By Lisa Peets and Rosie Klement

On July 14, 2017, the Impact Assessment Institute (“IAI”) (an independent institute committed to impartial impact assessment and scientific evaluation of policy and legislation in the EU) published a study assessing the impact assessment carried out by the European Commission in connection with the Commission’s proposal for a new E-Privacy Regulation (“EPR”).  The IAI study is critical of the Commission’s impact assessment, and – by extension – the Commission’s case for the new EPR itself.

Background on the Impact Assessment and EPR

The EPR is the Commission’s proposed update to the existing EU E-Privacy Directive, and is intended to complement the EU’s broader data protection regime (as set out in the General Data Protection Regulation, “GDPR”).  The EPR would introduce a number of rules, including a provision protecting the confidentiality of communications that would regulate traditional telecoms services, and new “over-the-top” (“OTT”) services such as VoIP, web email, and instant messaging, among others.  The Commission EPR proposal is currently progressing through the legislative process in both the European Parliament and Council.

When formulating new proposals for regulations such as the EPR, the Commission prepares impact assessments in accordance with the Better Regulation Guidelines (detailed guidance intended to improve the quality of the Commission’s law-making).  The Commission duly prepared an impact assessment for the EPR, which was published alongside the text of the EPR legislative proposal on January 10, 2017 (the “Impact Assessment”).
Continue Reading Impact Assessment Institute Releases Report Critical of Commission’s Case for E-Privacy Regulation

The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C.  The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, address concerns that have been raised, and seek to ensure that the Privacy Shield is well positioned to continue operating as a valid legal basis for transfers of personal data from the EU to the U.S.

Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce (“Commerce”) and the European Commission (“Commission”), with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  Regulators have also indicated that they plan to solicit and incorporate feedback and comments from other Privacy Shield stakeholders as part of the review process, including from self-certified companies and other interested organizations.

Although this is the first annual review, it is important to note that the Privacy Shield has already been the subject of intense public scrutiny.  The draft text of the framework was released in February, several months prior to the final release in July, and a number of stakeholders took the opportunity to comment on the text, leading to several revisions designed to improve and strengthen the Privacy Shield. 
Continue Reading First Annual Privacy Shield Review Will Comprehensively Assess the Framework

Nearly 2,000 organizations are now listed as self-certified to the EU-U.S. Privacy Shield on the Department of Commerce’s (“Commerce”) Privacy Shield website.  Given current developments on both sides of the Atlantic, there are likely to be significant Privacy Shield developments in the coming months.

EU Justice Commissioner Věra Jourová recently concluded her visit to the U.S. to meet with Trump Administration officials and others regarding the status of the Privacy Shield.  During her visit, Commissioner Jourová spoke about the importance of the Privacy Shield as a framework with “enormous potential to strengthen the transatlantic economy and reaffirm our shared values.”  She also met with Commerce Secretary Wilbur Ross to discuss the Privacy Shield, and announced that the first annual joint review will occur in September, which she indicated would be “an important milestone where we need to check that everything is in place and working well.”
Continue Reading Privacy Shield Approaches 2,000 Participants; Review Scheduled for September

Today, the first meeting between the European Parliament (“EP”), the Council and the Commission (called “trilogue”) took place with the aim of reaching an agreement on the General Data Protection Regulation (“GDPR”) by the end of the year.  (For background, please see our previous InsidePrivacy post on the Council’s recently agreed general approach.)  The three EU institutions also discussed the status and timetable for the trilogue negotiations on the proposed Data Protection Directive in the law enforcement context (“Law Enforcement DP Directive”).

Right after the meeting,  the EP’s rapporteur on the GDPR, Green MEP Jan-Philipp Albrecht, the Chair of the Civil Liberties, Justice and Home Affairs (‘LIBE’) committee, S&D MEP Claude Moraes, justice ministers from the outgoing (Latvia) and incoming (Luxembourg) Council Presidencies, and the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, gave a joint press conference on the state of play of the talks and next steps.

Continue Reading EU General Data Protection Regulation – First day of ‘trilogue’ discussions