Archives: European Union

Mintz Levin’s Immigration Law Blog is running a series titled “Innocents Abroad” addressing issues in an increasingly globalized economy where employers assign employees all over the globe.

These are big questions, reflecting some of the practical concerns in our international marketplace.  The series focuses on the well-intentioned Global HR Director, Ned Help, who will raise hot topics and difficulties his company faces when sending their employees abroad.  We will then explore the common pitfalls and offer practical solutions to the difficulties Ned Help faces.   This month’s edition:   Privacy Considerations – follow the rest of the series at Innocents Abroad.


 

From:            Carrie Counselor

To:                  Ned Help

Date:              May 24, 2016

RE:     Privacy considerations for employees working abroad

Dear Ned,

I understand that one of your employees will be engaging a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy.  Great question!  This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.

Generally speaking, federal and state laws applicable to employee information do not have “extraterritorial” effect beyond the information that remains in the United States, meaning that American employees working abroad (even temporarily) will not benefit from US legal protections with respect to personal information collected, stored or transmitted outside of the country.

What makes this area of the law particularly crucial and daunting for employers is that non-US countries frequently offer greater protections to employees and establish far higher compliance obligations on the part of employers.  Of particular concern for you should be the data protection landscape across the European Economic Area (referred to as the “EEA,” encompassing all European Union (EU) Member States as well as Iceland, Liechtenstein and Norway) because each country has passed its own set of national laws governing the collection, use, retention and transmission of personal data. Companies must consider these local laws before electronically monitoring an employee outside the United States or transferring an employee’s personal information back home.  Let’s talk specifics: Continue Reading Innocents Abroad: Privacy Considerations for Employers

The Article 29 Working Party has released opinions on Privacy Shield and “essential guarantees” under EU law relating to surveillance, here and here.

Please join us in our webinar at 1 pm EDT today to learn more about the Article 29 Working Party’s opinion on Privacy Shield (register here).  We will look at the opinion’s likely impact on Privacy Shield’s rocky progress through the EU bureaucracy, as well as on the legal attacks that we expect Privacy Shield will face if and when it is ultimately adopted by the Commission.

 

UPDATE: The Article 29 Working Party has released surprisingly brief comments on Privacy Shield, available here.  Consistent with the press briefing held earlier today (see below), WP29 has concluded that Privacy Shield falls short without providing specific guidance as to what, exactly, an acceptable version of Privacy Shield would look like.

Earlier today, the Article 29 Working Party (“WP29”) held a press conference to give a preview of its assessment of the proposed EU-US Privacy Shield arrangements that were slated to replace the struck-down Safe Harbor program and bring much-needed certainty to companies that transfer personal data from the EU to the US.

While full comments will be available later today, we know now that WP29 has declined to give Privacy Shield its support.  It appears that WP29 has serious concerns about the limitations of US national security agencies to conduct mass surveillance.  WP29 is also skeptical about the rights of redress for EU residents and would prefer that EU residents be able to bring complaints immediately via their local EU data protection authorities.    We will cover the WP29 assessment more fully during our webinar on Thursday, April 14.  Register here.  In the meantime, for those who would like to listen to the press briefing, an audio recording is available here:  https://scic.ec.europa.eu/streaming/article-29-working-party

Now that the EU Commission has published the complete version of its draft decision adopting the EU-US Privacy Shield program, it’s time for the key reviewers to dig in.   I don’t mean the lawyers, or EU privacy advocates, or US businesses, although their views will no doubt be wide-ranging and illuminating.  But no, the really important reviewers are the members of the Article 29 Working Party.

Regular readers of this blog will know that the Art. 29 WP is made up of representatives of the EU’s national data protection authorities and that the group has a major advisory role as mandated by Art. 29 of the Data Protection Directive (hence the catchy name).  The reason that that Art. 29 WP’s views will be particularly important for Privacy Shield is that the national DPAs will be the arbiters of the initial attacks that are almost certain to be made on Privacy Shield once it is adopted.  In terms of legal action, the first step EU privacy advocates who are not satisfied with Privacy Shield (which Max Schrems has already characterized as “lipstick on a pig“)  will take is to file complaints with their local DPAs. The DPAs will then need to consider whether Privacy Shield protects the “fundamental rights and freedoms” of the complainants.  The DPAs will then issue decisions that can be appealed to the local courts.  The local courts would then need to refer questions of European law (such as the validity of the Commission decision to adopt Privacy Shield) to the Court of Justice of the EU, which is the only court authorized to strike down a Commission decision.  But it all starts with the DPAs.

The Art. 29 WP has promised to publish its comments after a plenary meeting on April 12-13.  If the Art. 29 WP comes out in favor of Privacy Shield prior to its adoption, it will be a lot tougher for the DPAs to turn around later and agree with complainants that Privacy Shield is, after all, inadequate and should be struck down.  So Art. 29 WP has compelling incentives to scrutinize the draft Privacy Shield decision very carefully over the next six weeks.  It will be interesting to see whether the Commission draft survives the review without any vulnerabilities being identified that would lead the Commission to reopen negotiations with the US.

The European Commission has finally made the draft text of the EU-US Privacy Shield program available (scroll down in the press release for further links).  The Privacy Shield program, which was agreed to in principle by US and EU negotiators nearly four weeks ago, will replace the Safe Harbor program that was struck down last autumn by the Court of Justice of the EU.  However, Privacy Shield is not quite a done deal. The Commission is awaiting comments on the Privacy Shield program from the Article 29 Working Party, an advisory group that consists of members of the national data protection authorities.

The amended Judicial Redress Act has passed the House and is on its way to the president to be signed into law.  The Act, which we covered in an earlier blog post, gives citizens  of foreign countries the same rights as US citizens in connection with the use by the US government of their personal data, subject to a determination by the Attorney General that the country in question cooperates with the US in sharing law enforcement information, doesn’t impede the flow of personal data to the US for commercial purposes, and meets certain other requirements.  Essentially, the Judicial Redress Act helps assuage the EU’s concerns about government uses of personal data.  The Judicial Redress Act is vital for the EU’s acceptance of the Umbrella Agreement for sharing of data by law enforcement agencies.  It should be helpful for the proposed new “Privacy Shield,” which is currently under review by representatives of Europe’s national data protection agencies.

The US Senate passed the amended version of the Judicial Redress Act on February 9.  The amendments, which tie the Umbrella Agreement to Safe Harbor 2.0 (now dubbed the US-EU “Privacy Shield”), now go back to the House for approval.  We discussed the amendments in an earlier blog looking at the intersection of security-related and commercial discussions between the US and EU.

As we’ve discussed previously, the GDPR significantly limits user consent as a basis for processing personal data.  One interesting question is whether the new rules on consent will kill free apps in Europe.  Free apps typically involve the offer of a service (the app) in exchange for access to personal data (whatever data the app siphons off from my phone, for example, per the terms of use that I probably didn’t bother reading).  Under the GDPR, that may not be a bargain that I, as a consumer, am allowed to make. Continue Reading Will free apps soon be dead in Europe?

Update: The US Commerce Department has released a “fact sheet” on the new Privacy Shield agreement.  

The European Commission has issued a press release that gives an outline of some key changes to the EU-US safe harbor, now dubbed the “Privacy Shield.”  The new accord still needs to be reviewed by the Article 29 Working Party and the College of Commissioners, but assuming it remains substantially the same, we can expect the following: Continue Reading Commission Press Release and FTC Fact Sheet outlines the new EU-US “Privacy Shield”

According to press reports, European Union and U.S. negotiators in Brussels finalized what is being called a “political agreement” on a new Safe Harbor transatlantic data transfer agreement. European Union justice commissioner Vera Jourová will present the agreement to the European Commission’s 28 commissioners today. Continue Reading Political Agreement Reached on US-EU Safe Harbor; Details “Hazy”