In a seismic recommendation, Advocate General Yves Bot at the European Court of Justice (ECJ) issued his opinion in the closely watched Max Schrems case challenging the U.S.-EU Safe Harbor Agreement and has found Safe Harbor to be invalid. The opinion is not legally binding on the ECJ, although the Court most often follows the opinions of the Advocate General. The Advocate General recommendation makes the status of the existing Safe Harbor agreement even more uncertain, but acknowledges negotiations between the European Commission and the U.S. for an updated agreement and may leave room for a different result if such an agreement addresses concerns in the opinion about U.S. bulk surveillance.
The European Parliament has voted in a plenary session on March 12, 2014 to fully endorse the draft EU Data Protection Regulation (the Regulation) and the draft EU resolution calling for the immediate suspension of Safe Harbor (the Resolution), both of which were adopted previously by the European Parliament’s Civil Liberties Committee (the LIBE Committee).
According to the European Commission’s press release “today’s plenary vote means the position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May.”
A draft report by the European Parliament’s Civil Liberties Committee (the LIBE Committee) indicates that it is attempting to fundamentally alter the existing compliance mechanisms for transferring personal data from Europe. The recently leaked draft is dated December 23, 2013 and expresses the LIBE Committee’s response to the U.S. NSA surveillance programs, surveillance in various EU Member States and the impact on EU citizen’s fundamental rights and on transatlantic cooperation (the Report).
The new year will ring in significant privacy, data protection and cybersecurity changes in the U.S., Europe, Asia and elsewhere around the world. Below are some key developments and possible concrete action items for General Counsels, Chief Privacy Officers and Chief Information Officers:
The European Commission has released a comprehensive package of communications, reports and papers that set out actions which the Commission believes can restore trust in transatlantic data flows between the European Union and the United States following recent concerns over access to data by intelligence agencies.
The package included the following:
- Communication: ‘Rebuilding Trust in EU-U.S. Data Flows’;
- Communication: on the Functioning of the Safe Harbor from the Perspective of EU Citizens and Companies Established in the EU’;
- Report on the findings of the EU-U.S. Working Group; and
- Review of the existing agreements on Passenger Name Records and the Terrorist Finance Tracking Program.
The Commission’s announcement focused attention on the EU-U.S. Safe Harbor, which is discussed in below in this Alert, but a number of other key statements by the Commission are potentially relevant to multinationals, as well as Internet and technology companies. The Commission stressed the need for swift adoption of the EU’s data protection reform; strengthening data protection safeguards in the law enforcement area, including an agreement to guarantee a high level of protection for citizens who should benefit from the same rights on both sides of the Atlantic (EU citizens not resident in the U.S. should benefit from judicial redress mechanisms); addressing European concerns in the on-going U.S. reform process (including extending the safeguards available to U.S. citizens to EU citizens not resident in the U.S., increased transparency and better oversight); and promoting privacy standards internationally, advocating in particular that the U.S. should accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”). Significantly, the Commission also makes clear that standards of data protection will not be part of the on-going negotiations for a Transatlantic Trade and Investment Partnership. The Commission also noted that its proposed new data protection regulation “includes clear rules on the obligations and liabilities of data processors such as cloud providers, including on security. As the revelations about U.S. intelligence collection programs have shown, this is critical because these programs affect data stored in the cloud. Also, companies providing storage space in the cloud which are asked to provide personal data to foreign authorities will not be able to escape their responsibility by reference to their status as data processors rather than data controllers.”
One of the main actions by the Commission as part of the package is a review of the U.S.-EU Safe Harbor agreement that was agreed in 2000 and allows for transfer of personal data from the EU to companies in the U.S. that self-certify with the U.S. Department of Commerce as complying with certain privacy principles. Safe Harbor has proved popular as a means of allowing for international transfers of personal data from the EU to the U.S. with over 3,200 U.S. companies having self-certified.
However, there has been growing concern among some EU Data Protection Authorities about Safe Harbor and in particular its reliance on self-certification and lack of enforcement. In July 2013, Data Protection Authorities in the Germany commented that they had decided not to issue new permissions for data transfers to countries outside the EU and would examine whether data transfers on the basis of Safe Harbor should be suspended. The Commission in its Communication on the Functioning of Safe Harbor comments that “Given the weaknesses identified, the current implementation of Safe Harbor cannot be maintained. However, its revocation would adversely affect the interests of member companies in the EU and the U.S. The Commission considered that Safe Harbor should rather be strengthened.”
So Safe Harbor is to be retained but amended to add further privacy protections. More specifically, the European Commission makes thirteen recommendations that are designed to strengthen Safe Harbor related to transparency, enforcement, the Safe Harbor principles and the use of the exception for national security which allows for the principles to be limited “to the extent necessary” to meet national security, public interest or law enforcement requirements:
1. Self-certified companies should publicly disclose their privacy policies: this recommendation makes it clear that it is no longer sufficient for Safe Harbor companies to disclose a mere description of their policy. Privacy policies should be made publicly available on the company website.
2. Privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbor website which has the list of all current members adhering to the scheme: this recommendation would allow for immediate verification of a Safe Harbor company and would lessen the ability for false claims of adherence by non-adhering companies.
3. Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors e.g. cloud computing services: Safe Harbor allows for onward transfers from the Safe Harbor company to third parties acting “as agents” (e.g. cloud providers) but the third party should enter into a contract with the Safe Harbor company under which the third party agrees to provide the same level of privacy protection as the Safe Harbor principles. The Commission recommends that the Department of Commerce should be notified of such contracts and the privacy safeguards should be made public.
4. Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme: the Commission recommends that the label ‘Not current’ be included on the Department of Commerce list of Safe Harbor members which should be accompanied by a clear warning that a company is currently not fulfilling Safe Harbor requirements.
5. The privacy policies on companies’ websites should include a link to ADR (Alternative Dispute Resolution) providers and/or the EU panel: the Safe Harbor principles require that a readily available and affordable independent mechanism must be in place by which complaints and disputes are investigated. The Commission considers that providing a link to the ADR provider or the EU panel would allow for an individual to immediately contact the ADR provider or the EU panel in the case of problems.
6. ADR should be readily available and affordable: this recommendation is meant to eliminate the charging of fees by some ADR providers under the Safe Harbor scheme.
7. Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure used and follow-up they give to complaints: according to the Commission this recommendation should make the dispute resolution an effective and trusted mechanism with publication of findings for non-compliance included within sanctions of ADR providers.
8. A certain percentage of certified or re-certified companies under Safe Harbor should be subject to investigations of effective compliance of their privacy policies. This recommendation is based on the Commission’s view that although privacy policies are reviewed by the U.S. Department of Commerce when a company renews its certification there is no evaluation of the actual practice of compliance by that company with the Safe Harbor principles.
9. Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to a follow-up investigation after one year.
10. In the case of doubts about a company’s compliance or pending complaints, the Department of Commerce should inform the competent EU Data Protection Authority.
11. False claims of adherence of Safe Harbor adherence should continue to be investigated. According to the Commission companies that claim to be complying with Safe Harbor requirements while not listed by the Department of Commerce is misleading and weakens the credibility of the system and so such companies should be investigated.
Access by U.S. authorities
12. Privacy policies of self-certified companies should include information on the extent to which U.S. law allows public authorities to collect and process data transferred under the Safe Harbor scheme. This recommendation is also extended so privacy policies should explain how the company would apply exceptions to the Safe Harbor principles to the extent necessary to meet requirements of national security, public interest or law enforcement.
13. The exception of national security under Safe Harbor should only be used to the extent that it is strictly necessary or proportionate: the Safe Harbor Communication further specifies that EU data subjects have no opportunity for access, redress or rectification relating to the processing of their personal data under U.S. surveillance, therefore there is a need to restrict exceptions to that which is strictly necessary or proportionate to the reason for which the exception is being used.
According to the Commission for Safe Harbor to work as intended, the monitoring and supervision by U.S. authorities of compliance of self-certified companies with the Safe Harbor Principles needs to be more effective and systematic and the thirteen recommendations are intended to achieve this. The Commission will now engage with the U.S. authorities to discuss how to strengthen Safe Harbor with amendments to be identified by summer 2014 and, according to the Commission, implemented as soon as possible. At the same time the Commission will be undertaking a more detailed review of Safe Harbor which will involve an open consultation and a debate in the European Parliament and at the Council of Ministers.
For companies that are currently self-certified under Safe Harbor, or in the process of becoming self-certified, it will be a relief to know that the Commission is not currently intending to suspend Safe Harbor, however, it is likely that a number of measures will be looked at to strengthen it and therefore the position should be closely monitored with other international data transfer solutions such as Binding Corporate Rules also considered.
If you have any questions regarding this update, please contact the following or the Sidley lawyer with whom you usually work:
William Long, Partner
John Casanova, Partner
Edward McNicholas, Partner
Alan Raul, Partner
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.
The European Parliament’s Civil Liberties Committee has published its draft report on the proposed EU Data Protection Regulation that is causing concern for many corporations. http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf.
The report sets out amendments to the draft EU data protection regulation published by the European Commission last January (the “Regulation”)
Despite being one of the most lobbied pieces of European legislation, many will be disappointed that as amended the draft Regulation still imposes very significant burdens on businesses that are in the EU, or which are outside the EU but offer goods or services to EU customers, with fines of up to 2% of annual worldwide turnover.
Although there has been considerable debate on the proposed Regulation, there is still time for those concerned to make their views known to the European legislature. A summary of the main elements of the proposed regulation as amended by the Committee are set out below.
Scope of Regulation and Enforcement
- The Regulation will apply expansively to all global businesses, including any Internet company with more than 500 European customers. To be specific, it would apply to “data controllers” established in the EU or operating from outside the EU where the processing activities are aimed at the offering of goods or services to individuals in the EU irrespective of whether payment is required. A data controller outside the EU will need to appoint a representative in the EU if it processes personal data of 500 or more individuals a year, irrespective of whether payment is required for the goods or services.
- For the first time, the regime will directly affect software and hardware development. So called “producers” (i.e. hardware and software developers) that produce systems to process personal data must take measures to ensure data protection compliance when designing systems.
- Provisions for fines of up to 2% of annual worldwide turnover for violations of the Regulation remain, although additional criteria are proposed that would be taken into account by Data Protection Authorities (DPA) when determining the administrative sanction.
- There are a number of amendments to strengthen the position on collective redress: Bodies or associations acting in the public interest would be able to go to court on behalf of data subjects to seek damages and damages will now also be permitted for non-pecuniary loss such as distress.
International Data Transfers
- Transfers of personal data from the EU to countries that are not deemed to provide an adequate level of protection (such as the United States) should be on the basis of binding legal instruments (such as Binding Corporate Rules and the EU’s standard contractual clauses). The ability of the European Commission to decide that a particular industry sector provides an adequate level of protection (such as the U.S. healthcare industry) has also been rejected.
- The U.S.-EU Safe Harbor and other previous adequacy decisions as well as decisions relating to standard contractual clauses will remain in force for only two years after the Regulation takes effect. This may lead to companies needing to assess whether their prior compliance efforts remain valid.
- International investigations will become significantly more complicated. An important new provision will require that a controller’s representative must notify the DPA and obtain an authorization for transfer pursuant to the requests or orders of a court, tribunal or authority of any country outside the EU.
Consent, Legitimate Interest and Data Protection Notices
- Compliance will also become more complex given that consent may not be available in the employment context. Although the report emphasizes the importance of consent, it adds the condition that consent should not be valid if there is a significant imbalance between the position of the data controller and the data subject (i.e. the individual) remaining in the Regulation. However, incentives are also included for data controllers to use pseudonymous data (e.g. key coded) for which lighter consent obligations will apply.
- More detail is also provided on when it is possible for a data controller to rely on the legitimate interest ground to process personal data with the controller required to publish why it believes its interests override those of the data subject. The legitimate interests of the data controller include enforcement of legal claims.
- Data protection policies are to be communicated using multi-layered formats and icons with full information available on request. Data subjects also have a right to be informed about the disclosure of their personal data to a public authority.
Right to be Forgotten, Data Portability and Profiling
- The Right to be Forgotten (i.e. to have personal data erased) remains in the Regulation but has been amended so data controllers would no longer have to take reasonable steps to contact third parties to request them to erase copies of the data if the personal data has been transferred or made public based on legal grounds (such as legitimate interest).
- The Right to Data Portability (i.e. to obtain a copy of the data being processed and to move the data to another platform) has been merged with the Right of Subject Access (i.e. the right for confirmation whether personal data is being processed). The Right of Subject Access has also been amended so data subjects now have a right to be informed if their personal data has been disclosed to public authorities.
- Targeted Internet advertising could also face significant impacts. Profiling will only be permitted with the data subject’s consent or based on an express statutory provision.
Documentation, Impact Assessments, Security and DPOs
- The requirement in the proposed Regulation for data controllers and processors to retain detailed documentation on the processing has been merged with the requirement to provide information to individuals about how their personal data are processed. The exemption on small businesses employing less than 250 persons from having to retain such documentation has been removed.
- In the case of a security breach the period to notify the DPA is extended from 24 to 72 hours while the obligation to notify data subjects has also been extended to require that information be included regarding the rights of the data subject including redress.
- The obligation to appoint a Data Protection Officer (DPO) has been amended so a DPO is required where a legal entity processes personal data on more than 500 persons. The DPO must be a direct report to the head of management, such as the CEO, and the minimum appointment of the DPO is also extended from 2 years to 4 years. The DPO will also have an obligation to report suspected breaches to the DPA.
- The requirement to carry out data protection impact assessments where data involves specific risks (such as health data and data on children) remains as does the obligation to seek the views of data subjects. However, instead of having to consult with a DPA it is now proposed that a data controller can consult with their DPO.
Life Sciences and Scientific Research
- Importantly the report provides a comment that processing of sensitive data (e.g. health data) for the purposes of historical, statistical and scientific research are “not considered as urgent or compelling as public health or social protection.” This is of particular concern for the life sciences industry and other industries carrying out research including academic research.
- The provisions in the Regulation on processing of sensitive data (including health data) for the purposes of historical, statistical and scientific research are also amended to provide that such processing shall only be permitted with the consent of the data subject, but Member States may legislate for exceptions to the requirement of consent for research that serves an exceptionally high public interest, if that research cannot possibly be carried out otherwise. The amendments go on to provide that “The data in question shall be anonymized, or if that is not possible for the research purposes, pseudonymized under the highest technical standards, and all necessary measures shall be taken to prevent re-identification of the data subjects.” The possibility of EU Member States determining when scientific research is permitted, where consent has not been obtained, will also be of concern to the life sciences industry.
New One Stop Shop, Codes of Conduct and Certification Schemes
- A modified ‘one stop shop’ approach to regulation is proposed under which a DPA is competent to supervise processing operations within its territory or affecting data subjects resident in its territory. Where the processing activities of a controller or processor are established in more than one EU Member State or affecting data subjects in several Member States, the authority of the Member State of the main establishment of the data controller will be the lead authority acting as a single contact point for the controller or processor.
- Some of the powers of the European Commission to adopt delegated acts (i.e. to provide more detailed requirements) for certain provisions have been removed.
- Industry Codes of Conduct and data protection certification schemes are encouraged with a formal procedure required to be set down for the issue and withdrawal of a data protection seal or mark and to ensure the independence of the issuing organization.
The next steps in the EU legislative timetable include: (i) February 27, 2013: deadline for tabling amendments by MEPs on the Civil Liberties Committee; (ii) end of April 2013: vote by the Civil Liberties Committee; and (iii) from May 2013 on: (depending on progress in the EU’s Council of Ministers) negotiations between European Parliament, the Council and the Commission (the so called “Trilogue”).
For further details on the proposed EU Data Protection Regulation, please contact William Long (email@example.com) or John Casanova (firstname.lastname@example.org). Edward McNicholas (email@example.com) in Washington, D.C. is also available to assist U.S. companies in addressing the potential conflicts between U.S. and EU requirements.
This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.
Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.
Prior results do not guarantee a similar outcome.
Global corporations with offices or customers in the European Union should be aware of the latest European Union proposal for compliance with its Data Protection Directive 95/46/EC with respect to internal transfers of information among members of the same corporate group. Interested parties will be submitting comments through September 30, 2003.
As markets become more global, data protection awareness and compliance in transborder data flows is becoming increasingly important. There are important issues for companies wishing to send personal data to countries outside the European Economic Area (EEA). This paper considers in detail the Eighth Principle under the Data Protection Act 1998 (the Act) and the ways in which compliance with its requirements may be achieved.