Developments EU

Subscribe to Developments EU via RSS

By Fiona Maclean & Calum Docherty

The Article 29 Working Party (WP29) – the group that represents the data protection authorities of all EU Member States – has published guidance and FAQs on a number of issues under the General Data Protection Regulation (GDPR).

Data Protection Officers (DPOs) (Guidance & FAQs)

DPOs are the cornerstone of the GDPR’s accountability regime. The GDPR requires that organisations must appoint a DPO when they engage in large-scale processing of personal data, large-scale regular and systematic monitoring of data subjects, or where obliged to by local law. The WP29 guidance elaborates on what these criteria mean in practice, clarifying when a DPO should be appointed. The guidance also confirms that the DPO can be an external party and is not personally responsible in the case of noncompliance with the GDPR.

By Ulrich Wuermeling

An internal Commission draft of a new ePrivacy Regulation (Draft) has been leaked to the public. The Commission plans to propose it in early 2017, but the content of the Draft does not seem near a final proposal. It is either older or still needs some time to be finalized. The Draft reveals the Commission’s priorities of extending the scope of the Regulation, reducing the number of consent notices for first party cookies, increasing privacy and confidentiality of user data and applying higher fines.

If the approach proposed by the Draft were to pass, the commercial rules for the Internet could change substantially in the EU. The ability of internet service providers to monetize services with marketing would be hampered and the users would have to pick up the bill. The economic impact analysis of the Draft simply ignores these consequences by stating that website publishers would have “small” adoption costs and not mentioning any economic impact for users. Furthermore, the Regulation would in parts isolate the EU market from global innovations by fostering data localization. The approach might shield EU based companies from unwanted competition, but would ultimately slow down the development of the digital market in the EU.

By Gail Crawford and Ulrich Wuermeling

On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a ruling on the question of whether IP addresses constitute personal data. The ruling has direct implications on the general question of when data can be regarded as anonymous and, thus, fall outside the scope of data protection law. Many statistical applications rely on the assumption that they only use anonymous data (for example for online behavioral advertising, web analytics, security monitoring or health research). Whilst the CJEU has come to the conclusion that in this specific case IP addresses can be used to identify individuals, it provides helpful guidance in other cases where there is no real likelihood of the “key” to the data that is anonymised ever ending up in the hands of the processor in question.

In the case before the CJEU, the institutions of the German Federal Government stored logfiles of users of their internet websites in order to prevent attacks and to make it possible to prosecute “pirates.” The logfiles were kept by the institutions after the user ended the session. A German data protection activist sued the Government with the aim to block such storage. He argued that the data should be regarded as personal data since the internet service provider used by the activist had knowledge about his identity and the dynamic IP addresses he used. The logfiles should be regarded as “personal data” because the internet services provider, as a third party, was able to identify the users.

By Gail Crawford and Ulrich Wuermeling

As the whole world now knows, the UK voted to leave the European Union (EU) in its historic referendum on 23rd June by a vote of 51.9 percent in favour of “leave” to 48.1 in favour of “remain”. This blog focusses on how that decision will impact both UK and global organisations’ compliance with data protection law.

The referendum does not start the exit process. To formally start the exit process, the UK has to serve notice under Article 50 of the Treaty on the European Union which triggers a period for negotiation of the terms of the UK’s exit; with exit taking effect once those negotiations have concluded, or after two years (if sooner), irrespective of what terms have (or have not) been agreed. The two year cut-off period can only be extended with unanimous consent from all EU member states.

By Gail Crawford and Lore Leitner

Today, after more than four years of debate, the General Data Protection Regulation (GDPR, or the Regulation) enters into force. The GDPR will introduce a rigorous, far-reaching privacy framework for businesses that operate, target customers or monitor individuals in the EU. The Regulation sets out a suite of new obligations and substantial fines for noncompliance. Businesses need to act now to ensure that they are ready for when the Regulation becomes enforceable after the

By Mikhail Turetsky, Ksenia Koroleva and Lore Leitner

On July 13, 2015, the Russian President signed Federal Law No. 264-FZ (the Law), which introduced a range of amendments into Russian legislation (the Amendments). In particular, the principle of the “right to be forgotten”, a concept not previously recognized under Russian law came into effect on January 1, 2016.

Amendments

The Law introduced the right for individuals to request that search engine operators delete links to certain information relating to the individuals from searches run on the individuals’ names or surnames. The Law applies only to individuals and does not mention legal entities.

By Ulrich Wuermeling, Jennifer Archie & Lore Leitner

On March 17, 2016, the Civil Liberties Committee convened to discuss whether the Privacy Shield framework that will replace Safe Harbor provides adequate protection to the data of EU citizens. A number of experts were questioned including: the US lead negotiator, the EU Data Protection Supervisor, members of the Article 29 Working Party and Max Schrems, whose court case against Facebook led to Safe Harbor’s downfall.

The meeting of the Civil Liberties Committee follows on from the European Commission’s publication last month of the legal texts that will form the basis of the EU-US Privacy Shield and a Communication summarizing the action taken to rebuild trust in the data flows from the EU to the US. The European Commission also made public a draft “adequacy decision” establishing that the safeguards provided under the Privacy Shield are equivalent to the EU data protection standards. The documents provide a better idea of the substance and structure of the Privacy Shield, announced by the European Commission on February 2, 2016 and confirm the US commitment to ensuring that there will be no indiscriminate mass surveillance by its national security authorities.

Focus areas of the Privacy Shield

From the material made public, the new framework focuses on four areas:

By Ulrich Wuermeling, Gail Crawford and Jennifer Archie

Earlier this week, the European Commission announced that a “political” agreement has been reached on a new framework for data flows from the EU to the US. The announcement highlights a few changes from the old Safe Harbor regime, such as more direct and active oversight by US regulators, more stringent privacy protections, and establishing an ombudsman at the State Department for EU citizens who wish to complain about data protection matters. However, as a legal and compliance matter, US companies who previously relied upon Safe Harbor to transfer EU data take significant compliance risk if they do nothing in anticipation of newly branded EU-US Privacy Shield framework being formally approved, given it is not yet documented and will be subject to review by the EU data protection supervisory authorities in the so-called Article 29 Working Party as well as representatives of the Member States and the European Parliament.

By Ulrich Wuermeling

A political compromise has been reached on the new European Data Protection Regulation. On December 15, 2015, the negotiators in the so-called “informal trilogue” between the Council, the Parliament and the European Commission closed the final issues. Meanwhile, the Luxembourg Presidency informed the LIBE-Committee of the Parliament as well as the Permanent Representatives Committee of the Member States about the outcome. The LIBE-Committee will review the final changes on December 17, 2015, but the aim is not

By Gail Crawford and Andrea Stout

On December 7th, members of the European Parliament (MEPs) and the Luxembourg Presidency of the EU Council of Ministers provisionally agreed to the text of the long awaited network and information security directive also known as the cybersecurity directive (Directive).

While the text of the proposed Directive has yet to be released publicly, press releases indicate that the Directive will introduce new requirements for certain organizations to implement security measures to prevent