Data Transfers/Safe Harbor/Privacy Shield
Subscribe to Data Transfers/Safe Harbor/Privacy Shield's Posts

Any Progress? The Draft Data Protection Regulation Celebrates its Third Anniversary

On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.

The legislative process involves the agreement of the European Commission, the European Parliament and the Council of Europe (representing the governments of the member states). So far the European Parliament has agreed its amendments to the Commission’s proposal and we are still waiting for the Council to agree it’s amendments before all three come together and try and find a mutually agreeable position.

The Council is guided by the mantra “nothing is agreed until everything is agreed”, and so even though there has been progress with the Council reaching “partial general agreement” on international transfers, risk-based obligations on controllers and processors, and the provisions relating to specific data processing situations such as research and an approach agreed on the one-stop shop principle (allowing those operating in multiple states to appointed and deal with a single authority), this progress means nothing until there is final agreement on everything. At this stage that means all informal agreements remain open to renegotiation.

It is noted that Latvia holds the presidency of the Council until June 2015. The Latvians have already noted that Anydata protection reform remains a key priority but progress has been slow and time may be against them. Where Latvia fails, Luxembourg will hopefully succeed as it takes up the presidency from June.

The ICO is urging all stakeholders to push on with the reform, although they see the proposed timetable of completion of the trilogue process by the end of 2015 as being optimistic. Instead a more reasonable timetable may be a final agreement by mid-2016 with the new regime up and running in 2018.




read more

Article 29 Working Party Adopts Procedure on Approval of Model Clauses

On 26 November 2014, the Article 29 Working Party adopted a working document on establishing a cooperation procedure for issuing common opinions on whether contractual clauses are compliant with the European Commission’s Model Clauses (Model Clauses).

The working document establishes the procedure in which companies wishing to use identical contractual clauses in different Member States for transfers of personal data outside the European Economic Area (EEA) are able to obtain a coordinated position from the relevant Data Protection Authorities (DPA) on the proposed contracts, without the need to approach each relevant DPA individually for approval.

Background

Model Clauses represent one of the ways that a data controller can overcome the general prohibition contained in the EU Data Protection Directive (95/46/EC) on cross-border transfers of personal data to countries outside the EEA that do not offer adequate levels of data protection.  The Model Clauses are intended to be used without amendment – although some divergence, e.g., through the use of additional clauses having no impact on the overall compliance of the Model clauses adopted, may be acceptable.

Company groups in Europe often use identical contractual clauses in different jurisdictions for the purposes of transfers out of the EEA.  However, differing implementation of the Data Protection Directive between Member States has resulted in the situation whereby some jurisdictions require DPA approval of the Model Clauses used (such as Austria, Denmark, France and Spain), whether used with or without amendment, whereas other jurisdictions do not require such DPA approval where the Model Clauses are used without amendment.  The result of the above is that it may be possible that identical contracts using the Model Clauses with only minor amendment are considered compliant by a DPA in one jurisdiction but not in others.

According to the Working Party, the purpose of this working document is to create a procedure allowing companies to obtain a coordinated position from the relevant DPAs when using identical contractual clauses based on the Model Clauses with minor amendment, in particular as to whether the contractual clauses are compliant with the Model Clauses.

The Process

Should a company wish to know whether its contract is compliant with the Model Clauses, under the proposed cooperation procedure, it will first need to ask the DPA it believes is entitled to act as the lead DPA to launch the EU cooperation procedure.

The company will then need to provide the lead DPA a copy of the contract, indicating the references to the Model Clauses together with any divergences and additional clauses, as well a list of EEA countries from which the company will be carrying out the transfers.

The Lead DPA

The Working Party has suggested that the company should choose the lead DPA from a Member State in which the transfers will take place and it will be for the company to justify why the DPA should be considered the lead.  According to the Working Party, the following criteria should be considered by the company:

  1. The location from which the contractual [...]

    Continue Reading



read more

Privacy and Data Protection: 2014 Year in Review

In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the draft data protection regulation and the “right to be forgotten,” the African Union adopted the Convention on Cybersecurity and Personal Data, and China improved the security of individuals’ information in several key areas. Meanwhile, Latin America’s patchwork of data privacy laws continues to evolve as foreign business increases.

This report furnishes in-house counsel and others responsible for privacy and data protection with an overview of key action points based on these and other 2014 developments, along with advance notice of potential trends in 2015. McDermott will continue to report on future updates, so check back with us regularly.

Read the full report here.




read more

Is There an End in Sight for EU Data Protection Reform?

On 5 November 2014, Peter Hustinx, the European Data Protection Supervisor (EDPS), together with Germany’s Federal Data Protection Commissioner, Andrea Voβhoff, held a panel discussion in respect of the state of play and perspectives on EU data protection reform.

Although participants identified a number of key outstanding issues to be resolved prior to the conclusion of the reform process, there was some optimism that such issues could be overcome, and the process completed, before the end of 2015.

Background

The EDPS is an independent supervisory authority whose members are elected by the European Parliament and the Council in order to protect personal information and privacy, in addition to promoting and supervising data protection in the European Union’s institutions and bodies.  The role of the EDPS includes inter alia advising on privacy legislation and policies to the European Commission, the European Parliament and the Council and working with other data protection authorities (DPA) to promote consistent data protection throughout Europe.

The proposed data protection regulation is intended to replace the 1995 Data Protection Directive (95/46/EC) (the Directive) and aims not only to give individuals more control over their personal data, but also make it easier for companies to work across borders by harmonising laws between all EU Member States.  The European Parliament and the Civil Liberties, Justice and Home Affairs (LIBE) Committee have driven the progress on new data protection laws, but there has been frustration aimed at the Council of Ministers for their slow progress.  Following the vote by the European Parliament in March 2014 in favour of the new data protection laws, the next steps include the full Ordinary Legislative Procedure (co-decision procedure), which requires the European Parliament and the Council to reach agreement together.

The panel discussion attendees were made up of institutional representatives and key figures involved in the EU Data Protection Reform Package, including: Stefano Mura (Head of the Department for International Affairs at Italy’s Ministry of Justice); Jan Albrecht MEP (Vice-Chair and Rapporteur of the European Parliament LIBE Committee); and Isabelle Falque-Pierrotin (President of CNIL and Chair of the Article 29 Working Party).  The purpose of the panel discussion was to consider the outstanding issues and next steps to finalise proposals on EU data protection reform, particularly in the context of the recent CJEU rulings on data retention and the right to be forgotten.

Key Messages

The key points raised during the panel discussion included:

  • There is optimism that the reform process will be completed in the next year subject to resolving outstanding issues, such as:
    • Whether public authority processing should be included in the proposed data protection regulation – Andrea Voshoff commented that this issue was being considered by the Council of Ministers Committee in relation to the introduction of a clause preventing the lowering of standards by national laws.  Stefano Mura added that while there is a desire for both a uniform approach between the EU Member States and a right for Member States to regulate their own public sectors, a [...]

      Continue Reading



read more

Processing Personal Data in Russia? Consider These Changes to Russian Law and How They May Impact Your Business

Changes Impacting Businesses that Process Personal Data in Russia

On July 21, 2014, a new law Federal Law № 242-FZ was adopted in Russia (Database Law) introducing amendments to the existing Federal Law “On personal data” and to the existing Federal Law “On information, information technologies and protection of information.”  The new Database Law requires companies to store and process personal data of Russian nationals in databases located in Russia.  At a minimum, the practical effect of this new Database Law is that companies operating in Russia that collect, receive, store or transmit (“process”) personal data of natural persons in Russia will be required to place servers in Russia if they plan to continue doing business in that market.  This would include, for example, retailers, restaurants, cloud service providers, social networks and those companies operating in the transportation, banking and health care spheres.  Importantly, while Database Law is not scheduled to come into force until September 1, 2016, a new bill was just introduced on September 1, 2014 to move up that date to January 1, 2015.  The transition period is designed to give companies time to adjust to the new Database Law and decide whether to build up local infrastructure in Russia, find a partner having such infrastructure in Russia, or cease processing information of Russian nationals.  If the bill filed on September 1 becomes law, however, that transition period will be substantially shortened and businesses operating in Russia will need to act fast to comply by January 1.

Some mass media in Russia have interpreted provisions of the Database Law as banning the processing of Russian nationals’ personal data abroad.  However, this is not written explicitly into the law and until such opinion is confirmed by the competent Russian authorities, this will continue to be an open question.  There is hope that the lawmakers’ intent was to give a much needed boost to the Russian IT and telecom industry, rather than to prohibit the processing of personal data abroad.  If this hope is confirmed, then so long as companies operating in Russia ensure that they process personal data of Russian nationals in databases physically located in Russia, they also should be able to process this information abroad, subject to compliance with cross-border transfer requirements.  

The other novelty of this new Database Law is that it grants the Russian data protection authority (DPA) the power to block access to information resources that are processing information in breach of Russian laws.  Importantly, the Database Law provides that the blocking authority applies irrespective of the location of the offending company or whether they are registered in Russia.  However, the DPA can initiate the procedure to block access only if there is a respective court judgment.  Based on the court judgment the DPA then will be able to require a hosting provider to undertake steps to eliminate the infringements.  For example, the hosting provider must inform the owner of the information resource that it must eliminate the infringement, or the hosting [...]

Continue Reading




read more

The New Normal: Big Data Comes of Age

On May 1, 2014, the White House released two reports addressing the public policy implications of the proliferation of big data. Rather than trying to slow the accumulation of data or place barriers on its use in analytic endeavors, the reports assert that big data is the “new normal” and encourages the development of policy initiatives and legal frameworks that foster innovation, promote the exchange of information and support public policy goals, while at the same time limiting harm to individuals and society. This Special Report provides an overview of the two reports, puts into context their conclusions and recommendations, and extracts key takeaways for businesses grappling with understanding what these reports—and this “new normal”—mean for them.

Read the full article.




read more

The FTC Means It: Another Safe Harbor Enforcement Action

No doubt about it: the U.S. Federal Trade Commission (FTC) is serious about taking action against companies that misrepresent their U.S.-EU Safe Harbor certification status.  On February 11, 2014, the FTC announced that children’s online entertainment company Fantage.com agreed to settle charges that it deceptively represented, through statements in its online privacy policy, that it held a current certification under the U.S.-EU Safe Harbor framework.  The Fantage.com settlement follows on the heels of the FTC’s settlements (announced on January 21, 2014) with 12 companies that made representations about Safe Harbor compliance when in fact their certifications had lapsed. These 13 settlements, announced within in the first six weeks of 2014 and added to the 10 settlements reached for similar actions from 2009 to 2012, indicate the FTC’s commitment to ensuring that the Safe Harbor Program remains a vital and effective compliance mechanism for U.S.-based multinational companies.

The Allegations and Order

According to this recent FTC complaint, Fantage.com failed to complete its annual recertification of Safe Harbor compliance but continued to make publically-available statements about its compliance with the U.S.-EU Safe Harbor Framework.  From June 2011 (when the company made its initial self-certification) to January 2014 (when the company renewed its self-certification), the FTC examined the company’s privacy policies and online statements for representations concerning its Safe Harbor status. 

In its complaint, the FTC alleged that the company, “…expressly or by implication…” misrepresented that it was a current participant in the Safe Harbor Framework when, from June 2012 until January 2014, its certification had lapsed.  The FTC cited the following statement made on the company’s website as an example of the false and misleading representations:

“When we collect personal information from residents of the European Union, we follow the privacy principles of the U.S.-EU Safe Harbor Framework, which covers the transfer, collection, use, and retention of personal data from the European Union.” 

While the FTC does not allege substantive violations of the Safe Harbor Framework, the sanctions that follow place compliance obligations on the company.  The Settlement Agreement Containing Consent Order:  

  • enjoins Fantage.com from misrepresenting its compliance with any governmental or self-regulatory data privacy program for 20 years; and
  • imposes on Fantage.com detailed record-keeping requirements for five years, including maintenance of records (i) for all advertisements or other statements containing representations about privacy program participation; (ii) all materials that form the basis for preparing such representations; and (iii) all materials that call into question the company’s compliance with the Order.

If Fantage.com violates the settlement agreement, the FTC is empowered to assess up to $11,000 per day in monetary penalties.

Compliance Tips

Based on these enforcement actions, any company that self-certifies under the U.S,-EU Safe Harbor Framework should immediately:

  • check its certification status to ensure that it is marked “current” on the Department of Commerce website: https://safeharbor.export.gov/list.aspx;
  • review any privacy policies and online statements referencing the Safe Harbor program to ensure that they properly reflect the status of their certification;
  • institute a systemic [...]

    Continue Reading



read more

Data Privacy Day 2014

In Boston, we celebrated Data Privacy Day (January 28) by presenting “U.S. Privacy and Data Protection: 2013 Year In Review and a Prediction of What’s to Come in 2014” for participants in an IAPP KnowledgeNet.  Our panel of speakers discussed significant U.S. data privacy and protection events from 2013 and shared thoughts about what’s ahead for 2014 in U.S. data privacy and protection.  You may download the presentation slides here.

We hope you find our presentation materials informative.   Of course, please do not hesitate to contact any member of the Of Digital Interest editorial team with questions or comments.




read more

In with the New: 2014 Privacy, Advertising and Digital Media Predictions

Data privacy and security made the headlines practically daily in 2013.  Our second annual Privacy and Data Protection 2013 Year in Review topped 65 pages!

What privacy, advertising and digital media trends will make headlines in 2014? Here are predictions from Of Digital Interest’s U.S. editorial team:

User Tracking Law Enforcement in California: “Amendments to the California Online Privacy Protection Act (CalOPPA) took effect on January 1, 2014 that require every website that is available to California residents to disclose how it responds to Do Not Track signals from web browsers and what third party data collection is occurring on the website.  I predict that we will see enforcement activity from the California Attorney General about whether website owners/operators have made disclosures to consumers that not only meet the new CalOPPA requirements but also accurately reflect tracking activities by the website and by third parties.”  – Heather Egan Sussman, Partner

No Kid-ding:  “January 1 marked the six-month anniversary of the effective date of the amended “COPPA Rule,” which requires businesses to have parental consent before personal information is collected from kids under age 13.  Having just approved a parental consent method (in December), I predict that the Federal Trade Commission (FTC) will initiate COPPA enforcement actions related to social media (now that photos and videos are personal information under COPPA) and in mobile apps (now that COPPA covers geo-location data).  Perhaps the FTC will start by investigating the app developers to which the FTC sent letters explaining their new COPPA compliance responsibilities last May.”  – Julia Jacobson, Partner

Safe Harbor Will Stay Safe:  “Last year’s government surveillance accusations made the U.S. Safe Harbor Program a flash point for debate between EU and U.S. data protection regulators.  Nevertheless, very few on either side of the Atlantic believe that companies properly certified under the Safe Harbor Program should disrupt data transfers necessary to meet credible business objectives.   I predict that the rhetoric will continue, but so will the U.S. Safe Harbor Program, albeit perhaps tweaked in response to the European Commission’s recently-issued recommendations to improve the Progam’s effectiveness.   More debate to come in 2014, but, meanwhile, many U.S. companies will continue to view Safe Harbor certification as their preferred approach to E.U. data protection compliance and will continue to implement data protection policies and programs intended to comply with the Safe Harbor Principles.”  – Ann Killilea, Counsel

Cloudy Forecast:  “The year of 2014 is quickly becoming the year of the mega-sized data breach, with the Target and Neiman Marcus incidents leading the way.  Corporate customers have long been aware that cloud offerings present data security concerns, but may not have been as laser-focused on the data breach aspects as they should.  I predict that in 2014, as the cloud service market becomes a commercial fact of life, data breach concerns will dominate how customers select and contract with their cloud service providers, and how they implement their incident response plans by including cloud service providers in their preparations.”  – [...]

Continue Reading




read more

Privacy and Data Protection: 2013 Year in Review

Privacy and data protection continue to be an exploding area of focus for regulators in the United States and beyond. This report gives in-house counsel and others responsible for privacy and data protection an overview of some of the major developments in this area in 2013 around the globe, as well as a prediction of what is to come in 2014.

Read the full report here.




read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law