The European Commission has launched a new data protection website aimed at educating the public and helping businesses and other organizations comply with their new obligations under the General Data Protection Regulation.  The Commission’s website contains some infographics to help readers get to grips with the key points of the GDPR.  It also contains Q&A and examples that may be helpful in assessing when the GDPR’s various obligations are triggered in different situations.

While the infographics approach to explaining companies’ GDPR obligations has the virtue of simplicity, the Commission’s explanation of what smaller companies must do is far from exhaustive and might mislead readers into thinking they are in compliance when they are not.  For example, the explanation of the record keeping requirements mentions three criteria that trigger the requirements for companies with under 250 employees (SMEs), but omits a critical “or” between the infographic’s second (risky processing of any personal data) and third criteria (processing of sensitive data or criminal records).  Small companies could easily be misled into thinking that only processing that meets all three criteria requires record-keeping.

Larger companies that are subject to the GDPR will likely find the Commission’s SME-focused infographics useful, but should approach with a bit of caution.  Their data processing activities will require record-keeping and, since larger companies are typically more complex, it may require deeper analysis to get to grips with their GDPR obligations.

That said, companies looking for a digestible, visually engaging explanation of their responsibilities under the GDPR will find this a useful addition to their GDPR preparation toolkit.

The Article 29 Working Party has released opinions on Privacy Shield and “essential guarantees” under EU law relating to surveillance, here and here.

Please join us in our webinar at 1 pm EDT today to learn more about the Article 29 Working Party’s opinion on Privacy Shield (register here).  We will look at the opinion’s likely impact on Privacy Shield’s rocky progress through the EU bureaucracy, as well as on the legal attacks that we expect Privacy Shield will face if and when it is ultimately adopted by the Commission.


And the days dwindle down, to a precious few … November …

We are still following developments in the EU relating to the invalidation of the US-EU Safe Harbor Framework.   In case you were on a secluded island during the month of October, you can catch up here.

European Commission Issues Communication.  On Friday, the European Commission issued “long-awaited” guidance (called a Communication), which did not shed much new light on the cross-border data transfer issues, but instead rehashed the “alternative transfer tools” available to legitimize data flows to jurisdictions deemed “not adequate,” like the United States.   More after the jump. Continue Reading Privacy Monday: November 9, 2015 – EU/Safe Harbor Updates

EU Commissioner Vera Jourova recently announced in a speech to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) that the Commission and the US have made substantial progress in finalizing a new Safe Harbor program. Jourova noted that the collection and use of European personal data for US national security purposes remains a key open issue.  However, she also reminded LIBE that the US has undergone a substantial review of the NSA’s alleged mass surveillance activities over the past couple of years.

Overall, Jourova’s comments seemed optimistic regarding getting a new Safe Harbor program finalized prior to the Art. 29 Working Party’s January deadline for increased enforcement by national Data Protection Authorities starting at the end of January 2016. (The Art. 29 Working Party’s statement is available as a PDF on this page.)

In the meantime, the German regional data protection authorities have collectively announced that they will investigate data transfers by Google and Facebook to the US (without waiting for complaints by German users).  The German DPAs have also suspended approval of new Binding Corporate Rules and customized data protection clauses.  (Model clauses, which don’t require DPA approval in Germany, are not immediately affected, but could be vulnerable to attack.)

Keeping an eye on national data protection authorities’ enforcement agendas will be important once we have Safe Harbor 2.0 in place, since under the Schrems decision, Safe Harbor 2.0 will be effectively subject to the review of national DPAs and courts.

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?

In the Google Spain “Right to be Forgotten” case, the ECJ held that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant.  The Google Spain decision has given a much sharper focus to the discussion about the Right to be Forgotten that may soon be adopted as part of the new Data Protection Regulation that is expected to be passed sometime in 2015.  With the advent of the Google Spain decision, an issue that was on the sideline for most businesses – and which was expected by some to be quietly dropped from the draft Data Protection Regulation – has become a hot political issue.  The Right to be Forgotten as interpreted by the ECJ has garnered international attention, deepened the UK/continental EU divide, and ultimately could delay the adoption of a final form of the Data Protection Regulation.

The Google Spain case has been controversial for various reasons.  The decision takes an expansive approach to the long-arm reach of EU data protection law.  It holds search engine providers liable to comply with removal requests even when the information in the search results is true, was originally published legally and can continue to be made available by the original website.  The decision makes the search engine provider the initial arbiter of whether the individual’s right to have his or her information removed from publicly available search results is outweighed by the public’s interest in access to that information.   (For a pithy analysis of the “public record” aspects of the case, see John Gapper’s “Google should not erase the web’s memory” published in the Financial Times.)

Continue Reading Google, the House of Lords and the timing of the EU Data Protection Regulation

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) The European Commission, which has the authority to make changes to the US Safe Harbor program, has published a paper titled “Rebuilding Trust in EU-US Data Flows” that sets out the changes that the Commission would like to see the US adopt.  While it would be a bit premature to start revising your company’s privacy policy and preparing for surprise audits by the US government, the paper sends some strong signals as to what to expect in perhaps a year’s time.

As most readers will know, the US Safe Harbor program is a voluntary program under which US companies agree to assume various legal obligations, and in turn are permitted by EU data protection laws to receive the personal data of EU residents.

The Commission’s recommendations are obviously in response to the revelations concerning the US’s intelligence activities involving the collection, via US internet service providers and others, of vast quantities of data transmitted by, or concerning, EU residents.  The Commission cannot comment, of course, on the intelligence activities of its own member states, since, as the Commission notes, “whilst the EU can take action in areas of EU competence, in particular to safeguard the application of EU law, national security remains the sole responsibility of each Member State.”  This means that the Commission’s interests in restricting surveillance of the online activities of EU residents may not be entirely congruent with the interests of its member states, which will need to take into account their own intelligence activities and intelligence sharing arrangements as well as their concerns for the privacy of their citizens.  That said, the Commission does not appear at all reluctant to recommend changes to US intelligence programs and the powers of the Foreign Intelligence Surveillance Court.

The other key context for the recommendations is the ongoing trade talks between the US and EU, known as the Transatlantic Trade and Investment Partnership (T-TIP).  The Commission pointedly states in today’s communication that the EU views T-TIP and data protection laws (including Safe Harbor) as separate matters, and that the T-TIP negotiations will not affect its views on Safe Harbor:  “For this reason, data protection standards will not be negotiated within the Transatlantic Trade and Investment Partnership, which will fully respect the data protection rules.”  That seems rather a brave statement at this stage of the T-TIP negotiations (which are not due to be concluded until sometime in 2014).  It remains to be seen whether the Commission will be successful in completely separating the two issues, given the fundamental commercial value of personal data.

But let’s assume for now that neither EU national security interests nor the T-TIP talks will have any influence on the discussion about Safe Harbor.  What is the Commission proposing?  Broadly, the following:

  • a broad review of the functioning of Safe Harbor
  • improving the US government’s supervision and monitoring of compliance of Safe Harbor participants
  • ensuring that the national security exception that is currently available under Safe Harbor is used only “to an extent that is strictly necessary and proportionate”
  • EU citizens must receive the same level of protection (due process and judicial redress) as US citizens in intelligence-gathering operations
  • The US government should commit that “personal data held by private entities in the EU will not be accessed directly by US law enforcement agencies outside of formal channels of co-operation, such as Mutual Legal Assistance agreements and sectoral EU-US  . . .  authorising such transfers under strict conditions, except in clearly defined, exceptional and judicially reviewable situations.”
  • US intelligence collection programs should be “improved by strengthening the role of the Foreign Intelligence Surveillance Court  and by introducing remedies for individuals.”

The Commission also provided a summary of 13 specific recommendations in a separate press release today.  The following selections from these 13 requirements are slightly paraphrased – see the EC’s memo for the full recommendations.

  • Requiring the Safe Harbor website to list all companies that are NOT current members of Safe Harbor (which would be in the hundreds of thousands, if not more, as there are only some 3,000 plus participants today)
  • Privacy policies on companies’ websites should include a link to an alternative dispute resolution (ADR) provider
  • The Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints
  • The US government should conduct proactive compliance investigations (not contingent on complaints or any signs of non-compliance)
  • Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor
  • Companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements

The Commission’s Communication and related press releases should have the positive effect of making the discussion around Safe Harbor more specific in light of the Commission’s concrete suggestions.  Meanwhile, the larger context of sweepingly ambitious trade treaty negotiations, citizens’ reactions (on both sides of the Atlantic) to government surveillance programs (and not just by the USA), and national interests in intelligence-gathering and counterterrorism may make it difficult to negotiate the changes to Safe Harbor in isolation.  But that’s not really a bad thing.  Data protection laws don’t exist in a vacuum, after all.



International Data Protection and Privacy Day is Monday, January 28th.

The European Commission certainly found a way to mark the day.  After weeks of intense speculation, the European Commission has released its sweeping package of legislation to reform the Data Protection Directive.

We are analyzing the entire legislative package, which includes a new regulation and  a directive and will comprise a single set of data protection rules for all of the European Union.

Key provisions that will impact US companies:

  • Extraterritorial application.  In her press conference earlier today, EU Commissioner Viviane Reding made it perfectly clear that this new data protection scheme will apply to EU based companies and non-EU based companies that either process data of individuals residing in the EU to whom they offer goods or services, or whose activities serve to monitor the behavior of such individuals.   This is virtually any company operating online.
  • “One-stop-shop” for EU data controllers — but not for non-EU controllers.  EU data controllers will be supervised by the data protection authority of the Member State where the controller’s “main establishment” is based.  Non-EU based controllers must designate a representative in one of the Member States where they target data subjects.  We’ll have further analysis on this point.
  • Data transfers.  The existing EU restriction on data transfers to countries that do not offer adequate protection remains in place.  However, the use of standard contractual clauses will no longer be subject to prior authorization or approval by data protection authorities.  Also, the adoption of binding corporate rules (BCRs) would be made easier, and the regime would be extended to data processors; an entire section is devoted to BCRs.   US companies with multinational operations should start thinking about the BCR process.
  • Specific rules on consent.  The existing data protection rules include certain grounds for lawful processing of personal data,  including consent.   The concept of “consent” and cross-border transfers of personal data for processing in the human resources context has always proven vexing and not well defined.  The draft law now contains a stand-alone section on consent — and a definition:  any “freely given specific, informed and explicit indication of will”.  Consent cannot be used as a legal basis for processing personal data where “there is a clear imbalance between the data subject and the controller.”  This appears to be problematic for US companies that have relied on some sort of consent from employees for the processing of personal data.
  • Breach notification.  The draft Regulation, as we discussed here, introduces a comprehensive breach notification requirement.  It specifies that data controllers must notify any data breach to the supervisory authority “without undue delay and, where feasible, within 24 hours”.   When discussing the “undue delay” qualifier, Commissioner Reding added, “for me [this] means 24 hours.”
  • Mandatory Data Protection Officer.  Organizations employing 250 persons or more must designate a data protection officer.