The European Commission has today published its Report on the first annual review of the EU-U.S. Privacy Shield (the Report is accompanied with a Staff Working Document, Infographic, and Q&A).  The Commission concludes that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to Privacy Shield-certified companies in the United States.  With its conclusion, the Commission also makes a number of recommendations to further improve the Privacy Shield framework.  The Report follows a joint press statement by the U.S. Secretary of Commerce and EU Commissioner Jourová on September 21, 2017, closing the review and reaffirming that the “United States and the European Union share an interest in the [Privacy Shield] Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”

Background

The EU-U.S. Privacy Shield is a framework that effects the lawful transfer of personal data from the EEA to Privacy Shield-certified companies in the U.S.  The Privacy Shield framework was unveiled by the EU and United States on July 12, 2016 and the Privacy Shield framework became operational on August 1, 2016.  To date, there are over 2,400 in companies (including more than 100 EU-based companies) that have certified, with 400 applications under review.

The Privacy Shield provides an annual review and evaluation procedure intended to regularly verify that the findings of the Commission’s adequacy decision are still factually and legally justified.  Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce and the European Commission, with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  In preparation for the Review, the Commission also sought feedback from a number of trade associations, NGOs, and certified companies.  (See our earlier posts on the purpose of the first annual review here and here.)
Continue Reading EU Commission Concludes Privacy Shield “Adequate” in first Annual Review

On October 3, 2017, the Irish High Court referred Data Protection Commissioner v Facebook Ireland Limited [2016 No. 4809 P.] to the Court of Justice of the European Union (“CJEU”).  The case, commonly referred to as Schrems II, is based on a complaint by Max Schrems concerning the transfer of personal data by Facebook, from Ireland to the United States, using the EU Standard Contract Clauses (“SCCs”).

Background

The SCCs are a European Commission-approved mechanism to legally effect the transfer of personal data from the EEA to third (non-EEA) countries.  The SCCs provide for a contractual arrangement between a EEA-based data exporter and a non-EEA-based data importer of personal data, under which the data importer agrees to abide by EU privacy standards.
Continue Reading Validity of EU Standard Contractual Clauses Referred to CJEU

On September 13, 2017, the UK Government published a new Data Protection Bill regulating the use of individuals’ personal data.

The Bill, which is intended to replace the UK Data Protection Act 1998, would serve a range of functions, most notably setting out how the UK intends to make use of its leeway to derogate from basic rules in the new EU General Data Protection Regulation 2016/679 (the “GDPR”).  For instance, the GDPR allows countries in the EU to modify its rules or introduce additional sanctions where necessary to protect freedom of expression, research, or other public interest objectives.

The Bill would also apply “GDPR-like” rules to data that is not covered by the GDPR (such as data in unstructured paper-based files), implement of the new EU Police and Criminal Justice Data Protection Directive (the “PCJ DPD”), and set down privacy and data security rules for its intelligence agencies.

The Bill will now undergo further debate and amendment, and should hopefully clear both Houses of Parliament in advance of May 25, 2018, when the GDPR will become law in the UK subject to any modifications implemented by the Bill.

This post discusses some of the Bill’s salient points for commercial organizations.
Continue Reading UK Government Publishes New Data Protection Bill

On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on GDPR contracts and liabilities on contracts between controllers and processors under the GDPR (the “Guidance”).  The ICO is consulting on the Guidance until 10 October.  We summarize the key aspects of the Guidance below.
Continue Reading GDPR Contracts and Liabilities Between Controllers and Processors

On September 5, 2017, the Grand Chamber of the European Court of Human Rights (“ECtHR”) issued its ruling on appeal in the case of Bărbulescu v. Romania, concerning alleged unlawful workplace monitoring of Mr. Barbulescu’s private communications.

Overturning the ECtHR’s prior ruling in the case (covered by Inside Privacy here), the Grand Chamber held that Romanian courts had not adequately and fairly weighed up the competing interests of Mr Barbulescu and his employer.  That defect of justice meant that Romania had failed to proactively protect Mr Barbulescu’s right to privacy, as required by its membership of the European Convention on Human Rights.

The Grand Chamber held that Mr Barbulescu’s right to privacy extended to his workplace, despite his private use of a work computer constituting a breach of his rules of employment.  The Grand Chamber held that while privacy in the workplace can be restricted “as necessary,” “an employer’s instructions cannot reduce private social life in the workplace to zero,” since the right to privacy does not necessarily depend on an individual’s reasonable expectations, and can be enjoyed in public and in the workplace, notwithstanding prohibitions and warnings given to the individual.  A fulsome balancing exercise was therefore required in cases such as these.

The Grand Chamber underlined that provided national courts undertake an adequate balancing exercise, they have some discretion as to the actual result (i.e. whether the employer’s or employee’s rights prevail in a given case).  Similar discretion is also enjoyed by national legislators and constitutions when setting underlying rules on workplace privacy, provided such rules – and a means to enforce them – are actually in place.

Nevertheless, the ruling states that workplace monitoring must always be limited to what is necessary for a legitimate purpose, and should be accompanied by a range of safeguards, normally including prior notice to employees – particularly when the content of communications is concerned.
Continue Reading New Ruling in European Employee Monitoring Case

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so.  The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next.  A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.
Continue Reading UK Government Proposes Cybersecurity Law with Serious Fines

By Lisa Peets and Rosie Klement

On July 14, 2017, the Impact Assessment Institute (“IAI”) (an independent institute committed to impartial impact assessment and scientific evaluation of policy and legislation in the EU) published a study assessing the impact assessment carried out by the European Commission in connection with the Commission’s proposal for a new E-Privacy Regulation (“EPR”).  The IAI study is critical of the Commission’s impact assessment, and – by extension – the Commission’s case for the new EPR itself.

Background on the Impact Assessment and EPR

The EPR is the Commission’s proposed update to the existing EU E-Privacy Directive, and is intended to complement the EU’s broader data protection regime (as set out in the General Data Protection Regulation, “GDPR”).  The EPR would introduce a number of rules, including a provision protecting the confidentiality of communications that would regulate traditional telecoms services, and new “over-the-top” (“OTT”) services such as VoIP, web email, and instant messaging, among others.  The Commission EPR proposal is currently progressing through the legislative process in both the European Parliament and Council.

When formulating new proposals for regulations such as the EPR, the Commission prepares impact assessments in accordance with the Better Regulation Guidelines (detailed guidance intended to improve the quality of the Commission’s law-making).  The Commission duly prepared an impact assessment for the EPR, which was published alongside the text of the EPR legislative proposal on January 10, 2017 (the “Impact Assessment”).
Continue Reading Impact Assessment Institute Releases Report Critical of Commission’s Case for E-Privacy Regulation

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30,  2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system.  On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.
Continue Reading ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

By Dan Cooper and Rosie Klement

The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context.  Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming into force on May 25, 2018 under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

The WP29 released the guidance partly as a result of the GDPR, but also due to the number of new technologies that have been adopted since previous WP29 publications relating to personal data in the workplace (see Opinion 8/2001 on the processing of personal data in the employment context and the 2002 Working Document on the surveillance of electronic communications in the workplace).  As the WP29 observes, these new technologies enable extensive systematic processing of employees’ personal data and present significant challenges to privacy and data protection.

The new guidance is not restricted to the protection of persons with an employment contract, but is more expansive in scope and intended to cover a range of individuals in an employment relationship with an organization, such as applicants and part-time workers (the term “employee” applies broadly in all such contexts).  The guidance discusses a number of distinct employment scenarios: processing operations during the recruitment and employee screening stage; processing for monitoring ICT usage in and out of the workplace; time, attendance and video monitoring; processing relating to employees’ use of vehicles; as well as the disclosure of employee data to third parties and international transfers of personal data.
Continue Reading EU Article 29 Working Party Releases Extensive GDPR Guidance on Data Processing at Work