines will have to incur costs in responding to individual requests to block unwanted links. Since the publication of the ruling, they have already been flooded by takedown requests from a wide range of individuals. To follow the ruling, they would have to assess and balance, on a case-by-case basis, the individual’s right to be forgotten against the public’s right to information. If links are blocked, the public might be deprived of information that otherwise might be relevant, useful, or necessary in making decisions.

In addition to the above, the ECJ ruling addresses two important issues that have been of great concern to companies that operate their websites on a worldwide basis. First, the ECJ ruling adopts a wide interpretation of the notion of “establishment” for determining the applicability of the EU Directive 95/46/EC and national law to a company when the processing of personal data is carried out in the context of the activities of a subsidiary on the territory of a Member State, set up to promote and sell advertising space in that Member State. This is likely to influence national courts in the European Economic Area into asserting broad scope jurisdiction over companies based on their promotion and advertising activities.

The other important position taken in the May 13, 2014 ruling is the clarification of the concepts of “data processing” and “controller” in the context of the processing of personal data by search engines. So far numerous companies that view themselves as service providers, such as search engines or cloud service providers, have argued that they were only data processors, and that third parties were data controllers. In its May 13, 2014 ruling, the ECJ determined that search engine providers are data controllers when they automatically index information published online and provide such information to web users according to a particular order of preference.

The May 13, 2014 ECJ ruling is a very important decision. It is likely to have significant consequences in many areas of the data protection field, and beyond. It may also affect the current discussions regarding a “right to be forgotten” or a “right to erasure” in the proposed EU Data Protection Regulation.

This post was also published by The Computer & Internet Lawyer (August 2014) Volume 31, Number 8, page 18 (Wolters Kluwer publisher).

Review of the Safe Harbor soon?

Posted by fgilbert on March 27th, 2014

In a short statement following the EU-US summit held in Brussels earlier this week, Herman Van Rompuy, President of the European Council, announced on March 27, 2014, that the United States and the European Union have agreed to take steps to address concerns caused by last year’s revelations on the US NSA surveillance programs, and restore trust.

He indicated that, with respect to commercial use of personal data, the United States “have agreed to a review of the so-called Safe Harbour framework” to ensure transparency and legal certainty. In addition, with respect to government access to personal data, the parties will “negotiate an umbrella agreement on data protection by this summer, based on equal treatment of EU and US citizens.”

The full text of Mr. Van Rompuy’s statement is available at http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/ec/141919.pdf


Draft EU Privacy Regulation Amendments Approved

Posted by fgilbert on October 22nd, 2013


The European Union Committee on Civil Liberties, Justice, and Home Affairs, also known as the “LIBE Committee”, approved amendments to the draft of the EU Data Protection Regulation on October 21, 2013.

The good news is that the “right to be forgotten” has been replaced with a “right of erasure” which is more narrowly phrased.

The bad news is … most of the other amendments. The revised draft would define a stronger and more stringent data protection regime, which is likely to create additional hurdles for US companies doing business in the European Union, or in need of transferring data out of the EU/EEA to the United States or to subsidiaries worldwide.

In particular, the revised draft increases significantly the maximum fine that might result from violation of the new law. The 2012 draft regulation set a maximum fine of 1,000,000 Euros or 2% of a company’s worldwide income and adopted a tiered approach. With the revised draft, fines could reach up to 100,000,000 Euros or up to 5% of a company’s annual worldwide income, whichever is greater. This is a significant jump.

The next step is the review and approval of the amended text by the European Union Council and the European Commission. After that, the final text of the proposed Regulation would be submitted to the European Parliament for a final discussion and vote. This vote is not likely to take place before May 2014. If an agreement is not reached before the Parliament closes down for the election of new MPs, the negotiation over the Regulation could continue in the next session of the EU Parliament. In this case, more delay might be likely if there were a change in the composition of the Parliament.

The text of the approved amendment is available here.

Article 29 Working Party’s Opinion on Mobile App Privacy

Posted by fgilbert on March 15th, 2013

On March 14, 2013, the European Union’s Article 29 Working Party published its opinion on the unique privacy and data protection issues faced by applications used on mobile devices. The 30-page opinion provides an analysis of the technical and legal issues, and concludes with a series of recommendations to app developers, platform developers, equipment manufacturers and third parties.

In many respects, this new opinion of the Article 29 Working Party is very similar to the document that the Federal Trade Commission has published recently on the same topic. It addresses many themes also found in the FTC documents regarding the use of mobile applications in general, or mobile applications directed to children.

The Article 29 Opinion WP 202 provides two series of recommendations for application developers. The first set of recommendations is in fact a recitation of general principles set forth in the proposed Data Protection Regulation, but adapted to the specific context of the mobile world, with references to location data, unique device identifiers, and SMS. There are also references to other modern concepts, such as privacy by design, also found in the proposed Data Protection Regulation, but absent from Directive 95/46/EC, the directive currently in effect.

The second set of recommendations to application developers includes specific guidance on the actions to be taken. These include:

  • Adopting appropriate measures that address the risks to the data;
  • Informing users about security breaches;
  • Telling users what types of data are collected or accessed on the device, how long the data are retained and what security measures are used to protect these data;
  • Developing tools to enable users to decide how long their data should be retained, based on their specific preferences and contexts, rather than offering pre-defined retention terms;
  • Including information in their privacy policy dedicated to European users;
  • Developing and implementing simple but secure online access tools for users, without collecting additional excessive personal data;
  • Developing, in cooperation with OS and device manufacturers and others, innovative solutions to adequately inform users on mobile devices, such as through layered information notices combined with meaningful icons.

The remainder of the recommendations is addressed to app stores, OS and device manufacturers, and third parties.

The protection of children reappears as a common theme in the different recommendations to the different players in the mobile market. Each set of recommendations provided in WP 202 stresses that they should limit their collection of information from children, and especially refrain from processing children’s data for behavioral advertising purposes, and refrain from using their access to a child’s account to collect data about the child’s relatives or friends.

Article 29 Working Party’s Opinion on Cloud Computing: A Threat for the Industry?

Posted by fgilbert on July 16th, 2012

In its Opinion 05/2012 on Cloud Computing, published as document WP 196 in early July 2012, the Article 29 Working Party identifies the data protection risks that are likely to result from the use of cloud computing services, such as the lack of control over personal data and lack of information about how, where and by whom the data are being processed or sub-processed in the cloud. It expressly deems the Safe Harbor regime insufficient to meet the requirements of the national data protection laws.

Even though opinions of the Article 29 Working Party do not have the force of law, they have a very significant influence over the ways companies operate, and the privacy choices they make. US businesses operating in the European Economic Area should keep in mind that the data protection authorities of the country or countries in which they operate are highly likely to follow the guidance set forth in a Working Party’s opinion. Thus, it is important that they operate within the guidelines and guidance provided in the opinions and other writings of the Article 29 Working Party.

Overview

One of the most significant concerns expressed in the Article 29 Opinion on Cloud Computing is the extent to which the Safe Harbor Principles fail to address the unique ways in which cloud computing services hold and process data. The Article 29 Working Party believes that the Safe Harbor Principles, which were conceived in a different technological environment, fail to address the unique environment in which cloud services are provided. In their view, sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment.

The Opinion points to the lack of control over the whereabouts of the data held in the cloud, and the lack of transparency on the security measures being adopted or the identity of the subprocessors, as threats to the protection of personal data. It also stresses the importance of informing the data subjects about who processes their data, for what purposes, and in which locations, and how they can exercise the rights afforded to them in this respect when their data are hosted or processed in the cloud.

Due Diligence & Contract Terms

The document recommends that the cloud client select a cloud provider that guarantees compliance with EU data protection legislation derived from Directives 95/46/EC and 2002/58/EC. It stresses that the cloud client should verify whether the cloud provider can guarantee the lawfulness of any cross-border international data transfers.

Once the cloud service provider is identified, the relationship should be recorded in a contract that affords sufficient guarantees in terms of technical and organizational measures for the cloud service. The Opinion identifies a number of contractual safeguards to be included in the contract for cloud services.

Cross-border Transfers & Safe Harbor

One of the most important components of the Opinion is its negative analysis of the ability of most cloud providers to meet the restrictions on cross-border data transfers that are part of the EEA Member States’ national data protection laws. The Opinion expresses significant concerns about the Safe Harbor’s ability to meet the requirement that the recipient of the data provide “adequate protection” consistent with that which is provided in the EU and EEA.

Among other things, the Opinion warns that the Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that it has a Safe Harbor certification. The company exporting data should request evidence demonstrating that the principles are complied with. The Opinion also states that it might be advisable to complement the commitment of the data importer to the Safe Harbor with additional safeguards taking into account the specific nature of the cloud.

It is not clear what effect the Working Party’s Opinion in WP 196 will have on US cloud providers. If US cloud providers want to continue to attract EU based clients, they will have to address the recommendations of WP 196, at least in connection with their sales in the European Union. Will US customers request the same level of transparency and control?

Further analysis of WP 196 is available in Francoise Gilbert’s article published by the BNA Privacy & Security Law Report, available here.

CNIL on Cloud Computing

Posted by fgilbert on June 28th, 2012

On June 25, CNIL – the French Data Protection Authority – published its recommendation on the use of cloud computing services. This recommendation is the result of a research project on cloud issues, which started in the Fall of 2011 with a consultation with industry. The documents released by CNIL include a summary of the research and documents, a compilation of the responses received to the consultation, and a set of recommendations.

The recommendations include:

  • Clearly identify the type of data and type of processing that will be in the cloud
  • Identify the security and legal requirements
  • Conduct a risk analysis to identify the needed security measures
  • Identify the type of cloud service that is adapted for the contemplated type of processing
  • Choose a provider that provides sufficient guarantees

The CNIL document also provides an outline of the contractual clauses that should be included in a cloud contract and contains “Model Clauses” that may be added to contracts for cloud services. These model clauses are provided as a sample, are not mandatory, and can be changed or adapted to each specific contract.

Except for a high-level summary in English, the documents described above are currently available only in French on the CNIL website. According to CNIL representatives, English translations of these documents should be available shortly.

  • Overview of CNIL Recommendation – Summary in English: http://www.cnil.fr/english/news-and-events/news/article/cloud-computing-cnils-recommandations-for-companies-using-these-new-services/
  • Overview of CNIL Recommendation – Summary in French: http://www.cnil.fr/la-cnil/actualite/article/article/cloud-computing-les-conseils-de-la-cnil-pour-les-entreprises-qui-utilisent-ces-nouveaux-services/
  • Compilation of the responses to the CNIL consultation on cloud computing (in French): http://www.cnil.fr/fileadmin/images/la_cnil/actualite/Synthese_des_reponses_a_la_consultation_publique_sur_le_Cloud_et_analyse_de_la_CNIL.pdf
  • Recommendation for companies wishing to use cloud services (in French): http://www.cnil.fr/fileadmin/images/la_cnil/actualite/Recommandations_pour_les_entreprises_qui_envisagent_de_souscrire_a_des_services_de_Cloud.pdf


Outline of BCR for Processors Published by Article 29 Working Party

Posted by fgilbert on June 20th, 2012

On June 19, 2012, the Article 29 Working Party adopted a Working Paper (WP 195) on Binding Corporate Rules (BCR) for processors, to allow companies acting as data processors to use BCR in the context of transborder transfers of personal data, such as in the case of cloud computing and outsourcing.

WP 195 includes a full checklist of the requirements for BCR for Processors and is designed both for companies and for data protection authorities. The document provides a checklist outlining the conditions to be met in order to facilitate the use of BCR for processors, and the information to be included in the application for approval of BCR filed with the Data Protection Authorities.