By Ulrich Wuermeling

Well ahead of the implementation deadline for the European General Data Protection Regulation (GDPR), the German Parliament (Bundestag) passed a new Federal Data Protection Act (Bundesdatenschutzgesetz) on April 27, 2017. The Federal Council (Bundesrat) could confirm the Act before the summer, but may require further amendments. If the Parliament and the Council fail to agree, the legislative process will have to start from the beginning after the German elections in September.

The new Act retains the old title of the Bundesdatenschutzgesetz, but the content has changed completely. The GDPR is directly applicable and, therefore, the Act only complements the GDPR or regulates areas outside the scope of it. Most of the 85 Articles of the new Act deal with the public sector and the implementation of the Law Enforcement Directive. However, it also includes some provisions for the private sector based on opening clauses that either allow or require national implementation. The main German modifications for the private sector are the following:

By Fiona Maclean & Calum Docherty

The Article 29 Working Party (WP29) – the group that represents the data protection authorities of all EU Member States – has published guidance and FAQs on a number of issues under the General Data Protection Regulation (GDPR).

Data Protection Officers (DPOs) (Guidance & FAQs)

DPOs are the cornerstone of the GDPR’s accountability regime. The GDPR requires that organisations must appoint a DPO when they engage in large-scale processing of personal data, large-scale regular and systematic monitoring of data subjects, or where obliged to by local law. The WP29 guidance elaborates on what these criteria mean in practice, clarifying when a DPO should be appointed. The guidance also confirms that the DPO can be an external party and is not personally responsible in the case of noncompliance with the GDPR.

By Gail Crawford and Ulrich Wuermeling

As the whole world now knows, the UK voted to leave the European Union (EU) in its historic referendum on 23rd June by a vote of 51.9 percent in favour of “leave” to 48.1 in favour of “remain”. This blog focusses on how that decision will impact both UK and global organisations’ compliance with data protection law.

The referendum does not start the exit process. To formally start the exit process, the UK has to serve notice under Article 50 of the Treaty on the European Union which triggers a period for negotiation of the terms of the UK’s exit; with exit taking effect once those negotiations have concluded, or after two years (if sooner), irrespective of what terms have (or have not) been agreed. The two year cut-off period can only be extended with unanimous consent from all EU member states.

By Ulrich Wuermeling, Gail Crawford and Jennifer Archie

Earlier this week, the European Commission announced that a “political” agreement has been reached on a new framework for data flows from the EU to the US. The announcement highlights a few changes from the old Safe Harbor regime, such as more direct and active oversight by US regulators, more stringent privacy protections, and establishing an ombudsman at the State Department for EU citizens who wish to complain about data protection matters. However, as a legal and compliance matter, US companies who previously relied upon Safe Harbor to transfer EU data take significant compliance risk if they do nothing in anticipation of newly branded EU-US Privacy Shield framework being formally approved, given it is not yet documented and will be subject to review by the EU data protection supervisory authorities in the so-called Article 29 Working Party as well as representatives of the Member States and the European Parliament.

By Ulrich Wuermeling

A political compromise has been reached on the new European Data Protection Regulation. On December 15, 2015, the negotiators in the so-called “informal trilogue” between the Council, the Parliament and the European Commission closed the final issues. Meanwhile, the Luxembourg Presidency informed the LIBE-Committee of the Parliament as well as the Permanent Representatives Committee of the Member States about the outcome. The LIBE-Committee will review the final changes on December 17, 2015, but the aim is not

By Gail Crawford and Andrea Stout

On December 7th, members of the European Parliament (MEPs) and the Luxembourg Presidency of the EU Council of Ministers provisionally agreed to the text of the long awaited network and information security directive also known as the cybersecurity directive (Directive).

While the text of the proposed Directive has yet to be released publicly, press releases indicate that the Directive will introduce new requirements for certain organizations to implement security measures to prevent

By Ulrich Wuermeling

Almost four years after the European Commission introduced their draft for a new European Data Protection Regulation, negotiators of the European Parliament and Council are close to agreeing on a compromise text, set for December 15, 2015. If the final negotiations in the so-called “informal trilogue” are successful, the legislative process can be formally finalized at the beginning of next year and the Regulation will become applicable two years later. During that period, businesses established in the

By Ulrich Wuermeling

On November 6, the European Commission issued a comprehensive Communication on the consequences of the Schrems Judgment of the Court of Justice of the European Union (ECJ). In the Communication, the Commission puts national data protection authorities in their place by stating that Model Contracts are a valid alternative measure to provide adequate safeguards for data transfers to the US. According to the Commission, even in countries where use of the Model Contracts require permission by national data protection authorities, such permission has to be granted if the Model Contracts are used without modifications. Only the ECJ would have the power to invalidate the Commission Decisions on Model Contracts. According to the Schrems Judgement, the rights of the data protection authorities with respect to such Decisions are limited to examining them and bringing proceedings against them in court, if the authority believes adequate protection has not been provided.

On October 16, the data protection authorities as organized in the so-called Article 29 Working Party claimed in a Statement that they will continue their analysis on the impact of the Schrems Judgment on other transfer tools. Prior to that Statement, some regional data protection authorities had gone further and claimed that current reliance upon Model Contracts as an alternative transfer mechanism could be inadmissible after the Schrems Judgment (notably the data protection authority of Schleswig-Holstein and Rheinland-Pfalz in Germany). A joint Statement of the German data protection authorities followed and caused further confusion. It stated that the data protection authorities will not give permission to data transfers based on data export contracts. However, the Statement only referred to individually drafted data export contracts which are rarely used in practice anyway. One has to keep in mind that in Germany the use of Model Contracts does not need permission by data protection authorities in any event.

By Brian Meenagh

On October 26, 2015, Raja Al Mazrouei, the Commissioner for Data Protection for the Dubai International Financial Centre (the DIFC), issued guidance on the adequacy of US Safe Harbor for the purpose of exporting personal data from the DIFC. The guidance is significant for organisations that transfer personal data from the DIFC to the US and such organisations should urgently review the basis upon which they transfer personal data from the DIFC to the US to ensure that they continue to comply with the DIFC Data Protection Law (No 1 of 2007).

The guidance follows the decision of the European Court of Justice (the ECJ) in Case C-362/14 – Maximillian Schrems v Data Protection Commissioner that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbor Adequacy Decision), is invalid.

The key message from the guidance is that:

“the invalidation of the Adequacy Decision by the ECJ provides cause for the Commissioner to reconsider the adequacy status previously afforded under the Law to US Safe Harbor Recipients. However, the Commissioner also understands that there are ongoing negotiations between Europe and US authorities towards an improved Safe Harbor framework and that these negotiations are well advanced.

By Ulrich Wuermeling

On October 26, the European Commissioner Věra Jourová addressed the Parliament Committee on Civil Liberties, Justice and Home Affairs to discuss the consequences of the Schrems Judgment of the Court of Justice of the European Union (ECJ).

Jourová commented on the status of the negotiations with the US to find a new solution for data transfers: “There is agreement on these matters in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court.” She plans to visit the US mid-November and hopes to make further progress on a new arrangement with the US.