Author: Privacylawblog fieldfisher

GDPR + e-Privacy = :-(

At some point in your life, you’ve probably had the experience of meeting someone who you feel you ought to like but, no matter how hard you try, you just can’t seem to gel with them – awkward silences creep into conversations and you find that, while you may share similar values, the ways you each go about approaching things are just different. Ultimately, despite both your best efforts, there’s just no chemistry. That’s what I imagine Europe’s GDPR and e-Privacy Directive would be like as playmates, if only they were people. They share common values – the protection of individuals’ fundamental rights to privacy and to data protection – and yet, try as they might, they just don’t play together all that nicely.

Unambiguous consent for cookies?

Nowhere is this more apparent than when it comes to the issue of cookie consent. The e-Privacy Directive is a lex specialis (meaning a law that deals with a specific subject matter – in this case, the preservation of privacy over electronic communications channels). It sits alongside the current Data Protection Directive / soon-to-be-in-effect GDPR (I’ll just say GDPR from hereon), setting out special rules that deal with things like the privacy of communications content and metadata, e-marketing, and – of course – cookie requirements. The GDPR applies for any wider data protection issues concerning personal data which aren’t addressed by the e-Privacy Directive. So far,...

Getting to know the GDPR, Part 9 – Data transfer restrictions are here to stay, but so are BCR

The position under the General Data Protection Regulation (“GDPR“) relating to international transfers of personal data is similar to the existing regime under the Data Protection Directive (the “Directive“). However, there are a number of important differences that are likely to have key practical implications.

What does the law require today?

Under the Directive, the bottom line is that businesses are prohibited from transferring personal data outside the European Economic Area to a third country that does not have adequate data protection. The European Commission has the power to approve particular countries as providing an adequate level of data protection, taking into consideration the data protection laws in force in that country and its international commitments. A current list of “approved countries” is available from the European Commission’s website here. Following the ECJ decision in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, the US Department of Commerce’s U.S.-EU Safe Harbor Framework is no longer recognised as providing adequate data protection. Businesses may also transfer personal data to a third country on the basis of a mechanism from which an adequate level of data protection can be adduced (e.g. the standard contractual clauses approved by the EU Commission (“Model Clauses“) or Binding Corporate Rules (“BCR“)), or if one of the derogations under the Directive applies. The implementation of the rules in relation to international transfers under the Directive may...

Getting to know the General Data Protection Regulation, Part 8 – You may need to appoint a Data Protection Officer.

Introduction

The General Data Protection Regulation (“GDPR”) introduces a new mandatory obligation for all companies who process personal data in certain specified circumstances to appoint a data protection officer (“DPO”). The DPO will be responsible for (amongst other things) monitoring an organisation’s compliance with the GDPR and reporting to the highest level of management on privacy-related issues.

What does the law require today?

Under the current EU Data Protection Directive 95/46/EC (“Directive“) there is no mandatory requirement for companies to appoint a DPO. However, Member States have the power to exempt companies that have appointed a DPO from the duty to register with the local data protection authority (“DPA”). Given the wide discretion for Member States to choose how (if at all) to implement this aspect of the Directive, it has been approached in very different ways, resulting in a patchwork of divergent country-specific requirements.

What will the General Data Protection Regulation require?

Who must appoint a DPO?

Under the GDPR, both controllers and processors must appoint a DPO in certain specified circumstances. Earlier drafts of the GDPR text made this obligation mandatory only for companies with more than 250 employees. However, the compromise version of the Regulation has no such restriction. Article 35 makes it clear that the obligation to appoint a DPO applies: To all public authorities processing personal data (except for courts acting...

France to adopt GDPR provisions before it comes into force in 2018

France is getting ahead of the final adoption of the General Data Protection Regulation (“GDPR”) and is expected to adopt this year several provisions of the GDPR before it comes into force in 2018. Indeed, the French Government has introduced a new Bill for a “Digital Republic” (the “Bill”), which amongst other things, would amend several key provisions of the French Data Protection Act and the Consumers Code, with a view to implementing specific provisions of the GDPR under national law. In particular, the Bill seeks to enforce the French Data Protection Authority’s (“CNIL”) powers to impose fines against data controllers for violations of the French Data Protection Act. The Bill was adopted by the French National Assembly on 26th January 2016 in its first reading and has now been passed to the Senate. This Bill is expected to be adopted later this year. Once adopted, these provisions would come into force under French law before the GDPR comes into force after a two-year grace period that follows its publication in the Official Journal of the European Union. Below is a summary of the key provisions of the Digital Republic Bill that would amend the French Data Protection Act and the Consumers Code:

Right to data portability

The Bill would introduce a general right for consumers to retrieve their data partially or entirely. All providers of online communication services...

NIS Directive establishes first EU-wide cyber security rules

In December 2015 the EU institutions came to an agreement on the Network and Information Security Directive (‘NIS Directive’), establishing a set of EU-wide rules on cyber security for the first time; formal adoption of the Directive by the European Parliament and the Council of the EU is pending at the time of publication. For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied. Mark Webber and Michael Brown of Fieldfisher discuss five key issues for online businesses to consider in reaction to the Directive.

Under the NIS Directive, certain companies operating in critical sectors such as health, energy and transport, as well as some online businesses like search engines, online marketplaces and cloud computing providers, will be required to satisfy wide-ranging security and incident reporting obligations. From the TalkTalk hack to the Ashley Madison breach, cyber security issues and risks have captured the attention of journalists, CEOs, legislators and ordinary citizens in recent years. The NIS Directive represents a legislative attempt to address some of these cyber issues and risks and, in doing so, safeguard EU critical infrastructure and the much-vaunted EU Digital Single Market. Although the NIS Directive has...

The EU-US Privacy Shield. Not quite there yet!

On February 2nd, 2016, EU and U.S. officials reached a political agreement on a new framework for transatlantic data flows called “EU-US Privacy Shield“. You may be thinking: “That’s it!” a new solution has been found. Just keep on reading… you’ll see that it’s far from being a done deal. The following day (on February 3rd, 2016) the Article 29 Working Party (“WP 29“) released a public statement on the consequences of the EU Court of Justice’s decision invalidating Safe Harbour and gave a high level opinion on the political agreement that was agreed yesterday. The key points of this statement are summarized below:

The WP29 welcomes the conclusion of the negotiations between the EU and US introducing a new “EU-US Privacy Shield” but it has not yet received a copy of this political agreement and is waiting to receive the relevant documents in order to verify the legal bindingness of this arrangement and to assess whether it complies with the Court’s decision on Safe Harbour. The WP 29 still has “concerns” regarding the current US legal framework (in particular the practices of US intelligence) and therefore has set forth four “essential guarantees” for intelligence activities that are meant to comply with EU fundamental rights.

1/ Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to...

The EU-US Privacy Shield – A “New Deal” for Safe Harbor?

At the Democratic National Convention in Chicago in 1932, as America seemed endlessly trapped within the depths of its Great Depression, Governor Franklin D. Roosevelt accepted his party’s nomination to run for President and promised the American people this: “I pledge you, I pledge myself, to a new deal for the American people.” This pledge – to lift the American people out of the economic troughs they had endured for years – helped Governor Roosevelt achieve office and become the next President of the United States. Over the coming years, measures taken by Roosevelt under his “New Deal” program helped take the United States out of the Great Depression and restore it to economic glory. This piece of history has obvious parallels with the news announced by the European Commission today that it has agreed a “new framework” (admittedly, not quite as catchy as a “New Deal”) with the United States for transatlantic data flows: US data exports have been in crisis since the Snowden revelations, the new framework promises to significantly benefit ‘the man on the street’, and this agreement is widely perceived as critical to US businesses and the US economy. The effort taken to achieve this new framework has been simply monumental and, taken at face value, it’s cause for celebration. But, as any lawyer will tell you, the devil is in the detail and today is only really part of the story…

What does the new framework provide?

To begin with, the...

EU / US fail to agree Safe Harbor replacement within deadline

Only moments ago, EU Justice Commissioner Věra Jourová reported to the European Parliament that “talks are ongoing” in relation to agreeing a replacement for the Safe Harbor framework. Negotiating parties had hoped to strike a deal ahead of meetings between the EU data protection authorities on the topic of EU-US data transfers which shall take place in Brussels on 2nd / 3rd February. Other headline points from Commissioner Jourová’s update to the European Parliament included that the new arrangement needs to be “fundamentally different from the old Safe Harbor” and “able to withstand any new challenges.” According to the Commissioner, discussions are continuing in relation to four key points:

Limitations and safeguards as to access to data by US public authorities;
Independent oversight and individual redress;
The resolution of individual complaints; and
Binding commitments from the US side.

In terms of next steps, Commissioner Jourová is due to provide a progress update on the EU-US talks to her fellow EU Commissioners tomorrow. Following that, we can expect a pivotal set of discussions between the EU data protection authorities on data transfer mechanisms and for transatlantic negotiations to recommence in earnest. Amidst this uncertainty, rest assured that the Fieldfisher Privacy, Security and Information law team will keep you posted on any breakthrough in negotiations or other notable...
