Europe

A second round of “trilogue” negotiations on the EU General Data Protection Regulation (GDPR), on July 14th, has addressed the law’s territorial scope and rules relating to international data transfers (Article 3 and Chapter 5, respectively).

Although no agreed text has been released, public comments made by Jan Philipp Albrecht, the European Parliament’s lead negotiator on the GDPR, indicate that agreement has been reached “in principle” on most of the provisions discussed. (For a video of his comments, please see here, from 3:10:00 to 3:20:00.) However, some issues remain to be resolved, and it is expected they will be addressed when negotiations resume in September.

The U.S. and EU’s negotiators on the EU-U.S. Safe Harbor data transfer program have missed an end of May target date for reaching an agreement on amendments to the program.

They nevertheless publicly reaffirmed their commitment to reaching an agreement on the Safe Harbor program, and on an “Umbrella Agreement” that would protect personal data

On June 2, 2015, the Article 29 Working Party updated its published guidance on the topic of Processor BCRs. In its latest guidance document, the Working Party focuses specifically on the sensitive topic of disclosures to law enforcement agencies (LEAs).

By means of Processor BCRs, data processors are able to share EU-originating personal data within their group globally. This increases the risk that foreign LEAs will either request or compel production of the data by group affiliates established outside the EU. European concerns over the broad scope of U.S. government surveillance programs, and similar programs in other countries, undoubtedly provided the impetus for the guidance. The Working Party recognizes this risk and appears to appreciate the difficult situation processors can find themselves in when asked to produce information to LEAs. In line with previous guidance relating to e-discovery, the Working Party proposes a “best-efforts” model.

From September 29 to October 7, 2014, parliamentary Committees of the European Parliament (“EP”) will be holding public confirmation hearings with Commissioners-designate with a view to assessing their skills and qualifications ahead of the EP’s vote on October 22 to approve (or reject) the Council’s appointment of the new Commission.

On October 1, the Committee on Legal Affairs (“JURI”), the Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), the Committee on Internal Market and Consumer Protection (“IMCO”) and the Committee on Women’s Rights and Gender Equality (“FEMM”) therefore held a hearing with Věra Jourová, the Czech Commissioner-designate for Justice, Consumers and Gender Equality. The answers of the Commissioner-designate, some of which are summarized below, failed to impress the members of the European Parliament, who will be subjecting the Commissioner-designate to further questions. It is therefore at this stage unclear whether Ms Jourová will take up her portfolio later this year.

By Jacqueline Clover

The Court of Justice of the European Union (‘CJEU’) has ruled that an analysis produced by an administrative agency to inform and support the agency’s formal decisions (‘legal analysis’) is not of itself “personal data” as defined under Directive 95/46/EC (the ‘EU Data Protection Directive’).  This is the case even where the legal analysis contains information that is clearly “personal data”, such as an individual’s name, date of birth, nationality and gender.  The ruling of 17 July 2014 in Joined Cases C-141/12 and C-372/12 YS v. Minister voor Immigratie, Integratie en Asiel, and Minister voor Immigratie, Integratie en Asiel v. M, S, is available here.

It is an important decision for two reasons. First, it clarifies the boundaries of what constitutes “personal data” under EU law. And, second, it clarifies that a data subject’s right of access under the EU Data Protection Directive does not necessarily require access to the actual records containing personal data. In some cases, a full summary of the personal data in an intelligible form suffices.

By: Sophie Noya

On May 22-25, EU citizens elected Members of the European Parliament (“MEPs”) for a five-year term. Several of the key parliamentary decision-makers on the data protection reform have been reelected, including the strongest supporters of far-reaching privacy rights such as the rapporteur, German Green Member Jan Philipp Albrecht, and Dutch Liberal Sophie in ’t Veld. More than half of the European Parliament (“EP”) has been renewed, which may give an advantage to experienced MEPs who will try to play a dominant role.

Although the three main parliamentary groups (center-right EPP, center-left Socialists and center Liberals) continue to control two thirds of the seats in the EP, Eurosceptic and nationalist parties gained significant ground at the expense of mainstream parties. These anti-EU parties – which could represent up to 25% of the Assembly – are composed of heterogeneous political formations. This Parliament will therefore be more fragmented than the previous one. In practice, social priorities will become more important and MEPs will likely strengthen their support for citizens’ rights in order to demonstrate that they have drawn lessons from the election outcome.

By Philippe Bradley and Mark Young

The Court of Justice of the European Union (CJEU) today held that the EU Data Retention Directive (Directive 2006/24/EC) is invalid. The CJEU ruled that the retention of data under the Directive constitutes an impermissibly broad and serious interference with fundamental human rights to private life and the protection of personal data.

The Data Retention Directive requires all EU Member States to ensure that communications service providers retain certain traffic, location and related data necessary to identify subscribers or users in relation to every communication carried (“communications data”), for the purpose of investigating, detecting and prosecuting “serious crime”, as defined by national law.  Today, the CJEU ruled that the Directive is unlawful despite its legitimate aim and the measures it put in place to protect retained data, and regardless of the fact that it does not require the content of communications to be retained.

The effect of the declaration of invalidity is immediate and effectively back-dated to the day on which the Data Retention Directive entered into force. This raises interesting questions about the status of national implementing data retention laws (and possibly also about costs that service providers have incurred in complying with such laws), and whether the EU legislature will attempt to create an alternative data retention system that respects the limits set out in the ruling.

Last week, the Article 29 Data Protection Working Party published a non-binding Opinion on data breach notifications, titled Opinion 03/2014 on Personal Data Breach Notification (the Opinion).  The Opinion provides helpful new guidance to companies seeking to understand whether or not notifications about a breach must be made to European privacy regulators and/or affected individuals in the wake of a data breach.  Although the Opinion’s guidance is non-binding, and is not based on clear legal requirements, it is nevertheless likely to shape enforcement practices both inside and outside the EU, given the standing and influence of the Article 29 Working Party.

This post discusses key aspects of the Opinion.

In January 2014, a massive data leak of some 104 million credit card accounts shocked South Korea. The number of affected accounts was twice the population of South Korea. The incident arose when a temporary employee of a personal credit rating agency that manages personal financial data of customers of three major credit card companies allegedly copied personal credit details of millions of people onto his portable disk drive and subsequently sold the information to loan marketers and brokers.

On March 10, 2014, the Korean Government announced plans to prevent a recurrence of a large-scale security breach in the financial sector (the “Plan”) (available in Korean here). The Plan contains a number of elements that may be modeled on the EU’s proposed General Data Protection Regulation, such as turnover-based sanctions, limitations on data transfers and data retention and a reinforcement of individuals’ rights.  Some of the proposed measures are supposed to be implemented by amending existing relevant laws. Members of the National Assembly have already tabled legislative proposals for a number of amendments that reflect the Plan at a parliamentary committee meeting on February 24, 2014; however, it is at present unclear when they will be discussed and adopted by the Parliament. By contrast, other measures that do not require legislative changes are likely to be implemented as quickly as possible.

If adopted, the legislative proposals will have a significant impact in particular on financial institutions that handle a large amount of Korean customers’ personal information — such as banks, credit card companies and personal credit rating agencies. However, companies in other sectors are not off the hook, as the Government has indicated the possibility of a comprehensive inquiry to improve general personal information protection beyond the financial sector in the near future.

As part of an ongoing European tour, President Obama has met with several EU political leaders in Brussels today.  After the meeting, Herman van Rompuy, President of the EU, stated that the US has agreed to review the Safe Harbor.  There are no further details known at this stage but most likely the changes will