European Union

Privacy Shield after Schrems 2: What to Do Next?

Since the publication of the EU Court of Justice decision in the Schrems 2 case, many organizations that send or receive personal data of EU/EEA residents have been struggling to find reliable, viable means to ensure the continuity of the data flows emanating from the EU/EEA, and the privacy protections needed for this data. The guidance provided by regulatory authorities on both sides of the Atlantic has been limited. 

The Schrems 2 decision focuses primarily on two elements, the EU-US Privacy Shield and the Standard Contractual Clauses Controller-to-Processor.  Both the EU-US Privacy Shield program and the Standard Contractual Clause framework have come out with a black eye. And both aspects of the Schrems 2 decisions have significant consequences for businesses that operate on a global scale.

(more…)
Read More

Failure to Meet Data Retention and Data Minimization Obligations In Germany Results in a EUR 14.5 Million fine

Francoise Gilbert

Failure to Meet Data Retention and Data Minimization Obligations In Germany Results in a EUR 14.5 Million fine

The abundance of storage space and the increased pressure to keep interacting with current or former customers prompt businesses to collect large amounts of data, and retain as much of this data as possible, often well beyond actual useful period. Too often, businesses may not spend the time and resources necessary to periodically audit their practices and evaluate the nature of the data collected or to be collected, how the data is used, or why it is needed in view their then-current needs. And they may neglect to purge their databases and securely dispose of this data.

(more…)

Read More

The Right to be Forgotten Tsunami: What Effect for US Companies

Francoise Gilbert

The so-called Right to Be Forgotten or right of erasure (RTBF) has been the subject of much debate and attention since the publication of the Court of Justice of the European Union (CJEU) opinion in May 2014, in the Costeja v. Google case. The CJEU held that, under certain conditions, a European citizen has the right to demand that a search engine remove links to information pertaining to him that is “inaccurate, inadequate, irrelevant, or excessive,” even if the information is truthful.

Since the publication of the CJEU opinion, search engines have been flooded by delisting requests. According to the Google Transparency Report, as of the end of February 2015, Google has received over 220,000 delisting requests, and has evaluated over 800,000 URLs.

The topic has also garnered the attention of the Article 29 Working Party (A29), which published Guidelines, in late November 2014, to explain the position of the EU Data Protection Authorities. Among other things, the Guidelines provide that delisting requests, when accepted, must be implemented on all domains operated, worldwide, by the entity receiving the delisting request, and not just only on its EU domains.

Interest in RTBF has also expanded outside the European Economic Area (EEA). Cases similar to the Costeja case have been brought in Asia and the Americas. It is clear that a strong current is building. The CJEU Costeja ruling and its aftermath are significant for businesses around the world in many respects. The genie is out of the bottle, and may be sneaking into, and disrupting many businesses.

(more…)

Read More

Right to be Forgotten – Casting a Wider Net

Francoise Gilbert

The Article 29 Working Party (WP29) has published, in its document WP 225, Guidelines on the Implementation of the Court of Justice of the European Union (CJEU) Judgment on Google Spain and Inc. v. Agencia Espanola de Proteccion des Datos (AEPD) and Mario Costeja GonzalezC-131/12 (Guidelines) to provide its interpretation of the CJEU’s ruling, and identify the criteria that will be used by the EU/EEA Member States Data Protection Authorities when addressing complaints from individuals following a denial of de-listing requests.

(more…)

Read More

Amended Draft EU Regulation Approved by LIBE Committee on October 21

Francoise Gilbert

A revised draft of the proposed EU Data Protection Regulation was approved by the EU Committee on Civil Liberties, Justice, and Home Affairs on October 21, 2013.

Overall, the amendments strengthen privacy rights of EU residents. The most significant amendment is probably that which sets the maximum fine in case of a violation of the new law. The original draft regulation had set the maximum fine at 1,000,000 Euros or 2% of a company’s worldwide income and had adopted a tiered approach. After this recent set of amendments, fines could reach up to 100,000,000 Euros or up to 5% of a company’s annual worldwide income, whichever is greater.

 

(more…)

Read More

Accountability and Protection of Personal Data

Alain Bensoussan

In data privacy matters, “accountability” means an obligation to report and explain, combined with principles of transparency and traceability, with a view to identify and document the measures implemented to comply with data privacy law requirements. It also implies an obligation for the data controller to assume liability and warrant a result, namely the efficacy of the data protection and the verifiability of the measures taken to this end.

Accountability thus implies for the data controller not only the obligation to comply with the applicable rules, but also the obligation to demonstrate to the authorities and/or the data subjects how such compliance is ensured. Laws and other texts will gradually integrate accountability requirements for personal data protection. (more…)

Read More

Privacy by Design

Alain Bensoussan

The Privacy by Design (PbD) principle means that privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal. This in particular means that the protection of data must be at the heart of a company’s internal processes.

Adopting a PbD approach is a very visible trend in international groups and this trend is expected to grow significantly.

Privacy by Design can serve as a new tool to help companies stand out among their competitors and be a further mark of quality and trust for clients. (more…)

Read More

EU Parliament Resolution for Amendment of Rome II Regulation on Law Applicable to Violations of Privacy

Alain Bensoussan

On May 10, 2012, the European Parliament adopted a resolution (available here) with recommendations to the Commission on the amendment of Regulation (EC) No. 864/2007 on the law applicable to non-contractual obligations, known as Rome II. The Parliament first noted that “the Rome II Regulation lacks a provision for the determination of the law applicable to violations of privacy and rights relating to personality”. (more…)

Read More

Analytics Cookies & Consent Exemption

Alain Bensoussan

Are analytics cookies, i.e., cookies used to measure website audience, subject to the prior consent of Internet users? This article provides insights about the French and European views on this topic.

Background

Directive 2002/58/EC, as amended by Directive 2009/136/EC (known as the
e-Privacy Directive) has reinforced the protection of users of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user’s (or subscriber’s) terminal device. Article 5.3 of the Directive allows cookies to be exempted from the requirement of informed consent, if they satisfy some criteria.

(more…)

Read More

What the January 25, 2012 Draft of the Proposed EU Data Protection Reform Means for Companies Doing Business with or in the EU

January 27, 2012 – Francoise Gilbert

The comprehensive proposed data protection package that the European Commission unveiled on January 25, 2012 provides a sneak preview of the plans for the European Commission for the reform of the data protection rules in the European Union. It the draft legislative texts are adopted in a form substantially similar to that which was presented in the package, by 2015, the European Union will be operating under a single data protection law that applies directly to all entities and individuals in the Member States. In addition, much of the administrative burden that are currently costing billions of Euros to companies will have been removed. The savings would allow companies to allocate their data protection budget to more meaningful, efficient, data protection practices that are better adapted to the uses of personal data, the new technologies and the 21st century way of life.

(more…)

Read More