Europe

It has been an eventful week in the European Parliament in relation to data privacy and security matters.  Having already voted in favor of the General Data Protection Regulation (“GDPR”) and endorsed a controversial report into allegations of mass surveillance, the European Parliament voted yesterday on the proposed Network and Information Security (“NIS”) Directive.  In line with previous committee reports, the Parliament vote ensures that the Proposed Network and Information Security Directive focuses on protecting critical infrastructure in the energy, transport, financial services and health sectors. 

The EU legislative bodies will now enter into negotiations to agree a final text.  Commissioner Kroes called earlier this week for this work to be completed this year, but this timeframe seems ambitious.Continue Reading European Parliament Votes to Ensure that the Proposed Network and Information Security Directive Focuses on Protecting Critical Infrastructure

Today, the European Parliament (EP) voted in favor of the two reports of rapporteurs Jan-Philipp Albrecht and Dimitrios Droutsas concerning the proposed General Data Protection Regulation and the proposed Directive for the law enforcement sector. The support for the report on the proposed Regulation (see here), which the LIBE Committee of the EP had adopted in October last year (see InsidePrivacy, What Companies Should Know About the LIBE Committee’s Amendments to the EU’s Proposed Data Protection Regulation, October 24, 2013), was particularly strong (621 votes in favor out of 653 votes), whereas a considerable minority (276 votes out of 677 with 371 votes in favor) voted against the report on the proposed Directive (see here).

The votes followed a debate on the reform package that took place in the plenary yesterday.  The debate was characterized by strong support for the proposed Regulation.  A few Members of the EP (MEPs) raised concerns in particular in relation to the rules applicable to small and medium-sized companies (SMEs) and the potential impact on freedom of press and health research. However, although several MEPs recognized that the proposed Regulation would not be perfect, the majority considered it to be a step into the right direction and several stressed that it would establish parity of European with non-European companies.Continue Reading European Parliament Votes in Favor of Proposed General Data Protection Regulation

Speaking at Berkeley’s Online Tracking Workshop today, Françoise Le Bail, Director-General of the European Commission’s DG Justice (the leading department regarding the EU data protection reforms) confirmed the European Commission’s vision that the EU needs stronger penalties in order to ensure effective enforcement of European data protection rules. Ms. Le Bail said that European privacy regulators should be able to impose “significant” sanctions on companies for violating EU privacy rules.

Under the current EU Data Protection Directive, dating back to 1995, each EU Member State autonomously decides on the sanctions for data protection violations, resulting in considerable differences throughout the EU. According to critics, the fines are “too small” in most Member States, particularly in comparison to the turn-over of the companies concerned. Frequently used examples are the fines imposed on Google last year by Spain and France (EUR 900,000 and EUR 150,000, respectively).Continue Reading Dissuading Companies from Violating Data Protection Rules: Senior European Commission Official Calls for ‘Significant’ Fines

Recent events in the European Parliament and European Council demonstrate that concerns over the U.S.-EU Safe Harbor Agreement are continuing to mount, and reform or even revocation of the Safe Harbor Agreement remains a possibility.  Today, Covington published a client alert that discusses recent developments involving the Safe Harbor Agreement

Continue Reading The Future of the Safe Harbor Agreement

On January 8, 2014, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced that it was imposing a fine of €150,000 on Google, as well as a requirement that Google, within eight days of the decision, publicize the fine on its own website (at

Continue Reading Google Fined by the CNIL for Privacy Breaches as European Regulators Continue Investigation

In light of growing concerns over cybersecurity and evolving technology and operational practices, Ofcom (the independent regulator and competition authority for the UK communications industries) is seeking views on whether its existing guidance on network security should be revised.  Interested parties have until 21 February 2014 to respond.   Depending on

Continue Reading Updating Ofcom’s Guidance on Network Security – New Consultation

On Tuesday, 19 November, the Regional Court of Berlin ruled against Google in a case brought by the Federation of German Consumer Associations (vzbv).  The vzbv had initiated an action for injunction against Google, requesting it to stop using certain clauses in its Terms of Use and Privacy Policy.  In Germany, consumer associations have a right to bring legal proceedings against companies that engage in commercial practices which are illegal under the Act Against Unfair Competition.

The court sided entirely with the plaintiff and ruled that Google must refrain from using the relevant (and similar) clauses in agreements with consumers in Germany. If Google breaches this prohibition monetary penalties of up to €250,000 or imprisonment of up to six months can be imposed (to be enforced against Google’s legal representatives).

The court’s reasoning is not yet available, but according to press reports the court considered the relevant clauses to be overly vague and broad and to restrict the rights of consumers. The vzbv had argued that users were “unreasonably disadvantaged.”  The court’s press release lists all the relevant clauses which the court considered to be illegal.  We break these down after the jump.  Continue Reading Berlin Court Condemns Google, Strikes Provisions in Privacy Policy and Terms

Only a few days after the leading parliamentary committee waved through the proposed amendments to the European Commission’s legislative proposal for a General Data Protection Regulation (see here and here), the EU Member States’ governments have decided to postpone the adoption of the Regulation to 2015.  Germany and the

Continue Reading European Council Taps the Breaks–Adoption of EU General Data Protection Regulation Delayed

By Mark Young

On Monday, the LIBE Committee of the European Parliament adopted proposed amendments to the Commission’s legislative proposal for a General Data Protection Regulation.  Earlier this week we summarized the vote and procedural details (here).  In this alert, we provide more detail on the amendments
Continue Reading What Companies Should Know About the LIBE Committee’s Amendments to the EU’s Proposed Data Protection Regulation

In a historic vote today, the leading parliamentary committee on the European Commission’s proposed General Data Protection Regulation, the Civil Liberties Committee (“LIBE”), adopted all compromise amendments put forward to the Commission’s original proposal. The compromise amendments had been prepared by the rapporteur, Green Member of the Parliament, Jan Philipp Albrecht, in close collaboration with his counterparts in each of the other political parties. The amendments, which covered over 80 Articles across several hundreds of pages in the proposed Regulation, represented only a small fraction of the more than 3,000 proposed amendments received by the Committee earlier this year from stakeholders and interest groups.

The vote had initially been scheduled for April, but in view of the large number of amendments, had been postponed several times (see InsidePrivacy, European Parliament’s Lead Committee for the Proposed EU General Data Protection Regulation Postpones Vote , March 21, 2013). Despite these delays, the actual voting process was rapid — in an evening meeting in Strasbourg, the Committee members adopted with an overwhelming majority en bloc all the compromise amendments as well as the draft text for the General Data Protection Regulation in less than an hour of voting. In addition to the en bloc vote, the Committee also voted separately on six particularly controversial individual compromise amendments, which were nevertheless also all adopted (three of which passed only with significantly reduced majorities, however). According to press reports, the adopted compromise amendments, which have not been officially published, contain a mixed bag for companies, including an increased level of fines and new registration requirements (in case of certain international data transfers and disclosure requests for personal data by foreign courts or authorities).

In a final key vote, the Committee also approved a mandate for Mr. Albrecht to directly start negotiations with the Council (the EU institution representing the EU Member States’ governments) and the Commission (the so-called trilogue process). In addition, in a statement before the vote, Mr. Albrecht declared the Committee’s determination that, irrespective of the outcome of the trilogue process, there will be a plenary vote in Parliament in April on the results of the process, which could, for instance, take the form of a first reading, the adoption of a mandate, or a partial agreement.  This statement indicates that the Parliament will push for rapid negotiations with the Council and the Commission in order to obtain a full vote on the final text of the proposed Regulation before the Parliament elections in May 2014.Continue Reading LIBE Committee Vote Completes Major Step Towards Adoption of EU Data Protection Regulation