Update on data protection: EU-US Privacy Shield, General Data Protection Regulation (GDPR) and prime focus 2016 of the Dutch Data Protection Authority
EU-US Privacy Shield
On October 27 2015, we reported that the European Union and the United States seemed close to reaching an agreement on a data transfer pact. As per February 2, it was revealed by the European Commission that the European Union and the United States have agreed upon a new framework, named the “EU-US Privacy Shield”. On February 29 the European Commission published a draft adequacy decision along with the texts of the Privacy Shield (a general outline of the Privacy Shield you find below). This new framework, consisting of the Privacy Shield Principles and written commitments by the U.S. Government, is meant to replace the invalidated Safe Harbour Principles. An adequacy decision reflects the adopted position the European Commission takes regarding the level of personal data protection provided by a country outside the European Economic Area. The ‘Article 29 Working Party’, which consists of data protection authorities of each of the 28 European Union member states, have been asked to give their opinion regarding the Privacy Shield Framework before a final decision will be made and the Privacy Shield can be put into effect. On April 14th the Article 29 Working Party has published their opinion regarding the EU-US Privacy Shield (a general outline of which you will find below).
Proposal has been widely criticized
The Privacy Shield proposal has been widely criticized. The liberal Dutch member of the European Parliament, Sophie in ‘t Veld, stated that the “legal status of these safeguards is very unclear, since the assurances seem to rely exclusively on political commitment, instead of legal acts. So any change in the political constellation in the US may undo the whole thing.” In addition to that, the well-known privacy activist Max Schrems, has remarked that “a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance.”
Opinion of the Article 29 Data Protection Working Party
In summary the Article 29 Data Protection Working Party (WP29) is of the opinion that the Privacy Shield Framework is a major improvement to the Safe Harbour Principles, however, it has some concerns regarding some key EU data protection principles. The concerns addressed by the WP29 are in short: (a) the data retention principle is not expressly mentioned; (b) the application of the purpose limitation principle is not clear; (c) onward transfers should provide the same level of protection; (d) redress mechanisms are complex and may therefor proof ineffective; (e) massive and indiscriminate collection of personal data from the EU is not excluded; and (f) the institution of the Ombudsperson is not sufficiently independent and will not have adequate powers to exercise its duty. The WP29 urges the European Commission to resolve these concerns in order to ensure an essentially EU equivalent protection under the Privacy Shield Framework.
What to do in the mean time?
It remains to be seen how and in what time frame it will all turn out. For the moment, businesses can still make use of substitute instruments (e.g. Binding Corporate Rules or Standard Contract Clauses). Relying on the Safe Harbour, however, is – since last October – no longer a legal option.
Judicial Redress Act – US law
The Judicial Redress Act is a new American act in place since 1 February 2016 which enables citizens of designated foreign countries to bring civil actions against U.S. agencies that intentionally or willfully disclose records in spite of the conditions set for disclosure of such records without the necessary consent thereto from the data subject. It is likely that the member states of the European Union become designated countries under this Act, which would enable its citizens to bring civil actions against U.S. agencies.
General Data Protection Regulation (GDPR)
On 15 December 2015 the European Parliament en Council have reached a political agreement on the final text of the General Data Protection Regulation (GDPR), which agreement has been formally endorsed by the Council on 8 April 2016 and by the Commission on 11 April 2016. It is expected that the official signing will soon take place and consequent publication in the Official Journal of the European Union, upon which the grace period of two year will start after which the GDPR will take effect in all member states of the European Union without transposition having to take place into the 28 national laws.
In short the pan-European GDPR will replace the inconsistent national laws currently in place in the 28 member states of the European Union, is based upon a risk-based approach (the controllers and in some instances the processors, will have to take into account the nature, scope, context and purposes of processing and the risks involved – so called data protection impact assessments), impose direct obligations on processors (for instance with regard to data security and data breach notification), reinforce data subject’s rights and give them more control over their personal data, make it easier for them to access their data, give them a right to be forgotten, the right to be timely informed about relevant data breaches and a right to data portability (to transmit personal data between service providers), strengthen the principles of data processing (such as data minimization, transparency and accountability), impose the obligation to keep records of processing activities (including data breaches), impose the obligation to notify the data protection authority of data breaches not later than 72 hours after having become aware of such breach, appoint an internal or external Data Protection Officer with expert knowledge of data protection law and practices and whom assists the controller or processor with monitoring the internal compliance with the GDPR, ensure stronger enforcement of rules and supervisory authorities will be authorized to impose a fine up to 2 – 4 % of a company’s global annual turnover. The GDPR will also apply to controllers and processors established in a third country if they offer goods or services or monitor the behavior of data subjects in the European Union.
Prime focus 2016 of the Dutch Data Protection Authority
In its annual report the Dutch Data Protection Authority set out its prime focus for 2016: security of personal data (measures taken to prevent data breaches), big data & profiling (apps for kids and the privacy of children at schools), medical data (e-health applications, medical data in the cloud), personal data at public authorities and personal data in the employment relationship (audit mechanisms, health data).
If you would like to know more about this matter or any other privacy issue, please contact mr. I.M. Tempelman.