Summary The Irish High Court has made a preliminary reference to the Court of Justice of the European Union (“CJEU”), asking whether standard data protection clauses (“standard clauses”) are compatible with the legal rights of data subjects under EU law. Standard clauses are currently used as an appropriate safeguard to facilitate the transfer of personal data outside of the European Economic Area (the “EEA”). The reference to the CJEU comes despite previous decisions from the European Commission (the “Commission”) that have approved their use. It is worth noting that the reference does not invalidate the use of standard clauses for the moment. However, a judgment from the CJEU that does so would have implications for billions of euros worth of trade between the EU and the rest of the world. If the CJEU decides to render the use of standard clauses invalid, this would leave extremely limited scope for compliant data transfers … Continue Reading ››
Since its hotly awaited publication in January, the Proposal for an ePrivacy Regulation ("Proposal") has come under scrutiny from various stakeholders. Recently both the Article 29 Working Party ("WP29"), and the European Data Protection Supervisor ("EDPS"), have joined the chorus. Though both independent bodies are pleased with the concepts in the legislation, both express various concerns, with WP29 describing theirs as particularly 'grave'. Those (grave) concerns, alongside some recommendations are explored in detail below. EDPS: concerns over consent, tracking and cookies. As expected in his Opinion the EDPS welcomes various parts of the Proposal, including the legislators' choice for a regulation rather than a directive, and the extension of scope to over-the-top (“OTT”) communications services such as Skype and WhatsApp. The Commission's ambition to bring all publically accessible networks and services within the scope of the confidentiality requirements is also praised. However, though the EDPS … Continue Reading ››
The Article 29 Working Party ("WP29") has recently adopted new General Data Protection Regulation ("GDPR") Guidance, this time focusing on Data Protection Impact Assessments ("DPIAs"). The Guidelines aim to clarify when a DPIA is required and provide criteria for the lists of the kind of processing operations which are subject to the requirement for a DPIA, to be adopted by Data Protection Authorities under Article 35(4) of the GDPR. Although the guidance has been formally “adopted”, the WP29 is welcoming comments from stakeholders until 23 May 2017, so it is possible that elements may be modified in the near future. The guidance is significant as it represents EU data protection authorities’ collective interpretation of this important new compliance requirement. Any comments on the guidelines can be sent to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and firstname.lastname@example.org by 23 May 2017. What is a Data Protection Impact Assessment? DPIAs are not a formal requirement … Continue Reading ››
As Max Schrems continues to do battle over Model Clauses in the Irish High Court, the Article 29 Working Party (WP29) has this week issued guidance surrounding EU-US Privacy Shield (Privacy Shield) related complaints. The guidance will be of note to any EU citizen wishing to complain about the handling of their personal data that has been transferred from the EU to one of the, as of 24 February, 1724 Privacy Shield registered organisations. It encompasses a template complaint form and Rules of Procedure and should provide parties concerned with all the information necessary to notify a breach under the 6 month old framework. The Rules of Procedure provide guidance on how an "Informal Panel of EU DPAs" (Panel) will operate in advising US organisations following a complaint. The Panel will aim to provide guidance within 60 days after receiving a complaint form. The complaint … Continue Reading ››
Just before the festive break, the Article 29 Working Party ("WP29"), the group representing national data protection regulators in the EU, issued new guidance on several key aspects of the new General Data Protection Regulation ("GDPR"). This is the first guidance of its kind issued by the WP29, and as such represents the first time the data protection authorities have revealed their thoughts on the interpretation of the GDPR. The guidance consists of three separate sets of guidelines and FAQs:
- an explanation of the role of the now mandatory Data Protection Officer ("DPO");
- a guide to the new right to data portability; and
- guidance regarding the "one stop shop" mechanism for establishing the lead data protection authority in cases of cross-border data processing.
Datonomy summarises the latest developments in the ongoing saga of US data transfers. What's new? On 13 April, the Article 29 Working Party announced their eagerly awaited – but as it turned out, somewhat inconclusive - conclusions on the proposed new EU-US Privacy Shield data transfer mechanism. A lunchtime press conference led by Article 29 Working Party Chairman Isabelle Falque-Pierrotin was followed by the publication in the late afternoon of two new documents:
- a 58 page Opinion on the EU-US Privacy Shield adequacy decision
- a 15 page Working Document on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)
- the commercial aspects
- derogations for national security purposes.
Late on Friday 16 October, Europe’s data protection regulators issued an opinion enabling ongoing transfers of personal information from the EU to the US, at least for the time being. This followed on from the CJEU’s 6 October decision in the Schrems case that the so-called “safe harbor” regime used by more than 4000 US companies to legitimize the import of EU personal information was invalid. Following that decision a number of German data protection authorities ruled that “model clauses”, another mechanism used by thousands of other organisations to legitimize EU to US transfers, were also invalid. There was growing concern that the Article 29 Working Party, an influential body representing Europe’s data protection authorities, would follow the German approach creating more uncertainty and removing one of the few remaining limbs to support transfer. Businesses on both sides of the Atlantic can breathe a sigh of relief. The opinion, although far from categorically … Continue Reading ››