On Thursday, April 14, 2016, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (the GDPR). During the plenary session Jan Philipp Albrecht, rapporteur of the European Parliament for the GDPR, welcomed the adoption following what he described as years of “democratic debate and legislative process.” Albrecht further described the adoption as “a huge step forward towards creating a single legal environment for the digital world of tomorrow.” Today’s parliamentary vote completes the legislative process for adoption of the GDPR. The final step will be for the GDPR to be published in the Official Journal of the EU which will likely take place in May 2016. Companies and regulators will then have two years from the date of publication in which to implement the requirements under the GDPR. Businesses should now seriously consider the impact of the GDPR and start planning for implementation.
The past several days, the GDPR (the EU General Data Protection Regulation) took two significant steps towards adoption. On Friday, April 8, 2016, the European Council adopted the GDPR at first reading. Then today, Tuesday, April 12, 2016, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (the LIBE Committee) approved the GDPR by a 54-3 vote with one abstention. The European Parliament is due to vote on the GDPR in a second reading at a plenary session this coming Thursday. That will complete the legislative process for adoption of the GDPR. The final step will be for the GDPR to be published in the Official Journal of the EU which will likely take place in May 2016. After publication, the GDPR will apply two years after the date of publication, allowing companies and regulators a grace period to prepare. The interpretation of the GDPR will be shaped by guidance from the new European Data Protection Board.
The much-anticipated documentation for the EU-U.S. Privacy Shield, a new framework on transatlantic data flows, was published by the European Commission on February 29, 2016. The framework now will undergo a process of review and approval, including by the EU’s Article 29 Working Party, which is due to finish its review by the end of March 2016. If approved, it will take effect after an implementation period, during which all companies that wish to use the Privacy Shield as a basis for data transfers will have to certify in accordance with the new framework.
*This post originally appeared in Lawfare on February 25, 2016.
Let’s not pretend that that the outcome the Justice Department seeks in the Apple case is limited to only a single case and just this particular phone.
This unquestionably involves a special case. Because of the specter of an ISIS connection, the San Bernardino attacks send chills down the spine of every American. The ISIS connection makes this case different from other cases of homegrown radicalization. And the actual owner of the iPhone has consented to the search.
It is these special characteristics that make the San Bernardino case a compelling vehicle for the FBI to press its concerns about end-to-end encryption on devices and apps. … [Read More]
On Wednesday, February 24, President Obama signed the Judicial Redress Act into law. “What it does in the simplest terms is makes sure that everybody’s data is protected in the strongest possible way with our privacy laws—not only American citizens, but also foreign citizens,” President Obama said at signing. “We take our privacy seriously. And along with our commitment to innovation, that’s one of the reasons that global companies and entrepreneurs want to do business here.” According to EU Commissioner Věra Jourová, “The signature of the Judicial Redress Act by President Obama is a historic achievement in our efforts to restore trust in transatlantic data flows . . . . It will strengthen privacy, while ensuring legal certainty for transatlantic data exchanges between police and criminal justice authorities. This is crucial to keep Europeans safe through efficient and robust cooperation between the EU and the U.S. in the fight against crime and terrorism.”
The Article 29 Working Party has confirmed in a statement that EU Standard Contractual Clauses and Binding Corporate Rules are still valid data transfer mechanisms for the time being. The announcement was made following a meeting held to discuss the consequences of the Court of Justice of the European Union’s (“CJEU“) decision invalidating the US-EU Safe Harbor Framework and just one day after the European Commission announced that a political agreement had been reached on a new framework, the “EU-US Privacy Shield”.
The European Commission has announced that a political agreement has been reached on a new framework on transatlantic data flows. The announcement was made in a press conference on February 2nd by Vice President Ansip and Commissioner Jourová , in which the Commissioner expressed the hope that the new framework, dubbed the “EU-US Privacy Shield,” will be in force within three months. The Commissioner identified three key elements of this new framework: (i) strong obligations on companies handling the personal data of Europeans and robust enforcement; (ii) clear safeguards and transparency obligations on US government access; and (iii) effective protection of the rights of EU citizens, with several redress possibilities.
On December 18, President Obama signed into law an omnibus spending package for 2016 that included the Cybersecurity Act of 2015 (known in former versions as the Cybersecurity Information Sharing Act). After years of debate, the Cybersecurity Act establishes a framework to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government and provides liability shields for cyberthreat information sharing, as well as for specific actions undertaken to defend or monitor corporate networks. The Cybersecurity Act also designates the Department of Homeland Security (DHS) to coordinate cyberthreat information sharing.
The Cybersecurity Act has important implications for cooperation among industry participants and with regulatory agencies in development of effective cybersecurity programs. Public-private cyberthreat information sharing is an important step to improve companies’ defenses and responses to the changing cyberthreat landscape. Though the Act is effective immediately, the attorney general and DHS secretary must release guidelines within 90 days.
After almost four years of intense negotiations, on 15 December 2015, an informal agreement on the proposed EU Data Protection Regulation was reached between the Council of Ministers and the European Parliament. An extraordinary meeting of the LIBE Committee is scheduled for 17 December 2015 for the 28 EU Member States to vote on the text. Final adoption of the Regulation is likely to be in early 2016.