Tag Archives: safe harbor

Commission Nationale de l’Informatique et des Libertés (CNIL)

Rules for the use of personal data in electoral campaigns

On July 2016, the France’s National Data Protection Commission (CNIL) issued a formal notice to Microsoft Cooperation urging Microsoft to make Windows 10 to comply with French data protection law. The CNIL criticized the company for tree actions:

a) tracking its users web browsing habits without their consent,

b) failing to offer proper security protections, and

c) delivering targeted advertising materials without the user’s consent.

This notification does not seek to prohibit Microsoft from using its services to advertise but seeks to enable users to make their choice freely, having been properly informed of their rights.

Consequently, the CNIL gave the company three months to comply with its orders to stop collecting personal data without the consent of those users concerned. Otherwise, the company may impose any applicable sanctions of up to 150,000 euros.

German Data Protection Authorities

German DPAs audit 500 Companies on Data Exports to countries outside the EU

On November 3, 2016, the Berlin data protection authority (DPA) in cooperation with the rest of the German DPAs (to be precise, a total of 10 German DPAs) announced in a press released that they will send formal questionnaires to approximately 500 small, medium-sized and large German companies to evaluate their cross-border data transfers.

The DPAs pointed out in the formal press release that all German companies involved in the processing of personal data must pay adequate attention to data privacy issues raised by cloud computing and software as a service (SaaS).

In this regard, DPAs warn that some German companies are not fully aware of applicable data privacy laws as they are frequently operating with cross-border data exports in cloud and SaaS services and the personal data collected is frequently being transferred to third countries outside the European Union (EU) without complying with data protection laws.

Article 29 Working Party (WP29)

Opinion of Article 29 WP29 on the EU – Privacy Shield draft adequacy decision

The Article 29 Data Protection Working Party (WP29) adopted its opinion on the EU-US Privacy Shield draft adequacy decision on April 13, 2016. The Privacy Shield saw the light after the invalidation by the Court of Justice of the European Union or CJEU (Schrems judgement) of the previous Safe Harbor agreement. The Opinion is complemented by a Working Document on the justification of interferences with the fundamental rights to privacy and data protection through surveillance when transferring personal data (European Essential Guarantees).

Months before, on October 2015, the WP29 stated that an assessment of the consequences of the Schrems decision with respect to all mechanism permitting data transfers to the US will be carried out. The WP29 proceed then to inventor and examine the jurisprudence of the CJEU as regards to Articles 7, 8 and 47 of the European Union Charter of Fundamental Rights and the Jurisprudence as well as the of the European Court of Human Rights related to Article 8 of the European Convention on Human Rights dealing with surveillance issues. The conclusions of this assessment led to the four European Essential Guarantees.

The Opinion of the WP29 includes an assessment of the Guarantees for data transfer to the US. According to it, the Privacy Shield includes significant improvements compared to the EU-US Safe Harbor framework. However, major points of concern remain and further clarification is needed in several aspects. The Working Party stressed the general complexity and lack of clarity regarding the Privacy Shield and expressed concerns with respect to both the commercial and national security aspects of the new framework.


Information Commissioner’s Office (ICO)

Safe Harbor: Calmer waters on the horizon 

“When David Smith wrote about Safe Harbor back in October, he spoke about a critical few months that he hoped would see the emergence of Safe Harbor 2.0.

That process has taken a little longer than hoped, but after much activity in Brussels and Washington last week the European Commission announced the EU-US Privacy Shield. The Shield is intended to replace the Safe Harbor framework, previously recognised as providing adequate protection for personal data transferred from the EU to Safe Harbor member companies in the USA.

The Article 29 Working Party, which is the grouping of European data protection authorities including the ICO, has consistently called for the European Commission and USA authorities to conclude their discussions on a replacement for Safe Harbor by the end of January. That deadline was met (just). The group met in Brussels last week to assess the latest position, as we said we would do back in October. The statement released on the back of that meeting last week welcomed the fact that the negotiations had concluded and the process to analyse what is proposed can start soon.

It is too early to say whether the new Shield provides adequate protection for personal data passed from the EU to the USA. The Article 29 Working Party will provide an opinion to the European Commission about the Shield, as envisioned under Article 30(1)(b) of the Data Protection Directive. It will also continue its work in assessing whether other transfer tools, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs) can act as effective safeguards for personal data transferred to the USA.

We’re very much aware that organisations have been seeking clarity about how they can transfer data to the USA in compliance with the Data Protection Act. Until the Article 29 Working Party has produced its opinion on the Shield, there is not any new guidance for organisations at this stage – they must wait until the process of assessing the Shield is complete and the European Commission has made a formal decision on adequacy.

We’re clear that organisations can continue to use other tools such as SCCs and BCRs for transfers to the USA. Organisations should continue to take stock of the transfers they make and have a proper understanding of the legal basis, so that they are in a good position to act, should they need to. It may be useful to contact organisations in the USA to which you transfer personal data to highlight the possibility that the Shield may need to be considered in future.

The Article 29 statement mentions that data protection authorities will consider complaints about transfers under Safe Harbor. Our position remains the same as in October – whilst complaints can be considered the usual ICO regulatory policy will be applied. We will be guided by the risk posed to individuals and steps that can be reasonably expected of data controllers. We will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome.”

Commission Nationale de l’Informatique et des Libertés (CNIL)

CNIL states that Facebook is breaching data protection rules

On 8 February 2016, the Commission Nationale de l’Informatique et des Libertés (CNIL) issued a formal notice to Facebook after an investigation where several actions were violating users privacy under Data Protection French Act.

In this regard, the CNIL identified that Facebook has been collecting the information of Internet individuals who did not have accounts on its platform but who visited public Facebook pages and their cookies were used to track their browsing activities. Therefore, the social network failed to get users consent and did not appropriately inform users of the techniques on which it used their cookies violating their fundamental rights and interests, including their right to respect for private life. Apart from that, Facebook has been collecting sensible data of users such as sexual orientations, political views and affiliations, and religion without the explicit consent of account holders.

Finally, the CNIL also ordered Facebook to stop transferring user data to the US under the Safe Harbor Agreement following the ruling that invalidated data transfer between EU and US and for which a replacement Act called EU-US Privacy Shield has been negotiated.