Developments EU

Subscribe to Developments EU

Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.

By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth

The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.

By Gail Crawford and Calum Docherty

On October 3, 2017, the Irish High Court announced that it will make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling on the validity of the Standard Contractual Clauses, which allow companies in the European Economic Area (EEA) to transfer personal data outside of the EEA. In doing so, the Irish High Court acknowledged that, “there are well founded grounds for believing that the [Standard Contractual Clauses] are invalid,” but clarified that this was a question of EU law for the CJEU to decide.

What happened in the case?

Maximillian Schrems (an Austrian privacy campaigner who, in 2015, led a case that struck down the EU-US Privacy Shield’s forerunner, Safe Harbor) has a Facebook account. Schrems complained to the Irish Data Protection Commissioner (DPC) that Facebook Ireland Limited (Facebook Ireland) transferred his data to its US-parent, Facebook Inc. (Facebook US) for further processing.

In order to transfer personal data to a third country outside of the EEA, that third country (in this case, the US) should offer guarantees ensuring an adequate level of protection for personal data essentially equivalent to the level of protection ensured within the EEA. The European Commission (EC) has not considered the US to provide this adequate level of protection for personal data, so companies that wish to transfer data must rely on other data transfer mechanisms, including the Standard Contractual Clauses.

By Gail Crawford and Ksenia Koroleva

The Federal Law No. 87-FZ of May 1, 2017, on Amendments to the Federal Law on Information, Information Technologies, and Information Protection (the Law) came into force on July 1, 2017. The Law introduces the definition of an audiovisual service owner and regulates their activities, including imposing ownership restrictions.

The Notion of Audiovisual Service Owners

According to the Law, an audiovisual service owner is an owner of a website, a page of a website, an information system, and/or software (an Audiovisual Service):

  • Used for collating and providing access to audiovisual content
  • By paid subscription and/or funded by advertising
  • To users located in the territory of Russia
  • With more than 100,000 users a day (on average)

The following are not regarded an Audiovisual Service:

  • Information resources registered as online media in accordance with the Federal Law No. 2124-1 of December 27, 1991, on Mass Media (e.g., online media, TV-channels, TV/radio/video programs, etc.)
  • Search engines
  • Information resources which focus on hosting user-generated content under the criteria to be set by the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications (Roscomnadzor) (e.g., YouTube, RuTube, Vimeo).

By Gail Crawford, Ulrich Wuermeling, Calum Docherty

The General Data Protection Regulation (GDPR or Regulation) will become applicable in one year, as of May 25, 2018. A lot has happened since we set out the key provisions of the Regulation last year. As companies implement compliance programmes in efforts to protect data subjects and avoid hefty enforcement penalties, each EU Member State government has to pass implementation laws. Furthermore, regulators are slowly providing guidance on how to apply and interpret the GDPR.

What is happening in the EU Member States?LockRecord_384x144

The GDPR was drafted to “harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States” (Recital 3). Yet the GDPR itself provides a lot of leeway for Member States in its implementation, including room for derogations from at least 50 articles. This “margin of manoeuvre” (Recital 10) creates a degree of uncertainty for data controllers and data processors, and there are some areas where companies (especially those processing sensitive personal data, where Member States have the most flexibility) will need to wait and respond to what Member State governments are proposing.

By Ulrich Wuermeling

Well ahead of the implementation deadline for the European General Data Protection Regulation (GDPR), the German Parliament (Bundestag) passed a new Federal Data Protection Act (Bundesdatenschutzgesetz) on April 27, 2017. The Federal Council (Bundesrat) could confirm the Act before the summer, but may require further amendments. If the Parliament and the Council fail to agree, the legislative process will have to start from the beginning after the German elections in September.

The new Act retains the old title of the Bundesdatenschutzgesetz, but the content has changed completely. The GDPR is directly applicable and, therefore, the Act only complements the GDPR or regulates areas outside the scope of it. Most of the 85 Articles of the new Act deal with the public sector and the implementation of the Law Enforcement Directive. However, it also includes some provisions for the private sector based on opening clauses that either allow or require national implementation. The main German modifications for the private sector are the following:

By Ulrich Wuermeling

On January 10, 2017, the European Commission proposed a new ePrivacy Regulation (Proposal). Compared to the internal draft that was leaked in December, the official Proposal has been substantially modified. However, the general approach taken by the European Commission has not changed. The Proposal includes provisions with a broad scope of application covering over-the-top (OTT) services as well as communication between devices and all data stored on a device.

In the internal draft, the European Commission suggested

By Fiona Maclean & Calum Docherty

The Article 29 Working Party (WP29) – the group that represents the data protection authorities of all EU Member States – has published guidance and FAQs on a number of issues under the General Data Protection Regulation (GDPR).

Data Protection Officers (DPOs) (Guidance & FAQs)

DPOs are the cornerstone of the GDPR’s accountability regime. The GDPR requires that organisations must appoint a DPO when they engage in large-scale processing of personal data, large-scale regular and systematic monitoring of data subjects, or where obliged to by local law. The WP29 guidance elaborates on what these criteria mean in practice, clarifying when a DPO should be appointed. The guidance also confirms that the DPO can be an external party and is not personally responsible in the case of noncompliance with the GDPR.

By Ulrich Wuermeling

An internal Commission draft of a new ePrivacy Regulation (Draft) has been leaked to the public. The Commission plans to propose it in early 2017, but the content of the Draft does not seem near a final proposal. It is either older or still needs some time to be finalized. The Draft reveals the Commission’s priorities of extending the scope of the Regulation, reducing the number of consent notices for first party cookies, increasing privacy and confidentiality of user data and applying higher fines.

If the approach proposed by the Draft were to pass, the commercial rules for the Internet could change substantially in the EU. The ability of internet service providers to monetize services with marketing would be hampered and the users would have to pick up the bill. The economic impact analysis of the Draft simply ignores these consequences by stating that website publishers would have “small” adoption costs and not mentioning any economic impact for users. Furthermore, the Regulation would in parts isolate the EU market from global innovations by fostering data localization. The approach might shield EU based companies from unwanted competition, but would ultimately slow down the development of the digital market in the EU.

By Gail Crawford and Ulrich Wuermeling

On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a ruling on the question of whether IP addresses constitute personal data. The ruling has direct implications on the general question of when data can be regarded as anonymous and, thus, fall outside the scope of data protection law. Many statistical applications rely on the assumption that they only use anonymous data (for example for online behavioral advertising, web analytics, security monitoring or health research). Whilst the CJEU has come to the conclusion that in this specific case IP addresses can be used to identify individuals, it provides helpful guidance in other cases where there is no real likelihood of the “key” to the data that is anonymised ever ending up in the hands of the processor in question.

In the case before the CJEU, the institutions of the German Federal Government stored logfiles of users of their internet websites in order to prevent attacks and to make it possible to prosecute “pirates.” The logfiles were kept by the institutions after the user ended the session. A German data protection activist sued the Government with the aim to block such storage. He argued that the data should be regarded as personal data since the internet service provider used by the activist had knowledge about his identity and the dynamic IP addresses he used. The logfiles should be regarded as “personal data” because the internet services provider, as a third party, was able to identify the users.

By Gail Crawford and Ulrich Wuermeling

As the whole world now knows, the UK voted to leave the European Union (EU) in its historic referendum on 23rd June by a vote of 51.9 percent in favour of “leave” to 48.1 in favour of “remain”. This blog focusses on how that decision will impact both UK and global organisations’ compliance with data protection law.

The referendum does not start the exit process. To formally start the exit process, the UK has to serve notice under Article 50 of the Treaty on the European Union which triggers a period for negotiation of the terms of the UK’s exit; with exit taking effect once those negotiations have concluded, or after two years (if sooner), irrespective of what terms have (or have not) been agreed. The two year cut-off period can only be extended with unanimous consent from all EU member states.