Author: Privacylawblog fieldfisher

Why BCR are the future of global data flows

On October 3rd, 2017, the Irish High Court issued a decision to refer questions on the adequacy of the standard contractual clauses (SCC) to the Court of Justice of the European Union (CJEU). This decision (already being referred to as the “Schrems 2.0 case”, named after its plaintiff, Maximilian Schrems) follows a similar case brought before the Irish High Court in 2014, which ultimately resulted in a decision of the CJEU invalidating the Safe Harbour agreement between the United States and Europe. Without pre-empting the CJEU’s ruling in this case, a decision to invalidate the SCC would certainly have serious implications for business, even more so than the decision invalidating Safe Harbour. It is worth highlighting that the SCC are not limited to transfers to the US (as was the case for Safe Harbour); on the contrary, they are used massively by companies to transfer their data to group entities and to third parties worldwide. The fundamental issue for businesses is therefore: on what legal basis will they continue to lawfully transfer their data outside Europe if the SCC are invalidated by the CJEU? Here are five reasons why businesses should consider implementing Binding Corporate Rules (BCR).

1. High degree of future-proofing

Both Privacy Shield and SCC are slowly but surely falling out of favour. With that in mind, businesses are left with few options: they...

CNIL amends whistleblowing regime following adoption of “Sapin 2 Law”

In France, the legal framework for whistleblowing schemes derives from a decision of the French Data Protection Authority (the “CNIL”) of 2005 adopting a “single authorization AU-004” for the processing of personal data in the context of whistleblowing schemes. This single authorization and the CNIL’s accompanying guidelines are largely based on the Article 29 Working Party’s Opinion 1/2006 of 1st February 2006, setting out EU-wide guidelines for whistleblowing schemes in Europe. Companies in France must notify their whistleblowing processing activities to the CNIL via an online self-certification procedure on the CNIL’s website, whereby they make a formal undertaking that their whistleblowing hotline complies with the pre-established conditions set out in the CNIL’s single authorization AU-004. Initially developed in response to the adoption of the U.S. Sarbanes-Oxley Act of 2002, the CNIL’s position historically has been to limit the scope and use of whistleblowing hotlines in France to areas where companies must comply with applicable laws (mainly in the areas of finance, accounting, banking and the fight against corruption). Since then, the CNIL has broadened the scope of its single authorization AU-004 a number of times to include other areas, such as compliance with the Japanese Financial Instruments Act, the prevention of anti-competitive practices, discrimination and workplace harassment, and compliance with health, hygiene, safety and environmental regulations in the workplace. The Law n°2016-1691 of 9 December 2016 on transparency, the...

EU Commissioner Jourová: Privacy Shield, GDPR readiness, online hate speech and more…

Vera Jourová, the European Union Commissioner for Justice, Consumers and Gender Equality, rounded off a recent three-day visit to the US with a speech at Berkeley School of Law on the current state of online privacy and consumer protection. Members of our Silicon Valley Privacy and Security team were there in person to hear Mrs Jourová address various topics, including the first joint annual review of Privacy Shield (which she co-launched on 18 September), the progress made on GDPR readiness to date, and the ongoing issues of online hate speech and radicalisation. We were there to hear her thoughts.

Privacy Shield – the Commission remains committed to Privacy Shield, and Mrs Jourová expressed “positive reflections” after the launch of the framework’s first annual review with her US counterpart, Commerce Secretary Wilbur Ross. The Commissioner did, however, acknowledge a number of “ongoing challenges”, both legal and political. In particular, she cited concerns over mass surveillance in the US, the increasing use of profiling and automated decision-making (especially in relation to credit scoring), and the Trump administration’s failure to appoint a permanent US ombudsman, as well as other vacancies within a number of US agencies, including the Federal Trade Commission and the Privacy and Civil Liberties Oversight Board. Despite her upbeat mood, Mrs Jourová did state in a recent interview that “the option of suspending the Privacy Shield is real”.

GDPR – having...

AEPD fines Facebook

Spanish DPA issues €1.2 million fine on Facebook for lack of transparency (among other things), with the potential for more fines from other DPAs

The Spanish Data Protection Agency (AEPD) imposed a sanction of €1,200,000 on Facebook after determining that it had committed several severe breaches of the Spanish Data Protection Act (the AEPD’s press release can be found here). The Belgian, French, Hamburg and Dutch DPAs are also investigating Facebook on these issues, and further fines are expected.

Why was Facebook fined? According to the AEPD’s statement, the key grounds for the fine are as follows:

Lack of transparency about the collection and processing of data on the Facebook website: The AEPD describes Facebook’s privacy policy as “vague” and considers that it does not provide clear and detailed information about the processing purposes or what data is collected. It specifically criticises that Facebook only provides some examples of what the purposes are. The AEPD also considers that users have to access too many different links in order to get to know the privacy policy.

Lack of transparency about the collection and processing of data on third party websites: The AEPD maintains that users are not sufficiently informed about the use of Facebook cookies, for example when they navigate third party sites. According to the AEPD, the average user is oblivious to the fact that Facebook drops cookies when the...

Getting to know the GDPR, Part 9 – Data transfer restrictions are here to stay, but so are BCR

The position under the General Data Protection Regulation (“GDPR”) relating to international transfers of personal data is similar to the existing regime under the Data Protection Directive (the “Directive”). However, there are a number of important differences that are likely to have key practical implications.

What does the law require today?

Under the Directive, the bottom line is that businesses are prohibited from transferring personal data outside the European Economic Area to a third country that does not have adequate data protection. The European Commission has the power to approve particular countries as providing an adequate level of data protection, taking into consideration the data protection laws in force in that country and its international commitments. A current list of “approved countries” is available from the European Commission’s website here. Following the ECJ decision in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, the US Department of Commerce’s U.S.-EU Safe Harbor Framework is no longer recognised as providing adequate data protection. Businesses may also transfer personal data to a third country on the basis of a mechanism from which an adequate level of data protection can be adduced (e.g. the standard contractual clauses approved by the EU Commission (“Model Clauses”) or Binding Corporate Rules (“BCR”)), or if one of the derogations under the Directive applies. The implementation of the rules in relation to international transfers under the Directive may...

Getting to know the General Data Protection Regulation, Part 8 – You may need to appoint a Data Protection Officer

Introduction

The General Data Protection Regulation (“GDPR”) introduces a new mandatory obligation for all companies who process personal data in certain specified circumstances to appoint a data protection officer (“DPO”). The DPO will be responsible for (amongst other things) monitoring an organisation’s compliance with the GDPR and reporting to the highest level of management on privacy-related issues.

What does the law require today?

Under the current EU Data Protection Directive 95/46/EC (“Directive”) there is no mandatory requirement for companies to appoint a DPO. However, Member States have the power to exempt companies that have appointed a DPO from the duty to register with the local data protection authority (“DPA”). Given the wide discretion for Member States to choose how (if at all) to implement this aspect of the Directive, it has been approached in very different ways, resulting in a patchwork of divergent country-specific requirements.

What will the General Data Protection Regulation require?

Who must appoint a DPO?

Under the GDPR, both controllers and processors must appoint a DPO in certain specified circumstances. Earlier drafts of the GDPR text made this obligation mandatory only for companies with more than 250 employees. However, the compromise version of the Regulation has no such restriction. Article 35 makes it clear that the obligation to appoint a DPO applies: To all public authorities processing personal data (except for courts acting...

France to adopt GDPR provisions before it comes into force in 2018

France is getting ahead of the final adoption of the General Data Protection Regulation (“GDPR”) and is expected to adopt several provisions of the GDPR this year, before it comes into force in 2018. Indeed, the French Government has introduced a new Bill for a “Digital Republic” (the “Bill”), which, amongst other things, would amend several key provisions of the French Data Protection Act and the Consumers Code, with a view to implementing specific provisions of the GDPR under national law. In particular, the Bill seeks to reinforce the French Data Protection Authority’s (“CNIL”) powers to impose fines on data controllers for violations of the French Data Protection Act. The Bill was adopted by the French National Assembly on 26th January 2016 in its first reading and has now been passed to the Senate. This Bill is expected to be adopted later this year. Once adopted, these provisions would come into force under French law before the GDPR comes into force after the two-year grace period that follows its publication in the Official Journal of the European Union. Below is a summary of the key provisions of the Digital Republic Bill that would amend the French Data Protection Act and the Consumers Code:

Right to data portability

The Bill would introduce a general right for consumers to retrieve their data partially or entirely. All providers of online communication services...

NIS Directive establishes first EU-wide cyber security rules

In December 2015 the EU institutions came to an agreement on the Network and Information Security Directive (‘NIS Directive’), establishing a set of EU-wide rules on cyber security for the first time; formal adoption of the Directive by the European Parliament and the Council of the EU is pending at the time of publication. For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied. Mark Webber and Michael Brown of Fieldfisher discuss five key issues for online businesses to consider in reaction to the Directive.

Under the NIS Directive, certain companies operating in critical sectors such as health, energy and transport, as well as some online businesses like search engines, online marketplaces and cloud computing providers, will be required to satisfy wide-ranging security and incident reporting obligations. From the TalkTalk hack to the Ashley Madison breach, cyber security issues and risks have captured the attention of journalists, CEOs, legislators and ordinary citizens in recent years. The NIS Directive represents a legislative attempt to address some of these cyber issues and risks and, in doing so, safeguard EU critical infrastructure and the much-vaunted EU Digital Single Market. Although the NIS Directive has...
