Legislation & Regulation

Subscribe to Legislation & Regulation via RSS

By Ulrich Wuermeling

Almost four years after the European Commission introduced their draft for a new European Data Protection Regulation, negotiators of the European Parliament and Council are close to agreeing on a compromise text, set for December 15, 2015. If the final negotiations in the so-called “informal trilogue” are successful, the legislative process can be formally finalized at the beginning of next year and the Regulation will become applicable two years later. During that period, businesses established in the

By Ulrich Wuermeling

On November 6, the European Commission issued a comprehensive Communication on the consequences of the Schrems Judgment of the Court of Justice of the European Union (ECJ). In the Communication, the Commission puts national data protection authorities in their place by stating that Model Contracts are a valid alternative measure to provide adequate safeguards for data transfers to the US. According to the Commission, even in countries where use of the Model Contracts require permission by national data protection authorities, such permission has to be granted if the Model Contracts are used without modifications. Only the ECJ would have the power to invalidate the Commission Decisions on Model Contracts. According to the Schrems Judgement, the rights of the data protection authorities with respect to such Decisions are limited to examining them and bringing proceedings against them in court, if the authority believes adequate protection has not been provided.

On October 16, the data protection authorities as organized in the so-called Article 29 Working Party claimed in a Statement that they will continue their analysis on the impact of the Schrems Judgment on other transfer tools. Prior to that Statement, some regional data protection authorities had gone further and claimed that current reliance upon Model Contracts as an alternative transfer mechanism could be inadmissible after the Schrems Judgment (notably the data protection authority of Schleswig-Holstein and Rheinland-Pfalz in Germany). A joint Statement of the German data protection authorities followed and caused further confusion. It stated that the data protection authorities will not give permission to data transfers based on data export contracts. However, the Statement only referred to individually drafted data export contracts which are rarely used in practice anyway. One has to keep in mind that in Germany the use of Model Contracts does not need permission by data protection authorities in any event.

By Brian Meenagh

On October 26, 2015, Raja Al Mazrouei, the Commissioner for Data Protection for the Dubai International Financial Centre (the DIFC), issued guidance on the adequacy of US Safe Harbor for the purpose of exporting personal data from the DIFC. The guidance is significant for organisations that transfer personal data from the DIFC to the US and such organisations should urgently review the basis upon which they transfer personal data from the DIFC to the US to ensure that they continue to comply with the DIFC Data Protection Law (No 1 of 2007).

The guidance follows the decision of the European Court of Justice (the ECJ) in Case C-362/14 – Maximillian Schrems v Data Protection Commissioner that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbor Adequacy Decision), is invalid.

The key message from the guidance is that:

“the invalidation of the Adequacy Decision by the ECJ provides cause for the Commissioner to reconsider the adequacy status previously afforded under the Law to US Safe Harbor Recipients. However, the Commissioner also understands that there are ongoing negotiations between Europe and US authorities towards an improved Safe Harbor framework and that these negotiations are well advanced.

By Ulrich Wuermeling

On October 26, the European Commissioner Věra Jourová addressed the Parliament Committee on Civil Liberties, Justice and Home Affairs to discuss the consequences of the Schrems Judgment of the Court of Justice of the European Union (ECJ).

Jourová commented on the status of the negotiations with the US to find a new solution for data transfers: “There is agreement on these matters in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court.” She plans to visit the US mid-November and hopes to make further progress on a new arrangement with the US.

By Ulrich Wuermeling

An early Position Paper of the German data protection authority of Schleswig-Holstein on the Schrems Judgment of the Court of Justice of the European Union (ECJ) gave little hope for practical alternatives to Safe Harbor. On October 26, all German data protection authorities published a more reasoned joint Statement that follows the approach taken by the Article 29 Working Party. It still includes some surprises in the details, but also offers hope for Model Contracts to be able to serve at least as an interim solution.

The Statement of the German data protection authorities (GDPA) starts with the unsurprising conclusion that data transfers cannot rely on the Safe Harbor Decision anymore. It continues to mention that the Schrems Judgment also puts data transfers under other instruments (like BCRs or Model Contracts) in question. The GDPAs announcement that they will not approve new BCRs or contractual solutions for data transfers in the US and have also requested that the German government allow data protection authorities to bring claims to courts (as required by the ECJ in the Schrems Judgment). The Statement of the GDPAs is short and obviously a compromise between differing views.

By Gail Crawford, Ulrich Wuermeling and Jennifer Archie

The so called Article 29 Working Party met on October 15, 2015 to discuss the consequences of the Schrems Judgment of the European Court of Justice (ECJ). On October 16, 2015, the Working Party published a Statement summarizing their initial conclusions. The Working Party includes representatives of the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission.

The Working Party states that data transfers made under Safe Harbor are unlawful following the Judgment. However, enforcement actions of the national data protection authorities shall only take place, if no other solution is found by the end of January 2016. In the opinion of the Working Party, such solution could include an intergovernmental agreement between the EU and US with reference to a revised Safe Harbor framework. It will be seen whether the US government will be able to agree to limit law enforcement access and to provide remedies for data subjects as required by the European Court of Justice, to the satisfaction of the EU. Due to this uncertainty, businesses will not be able to wait until January 2016, because they will not be able to implement alternative solutions in time, if the governments do not agree.

By Jennifer Archie, Gail Crawford and Ulrich Wuermeling

On October 6, the European Court of Justice ruled that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbor Adequacy Decision), is invalid (Case C-362/14 – Maximillian Schrems v [Irish] Data Protection Commissioner). The judgment is immediately effective without a grace period. The Data Protection Authorities of the EU Member States (Article 29 Working Party) have already scheduled a working group emergency meeting to discuss the consequences of the judgment, but it is unlikely that the meeting will lead to a simple solution for the 4,000+ US companies who rely on Safe Harbor. The European Commission has also published a press release with a short set of guidelines.

The Reasoning of the Court

In its judgment of 6 October 2015, the Court stated that

  • “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”

On July 10, the Federal Communications Commission (“FCC”) released the text of a Declaratory Ruling and Order, initially adopted on June 18, that provides various clarifications regarding the Telephone Consumer Protection Act of 1991 (“TCPA”) and the FCC’s existing rules. The proceeding that led to the Order attracted widespread attention and was the result of nearly two dozen petitions filed by organizations representing healthcare, banking, retail, and telecommunications interests. The broad interest in this proceeding is the direct result of the sweeping impact that the TCPA has had on when and how businesses may contact consumers, as well as the multiplicity of consumer class actions threatened and filed against advertisers, debt collectors, and others making automated calls or sending automated text messages.

What is an “Automatic Telephone Dialing System” (ATDS)?

The first clarification made by the Order is with respect to “autodialers” (or, in the wording of the statute, an “automatic telephone dialing system”). The TCPA and the FCC’s existing rules prohibit making non-emergency calls to a wireless number without prior express consent when those calls are made using an autodialer or an artificial or prerecorded voice. Accordingly, there has been significant controversy over what kinds of dialing systems qualify as autodialers, which the TCPA defines as equipment that has the “capacity” to “store or produce telephone numbers to be called, using a random or sequential number generator,” and to “dial such numbers.” See, e.g., Satterfield v. Simon & Shuster, Inc., 569 F.3d 946, 951 (9th Cir. 2009) (A “system need not actually store, produce, or call randomly or sequentially generated telephone numbers, it need only have the capacity to do it” for the TCPA to apply.).[i]

June is proving to be a very active month for the US Federal Communications Commission (FCC) in construing the Telephone Consumer Protection Act, including what sorts of consumer interactions are sufficient to meet the requirements for consent to receive marketing or other messages. This post reports on an extraordinary warning letter issued to PayPal, criticizing a user-agreement based approach to collecting consent. Next week, we will report on a series of TCPA interpretative guidance which was adopted yesterday by a vote of 3 to 2.

On June 11, the FCC publicly released a warning letter sent to PayPal, Inc., by the FCC’s Enforcement Bureau, stating that PayPal’s new user agreement “may violate” a federal law called the Telephone Consumer Protection Act, or TCPA. The TCPA requires a consumer’s consent before a business may make certain types of phone calls or send automated text messages. PayPal had released a modification of its existing user agreement (set to go into effect on July 1) that would authorize the company to make “autodialed or prerecorded calls and text messages” for a variety of purposes and at any telephone number PayPal associates with the customer.

The recent showdown over renewal of certain provisions of the USA Patriot Act (often called simply the Patriot Act) and the subsequent enactment of the USA Freedom Act have raised a number of questions about the ongoing impact of these laws on data traversing or being stored in the United States. While the new law takes the NSA out of the direct business of maintaining metadata (which includes phone number called, the time and duration of the call, and location