Europe

On May 12, 2016, EU Advocate General (“AG”) Manuel Campus Sanchez-Bordona issued an Opinion in Case C-582/14 Patrick Breyer v Germany, which is pending before the EU’s highest court (the Court of Justice).  The Court is not legally bound by this Opinion, but in practice often follows the opinions of its Advocate Generals in its rulings.  See here for the German language version; an English version is awaited.

The AG essentially considered that dynamic ‘IP’ addresses qualify as personal data, even if the website operator in question cannot identify the user behind the IP address, since the users’ internet access providers have data which, in connection with the IP address, can identify the users in question.

The AG went on to consider that the collection and use of IP address data, for the purpose of ensuring the functioning of the website, might be justified on the basis of the “balancing of legitimate interests” test under the EU Data Protection Directive 95/46/ EC (the “Directive”), notwithstanding more restrictive national rules in Germany.

If followed by the Court of Justice, the Opinion will have broad implications for EU data protection law, even the forthcoming General Data Protection Regulation (the “GDPR”).  In particular, the Opinion will be relevant for any industries that handle de-identified personal data, and re-confirms the limits that national legislators need to respect when deviating from EU-level data protection legislation.Continue Reading EU Advocate General Considers Dynamic IP Addresses To Be Personal Data

As forecast in our latest blog on the topic (available here), the European Parliament today voted into law a new General Data Protection Regulation (“GDPR”) that will replace the EU’s all-encompassing Data Protection Directive as of mid-2018.

Today’s vote brings to a close a legislative process that has lasted nearly five years; the law’s

Following the expected approval of the final text of the General Data Protection Regulation (“GDPR”) in the European Parliament this week, the Commission is now turning its attention towards the ePrivacy Directive.

On Monday (April 11, 2016), the Commission launched a public consultation to review and propose changes to the ePrivacy Directive (2002/58/EC).  (See the

As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce.  Commerce’s release coincided with the release of a draft adequacy decision by the European Commission.

A number of the Privacy Shield principles, notably in enforcement, onward transfer, and regular review, are significantly more stringent than the Safe Harbor.  In light of these new obligations, among others, privacy professionals should carefully consider whether this data-transfer framework is right for their companies.

  1. Tougher and Binding Remedies and Enforcement

In addition to FTC enforcement under Section 5, the Principles encourage individuals to bring their complaints directly to the organization at issue, to which the signatory must respond within 45 days.  If the complaint is not resolved, the consumer may bring his or her complaint before an independent dispute resolution body.  The Principles allow signatories to utilize U.S.- or EU-based dispute resolution bodies, or a panel of EU member state data protection authorities (DPAs).Continue Reading Privacy Shield: Top Five Reasons It’s Tougher Than the Safe Harbor, Whether You Should Certify, and Next Steps

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an opinion by the Article 29 Working Party, representing, among other things, the EU’s data protection authorities, is a key next step that will shape enforcement and data transfer options for companies in the post-Schrems environment.  Until then, here is a summary of the approach that some of the national DPAs are taking:
Continue Reading EU DPA Enforcement Guidance Post-Schrems

On February 3rd, the Article 29 Working Party, representing Europe’s data protection authorities, published its reaction to the announcement of a new “Privacy Shield” political agreement between the European Commission and the U.S. Government.  The Privacy Shield agreement, announced on February 2nd (and further described in our blog post here), is intended to replace the now-defunct Safe Harbor Framework, and may form a future legal basis for transatlantic data flows between Europe and the United States.
Continue Reading Article 29 Working Party Reacts to the U.S.-EU Privacy Shield Agreement

On January 12, 2016, the European Court of Human Rights (ECtHR) ruled that an employer who had monitored an employee’s private communications during working hours had not breached the employee’s right to privacy (under Article 8 of the European Convention on Human Rights).

This judgment will influence how other European national courts and regulators view similar cases involving employer monitoring of employee private communications. However, the full scope of the judgement remains somewhat unclear; in particular, it remains unclear whether the ECtHR would apply similar logic if the monitored communications had been carried out through a personal account, rather than a professional one.  Employers should also take note that the judgment emphasizes the need for employer monitoring policies to be reasonable and proportionate.  The judgment is available in full here.
Continue Reading European Court of Human Rights Rules That Employers Can Monitor Employee Private Communications

Today, the EU institutions reached the long-awaited political agreement on the General Data Protection Regulation (GDPR), which will fundamentally change the EU privacy landscape (for the Commission press release see here and the European Parliament press release here).  Almost four years after the publication of the legislative proposal for the GDPR, the final trilogue

A European Parliament policy department has released a report, entitled Big Data and Smart Devices and Their Impact on Privacy, that criticizes the lack of focus on privacy and data protection in the European Commission’s “Digital Single Market” policy agenda, noting a “conflicting” intersection between the Commission’s Digital Single Market objectives and the EU’s efforts, now in their hopefully final stages, to reform the EU’s general legislation around the protection of personal information.
Continue Reading EU Parliament Policy Report Takes Dim View of EU Commission’s “Pro-Market” Policies on Big Data and Smart Devices