Category Archives: Cooperation cases

Cooperation cases

Commission Nationale de l’Informatique et des Libertés (CNIL)

The passing of the Digital Republic Bill: its implications for organizations

On October 2016, the New Digital Republic Bill (hereinafter, the Bill) passed in France and significant changes for organisations have been implemented.

Now, data subjects have the right to access and control their personal information including: how long their data is stored, how will be used and the right to be forgotten or the right to request that personal data be removed without delay in case of minors.

It also contains the provision for any interested person to obtain, free of charge, a copy of any of his data resulting from the use of a online service provided by a service provider, except for data that has been significantly enriched by the service provider.

In addition, sanctions to be taken by the Commission Nationale de l’Informatique et des Libertés CNIL) have increased from €150,000 up to €3 Million euros in accordance with the new General Data Protection Regulation (GDPR) that will come into force in 2018.

Agencia Española de Protección de Datos (AEPD)

The AEPD starts an investigation to evaluate the Yahoo´s largest data breach

On 15 December 2016, Yahoo admitted that a large cyber attack affected more than a billion personal accounts worldwide which include different personal information such as names, email addresses, phone numbers, photos and other personal files stored online and even passwords and other encrypted or unencrypted security codes. This disclosure follows September’s incident in which the company admitted the theft ascribed to an unnamed foreign government that affected more than 500 million users dating back to 2014.

Yahoo breach is now being investigated and causes are under investigation. Meanwhile, it’s notifying users who may have been affected by the breach and making them changes their passwords.

The Director of the Spanish Data Protection Agency (AEPD) has expressed her intention to open an investigation to clarify the massive theft of data. In this regard, the AEPD is considering whether to impose sanctions if it determines that Yahoo has not informed users of a security breach.

Article 29 Working Party (WP29)

Letter to WhatsApp of 27 October 2016 relating to WhatsApp’s Terms of Service and Privacy Policy

The Article 29 Working Party has asked WhatsApp to send it information on the data that will be shared and the sources of the data (“e.g. data from the users’ phones or data already stored on company servers”) and those who will receive the data. The Article 29 WP has severe concerns regarding the manner in which the information related to the Terms of Service and Privacy Policy users (updated in August 2016) and about the validity of the users’ consent.

WhatsApp had already been warned by a German DPA and the CNIL.

Information Commissioner’s Office (ICO)

ICO’s blog on its international work

Blog post from multiple authors at the ICO detailing some of the ICO’s recent international cooperation work: including a meeting between EU supervisory bodies for the eIDAS regulation, a visit from senior investigators from the Office of the Privacy Commissioner of Canada, and participation in the 28th European Case Handling Workshop.

German Data Protection Authorities

German DPAs audit 500 Companies on Data Exports to countries outside the EU

On November 3, 2016, the Berlin data protection authority (DPA) in cooperation with the rest of the German DPAs (to be precise, a total of 10 German DPAs) announced in a press released that they will send formal questionnaires to approximately 500 small, medium-sized and large German companies to evaluate their cross-border data transfers.

The DPAs pointed out in the formal press release that all German companies involved in the processing of personal data must pay adequate attention to data privacy issues raised by cloud computing and software as a service (SaaS).

In this regard, DPAs warn that some German companies are not fully aware of applicable data privacy laws as they are frequently operating with cross-border data exports in cloud and SaaS services and the personal data collected is frequently being transferred to third countries outside the European Union (EU) without complying with data protection laws.

Office of the Information Commissioner

Update on litigation involving Facebook and Maximilian Schrems: Explanatory memo

On 31 May 2016, the Data Protection Commissioner (DPC) commenced proceedings in the Irish High Court. The purpose of the proceedings is to seek a reference to the Court of Justice of the European Union (CJEU) in relation to the “standard contractual clauses” mechanism under which, at present, personal data can be transferred from the EU to the US.

While the DPC does not seek any specific relief against Mr Schrems or Facebook Ireland Limited (FB), both of those parties were joined to the proceedings because the outcome of the case will impact on the DPC’s consideration of Mr Schrems’ complaint against Facebook (see further below). By joining Mr Schrems and FB to the proceedings, the DPC also ensured that those parties would have an opportunity (but not an obligation) to participate in the proceedings.

The purpose of this note is to explain the background to the case, the reasons why the DPC has taken the case and the current position in the High Court as of September 2016.

Information Commissioner’s Office (ICO)

The what, why and how of transferring data to the USA

ICO blog post on the impacts of the collapse of the Safe Harbour arrangement following the Court of Justice of the European Union’s decision on the Schrems case, finding that the Safe Harbor arrangement did not ensure adequate protection for personal data transferred from the EU to the US in line with the eight data protection principle. The post includes some contextual background, the implications for organisations, the need to act, and potential future developments.

Article 29 Working Party (WP29)

WP29 issues Opinion on the evaluation and review of the ePrivacy Directive

On July 19th, 2016, the WP29 presented an Opinion on the evaluation and review of the e-Privacy Directive (2002/58/EC). For the WP29, a thorough revision of the rules in the e-Privacy Directive is necessary in order to take into account the technological developments in the digital market and the recent adoption of the General Data Protection Regulation (GDPR).

Background information

The revision of the e-Privacy Directive is part of the Digital Single Market Strategy, announced by the European Commission (EC) on May 2015. The EC started the review of the Directive in 2015 by requesting a study about the transposition and effectiveness of the privacy related articles of the e-Privacy Directive as well as about the relationship between the Directive and the GDPR. A report[1] was published in June 2015. The EC launched in April 2016 a public consultation, open to citizens, legal entities and public authorities. The Commission consulted stakeholders on both the retrospective evaluation and the possible changes to the current e-Privacy Directive. The Opinion of the WP29 responds to this call. The EC intends to use the feedback provided from the consultation to prepare a new legislative proposal, which is expected by the end of 2016.


<<Annual Report 2015>> Datatilsynets årsberetning 2015

The annual report for the Danish data protection authority for 2015, published in 2016, includes a section on the international cooperation activities of the Danish DPA over the year, including activities related to the joint supervisory boards of Europol, Schengen visa system, EURODAC.