
Author: Privacylawblog fieldfisher

Privacy Shield (begrudgingly) here to stay! For now…

The Commission gave it the official (if lukewarm) OK in October, following the first annual review. Last week it was time for the Article 29 Working Party (WP29) to have its say. The overall verdict: OK but could do better. This is backed up by a threat to mount a legal challenge. But whilst this is more of a story than the Trump announcement earlier this year (see my earlier post), Privacy Shield organisations, or those considering it, should not lose any sleep.

“OK”

The Opinion starts with the usual lines about welcoming progress before we get down to the juicy stuff: a great improvement on Safe Harbor, welcome the Department of Commerce’s commitment and dedicated staff, welcome increased transparency on surveillance and declassification of certain documents, etc. It reads like a huge ‘but’ is coming.

“Could do better…”

WP29 split their objections into two categories: they are not happy with certain aspects on the commercial side, and they have major concerns about state surveillance.

a) Commercial aspects

WP29 bemoaned the lack of guidance both for organisations certifying to Privacy Shield and for individuals trying to assert their rights. The Department of Commerce (DoC) retorted that the framework is principles-based and that it wants organisations to consider the principles rather than copy and paste official text. WP29 wants clear guidance for individuals and organisations on how the scheme works. A...


Everything you’ve ever wanted to know about DPO but never dared to ask

As the entry into force of the General Data Protection Regulation (GDPR) approaches, more and more companies are assessing whether they need to designate a Data Protection Officer (DPO) and, at times, may be struggling to understand how the provisions on the DPO will apply to them. This blog post will not cover the general provisions on the DPO under Articles 37 to 39 of the GDPR. For a general overview of what the GDPR requires, please read our previous blog post on the topic (click here). Instead, this article answers some of the more difficult questions that you may be asking but have never dared to ask.

1. Does the requirement to designate a DPO apply both to controllers and processors?

Yes. For processors, it is one of many direct obligations in the GDPR. Processors will need to check that their own compliance programmes are in order. There is potential for overlap or conflict where a processor with a DPO will be processing on behalf of a controller with a DPO. The Article 29 Working Party (WP29) guidance simply states that they “should then cooperate with each other”.

2. Must organisations outside the EU designate a DPO?

Organisations with no establishments in the EU will first need to assess whether Article 3 on the territorial scope of the GDPR applies to them, particularly if they are offering goods or services directly to individuals in the EU, or monitoring...


Privacy’s not dead.  It’s hiring.

Some time back, in the early dawn of my legal career, a colleague took me aside and said to me “You do realise that this whole privacy thing is just a fad? It’ll soon pass.” That was some ten years ago or so, and it’s gratifying (and, frankly, a relief) to find that the area of law I chose to settle on has proven far from a fad.

There is a danger when speaking with fellow privacy professionals, though, that we become something of an echo chamber. Every privacy professional tends to believe that privacy is of paramount importance (why else would they move into it?) and we tend to reaffirm one another’s beliefs that the significance of data protection law will endure indefinitely.

That isn’t a view always held by non-privacy colleagues, though. Many view the current GDPR as something of a flash in the pan – a kind of Y2K for privacy professionals. There can be a sense that, while privacy is a big deal now as companies rush to complete their GDPR implementation projects, come May 25th next year everyone will breathe a big sigh of relief and things will calm down again.

This won’t be the case. Privacy will only grow in importance over the coming years. For now, I’ll leave aside the social and ethical arguments about why privacy will continue to dominate since...


Getting to know the GDPR, Part 9 – Data transfer restrictions are here to stay, but so are BCR

The position under the General Data Protection Regulation (“GDPR”) relating to international transfers of personal data is similar to the existing regime under the Data Protection Directive (the “Directive”). However, there are a number of important differences that are likely to have key practical implications.

What does the law require today?

Under the Directive, the bottom line is that businesses are prohibited from transferring personal data outside the European Economic Area to a third country that does not have adequate data protection. The European Commission has the power to approve particular countries as providing an adequate level of data protection, taking into consideration the data protection laws in force in that country and its international commitments. A current list of “approved countries” is available from the European Commission’s website here. Following the ECJ decision in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, the US Department of Commerce’s U.S.-EU Safe Harbor Framework is no longer recognised as providing adequate data protection.

Businesses may also transfer personal data to a third country on the basis of a mechanism from which an adequate level of data protection can be adduced (e.g. the standard contractual clauses approved by the EU Commission (“Model Clauses”) or Binding Corporate Rules (“BCR”)), or if one of the derogations under the Directive applies. The implementation of the rules in relation to international transfers under the Directive may...


Getting to know the General Data Protection Regulation, Part 8 – You may need to appoint a Data Protection Officer.

Introduction

The General Data Protection Regulation (“GDPR”) introduces a new mandatory obligation for all companies who process personal data in certain specified circumstances to appoint a data protection officer (“DPO”). The DPO will be responsible for (amongst other things) monitoring an organisation’s compliance with the GDPR and reporting to the highest level of management on privacy-related issues.

What does the law require today?

Under the current EU Data Protection Directive 95/46/EC (“Directive”) there is no mandatory requirement for companies to appoint a DPO. However, Member States have the power to exempt companies that have appointed a DPO from the duty to register with the local data protection authority (“DPA”). Given the wide discretion for Member States to choose how (if at all) to implement this aspect of the Directive, it has been approached in very different ways, resulting in a patchwork of divergent country-specific requirements.

What will the General Data Protection Regulation require?

Who must appoint a DPO?

Under the GDPR, both controllers and processors must appoint a DPO in certain specified circumstances. Earlier drafts of the GDPR text made this obligation mandatory only for companies with more than 250 employees. However, the compromise version of the Regulation has no such restriction. Article 35 makes it clear that the obligation to appoint a DPO applies: to all public authorities processing personal data (except for courts acting...


France to adopt GDPR provisions before it comes into force in 2018

France is getting ahead of the final adoption of the General Data Protection Regulation (“GDPR”) and is expected to adopt this year several provisions of the GDPR before it comes into force in 2018. Indeed, the French Government has introduced a new Bill for a “Digital Republic” (the “Bill”), which, amongst other things, would amend several key provisions of the French Data Protection Act and the Consumers Code, with a view to implementing specific provisions of the GDPR under national law. In particular, the Bill seeks to reinforce the French Data Protection Authority’s (“CNIL”) powers to impose fines against data controllers for violations of the French Data Protection Act.

The Bill was adopted by the French National Assembly on 26th January 2016 in its first reading and has now been passed to the Senate. This Bill is expected to be adopted later this year. Once adopted, these provisions would come into force under French law before the GDPR comes into force, after the two-year grace period that follows its publication in the Official Journal of the European Union.

Below is a summary of the key provisions of the Digital Republic Bill that would amend the French Data Protection Act and the Consumers Code:

Right to data portability

The Bill would introduce a general right for consumers to retrieve their data partially or entirely. All providers of online communication services...


NIS Directive establishes first EU-wide cyber security rules

In December 2015 the EU institutions came to an agreement on the Network and Information Security Directive (‘NIS Directive’), establishing a set of EU-wide rules on cyber security for the first time; formal adoption of the Directive by the European Parliament and the Council of the EU is pending at the time of publication. For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied. Mark Webber and Michael Brown of Fieldfisher discuss five key issues for online businesses to consider in reaction to the Directive.

Under the NIS Directive, certain companies operating in critical sectors such as health, energy and transport, as well as some online businesses like search engines, online marketplaces and cloud computing providers, will be required to satisfy wide-ranging security and incident reporting obligations. From the TalkTalk hack to the Ashley Madison breach, cyber security issues and risks have captured the attention of journalists, CEOs, legislators and ordinary citizens in recent years. The NIS Directive represents a legislative attempt to address some of these cyber issues and risks and, in doing so, safeguard EU critical infrastructure and the much-vaunted EU Digital Single Market. Although the NIS Directive has...


The EU-US Privacy Shield. Not quite there yet!

On February 2nd, 2016, EU and U.S. officials reached a political agreement on a new framework for transatlantic data flows called the “EU-US Privacy Shield”. You may be thinking: “That’s it!”, a new solution has been found. Just keep on reading… you’ll see that it’s far from being a done deal.

The following day (on February 3rd, 2016) the Article 29 Working Party (“WP29”) released a public statement on the consequences of the EU Court of Justice’s decision invalidating Safe Harbour and gave a high-level opinion on the political agreement reached the day before. The key points of this statement are summarised below:

The WP29 welcomes the conclusion of the negotiations between the EU and US introducing a new “EU-US Privacy Shield”, but it has not yet received a copy of this political agreement and is waiting to receive the relevant documents in order to verify the legally binding nature of this arrangement and to assess whether it complies with the Court’s decision on Safe Harbour.

The WP29 still has “concerns” regarding the current US legal framework (in particular the practices of US intelligence) and therefore has set forth four “essential guarantees” for intelligence activities that are meant to comply with EU fundamental rights.

1/ Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to...
