European Union

Enhancing Safeguards for US Signals Intelligence Activities 

President Biden October 7, 2022 Executive Order on
Enhancing Safeguards for US Signals Intelligence Activities – 
Towards an Updated EU-US Privacy Shield Framework 

When the European Court of Justice issued its decision on Schrems and Facebook Ireland v. Data Protection Commissioner in July 2020 (Schrems II),[1] it triggered a brutal disruption and stoppage in the operations of the EU-US Privacy Shield framework (Framework). It also caused significant chaos in the operations of numerous US or EU/EEA businesses and organizations that were relying on the Framework as a strategic tool and structure for providing a legal basis for exchanges or transfers of personal data for commercial and business purposes between the two sides of the Atlantic. 

After lengthy and challenging negotiations between representatives of the European Commission and the United States, a new proposed Trans-Atlantic Data Privacy Framework was published at the end of March 2022. According to the White House, the EU-US Trans-Atlantic Data Privacy Framework of March 2022 was intended to lay the ground for providing a legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in July 2020 in the Schrems II case.

(more…)
Read More

Final Versions of Standard Contractual Clauses Adopted

Three years after the GDPR came into effect, the European Commission has issued the much-awaited final version of two new sets of Standard Contractual Clauses that are expected to enable data controllers and processors to address some of the thorny issues in the transfer of personal data of EU/EEA citizens. The Press Release of the EU Commission, dated June 4, 2021, is available here.

Five New Templates

As anticipated from prior drafts, the new Standard Contractual Clauses framework is comprised of two sets of documents that address two distinct settings. A total of five documents can be used depending on the circumstances: 

One category provides one document, intended to address transfers between controllers and processors when both parties are in the EU/EEA (or otherwise subject to the GDPR) and must meet the GDPR Art. 28. 

The other group addresses, in addition, the issues arising from crossborder data transfers where one of the entities is established outside the EU/EEA (and not subject to the GDPR).  Four scenarios are addressed: Controller-to-controller transfers; Controller-to-processor transfers; Processor-to-processor transfers; and Processor-to-controller transfers. 

(more…)
Read More

Privacy Shield after Schrems 2: What to Do Next?

Since the publication of the EU Court of Justice decision in the Schrems 2 case, many organizations that send or receive personal data of EU/EEA residents have been struggling to find reliable, viable means to ensure the continuity of the data flows emanating from the EU/EEA, and the privacy protections needed for this data. The guidance provided by regulatory authorities on both sides of the Atlantic has been limited. 

The Schrems 2 decision focuses primarily on two elements, the EU-US Privacy Shield and the Standard Contractual Clauses Controller-to-Processor.  Both the EU-US Privacy Shield program and the Standard Contractual Clause framework have come out with a black eye. And both aspects of the Schrems 2 decisions have significant consequences for businesses that operate on a global scale.

(more…)
Read More

Failure to Meet Data Retention and Data Minimization Obligations In Germany Results in a EUR 14.5 Million fine

Francoise Gilbert

Failure to Meet Data Retention and Data Minimization Obligations In Germany Results in a EUR 14.5 Million fine

The abundance of storage space and the increased pressure to keep interacting with current or former customers prompt businesses to collect large amounts of data, and retain as much of this data as possible, often well beyond actual useful period. Too often, businesses may not spend the time and resources necessary to periodically audit their practices and evaluate the nature of the data collected or to be collected, how the data is used, or why it is needed in view their then-current needs. And they may neglect to purge their databases and securely dispose of this data.

(more…)

Read More

The Right to be Forgotten Tsunami: What Effect for US Companies

Francoise Gilbert

The so-called Right to Be Forgotten or right of erasure (RTBF) has been the subject of much debate and attention since the publication of the Court of Justice of the European Union (CJEU) opinion in May 2014, in the Costeja v. Google case. The CJEU held that, under certain conditions, a European citizen has the right to demand that a search engine remove links to information pertaining to him that is “inaccurate, inadequate, irrelevant, or excessive,” even if the information is truthful.

Since the publication of the CJEU opinion, search engines have been flooded by delisting requests. According to the Google Transparency Report, as of the end of February 2015, Google has received over 220,000 delisting requests, and has evaluated over 800,000 URLs.

The topic has also garnered the attention of the Article 29 Working Party (A29), which published Guidelines, in late November 2014, to explain the position of the EU Data Protection Authorities. Among other things, the Guidelines provide that delisting requests, when accepted, must be implemented on all domains operated, worldwide, by the entity receiving the delisting request, and not just only on its EU domains.

Interest in RTBF has also expanded outside the European Economic Area (EEA). Cases similar to the Costeja case have been brought in Asia and the Americas. It is clear that a strong current is building. The CJEU Costeja ruling and its aftermath are significant for businesses around the world in many respects. The genie is out of the bottle, and may be sneaking into, and disrupting many businesses.

(more…)

Read More

Right to be Forgotten – Casting a Wider Net

Francoise Gilbert

The Article 29 Working Party (WP29) has published, in its document WP 225, Guidelines on the Implementation of the Court of Justice of the European Union (CJEU) Judgment on Google Spain and Inc. v. Agencia Espanola de Proteccion des Datos (AEPD) and Mario Costeja GonzalezC-131/12 (Guidelines) to provide its interpretation of the CJEU’s ruling, and identify the criteria that will be used by the EU/EEA Member States Data Protection Authorities when addressing complaints from individuals following a denial of de-listing requests.

(more…)

Read More

Amended Draft EU Regulation Approved by LIBE Committee on October 21

Francoise Gilbert

A revised draft of the proposed EU Data Protection Regulation was approved by the EU Committee on Civil Liberties, Justice, and Home Affairs on October 21, 2013.

Overall, the amendments strengthen privacy rights of EU residents. The most significant amendment is probably that which sets the maximum fine in case of a violation of the new law. The original draft regulation had set the maximum fine at 1,000,000 Euros or 2% of a company’s worldwide income and had adopted a tiered approach. After this recent set of amendments, fines could reach up to 100,000,000 Euros or up to 5% of a company’s annual worldwide income, whichever is greater.

 

(more…)

Read More

Accountability and Protection of Personal Data

Alain Bensoussan

In data privacy matters, “accountability” means an obligation to report and explain, combined with principles of transparency and traceability, with a view to identify and document the measures implemented to comply with data privacy law requirements. It also implies an obligation for the data controller to assume liability and warrant a result, namely the efficacy of the data protection and the verifiability of the measures taken to this end.

Accountability thus implies for the data controller not only the obligation to comply with the applicable rules, but also the obligation to demonstrate to the authorities and/or the data subjects how such compliance is ensured. Laws and other texts will gradually integrate accountability requirements for personal data protection. (more…)

Read More

Privacy by Design

Alain Bensoussan

The Privacy by Design (PbD) principle means that privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal. This in particular means that the protection of data must be at the heart of a company’s internal processes.

Adopting a PbD approach is a very visible trend in international groups and this trend is expected to grow significantly.

Privacy by Design can serve as a new tool to help companies stand out among their competitors and be a further mark of quality and trust for clients. (more…)

Read More

EU Parliament Resolution for Amendment of Rome II Regulation on Law Applicable to Violations of Privacy

Alain Bensoussan

On May 10, 2012, the European Parliament adopted a resolution (available here) with recommendations to the Commission on the amendment of Regulation (EC) No. 864/2007 on the law applicable to non-contractual obligations, known as Rome II. The Parliament first noted that “the Rome II Regulation lacks a provision for the determination of the law applicable to violations of privacy and rights relating to personality”. (more…)

Read More