The clock is now ticking. On May 4th the European Parliament published the final text of the General Data Protection Regulation (“GDPR”), and the rules of the game have significantly changed – at least in the context of EU data protection law. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. “Privacy by Design” and “Privacy by Default” have been included in the regulatory ecosystem. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines being up to 4% of a business’ global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups (also known as “Civil Society”) having the right to complain of a company’s privacy practices directly to the local Data Protection Authorities; compliance with the GDPR will now be one of those risks that any business who touches EU data will need to seriously consider. Fortunately, the GDPR won’t go into effect until May 25th 2018. However, businesses with significant data from the EU need to start considering how to comply now. Continue Reading Europe Is Shifting, And It’s a Big Deal – The New GDPR

It is the beginning of 2016, and American companies are anxiously awaiting news of whether or not a new “Safe Harbor 2.0” will emerge. In October of 2015, the European Court of Justice declared invalid Safe Harbor 1.0 in the Schrems decision. This had an immediate effect on any American company collecting personal data from the EU by removing the legal basis for this kind of data transfer. As of October 2015, consumer, client, and even employee data cannot be legally transferred to the US under the Safe Harbor Framework.

Fortunately, the data protection regulators (“DPAs”)recognized the turmoil this decision created within the business community on both sides of the Atlantic. As a result, the Article 29 Working Party (which is the convention of DPAs from each of the EU Member States) issued an enforcement moratorium on enforcement actions until the end of January 2016, so that they could assess the effectiveness of data transfer tools available. As part of this moratorium, the Working Party called on “…Member States and European institutions to open discussions with U.S. authorities in order to find legal and technical solutions”; and that the “current negotiations around a new Safe Harbor could be part of the solution.” Continue Reading Safe Harbor 2.0 – Is It Happening?

The annual conference of the world’s data protection regulators is a three day exercise, with half of the conference being “closed door” for the regulators only, and the other half being a series of side meetings and presentations, which report out to interested attendees the results of the closed door meetings. This is a good meeting to gain insight in the next year’s trends in data protection regulation and enforcement across the globe. While this conference happens every year, the events in the European Court of Justice and the impending completion of the new General Data Protection Regulation (“GDPR”) made this year’s conference particularly interesting. Here are some of the insights which were developed during the conference: Continue Reading The 37th International Conference of Data Protection & Privacy Commissioners – Some Observations

Today the European Court of Justice (“ECJ”) issued its Judgment in the Schrems case, and in doing so, added another tremor to the ongoing seismic shift related to cross-border privacy law. The two major elements of today’s Judgment are: 1) that Commission Decision 2000/520/EC  of 26 July 2000 of the adequacy of the protection provided by the US Safe Harbor Framework (the “Safe Harbor Decision”) is invalid, and 2) even if the Safe Harbor Decision were otherwise valid, no decision of the Commission can reduce the authority of a national data protection authority to enforce data protection rights as granted by Article 28 of Directive 95/46/EC (the “DP Directive”).

Clearly, the first element brings a more immediate concern for all the companies participating in the Safe Harbor framework. However, the second element will have much longer term consequences for the stability of US-EU commerce and privacy law. Continue Reading Safe Harbor – Not so Safe After Schrems

Under section 56 of the Data Protection Act 1998 (DPA), it is now a criminal offence for any person or organisation to require an individual to submit a ‘subject access request’ (i.e. the right for an individual to access any of their personal data held by third parties on payment of a fee, provided certain requirements are met) in order to obtain and provide a copy of their criminal record. This will not prevent employers and others from obtaining access to criminal records through legitimate means (for example, seeking disclosure officially through the Disclosure and Barring Service). The offence was created over a decade and a half ago but has only been brought into force on 10 March 2015. Continue Reading Crackdown on ‘Back-door’ Criminal Record Checks

The French Answer to Flexible Working

Ever since the first laws on the 35-hour week were enacted over fifteen years ago, monitoring working time has been a headache for employers in France. With the introduction of new technology and mobile devices, the situation has worsened. The French approach to flexible working is to reaffirm that employees have the right to privacy and in some sectors the obligation to disconnect, as recently shown by the CNIL, the French Data Privacy Watchdog and the SYNTEC Federation. Continue Reading The French Answer To Flexible Working: The Right To Privacy and To Limit Work After Business Hours

The CJEU’s judgment against Google has been hailed as a “Landmark Ruling“. I agree that this judgment is a landmark ruling – however, not for the reason everyone else is making it out to be. As noted earlier, the “Right to be Forgotten” isn’t really in the holding of the judgment. Further, the “long-arm” application of EU law isn’t something new (at least to US attorneys). What is new is the reason for allowing a right of deletion against a search engine and not the underlying publisher of the original facts. Continue Reading The CJEU’s Judgement Against Google: What It Does Mean

The Court of Justice for the European Union (“CJEU”) issued a judgment in the case Google v. AEPD which has garnered a significant amount of attention. The two primary reasons for this attention (besides it is a case against Google – which usually is newsworthy) are 1) the seeming expansion of EU law into extra-territorial reach, and 2) the recognition of the “Right to be Forgotten”. Several authors have taken it upon themselves to spill quite a bit of ink on this judgment. And, there is some trepidation that business will be negatively impacted in a new and significant way under this judgment. A careful reading of both the Advocate General’s Opinion as well as the CJEU’s judgment in this matter does show how the EU is progressing in the matter of cross-border privacy protections. However, this judgment may not be as far reaching as some commentators have thought. Continue Reading The CJEU’s Judgment Against Google: What It Doesn’t Mean

To continue my prior post on the Article 29 Working Party’s Opinion 6/2014, it is important to take a closer look at the specifics of the notion of a Controller’s “Legitimate Interests”

Unlike all the other criteria for lawful processing, Article 7(f) is the only one which specifically articulates the idea that commercial interests should have weight in the calculus of “fair and lawful” processing. In each of the other criteria, if the criteria is met, the grounds for processing are considered a priori legitimate. In Article 7(f), each purpose for processing will need to have the balancing test engaged. This is going to require a bit more analysis than the other criteria. However, because of the fact that this analysis is internal to the business, it may well be less onerous than other options would be (e.g. having the DPA opine as to the legitimacy of the processing). Continue Reading Legitimate Interests – Alternative to Notice & Choice?

When talking about EU privacy law many businesses bemoan the lack of a “commercially reasonable” basis for collecting and using personal information. Europe is usually seen as a consumer-protective regime which focuses on prohibiting business from doing anything with data unless the consumer has affirmatively agreed to the processing before the processing begins (e.g. the “cookie directive”). However, the Article 29 Working Party (“WP”) has just released an Opinion which signals a change in the winds. The rarely used “legitimate interest of the data controller” basis for processing now has a new importance in the realm of fair and legal criteria for processing personal information. Continue Reading On Balance – the Legitimate Interest of a Controller