Updated at 8:50 pm GMT on 16 December 2015.
The new General Data Protection Regulation is effectively a “done deal” following the final trilogue meeting on December 15. One might assume based on UK media coverage that the biggest change in EU privacy law is that kids under 16 will need their parent’s consent to sign up for social media services and apps. As much consternation as that will cause at the breakfast table, it’s really the least of our worries.
It will take some time to process the new Regulation, and of course we don’t have the complete, official version yet (please read the important caveat at the end of this summary), but here are the key features of the Regulation in bullet point form so we can start mapping out the new legal landscape. This summary focuses more on what’s new than what has stayed in place; generally speaking, rights of data subjects that existed under the Directive also exist under the Regulation. On the other hand, the burdens on data controllers and processors have substantially increased. We’ll explore all of this in more detail over the coming weeks.
The EU Parliament committee that is charged with considering data protection matters (LIBE) has issued a press release calling on the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor. Importantly, LIBE has also called on the Commission to reassess whether the European Court of Justice’s recent invalidation of Safe Harbor casts doubt on other means for legitimizing the transfer of personal data from the EEA to the US.
As we have commented previously here, the ECJ’s rationale in the Schrems Safe Harbor decision could be used to attack both BCRs and Model Clauses. LIBE certainly seems to have picked up on that also.
As I reported earlier today, the Court of Justice of the EU (ECJ) has declared Safe Harbor invalid. The full decision is now available online in English here (other languages also available at curia.europa.eu by searching on C-362/14).
There are two key elements of the ECJ’s decision. The first is that national data protection authorities in the EEA are authorized – indeed, required – to hear complaints from individuals with regard to the transfer of their personal data outside of the EEA regardless of whether the Commission has issued an adequacy decision. The second is a determination that the Commission’s adequacy decision concerning Safe Harbor is invalid. Period. It’s gone.
Most US companies that rely solely on Safe Harbor will initially focus on the second part of the decision invalidating Safe Harbor. That makes sense, because if Safe Harbor is your company’s only basis for legitimizing the transfer of personal data from the EEA to the US, your company is likely in violation of various contracts and, if your company is the data controller responsible for the transfer or otherwise directly subject to European data protection laws, it’s probably in violation of European data protection laws. Near-term consequences? The possibilities include:
- termination of contracts and exposure to damages
- customer complaints to your company
- customer complaints against your company made to local Data Protection Authorities (DPAs)
- employee complaints (although rather less likely than customer complaints)
- loss of potential new business in Europe
- orders and injunctions issued by DPAs that force your company to stop transferring personal data
- (and no doubt you can add your own parade of horribles here . . . such as lost time of your General Counsel, your head of IT systems, head of consumer services and other senior executives, possibly a need for extensive data audits, and so on)
The invalidation of Safe Harbor in the blink of an eye (even if the case was pending over a year) requires urgent action. But we should also be concerned about the first part of the ECJ’s decision, to the effect that local DPAs will always have the right and obligation to hear complaints from individuals even if the Commission has issued an adequacy decision. We should care about this because for nearly two years, EU and US bureaucrats have been trying to negotiate a more robust Safe Harbor. Let’s call that Safe Harbor II.
A few days ago, some commentators suggested that Safe Harbor II would save Safe Harbor-dependent companies because it would remedy the faults that the ECJ might find with the original Safe Harbor. But now we know that even if the Commission endorses a Safe Harbor II, it can be attacked on a country-by-country basis. Furthermore, the ECJ has effectively raised the bar for Safe Harbor II – in future judicial assessments of Commission decisions, the ECJ will take a strict approach to reviewing such decisions (see Para. 78 of Schrems). To achieve a Safe Harbor II that meets the ECJ’s stringent requirements, the Commission will, effectively, need to “ensure” that the US’s national security laws don’t allow the gathering of data beyond that strictly necessary to achieve their objectives (that is, objectives that the ECJ thinks are legitimate) and contain adequate safeguards for EEA individuals. Taken in its strongest form, this could include a right to know their data has been processed by intelligence services, a right to find out what data has been gathered about them, and a right to have incorrect or incomplete data rectified (see Para. 90 of Schrems), all of which would be, to say the least, in tension with the fundamentals of intelligence work.
This all sounds a bit grim, doesn’t it? There are alternatives to Safe Harbor (again, described in my earlier posts on this topic), although they have their own challenges. Please tune in for our webinar on Wednesday, 7 October at 3 pm EDT for more discussion about steps you can take to comply with EU data protection laws in the new, post-Safe Harbor era.
UPDATE: Here’s a link to the English-language version of the ECJ’s full decision: Schrems Safe Harbor Decision
A press release issued by the Court of Justice of the EU (ECJ) regarding its decision in the Schrems Safe Harbor case (C-362/14) confirms that the ECJ has declared Safe Harbor invalid. The ECJ has sent the case back to the Irish Data Protection Authority to determine whether Facebook Ireland’s transfer of personal data to the US is permitted under EU data protection law, in light of Facebook’s participation in the NSA’s PRISM program. We are awaiting publication of the decision and will report further after it becomes available.
In the meantime, here’s the background to this decision and some suggestions for what to do next if your company relies on Safe Harbor:
The European Union’s Data Protection Directive (1995) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection. Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection. The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.
Currently, over 4,500 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.
If your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it will need to find another basis for the transfer as soon as possible. The primary options are:
- Consent of the data subject to the transfer. In most circumstances, the consent needs to be explicit and fully informed to be valid. It’s also important to keep records of the consent in case there’s a challenge.
- Binding corporate rules for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more). So while this is a longer-term option, it won’t help if Safe Harbor is not available. Also, BCRs are vulnerable on the same grounds as Safe Harbor.
- Contracts between the exporting and receiving entities. The European Commission has provided model clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data. However, see the cautions below.
- In the UK, companies may be able to make their own adequacy determinations under guidance issued by the UK’s Information Commissioner’s Office.
There’s a very important caveat that would apply to all of these alternatives except possibly the data subject consent option: BCRs and model contracts require the data recipients essentially to promise that the data will be protected to the same level as in the EU. If your company could receive a subpoena from the NSA or other US government agency to disclose the personal data of EU residents, then the BCRs and contracts (and UK adequacy determinations) would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.
Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jennifer Rubin and Gauri Punjabi’s Privacy in the Workplace presentation. Jen and Gauri discussed the latest statutory and common law developments concerning employer monitoring of employee email, access to employee social media accounts, social media policies, and bring your own device (“BYOD”) policies. We were pleased to host over 125 participants for this webinar.
For those who missed the webinar, some of the key takeaways for employers include the following:
- While there is not much federal or state statutory authority on employer monitoring of employee email access, employers are advised to provide employees with prior notice of such monitoring and obtain their consent to do so.
- Many states now prohibit employers from requesting access to their employees’ or job applicants’ social media accounts. This trend, along with the number of other states that have considered passing similar legislation, suggests that Congress may soon weigh in on this issue.
- The National Labor Relations Act applies to all employers, regardless of whether the workplace is unionized, and protects employees who use social media to discuss their wages, hours, and other terms and conditions of employment (i.e., concerted activity). Employers cannot prohibit employees from using work email accounts to have such discussions during non-working time. Employees will lose the protection of the Act when their actions disparage the employer’s products or services and/or create a risk of harm to the employer or to others.
- Social media policies should specify the nature of conduct that is permitted and prohibited and should not utilize broad language that could encompass the right of employees to engage in protected concerted activity. Social media policies should also take into account an employer’s need to protect trade secrets, comply with industry regulations and applicable federal and state employment statutes, and preserve information relevant to litigation.
- BYOD policies often result in lower employer costs related to device overhead (purchase/maintenance), improve employee productivity, and result in greater employee job satisfaction. Prior to implementation, however, employers should consider the process for monitoring compliance with other company policies, keeping track of wages owed to non-exempt employees who use their personal devices to work outside of the office, and maintaining the security of company information that ends up on an employee’s personal device and ensuring its removal once the employee leaves the company.
The next webinar in the Privacy series — Responding to Insider Theft and Data Disclosure — will take place on Wednesday, March 25, 2015. This webinar will offer practical advice about responding to data theft and disclosures by employees and former employees. We will cover such topics as conducting a proper investigation, utilizing state and local civil court processes to deter, halt, and remediate data thefts, and when and how to engage local and/or federal law enforcement. This webinar will be presented by members of Mintz Levin’s privacy and data security and white collar crime practice groups.
Sign up here to attend.
Registration is open for the next installment in the Mintz Levin Privacy & Security Group Wednesday Webinar series —
This webinar, scheduled for Wednesday, February 25, will focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss developments in the workplace privacy field, including statutory developments, mobile device regulation, social media’s impact on workplace privacy, recruiting and hiring, and some practical advice to keep your workplace policies in compliance with rapid legal developments.
Save the date and register online here!
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) The highly influential Article 29 Working Party, composed in part of representatives of the EU’s national data protection offices, has announced that the right to be forgotten applies to .com as well as country-specific search results.
The Google Spain decision (discussed here) held that a search engine with advertising activities in Europe (directly or through a subsidiary) must delete search results that link to personal information that the person in question thinks is no longer “relevant.” Google implemented a removal process for its search domain names with European extensions, such as Google.fr, but not for Google.com search results. The Google Spain case makes Google the arbiter of removal requests in the first instance. If the request is rejected, the individual can appeal to his or her local EU Data Protection authority.
The Art. 29 Working Party has now issued an opinion that EU Data Protection authorities should interpret the Google Spain decision as applying globally. That means that Google would have to delete search results found through a search on Google.com. (It takes a bit of know-how to search Google.com from within Europe without getting automatically redirected back to the country-specific sites, but as of the date of this blog post, it is possible to do it.)
It is fair to assume that the national EU Data Protection authorities will follow the Art. 29 Working Party opinion, since the Working Party is made up largely of representatives of those authorities.
So EU law will affect what we see anywhere around the world when we search for information that involves an EU resident. Google’s reaction to the Google Spain decision has indicated that Google really doesn’t want to be the web’s censor – but it doesn’t seem to have much of a choice now.
In the past few years the National Labor Relations Board (“NLRB”) has taken an increased interest in whether workplace policies prohibiting employees from discussing the terms and conditions of their employment on social media such as Facebook and Twitter violate the National Labor Relations Act (“NLRA”) by interfering with workers’ rights to engage in concerted activity. Federal law prohibits an employer from interfering with employees who come together to discuss work-related issues for the purpose of collective bargaining or other mutual aid or protection, and the NLRB has (correctly) noted that social media has become one of the primary avenues through which employees engage in such activity. A spate of recent decisions makes clear that the NLRB has intensified (and will likely continue to intensify) its scrutiny of employer social media policies and this scrutiny extends no less to non-unionized employers.
Our colleagues at the Mintz Levin Employment Matters blog have written a thorough analysis of the latest, and you will want to read it and take another hard look at your company’s social media policies.
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?
In the Google Spain “Right to be Forgotten” case, the ECJ held that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant. The Google Spain decision has given a much sharper focus to the discussion about the Right to be Forgotten that may soon be adopted as part of the new Data Protection Regulation that is expected to be passed sometime in 2015. With the advent of the Google Spain decision, an issue that was on the sideline for most businesses – and which was expected by some to be quietly dropped from the draft Data Protection Regulation – has become a hot political issue. The Right to be Forgotten as interpreted by the ECJ has garnered international attention, deepened the UK/continental EU divide, and ultimately could delay the adoption of a final form of the Data Protection Regulation.
The Google Spain case has been controversial for various reasons. The decision takes an expansive approach to the long-arm reach of EU data protection law. It holds search engine providers liable to comply with removal requests even when the information in the search results is true, was originally published legally and can continue to be made available by the original website. The decision makes the search engine provider the initial arbiter of whether the individual’s right to have his or her information removed from publicly available search results is outweighed by the public’s interest in access to that information. (For a pithy analysis of the “public record” aspects of the case, see John Gapper’s “Google should not erase the web’s memory” published in the Financial Times.)