The past several days, the GDPR (the EU General Data Protection Regulation) took two significant steps towards adoption. On Friday, April 8, 2016, the European Council adopted the GDPR at first reading. Then today, Tuesday, April 12, 2016, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (the LIBE Committee) approved the GDPR by a 54-3 vote with one abstention. The European Parliament is due to vote on the GDPR in a second reading at a plenary session this coming Thursday. That will complete the legislative process for adoption of the GDPR. The final step will be for the GDPR to be published in the Official Journal of the EU which will likely take place in May 2016. After publication, the GDPR will apply two years after the date of publication, allowing companies and regulators a grace period to prepare. The interpretation of the GDPR will be shaped by guidance from the new European Data Protection Board.
Today, alleged extracts from the impending Article 29 Working Party Opinion on the adequacy of the Privacy Shield were leaked. These extracts indicate that a number of clarifications on the Privacy Shield documents will be required before the Working Party can confirm that the Privacy Shield, in its view, ensures a level of protection that is essentially equivalent to that in the EU. The full opinion is due to be published on Wednesday 13 April, and will form part of the package for consideration by the European Commission.
The much-anticipated documentation for the EU-U.S. Privacy Shield, a new framework on transatlantic data flows, was published by the European Commission on February 29, 2016. The framework now will undergo a process of review and approval, including by the EU’s Article 29 Working Party, which is due to finish its review by the end of March 2016. If approved, it will take effect after an implementation period, during which all companies that wish to use the Privacy Shield as a basis for data transfers will have to certify in accordance with the new framework.
The Article 29 Working Party has confirmed in a statement that EU Standard Contractual Clauses and Binding Corporate Rules are still valid data transfer mechanisms for the time being. The announcement was made following a meeting held to discuss the consequences of the Court of Justice of the European Union’s (“CJEU“) decision invalidating the US-EU Safe Harbor Framework and just one day after the European Commission announced that a political agreement had been reached on a new framework, the “EU-US Privacy Shield”.
The European Commission has announced that a political agreement has been reached on a new framework on transatlantic data flows. The announcement was made in a press conference on February 2nd by Vice President Ansip and Commissioner Jourová , in which the Commissioner expressed the hope that the new framework, dubbed the “EU-US Privacy Shield,” will be in force within three months. The Commissioner identified three key elements of this new framework: (i) strong obligations on companies handling the personal data of Europeans and robust enforcement; (ii) clear safeguards and transparency obligations on US government access; and (iii) effective protection of the rights of EU citizens, with several redress possibilities.
The European Court of Human Rights (“ECtHR”) ruled earlier this month that an employer’s monitoring of an employee’s personal emails in a work-related Yahoo account was not a breach of the employee’s Article 8 privacy rights (“the right to respect for private and family life, the home and correspondence”). The court’s ruling was not a general approval of employee monitoring, but was dependant on several critical facts, including the employer’s policy completely prohibiting personal communications on work accounts, and the limited nature of the monitoring into only the work account.
After almost four years of intense negotiations, on 15 December 2015, an informal agreement on the proposed EU Data Protection Regulation was reached between the Council of Ministers and the European Parliament. An extraordinary meeting of the LIBE Committee is scheduled for 17 December 2015 for the 28 EU Member States to vote on the text. Final adoption of the Regulation is likely to be in early 2016.
In 2013, the European Commission put forward a proposal for a Network and Information Security Directive (the “NIS Directive”) as part of the EU’s Cyber Security Strategy. The European Parliament and Council of Ministers recently reached political agreement on the NIS Directive on 7 December 2015, which includes data breach notification obligations.
According to the Commission’s press release published on 8 December 2015, the NIS Directive will improve the cybersecurity capabilities of and cooperation between EU Member States. The Commissioner for the Digital Economy and Society further explained that this improved cooperation will assist the EU in its fight against increasing numbers of cyber attacks, commenting that “cybersecurity is essential in today’s European digital economy and society – and it remains a permanent challenge.”
As the legislative journey for the General Data Protection Regulation (“GDPR”) nears its conclusion, last week (Nov. 27,2015) saw the publication of a further compromise text which left the door open for additional “trilogue” discussions on the much-debated subjects of administrative fines, data protection officers (“DPOs”), and data breaches, as well as details of other provisions.
On October 29, 2015, the European Parliament adopted a resolution on the electronic mass surveillance of EU citizens (the “Resolution”). Positioned as a follow-up to its resolution of 12 March 2014 in which the Parliament called for the immediate suspension of Safe Harbor and put forward a number of recommendations to limit access to personal data of European citizens as part of mass surveillance, the Resolution calls on the European Commission to “reflect immediately on alternatives to Safe Harbor and on the impact of the judgment [from the Court of Justice of the European Union in the Schrems case] on any other instruments for the transfer of personal data to the U.S.” It also calls for the European Commission to “report on the matter by the end of 2015.” In addition, the European Parliament demanded that the Commission urgently provide an update on the ongoing negotiations between US authorities and the Commission.