European Union

Three years after the GDPR came into effect, the European Commission has issued the much-awaited final version of two new sets of Standard Contractual Clauses that are expected to enable data controllers and processors to address some of the thorny issues in the transfer of personal data of EU/EEA citizens. The Press Release of the EU Commission, dated June 4, 2021, is available here.

Five New Templates

As anticipated from prior drafts, the new Standard Contractual Clauses framework is comprised of two sets of documents that address two distinct settings. A total of five documents can be used depending on the circumstances: 

• SCC for Contracts between Controller and Processors Established in the EU/EEA

One category provides one document, intended to address transfers between controllers and processors when both parties are in the EU/EEA (or otherwise subject to the GDPR) and must meet the GDPR Art. 28. 

• SCC for the Transfer of Personal Data to Third Countries

The other group addresses, in addition, the issues arising from crossborder data transfers where one of the entities is established outside the EU/EEA (and not subject to the GDPR).  Four scenarios are addressed: Controller-to-controller transfers; Controller-to-processor transfers; Processor-to-processor transfers; and Processor-to-controller transfers. 

Francoise Gilbert

Failure to Meet Data Retention and Data Minimization Obligations In Germany Results in a EUR 14.5 Million fine

The abundance of storage space and the increased pressure to keep interacting with current or former customers prompt businesses to collect large amounts of data, and retain as much of this data as possible, often well beyond actual useful period. Too often, businesses may not spend the time and resources necessary to periodically audit their practices and evaluate the nature of the data collected or to be collected, how the data is used, or why it is needed in view their then-current needs. And they may neglect to purge their databases and securely dispose of this data.

(more…)

Francoise Gilbert

The so-called Right to Be Forgotten or right of erasure (RTBF) has been the subject of much debate and attention since the publication of the Court of Justice of the European Union (CJEU) opinion in May 2014, in the Costeja v. Google case. The CJEU held that, under certain conditions, a European citizen has the right to demand that a search engine remove links to information pertaining to him that is “inaccurate, inadequate, irrelevant, or excessive,” even if the information is truthful.

Since the publication of the CJEU opinion, search engines have been flooded by delisting requests. According to the Google Transparency Report, as of the end of February 2015, Google has received over 220,000 delisting requests, and has evaluated over 800,000 URLs.

The topic has also garnered the attention of the Article 29 Working Party (A29), which published Guidelines, in late November 2014, to explain the position of the EU Data Protection Authorities. Among other things, the Guidelines provide that delisting requests, when accepted, must be implemented on all domains operated, worldwide, by the entity receiving the delisting request, and not just only on its EU domains.

Interest in RTBF has also expanded outside the European Economic Area (EEA). Cases similar to the Costeja case have been brought in Asia and the Americas. It is clear that a strong current is building. The CJEU Costeja ruling and its aftermath are significant for businesses around the world in many respects. The genie is out of the bottle, and may be sneaking into, and disrupting many businesses.

(more…)

Francoise Gilbert

The Article 29 Working Party (WP29) has published, in its document WP 225, Guidelines on the Implementation of the Court of Justice of the European Union (CJEU) Judgment on Google Spain and Inc. v. Agencia Espanola de Proteccion des Datos (AEPD) and Mario Costeja GonzalezC-131/12 (Guidelines) to provide its interpretation of the CJEU’s ruling, and identify the criteria that will be used by the EU/EEA Member States Data Protection Authorities when addressing complaints from individuals following a denial of de-listing requests.

(more…)

Francoise Gilbert

A revised draft of the proposed EU Data Protection Regulation was approved by the EU Committee on Civil Liberties, Justice, and Home Affairs on October 21, 2013.

Overall, the amendments strengthen privacy rights of EU residents. The most significant amendment is probably that which sets the maximum fine in case of a violation of the new law. The original draft regulation had set the maximum fine at 1,000,000 Euros or 2% of a company’s worldwide income and had adopted a tiered approach. After this recent set of amendments, fines could reach up to 100,000,000 Euros or up to 5% of a company’s annual worldwide income, whichever is greater.

(more…)

Alain Bensoussan

In data privacy matters, “accountability” means an obligation to report and explain, combined with principles of transparency and traceability, with a view to identify and document the measures implemented to comply with data privacy law requirements. It also implies an obligation for the data controller to assume liability and warrant a result, namely the efficacy of the data protection and the verifiability of the measures taken to this end.

Accountability thus implies for the data controller not only the obligation to comply with the applicable rules, but also the obligation to demonstrate to the authorities and/or the data subjects how such compliance is ensured. Laws and other texts will gradually integrate accountability requirements for personal data protection. (more…)

Alain Bensoussan

The Privacy by Design (PbD) principle means that privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal. This in particular means that the protection of data must be at the heart of a company’s internal processes.

Adopting a PbD approach is a very visible trend in international groups and this trend is expected to grow significantly.

Privacy by Design can serve as a new tool to help companies stand out among their competitors and be a further mark of quality and trust for clients. (more…)

Alain Bensoussan

On May 10, 2012, the European Parliament adopted a resolution (available here) with recommendations to the Commission on the amendment of Regulation (EC) No. 864/2007 on the law applicable to non-contractual obligations, known as Rome II. The Parliament first noted that “the Rome II Regulation lacks a provision for the determination of the law applicable to violations of privacy and rights relating to personality”. (more…)

Alain Bensoussan

Are analytics cookies, i.e., cookies used to measure website audience, subject to the prior consent of Internet users? This article provides insights about the French and European views on this topic.

Background

Directive 2002/58/EC, as amended by Directive 2009/136/EC (known as the
e-Privacy Directive) has reinforced the protection of users of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user’s (or subscriber’s) terminal device. Article 5.3 of the Directive allows cookies to be exempted from the requirement of informed consent, if they satisfy some criteria.

(more…)