Article 7(4) says that in evaluating whether consent is freely given, “utmost account shall be taken of the fact whether, among others, the performance of a contract, including the provision of a service, is made conditional on the consent to the processing of data that is not necessary for the performance of this contract.”
Recital 34 is also illuminating: “In order to safeguard that consent has been freely-given, consent should not provide a valid legal ground for the processing of personal data in a specific case, where there is a clear imbalance between the data subject and the controller . . . . Consent is presumed not to be freely given, if it does not allow separate consent to be given to different data processing operations despite it is appropriate in the individual case, or if the performance of a contract, including the provision of a service is made dependent on the consent despite this is not necessary for such performance.”
There’s a strong argument that the full range of personal data that free apps usually collect goes well beyond what’s necessary to perform the service. Take a free mobile phone game, for example. It may not be necessary to use any personal data to provide the game. Rather, the personal data is “needed” only for the game provider’s business model – to fund the free app, not to provide it in the technical sense.
Did the EU intend to kill free apps? We’ll soon see.
Written by Kate Stewart
Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home health care provider announced yesterday, we can now add to that list the fact that PHI should not be stored under an employee’s bed or in a kitchen drawer. Continue Reading
Update: The US Commerce Department has released a “fact sheet” on the new Privacy Shield agreement.
The European Commission has issued a press release that gives an outline of some key changes to the EU-US safe harbor, now dubbed the “Privacy Shield.” The new accord still needs to be reviewed by the Article 29 Working Party and the College of Commissioners, but assuming it remains substantially the same, we can expect the following:
- More stringent obligations on companies handling Europeans’ personal data and more robust enforcement. The details of the new obligations have not yet been announced. The Department of Commerce has committed to monitoring companies for compliance. Again, we don’t know the precise nature of that monitoring. Companies handling HR data from the EU will need to commit to complying with decisions by European DPAs, but since controller-to-controller transfers of HR data are usually within the same corporate group, that shouldn’t be an extra burden.
- Clear safeguards and transparency obligations on U.S. government access. The US has apparently succeeded in showing that, contrary to the facts assumed in the Schrems decision, the US does not engage in indiscriminate mass surveillance. The US has agreed to an annual joint review with the EU, including with respect to national security access to personal data.
- Improved redress options for EU citizens: It appears that the existing redress rights are still in place. In addition, any EU citizen who has a complaint about possible access by EU national intelligence authorities will be able to complain to a new US ombudsperson within the DoJ.
- The Commission will review the adequacy of the US commitments and performance annually, essentially revisiting the Privacy Shield adequacy determination. That means that Privacy Shield should only be viewed as a year-to-year rolling program that could be brought to a swift end if the EU so chooses.
Hopefully the Commission and FTC will make the entire agreement publicly available soon. When it is published, US companies should review the new Privacy Shield program carefully before deciding to commit to it. For companies that have already invested substantial time and effort in putting model clauses in place, it may not offer any advantages. Recall that most of the EU’s major trade partners don’t have a special agreement with the EU, and presumably rely on the most part on the model clauses, BCRs and consent. While the model clauses and BCRs are under review by the Article 29 Working Party, the Commission’s new findings concerning the non-existence of indiscriminate mass surveillance by the US will make it harder to attack the model clauses and BCRs.
According to press reports, European Union and U.S. negotiators in Brussels finalized what is being called a “political agreement” on a new Safe Harbor transatlantic data transfer agreement. European Union justice commissioner Vera Jourová will present the agreement to the European Commission’s 28 commissioners today. Continue Reading
No news is not good news this time. The January 31 deadline for getting a new Safe Harbor Agreement in place came and went last weekend. Commissioner Jourova, who is leading the Safe Harbor 2.0 negotiations for the EU, reported on the negotiation’s status last evening to LIBE, the European Parliament committee that oversees privacy matters. While reporting that substantial progress has been made, Jourova noted that the details of the redress mechanisms for EU persons are still under negotiation, along with a few other issues relating to the overall robustness of the new framework. The Article 29 Working Party (representing the 28 member states’ data protection authorities) meets today and tomorrow to discuss the post-Schrems legal landscape. The Working Party has said that they will also release the results of their consideration of whether the Schrems decision vitiates the model clauses and binding corporate rules. The model clauses and BCRs are particularly vital data transfer mechanisms, given the limited options available for transfers outside of the European Economic Area, so the Working Party’s opinions will be an extremely important indicator for the the uncertain future of EU to US data flows.
If you would like to learn more about the politics and law behind the current Safe Harbor 2.0 negotiations, download the podcast of Running Aground in the Surveillance Safe Harbor, a teleforum hosted by the Federalist Society. The podcast features moderator Matthew R.A. Heiman, Vice President, Chief Compliance & Audit Officer, Tyco International; Stewart A. Baker, Partner, Steptoe & Johnson LLP and former Assistant Secretary for Policy at the Department of Homeland Security; and Susan Foster, a solicitor in England & Wales whose practice bridges the UK and US perspectives on data protection matters. Podcast made available through kind permission of the Federalist Society.
One of the fascinating aspects of the privacy-related negotiations between the EU and the US over the past couple of years has been the EU’s efforts to decouple trade (e.g, TTIP) and security-related negotiations from the Safe Harbor 2.0 negotiations. The US Senate’s Judiciary Committee pushed back firmly on that yesterday when it adopted amendments to the Judicial Redress Act, which the EU requires to be passed before it will sign the Umbrella Agreement between the US and EU relating to the sharing of crime-related information between law enforcement authorities. The basic aim of the Judicial Redress Act is to give EU citizens the same rights as US citizens under the United States’ Privacy Act of 1974. The European Commission has said a number of times that passage of the Judicial Redress Act was a step in the right direction for Safe Harbor 2.0 (without saying it was enough to fully address the Commission’s concerns). Continue Reading
There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place between before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US. But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world. No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures). Only two of the countries are in the top twenty (Canada is in twelfth place). Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list. Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission). So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners. Continue Reading
We may only be three weeks into 2016, but the Telephone Consumer Protection Act (“TCPA”) has already received a considerable amount of attention this year.
Yesterday, the U.S. Supreme Court determined in Campbell-Ewald Co. v. Gomez, that a defendant could not cut off a TCPA class action lawsuit by making an offer of settlement to the lead plaintiff in an amount that would fully satisfy his claims. Specifically, a defendant company that sent a single SMS text message to the lead class action plaintiff made an offer of judgment for $1503 (i.e., the statutory value of a single TCPA violation, trebled for willful misconduct). The lead plaintiff rejected this offer. Continue Reading
The European Court of Human Rights recently ruled in Bărbulescu v. Romania (Application no. 61496/08) that a Romanian employer did not violate its employee’s fundamental right of privacy when the employer accessed personal messages in the employee’s Yahoo! Messenger account. Numerous newspapers and other media sources quickly declared employee privacy dead as a result of the ruling – and the Court was sufficiently alarmed by the mischaracterization of the case that it issued a press release refuting the media accounts. (The Guardian published a rather entertaining article about the inaccurate media coverage with photos of various front-page announcements by its competitor newspapers.)
In fact, the Bărbulescu case is so specific to the somewhat unusual facts that it does more to show how limited the circumstances in which an employer can access personal communications of its employees. For a more down-to-earth take on the case, take a look at Law360’s analysis here. The take-away for employers is that it is vital to consult local employment lawyers first before engaging in any monitoring of employee communications, to make sure that your company’s policies and actions meet local requirements as well as the case law of the European courts.