Tag Archives: Privacy Shield

German Data Protection Authorities

German DPAs audit 500 Companies on Data Exports to countries outside the EU

On November 3, 2016, the Berlin data protection authority (DPA), in cooperation with the rest of the German DPAs (to be precise, a total of 10 German DPAs), announced in a press release that they will send formal questionnaires to approximately 500 small, medium-sized and large German companies to evaluate their cross-border data transfers.

The DPAs pointed out in the formal press release that all German companies involved in the processing of personal data must pay adequate attention to data privacy issues raised by cloud computing and software as a service (SaaS).

In this regard, the DPAs warn that some German companies are not fully aware of applicable data privacy laws: they frequently rely on cloud and SaaS services that involve cross-border data exports, and the personal data collected is frequently transferred to third countries outside the European Union (EU) without complying with data protection laws.

Data Protection Commissioner

Statement by the Office of the Data Protection Commissioner in respect of application for Declaratory Relief in the Irish High Court and Referral to the CJEU

The Office of the Data Protection Commissioner issued a press release announcing that:

“We continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”

Data Protection Commissioner

Lack of regulation on the new “Privacy Shield” framework in Ireland

In February 2016, the European Commission (EC) and the United States (US) agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield. The new legal text replaces the Safe Harbour framework, which was declared invalid by the Court of Justice (CJEU) last October.

This new framework includes not only commitments in the commercial sector, but also access to personal data by public authorities for national security purposes. Furthermore, the draft “adequacy decision” has been included for all US companies providing services on the EU market.

The Data Protection Commissioner (DPC) has inadvertently found itself in the position of chief data regulator for the EU. According to Germany and other EU member states, Ireland’s data protection regime is too lenient, despite efforts made by the data protection commissioner.

Most of Europe’s largest technology organisations have a base in Ireland. Thus, any impediment to their ability to do business in Europe would affect Ireland most, since companies are worried about personal data transfers to the US.

Therefore, the DPC is taking a cautious stance on the new data protection framework. A blizzard of tech rulings is expected to be given in the following weeks.

Information Commissioner’s Office (ICO)

Safe Harbor: Calmer waters on the horizon 

“When David Smith wrote about Safe Harbor back in October, he spoke about a critical few months that he hoped would see the emergence of Safe Harbor 2.0.

That process has taken a little longer than hoped, but after much activity in Brussels and Washington last week the European Commission announced the EU-US Privacy Shield. The Shield is intended to replace the Safe Harbor framework, previously recognised as providing adequate protection for personal data transferred from the EU to Safe Harbor member companies in the USA.

The Article 29 Working Party, which is the grouping of European data protection authorities including the ICO, has consistently called for the European Commission and USA authorities to conclude their discussions on a replacement for Safe Harbor by the end of January. That deadline was met (just). The group met in Brussels last week to assess the latest position, as we said we would do back in October. The statement released on the back of that meeting last week welcomed the fact that the negotiations had concluded and the process to analyse what is proposed can start soon.

It is too early to say whether the new Shield provides adequate protection for personal data passed from the EU to the USA. The Article 29 Working Party will provide an opinion to the European Commission about the Shield, as envisioned under Article 30(1)(b) of the Data Protection Directive. It will also continue its work in assessing whether other transfer tools, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs) can act as effective safeguards for personal data transferred to the USA.

We’re very much aware that organisations have been seeking clarity about how they can transfer data to the USA in compliance with the Data Protection Act. Until the Article 29 Working Party has produced its opinion on the Shield, there is not any new guidance for organisations at this stage – they must wait until the process of assessing the Shield is complete and the European Commission has made a formal decision on adequacy.

We’re clear that organisations can continue to use other tools such as SCCs and BCRs for transfers to the USA. Organisations should continue to take stock of the transfers they make and have a proper understanding of the legal basis, so that they are in a good position to act, should they need to. It may be useful to contact organisations in the USA to which you transfer personal data to highlight the possibility that the Shield may need to be considered in future.

The Article 29 statement mentions that data protection authorities will consider complaints about transfers under Safe Harbor. Our position remains the same as in October – whilst complaints can be considered the usual ICO regulatory policy will be applied. We will be guided by the risk posed to individuals and steps that can be reasonably expected of data controllers. We will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome.”