The European Parliament passed a resolution today strongly criticizing Privacy Shield and recommending that Privacy Shield be suspended as of September 1, 2018, if the US doesn’t shape up by that deadline.  Should US companies that rely on Privacy Shield panic?


The European Parliament has no power to suspend Privacy Shield on September 1, 2018, or any other date.  Only two entities can do that:  the European Commission, or the Court of Justice of the European Union (CJEU).  And the CJEU might just do that when it rules sometime during the next year or so on the new case between Maximilian Schrems and Facebook (Case C-311/18).  There’s no new information on the Schrems II case at CJEU, but we are tracking it.  That one is worth worrying about.

The European Parliament’s resolution does have some political weight, however.   The Commission is required to respond to the Parliament within three months explaining what it is going to do – if anything – in response to the Parliament’s criticisms.   And if the Commission shrugs its shoulders, there’s not much the Parliament can do except pass another resolution.

The final version of the European Parliament’s resolution is not available yet on the Parliament’s website (it was just passed today), but the proposed form can be found here. 

One of the most striking changes to EU privacy law under the EU’s General Data Protection Regulation (which goes into effect May 25, 2018) is the very strict approach to user consent.    For many years, companies operating in the EU (as elsewhere) have relied heavily on user consent to achieve compliance with the relevant data protection and direct marketing laws.   When the GDPR was first published, it became clear that the EU intended to crack down on the use of consent in many common situations where the EU felt that individuals were not being treated fairly.

Draft guidance published on Dec. 18 by a key advisory body representing the EU’s national data protection authorities, the Article 29 Working Party (WP29), has confirmed that regulators will approach consent strictly.  The guidance is worth reading in full.  Some highlights:

  • Consent cannot be bundled.  Instead, consents must be granular.  You will need a separate consent for each purpose for which data will be processed.  WP29 notes that this could easily lead to “click fatigue” (implicitly casting doubt on the validity of the consent) when individuals are routinely presented with a long set of check boxes, but WP29 says that this is a problem for data controllers to solve.
  • Consent to “unnecessary” uses of personal data cannot be used as a quid pro quo for access to a service.  This confirms our previous suggestion that the GDPR invalidates the prevalent business model of providing free services (such as a free app) in exchange for access to personal data that is used for behavioral advertising or other marketing purposes.
  • The “explicit” consent needed for processing sensitive personal data requires something even stronger than the already-stringent standard for “normal” consent under the GDPR.  The guidance suggests several mechanisms that primarily involve an extra confirmation step by the user, such as clicking on an opt-in box and then responding affirmatively to a text or e-mail to confirm the consent.  It’s not clear that users will welcome the extra steps and delay, but WP29 maintains that there needs to be something “more” to reach the level of “explicit” consent.
  • Data controllers must identify their legal bases for processing in advance and cannot “swap” bases if the initial basis for processing proves defective.  In other words, controllers cannot have a “backup” basis for a given processing operation, even when a given processing activity could be done on one of a number of bases, such as necessity for contract performance, legitimate interest, or consent.

The draft guidance is open for public comment until January 23, 2018.


US companies and policy makers will no doubt spend a good chunk of the day today considering the possible implications for them of yesterday’s UK vote for Brexit.  Mark Carney, Governor of the Bank of England, has issued a statement to calm the markets.  I will content myself with a much more modest statement to calm US companies who have been working hard to fill in the gap left by the demise of Safe Harbor and to prepare for the implementation of the GDPR in May 2018:  Brexit will have very little, if any, impact on the UK’s approach to data protection laws, at least in the medium term (say the next five years or so).

Why is that?  First and foremost, the UK has no interest in doing anything that would impede the flow of personal data between the UK and the rest of Europe.  The GDPR, like the current laws under the Data Protection Directive, provides a pathway of least resistance for data transfers: If a country’s laws “ensure[ ] an adequate level of protection” for the personal data, the Commission can issue an adequacy decision to allow data transfers to that country (without the need for model clauses or BCRs).  The most straightforward way for the UK to get an adequacy decision is to adopt and implement the GDPR (or at least all of the material parts of the GDPR) as part of its national legislation.

Second, of all the things that the UK will need to negotiate with the EU over the coming years, any quibbles that the UK may have about data protection legislation are likely to be low on the list, far behind passporting of banking services and new immigration arrangements.  The UK did have some concerns about the GDPR, as communicated by the ICO in its initial comments on the Commission’s early draft of the GDPR.  However, none of them were deal-breakers for the UK.

Third, as a practical matter, UK companies that are part of international corporate groups with a European presence would probably not make it a priority to push hard for UK legislation that eases their burden under UK law, while they still have to comply, in effect, with the GDPR with respect to their European operations (both of their affiliates and with regard to UK companies’ own sales into Europe).

Looking past the medium term, how might the UK’s approach change later on, once the key Brexit negotiations are finished?  The ICO did say a couple of weeks ago at a conference that it would consider other approaches, such as the data protection frameworks used in New Zealand or Australia, that meet EU adequacy requirements.  However, all of those existing frameworks will need to be reviewed again against the GDPR in order to keep their adequacy decisions in place, so those legal frameworks may look a lot more like the GDPR within a couple of years.

So until the ICO tells us otherwise, US companies working on preparing for the implementation of the GDPR should continue with that work even if their primary EU activities are only in the UK.  (And don’t forget that the actual exit is not taking place immediately.)

The Article 29 Working Party has released opinions on Privacy Shield and “essential guarantees” under EU law relating to surveillance, here and here.

Please join us in our webinar at 1 pm EDT today to learn more about the Article 29 Working Party’s opinion on Privacy Shield (register here).  We will look at the opinion’s likely impact on Privacy Shield’s rocky progress through the EU bureaucracy, as well as on the legal attacks that we expect Privacy Shield will face if and when it is ultimately adopted by the Commission.


Don’t forget to join us tomorrow afternoon – Tuesday – at 1 PM ET for a webinar discussion on the New EU General Data Protection Regulation. What’s next? What are the key changes? What do you need to do to prepare?

Registration is here.


As EU data protection watchers know, the draft General Data Protection Regulation (which has been around long enough to be universally referred to by its acronym, GDPR) exists in three major versions, with a fourth version recently released by the office of the European Data Protection Supervisor (EDPS).  The EDPS is the EU’s own internal privacy cop and, of course, a significant commentator on EU data protection matters.

The authors of the EU Parliament and Council drafts used their own unique editing styles to show their changes to the Commission’s original draft, which makes it a challenge to compare all three drafts.  The EDPS has made the drafts a bit more accessible to the public by launching an app to display the drafts side by side (two at a time) on a smart phone or tablet.  There’s a Google Play and an Apple AppStore version – links here.   I’ve tried the Apple version of the app and am pleased to report that it works well. The interface is easy to use.  There’s a search function (remember to use British spellings, like “pseudonymisation” and “unauthorised”).

The EDPS has also prepared a PDF version showing the four drafts in columns, but it’s not a particularly user-friendly format.  As a lawyer, I’d prefer nice clean copies of the four versions in a form I could redline, but failing that, I’ll take the app!

Written by Susan Foster, Solicitor England & Wales/Admitted in California

 (LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?

In the Google Spain “Right to be Forgotten” case, the ECJ held that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant.  The Google Spain decision has given a much sharper focus to the discussion about the Right to be Forgotten that may soon be adopted as part of the new Data Protection Regulation that is expected to be passed sometime in 2015.  With the advent of the Google Spain decision, an issue that was on the sideline for most businesses – and which was expected by some to be quietly dropped from the draft Data Protection Regulation – has become a hot political issue.  The Right to be Forgotten as interpreted by the ECJ has garnered international attention, deepened the UK/continental EU divide, and ultimately could delay the adoption of a final form of the Data Protection Regulation.

The Google Spain case has been controversial for various reasons.  The decision takes an expansive approach to the long-arm reach of EU data protection law.  It holds search engine providers liable to comply with removal requests even when the information in the search results is true, was originally published legally and can continue to be made available by the original website.  The decision makes the search engine provider the initial arbiter of whether the individual’s right to have his or her information removed from publicly available search results is outweighed by the public’s interest in access to that information.  (For a pithy analysis of the “public record” aspects of the case, see John Gapper’s “Google should not erase the web’s memory” published in the Financial Times.)


Written by Susan Foster, Solicitor England & Wales/Admitted in California

 (LONDON) Google – along with the rest of us – is still considering the implications of the European Court of Justice’s May 13, 2014 decision that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant or accurate.  This decision by Europe’s highest court is unappealable, so the Google Spain case is law throughout the European Economic Area (EEA) until changed by legislation (unlikely) or modified by the ECJ in a later decision (also unlikely).

To reach this conclusion, the ECJ found that:

  1.  Google is a data controller (and not merely a data processor) because it indexes information gleaned from the Internet in order to create its search results.
  2. The information in question (which had to do with a government order that a house be put up for auction due to its owner’s failure to pay certain taxes) is protected personal data despite the information having been properly published at the time of its initial publication. (Ironically, the Spanish newspaper that initially published the information was not required to remove the article – Google just can’t include the article in its search results.)
  3. Countervailing considerations such as the potential burden on Google that will arise from having to consider “right to be forgotten” requests and the interest of the public in having access to past public information are outweighed by the right of the individual to be forgotten.

From one perspective, this is just a search engine case, and the only companies that need to worry about it are search engine companies with some kind of business presence or technical facilities in Europe (which creates the nexus for the EU’s legal jurisdiction).  And of course, historians might be worried, along with anyone else who thinks that public information should stay publicly available to safeguard freedom of expression, or the integrity of the historical record, or the democratic process, or the like.  And EEA residents might even wonder what their life would be like if all search engines blocked off European results because the compliance burden outweighed the ad revenues – or, because, now that they are deemed to be data controllers, they couldn’t work out a way to comply with the Eighth Principle restricting transfers of personal data outside of the EEA . . .

No, the reasons that other (non-search) businesses, particularly in the US, should be concerned about the Google Spain decision are the following:

  • The EU notion of personal data is not the same as the US notion of private information.  It is far broader and includes information obtained from public sources as well as information that an individual has voluntarily disclosed to the world.  When you evaluate your company’s data collection and processing activities, you need to remember that, in Europe, personal data is virtually everything about, or written by, an individual, whether or not the information has already been made public.
  • The EU is unconcerned about imposing huge burdens on companies.  Well, at least it’s unconcerned about imposing huge burdens on large companies that aren’t headquartered in the EEA  – but it would be unwise to look at the Google Spain case as inherently exceptional.  There’s a draft Data Protection Regulation making its way through the EU legislative pipeline that will levy fines for breaches in the order of up to 5% of global turnover.   The draft Data Protection Regulation imposes very strict standards and processes on businesses that process personal data, and the Google Spain decision simply underscores that the balance of rights and interests in the EU is tipped firmly in the direction of the individual.  Message to business?  Get ready for the hammer.  The Google Spain decision shows where it’s going to strike.

Written by Susan Foster, Solicitor England & Wales/Admitted in California

 (LONDON) Privacy practitioners from the US and Europe gathered in London on April 30 and May 1 to discuss current thinking about privacy policy, regulation and compliance at the IAPP’s European Data Protection Intensive conference.

In the background to the current discussions, of course, we have lurking the behemoth of the draft Regulation that is very likely to replace the current Directive that governs privacy in the EU.  The Regulation itself is currently subject to a “trilog” – a three-way negotiation among the European Commission, Parliament and Council of Ministers.  (The Parliament’s plenary vote on March 12, 2014, ensured that the Parliament cannot change its position on the Regulation even after the round of Parliamentary elections this June.)  Speakers at the IAPP conference projected that the Regulation will be finalized and passed as law sometime towards the end of 2014, or possibly 2015.

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) The European Commission announced yesterday that it is working towards a revised timeline for the adoption of a definitive Data Protection Regulation by the end of 2014.

While Commissioner Viviane Reding’s press release about finalizing the Regulation by the end of 2014 has been reported by some as a new deadline, it is really more of an aspirational date.  In fact, the “new deadline” is consistent with comments made by the Commission at the end of 2013.  So it’s not really news, but the Commissioner’s comments are certainly worth reading as a summary of where we are with this critical legislation from the Commission’s perspective.  In Commissioner Reding’s own words, “[a]n agreement on the reform is possible before the end of this year.”

What might make Dec. 31, 2014 a difficult date to achieve?  Certainly the Commission and the European Parliament are keen to expedite adoption of the Regulation, and the differences in their views are relatively minor in the “big picture” sense.  However, the Council of the EU (the forum for the views of the national governments of the Member States) still needs to weigh in on the Parliament’s version of the draft Regulation.

Interestingly, Commissioner Reding’s press release was silent concerning the Council’s retraction last December of its support for the crucial “one-stop shop” that would give companies one regulator to deal with rather than 28 – although she did link to her December 6, 2013 speech chiding the Council for backsliding on the one-stop shop.  This is just one of several important issues that need to be resolved, and the complexity of the EU legislative process will make it a challenge to tie off all of the major issues and relatively minor loose ends by the end of 2014.  That said, we should see a huge push from the Commission and Parliament to make headway in the coming months – so this is a critical time for the national governments of the Member States, businesses and individuals to engage with the ongoing debates over privacy regulation in Europe.