Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an opinion by the Article 29 Working Party, representing, among other things, the EU’s data protection authorities, is a key next step that will shape enforcement and data transfer options for companies in the post-Schrems environment.  Until then, here is a summary of the approach that some of the national DPAs are taking:

On Thursday, the Court of Justice of the EU ordered Sweden to pay a lump sum of €3 million for failure to transpose the EU’s Data Retention Directive (the “Directive”) into national law within the prescribed period.  The Directive obliges electronic communications service providers to store information about communications for a period of 6 – 24 months in case they are needed by law enforcement authorities.  The deadline for EU Member States to transpose the Directive had expired on September 15, 2007.  In 2010, following an initial action brought by the European Commission, the Court held that Sweden had exceeded the time limit for adopting the laws, regulations and administrative provisions necessary to comply with the Directive.

In 2011, the Commission brought a subsequent action, asking the Court to order Sweden to pay a daily penalty for each day that Sweden delays in complying with that judgment.  In March 2012, however, the Swedish Parliament adopted measures transposing the Directive into Swedish legislation.  As a result, the Commission withdrew the request for a daily penalty payment, but maintained its claim regarding the payment of a lump sum.

In Thursday’s judgment, the Court held that it was necessary to order Sweden to make a lump sum payment as it had failed to fulfill its obligations under EU law.  In particular, the Court considered the impact of Sweden’s failure on both public and private interests, especially in view of the Directive’s aim to ensure that electronic communications data are available for the purpose of the investigation, detection and protection of serious crime. In calculating the amount, the Court also considered that the infringement had continued for over two years and the fact that Sweden was a first-time “offender.”

Recently, the Swedish Data Protection Authority (“DPA”) published a review of the use of cloud services, informed by the practices of three Swedish municipalities’ use of services from leading cloud providers.  Based on the study, the DPA has published guidelines (currently only available in Swedish) that clarify the requirements of Swedish data protection law with