Archive for the ‘Legislative reform’ Category

NIS Directive establishes first EU-wide cyber security rules

Posted on February 10th, 2016



In December 2015 the EU institutions came to an agreement on the Network and Information Security Directive (‘NIS Directive’), establishing a set of EU-wide rules on cyber security for the first time; formal adoption of the Directive by the European Parliament and the Council of the EU is pending at the time of publication. For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied.

Mark Webber and Michael Brown of Fieldfisher discuss five key issues for online businesses to consider in reaction to the Directive.


Under the NIS Directive, certain companies operating in critical sectors such as health, energy and transport, as well as some online businesses like search engines, online marketplaces and cloud computing providers, will be required to satisfy wide-ranging security and incident reporting obligations.

From the TalkTalk hack to the Ashley Madison breach, cyber security issues and risks have captured the attention of journalists, CEOs, legislators and ordinary citizens in recent years. The NIS Directive represents a legislative attempt to address some of these cyber issues and risks and, in doing so, safeguard EU critical infrastructure and the much-vaunted EU Digital Single Market.

Although the NIS Directive has yet to be formally adopted by the European Parliament and the Council of the EU, the authors of this article have obtained a copy of the agreed text. We understand from sources in Brussels that there are unlikely to be any notable amendments to the text that we reviewed. The law makes for fascinating reading and will undoubtedly raise significant compliance challenges for all of the entities who will be subject to its requirements. These entities are divided into the following two categories: (i) operators of essential services; and (ii) digital service providers.

In February/March 2016, the European Parliament and Council of the EU will formally approve the law. After that, the text will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement the NIS Directive into their national laws and six months more to identify operators of essential services. During this time, the European Commission will adopt implementing acts, which will realise some of the more specific elements of the law on security measures and incident notification. Here we set out five key issues with which online businesses will have to wrestle to ensure cyber security compliance and, in turn, hopefully reduce their chances of becoming the next breach story.

1. ASSESSING WHETHER YOU ARE IN SCOPE

The first critical issue for online businesses is to assess whether they are subject to the law’s requirements. The NIS Directive applies to operators of essential services and digital service providers. It does not apply to telcos or payment service providers who are subject to separate security and incident reporting obligations. It also does not apply to hardware/software developers or small/micro-sized digital service providers.

Operators of essential services can be public or private entities and are defined as follows: ‘(i) the entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (ii) provision of that service depends on network and information systems; and (iii) an incident to the network and information systems of that service would have significant disruptive effects on its provision.’ There is little merit in analysing this definition since each Member State will be responsible for identifying its operators of essential services. These entities will then be listed in the national laws that implement the Directive. One of the law’s purposes is to protect critical infrastructure in the event of a cyber attack and so it is highly likely that energy suppliers, airports, banks, utility companies and healthcare providers will be considered as operators of essential services.

Digital service providers are defined to consist of online marketplaces, online search engines and cloud computing services. From the law’s recitals, it seems that all three categories will be interpreted very widely.

An online marketplace is defined as ‘a digital service that allows consumers and/or traders as defined respectively in Article 4(1)(a) and 4(1)(b) of Directive 2013/11/EU to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace.’ The breadth of this definition means that large players like Amazon and eBay will be caught but, equally, small e-commerce stores where consumers can purchase products/services from third party traders may also be subject to the law. App stores are also deemed to be in scope but price comparison websites are not.

An online search engine is defined as ‘a digital service that allows users to perform searches of in principle all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input; and returns links in which information related to the requested content can be found.’ Clearly, the likes of Google and Bing will fall within this definition. A cloud computing service is defined as ‘a digital service that enables access to a scalable and elastic pool of shareable computing resources.’ The law’s recitals provide brief guidance on the following different elements of this definition: ‘computing resources’; ‘scalable’; ‘elastic pool’; and ‘shareable.’ However, it remains very unclear how this definition will be applied in practice. Put simply, a vast number of online businesses provide cloud computing services (even if they are not the business’ primary commercial offering) and thus are likely to fall within this definition as drafted.

Given the opaqueness of the definition and recitals, online businesses should carry out a careful legal analysis of whether they are defined as a cloud computing service. The need for this analysis is heightened by the fact that, unlike operators of essential services, the obligation is on online businesses to self-assess whether they are subject to the law’s requirements.

Despite the NIS Directive’s apparently broad net, the good news for online businesses is that the law takes a more ‘light-touch’ approach to the security and notification obligations of digital service providers than to those of operators of essential services. Information on these obligations is set out below.

2. COMPLYING WITH THE NIS DIRECTIVE’S NATIONAL IMPLEMENTING LAW

As a brief recap, the NIS Directive will be transposed into a national law for each Member State. Therefore, online businesses in scope will need to assess which national law applies to their network and information systems. It seems that operators of essential services and digital service providers that are active in multiple Member States may not need to comply with the national implementing law in each of these countries. The entity will only have to comply with the national law in the Member State where it is established. In this context, establishment means where an entity has an ‘effective and real exercise of activity through stable arrangements’ rather than, for example, the physical location of its network and information systems or location of its legal branch.

If a digital service provider is not established in a Member State but still provides services within the EU then it must appoint a ‘representative.’ At this stage, there is little guidance on who can perform the role of a representative.

Finally, because the NIS Directive is a ‘minimum harmonisation’ law, Member States are entitled to adopt or maintain provisions with a view to achieving a higher level of cyber security than the law sets out. For example, certain Member States like Germany and Spain are likely to enact stricter security legislation than other Member States. All in all, the national implementations of the NIS Directive represent an additional issue (though clearly not as significant as tax or employment issues) for an online business to consider when deciding upon its EU country of establishment.

3. DEALING WITH NEWLY ESTABLISHED CYBER SECURITY AUTHORITIES

Online businesses in scope should acquaint themselves with the new authorities/bodies established by the NIS Directive. This is crucial so that a business knows the following: (i) to which authority incidents should be notified; and (ii) the authority that has the power to sanction non-compliance.

The NIS Directive refers to two bodies of importance to online businesses. The first is the national competent authority (‘NCA’). An NCA will be formed in each Member State and will be in charge of regulating the law’s application at national level. It may be an existing regulator or a new body (the UK Information Commissioner’s Office has already made known its reluctance to perform this role). Each NCA will have differing powers in relation to operators of essential services and digital service providers.

Unlike with operators of essential services, the NCA will have no general power to regulate the conduct of digital service providers. However, it will be able to take ‘action’ when provided with ‘evidence’ that a digital service provider is failing to comply with the NIS Directive. Such evidence can be provided by the digital service provider itself, a user of its service or another NCA.

In an environment of user activism regarding data protection and cyber security, it is reasonable to think that evidence will be submitted. Thus, online businesses should prepare themselves for such scenarios. The ‘action’ that the NCA will be able to take will be to require the digital service provider to remedy any failure to fulfil its security and incident notification requirements. No explanation is provided as to how the NCA will require remedial action to be taken. This, along with other enforcement measures (like fines, undertakings etc.) will be determined by each Member State and then set out in the national law.

The second body of importance is the Computer Security Incident Response Team (‘CSIRT’). Each Member State will have a CSIRT, which will provide guidance to operators of essential services and digital service providers on cyber security issues as well as cooperate internationally to ensure that cross-border threats are detected and handled. Online businesses may wish to liaise with a CSIRT regarding the practical issues/questions relating to incident preparedness.

At present, the precise powers and responsibilities of the NCAs and CSIRTs are uncertain. For example, the NIS Directive provides that incident notifications can be made to an NCA, a CSIRT or both. Clearly, this is not ideal since an online business needs certainty on the appropriate notifying body and also to bake this information into its incident handling policies/procedures. Hopefully, this point will be resolved in the implementing acts or national transpositions. Online businesses should keep a watching brief on these and the formation of the NCAs/CSIRTs to determine their regulatory approach.

4. PUTTING IN PLACE SECURITY MEASURES

Online businesses in scope will be required to put in place ‘appropriate and proportionate technical and organisational measures’ to protect their network and information systems. These measures must ensure that digital service providers manage the risks posed to the security of the networks and information systems that they use in the provision of their service.

In implementing these security measures, digital service providers must take into account the following elements: (i) security of systems and facilities; (ii) incident management; (iii) business continuity management; (iv) monitoring, auditing and testing; and (v) compliance with international standards.

The European Commission will adopt implementing acts that set out in more detail the specifications of the security measures. These are intended to be harmonised across Member States for digital service providers. Putting in place security measures is a key requirement under the NIS Directive but one that remains up in the air (despite the fact that it is similar to the ‘data security’ requirement in the Data Protection Directive). In light of this uncertainty, an online business should monitor the publication of European Commission implementing acts and then conduct a review of its security measures for compliance.

5. DEVELOPING AN EFFECTIVE CYBER INCIDENT NOTIFICATION PROCESS

Online businesses in scope will be required to notify any incident having a ‘substantial impact’ on the provision of their digital service. The European Commission will adopt implementing acts on the notification requirement, which is intended to be harmonised across Member States for digital service providers. What we know so far is that the notification should be made to the NCA or the CSIRT ‘without undue delay.’ The notification should contain information to enable the NCA or the CSIRT to determine the significance of any cross-border impact. After consulting with the digital service provider, the NCA or the CSIRT may choose to publicise the incident in certain circumstances.

In order to determine whether the impact is ‘substantial,’ the digital service provider should consider the following parameters: (i) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (ii) the duration of the incident; (iii) the geographical spread with regard to the area affected by the incident; (iv) the extent of the disruption of the functioning of the service; and (v) the extent of the impact on economic and societal activities.

No guidance has been provided as to how overlapping notification obligations (e.g. under the NIS Directive and the General Data Protection Regulation) will work in practice. Hopefully this business headache will be resolved in the implementing acts.

This is a landmark requirement since, in most EU Member States, digital service providers are not currently obliged to notify data security or cyber security incidents; notification is voluntary. The new law makes it mandatory, which means that digital service providers need to take incident handling and notification more seriously than ever before. Online businesses in scope should therefore formulate and agree upon incident handling and notification policies and procedures to ensure they are ready to deal with likely incidents and to mitigate commercial, reputational and regulatory risks.

This article first appeared in the January 2016 edition of E-Commerce Law and Policy.

The slow but inexorable fall of Safe Harbor

Posted on January 31st, 2016



Recently, my colleague Phil Lee posted an obituary on Safe Harbor. The article was funny, a touch provocative, but especially well grounded. As we reach the end of January, never has the fate of Safe Harbor seemed so uncertain.

For those who have been following our blog, you’ll know that on October 6th, 2015, the Court of Justice of the European Union (“CJEU”) ruled in a ground-breaking decision that the “massive and indiscriminate surveillance” of EU citizens by US public authorities (as revealed by Edward Snowden) after their personal data has been transferred to the US is incompatible with the fundamental right to the protection of personal data under European law. As a result, the Safe Harbor framework was declared invalid and the national data protection authorities (“DPAs”) were ordered to act accordingly under their respective national laws.

Soon after, the Article 29 Working Party (“WP29”) issued an opinion, which gave the EU and US officials in charge of re-negotiating the Safe Harbor framework (now referred to as the “Transatlantic Data Transfer Agreement”) until the end of January 2016 to reach an agreement. A failure to do so would mean that the DPAs would begin to coordinate enforcement actions across Europe. Several DPAs (such as the CNIL in France and the AGPD in Spain) did not wait for this deadline to expire to initiate “soft” enforcement measures such as sending notice letters to all registered data controllers in their respective countries informing them that Safe Harbor could no longer be relied upon to transfer personal data to the US and, as a result, those controllers needed to implement an alternative data transfer mechanism that would enable them to continue transferring data lawfully.

This has usually required companies to quickly sign an intragroup data transfer agreement incorporating the EU standard contractual clauses between all the entities of the group and to update their data processing registrations with the relevant DPAs, including (where required) obtaining the DPA’s prior approval to transfer personal data to the US. The bolder and more perspicacious organizations may also have started discussing Binding Corporate Rules, both as a more solid data transfer solution and as a global privacy compliance framework that will enable them to better comply with the upcoming General Data Protection Regulation (“GDPR”).

In recent days, EU officials have been publicly alluding to the fact that we are no closer to reaching a new deal on Safe Harbor. The blocking points remain the same. On the one hand, the vote in the Senate on the US Judicial Redress Act has been delayed. This is viewed by EU officials as an essential condition for reaching a new Safe Harbor agreement because it would grant EU citizens the same judicial redress rights as US citizens. This could take a while…

On the other hand, the US and EU cannot seem to agree on a common position regarding access to EU personal data by US public authorities for law enforcement purposes and reasons of national security. This is by far the most contentious point. The European Commission’s top officials recently reiterated that the European Union would not agree to a new transatlantic data transfer agreement unless both sides agree on this point. This raises fundamental legal, cultural and philosophical questions between Europe and the US. Whatever is decided in the end is likely to shape US-EU political and diplomatic relations for many years to come. Needless to say, the negotiations are not over and concessions will need to be made on both sides if a deal is to be struck.

The question now is: what will happen when the clock strikes midnight on January 31st if no new Safe Harbor agreement is concluded? The more optimistic may still think that a last minute compromise is possible, but that is wishful thinking. The reality is that it is now very unlikely that a deal will be struck before the end of January and, on the contrary, discussions will continue for several months at least. As stated by Isabelle Falque-Pierrotin (chairwoman of the CNIL and the WP29) a few weeks ago, the end of January was never meant as a hard deadline but rather as a sign that political leaders were committed to the task. At the same time, this does not mean that the DPAs will not engage in enforcement actions after January. I believe they will.

The impact this will have for companies will largely depend on what they have done in the last three months. Those who have acted immediately following the WP29’s guidance (or who are in the process of doing so) and have adopted EU model clauses as an alternative for transferring personal data to the US are in a better place than those who have done nothing and who were thinking (or hoping?) that a new agreement would be reached before the end of January, which would enable them simply to transition their transfers under the “new” Safe Harbor framework.

But here’s the interesting bit. The DPAs themselves have not yet reached a common position regarding the practical implications of the CJEU’s decision on other data transfer mechanisms, such as EU model clauses and BCR. The more conservative DPAs are calling for a general freeze on all data transfers, including those that are based on the EU model clauses or BCR on the grounds that these data export solutions do not legally prevent foreign authorities in the importing countries from accessing EU data for law enforcement purposes. The more business-friendly DPAs are more focused on the consequences this would have for businesses if all means for transferring personal data are frozen.

As you can see, not only is the fate of a new Safe Harbor agreement uncertain, but it is also unclear at this point how the DPAs will decide to enforce the CJEU’s decision on other data export solutions. The WP29 is holding a plenary meeting on February 2nd and is expected to reach a common position on this issue. Two outcomes are possible. Either the WP29 adopts a strict and extensive interpretation of the CJEU’s decision, which would mean that all transfers of personal data to the US would be prohibited (including those that are based on the EU model clauses or BCR). This would have a catastrophic effect on the economy, not to mention that it would seriously impede transatlantic relations. Or else the WP29 decides (in line with its previous opinion) that companies may continue to transfer personal data on the basis of the EU model clauses and BCR.

The final outcome could be found somewhere between those two lines. One solution could be to ask companies to adopt additional measures, such as an anti-surveillance pledge, under which the business would pledge not to disclose individuals’ data to government or law enforcement authorities unless either (1) legally compelled to do so (for example, by way of a warrant or court order), or (2) there is a risk of serious and imminent harm were disclosure to be withheld.

Let us also not forget that under the new article 43a of the GDPR, “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.” The terms are clear and Europe has set its conditions. Once in force, this provision will apply to all third countries, including China, Russia and India.

Stay tuned for more updates on Safe Harbor in the coming days.

This article was first published on the IAPP’s website under The Privacy Advisor.

By Olivier Proust, Of Counsel, Privacy Security & Information.

Getting to know the General Data Protection Regulation, Part 6 – Designing for compliance

Posted on January 5th, 2016



Introduction

One of the changes due to be implemented under the new General Data Protection Regulation (“GDPR”) is the explicit recognition of the concepts of ‘privacy by design’ and ‘privacy by default’.  Businesses will now find themselves subject to a specific obligation to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.

What does the law require today? 

The current EU Data Protection Directive (the “Directive”) has no concept of ‘privacy by design’ or ‘privacy by default’, nor is there an explicit obligation that states that privacy should be a paramount consideration at the design stage of any project. However, the Directive imposes an obligation on the data controller to implement appropriate technical and organisational measures to protect personal data against unlawful processing. By imposing a specific ‘privacy by design’ requirement, the GDPR expands the requirement to implement appropriate technical and organisational measures to ensure that privacy and the protection of data is no longer an after-thought.

Since we first saw the draft of the GDPR in 2012, ‘privacy by design’ has been the subject of discussions by many regulators in order to ensure that the concept achieves the desired effectiveness. For example, the UK’s ICO has already issued guidance on ‘privacy by design’ and encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle.

What will the General Data Protection Regulation require?

While the concept of ‘privacy by design’ already exists, it has now been given specific recognition, and is linked to enforcement. Under the proposed ‘privacy by design’ requirement, companies will need to design compliant policies, procedures and systems at the outset of any product or process development.

When implementing appropriate technical and organisational measures in this context, regard should be given to the state of the art and the cost of implementation. In the near-agreed unofficial final drafts of the GDPR (referenced by our colleagues Phil Lee and Hazel Grant here), it looks as if the risk-based approach favoured by the Council has won the day. In deciding what measures are appropriate, businesses may also take account of the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals. This approach will give businesses greater flexibility to determine what compliance looks like in practice.

In making such determination, businesses may need to consider matters such as whether a system which processes the personal data of customers/employees would, for example:

  • allow personal data to be collated with ease in order to comply with subject access requests;
  • allow suppression of data of customers who have objected to receiving direct marketing; or
  • allow the data controller to satisfy the data portability requirements of the GDPR.

Data controllers should also consider whether the relevant personal data can be pseudonymised – the latest unofficial draft of the GDPR makes specific reference to pseudonymisation as one example of a measure that is designed to integrate the necessary safeguards into the processing of personal data.

The GDPR also introduces a specific ‘privacy by default’ obligation. ‘Privacy by default’ requires that controllers implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. According to the latest unofficial draft of the GDPR, the effect of this requirement is that data controllers should minimise the amount of the data collected, the extent of their processing, the period of their storage and their accessibility. The bottom line is that, by default, businesses should only process personal data to the extent necessary for their intended purposes and should not store it for longer than is necessary for these purposes. In particular, the data controller should ensure that, by default, personal data are not made available without the individual’s intervention to an indefinite number of people.

While the current Directive contains requirements in relation to ensuring that excessive personal data is not processed/retaining it only for as long as is necessary, the GDPR contains an explicit obligation to implement appropriate technical and organisational measures designed to meet these requirements.

What are the practical implications?

The explicit mention in the GDPR of the requirements of ‘privacy by design’ and ‘privacy by default’ will mean that businesses must implement internal processes and procedures to address these requirements. Some practical steps that may be advisable include:

  • implementing a privacy impact assessment template that the business can populate each time it designs, procures or implements a new system;
  • revising standard contracts with data processors to set out how risk/liability will be apportioned between the parties in relation to the implementation of ‘privacy by design’ and ‘privacy by default’ requirements;
  • revisiting data collection forms/web-pages to ensure that excessive data is not collected;
  • having automated deletion processes for particular personal data, for example technical measures that flag personal data for deletion once a defined retention period has elapsed.
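As an added illustration of the last two practical steps above, and of the pseudonymisation measure mentioned earlier in this post, the following Python script is example code written for this page; it is not taken from the GDPR text or from any product. It applies an assumed per-purpose retention policy to a constructed set of customer records, suppresses marketing records for individuals who have objected, flags expired records for deletion, and replaces the e-mail address in retained records with a keyed HMAC token whose key is held outside the dataset. The purposes, retention periods, record fields, key and sample data are all assumptions.

```python
"""Retention-based deletion and keyed pseudonymisation.

Added example for the 'privacy by default' steps above. The purposes,
retention periods, record fields and sample data are assumptions; a real
policy comes from the controller's records of processing, not from code.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed retention periods per processing purpose, in days.
RETENTION_DAYS = {
    "order_fulfilment": 180,
    "marketing": 90,
}


@dataclass
class Record:
    record_id: int
    email: str
    purpose: str
    created_at: datetime
    marketing_objected: bool = False


def pseudonymise(email: str, key: bytes) -> str:
    """Replace an identifier with a keyed HMAC-SHA256 token.

    The key is held separately from the dataset, so the token cannot be
    re-linked to the person without it. A plain (unkeyed) SHA-256 of an
    e-mail address would be reversible by a dictionary attack on likely
    addresses, which is why a keyed construction is used here.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def is_expired(rec: Record, now: datetime) -> bool:
    """True when the record has outlived the retention period for its purpose.

    A purpose with no retention entry is treated as expired: data with no
    stated purpose should not be retained by default.
    """
    days = RETENTION_DAYS.get(rec.purpose)
    if days is None:
        return True
    return now - rec.created_at > timedelta(days=days)


def apply_policy(records, now: datetime, key: bytes):
    """Return (retained, flagged_for_deletion).

    - Expired records are flagged for deletion by record id.
    - Marketing records whose data subject has objected are suppressed
      (flagged as well).
    - Retained records carry a pseudonymised token in place of the raw
      e-mail address, so downstream processing never sees the identifier.
    """
    retained, flagged = [], []
    for rec in records:
        suppressed = rec.purpose == "marketing" and rec.marketing_objected
        if is_expired(rec, now) or suppressed:
            flagged.append(rec.record_id)
        else:
            retained.append({
                "record_id": rec.record_id,
                "purpose": rec.purpose,
                "subject_token": pseudonymise(rec.email, key),
            })
    return retained, flagged


# Constructed sample data for the example, not real customer records.
SAMPLE_NOW = datetime(2016, 1, 5, tzinfo=timezone.utc)
SAMPLE_KEY = b"example-key-held-outside-the-dataset"  # assumption
SAMPLE_RECORDS = [
    Record(1, "Alice@example.com", "order_fulfilment", SAMPLE_NOW - timedelta(days=30)),
    Record(2, "bob@example.com", "order_fulfilment", SAMPLE_NOW - timedelta(days=200)),
    Record(3, "carol@example.com", "marketing", SAMPLE_NOW - timedelta(days=10),
           marketing_objected=True),
    Record(4, "dave@example.com", "marketing", SAMPLE_NOW - timedelta(days=10)),
    Record(5, "erin@example.com", "legacy_import", SAMPLE_NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    kept, to_delete = apply_policy(SAMPLE_RECORDS, SAMPLE_NOW, SAMPLE_KEY)
    print("retained:", kept)
    print("flagged for deletion:", to_delete)
```

Two design choices carry the privacy-by-default point: a record whose purpose is not in the retention table is flagged rather than kept, so nothing is retained without a stated purpose; and the pseudonymisation key lives outside the dataset, since a token that anyone holding the data can regenerate would not count as a safeguard at all.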

The Directive is Dead (Almost)! Long live the GDPR!

Posted on December 15th, 2015



It’s here: after years and years of debate, the negotiating parties to the trilogue are reported finally to have agreed the text of the European Union’s successor privacy legislation: the General Data Protection Regulation.  Jan Albrecht, the German MEP leading the European Parliament’s negotiations on the GDPR, even tweeted this picture of the negotiators who struck today’s deal – somehow a fitting use of social media technology, given that the key driver behind this legislative change is to bring Europe’s aging data privacy rules up to date for the modern technological era.

This isn’t the formal end of the legislative process though – while the text of the GDPR has been agreed by the trilogue negotiation parties (and if you’re wondering what a trilogue is, see my colleague Olivier’s post here), it still has yet to be formally adopted by the European Parliament and Council.  This is very likely to be a rubber-stamping process taking place early in 2016 – only then will the GDPR actually become law.  When it does, the countdown clock will begin ticking down to the date when the GDPR comes fully into effect – two years after its adoption (so 2018).

The agreed text has not yet been made publicly available, even though near-final drafts of it have been leaked.  Rest assured, Fieldfisher’s Privacy, Security and Information team will be reporting as and when it is, and in the meantime, you can find excellent analyses of the changes being brought in by the GDPR in our “Getting to know the GDPR” blog series posted on this blog – in particular:

1.  Getting to know the GDPR, Part 1 – You may be processing more personal information than you think

2.  Getting to know the GDPR, Part 2 – Out-of-scope today, in scope in the future. What is caught?

3.  Getting to know the General Data Protection Regulation, Part 3 – If you receive personal data from a third party, you may need to “re-think” your legal justification for processing it

4.  Getting to know the GDPR, Part 4 – “Souped-up” individual rights.

5.  Getting to know the GDPR, Part 5: Your big data analytics and profiling activities may be seriously curtailed

In a nutshell, what can you expect?  Well, the GDPR will usher in an era of greater accountability, with significantly increased transparency and greater control for individuals over their data.  It will have a global effect, so that any business that collects and uses data from European citizens – whether established in the EU or not – will potentially find itself subject to EU data protection rules.

It will apply both to “controllers” and to “processors”, meaning service provider businesses (think the B2B cloud) that previously had not been directly subject to EU data protection compliance requirements will find themselves caught by the new rules.  And, of course, there is the headline grabbing news that non-compliant businesses risk fines of up to 4% of global turnover.

Finally, there is the good news that the patchwork quilt of 28 different EU Member States’ laws, all with their own quirks and kinks, will be replaced by a single, unifying data protection law, leading (hopefully) to significantly greater data protection harmonization throughout the EU – a “win, win” for consumers and businesses alike.  Data protection authorities must live up to this challenge of harmonization through the mechanics of the GDPR’s ‘one stop shop’ and consistency mechanism.

What a journey!  While there have been skeptics along the way (and I count myself among them), there’s no denying that this is an achievement of simply epic proportions and one that will define the future of Europe’s Digital Single Market, of data protection, and of our identities and rights as individuals, for decades to come.

For more information, see this European Commission press release here.

EU proposes new consumer rights for the return of data exchanged for digital content

Posted on December 10th, 2015 by



We’ve previously commented in some depth on the EU’s Digital Single Market proposals, most of which are currently out to consultation. The European Commission today set out new plans for two proposals under this DSM strategy to better protect consumers who shop online across the EU and help businesses expand their online sales. There’s more detail on the ecommerce issues at our sister Tech Blog.

The online context

In a nutshell, the EU is concerned that EU-based online consumers enjoy a variety of different online rights from country to country, and this significantly complicates compliance for eVendors. This creates real difficulties for any eVendor looking to address all EU markets with their services. In particular, there are no consistent consumer rights around the supply of “digital content” (a term not even recognized in the laws of some Member States).

The EU proposal for a Digital Content Directive

One of today’s proposals from the European Commission included a draft for a new Directive on the supply of digital content (e.g. streaming music, online games, apps or e-books; see text here) (the “draft Directive”). We’re told the “proposals will tackle the main obstacles to cross-border e-commerce in the EU: legal fragmentation in the area of consumer contract law and resulting high costs for businesses – especially SMEs – and low consumer trust when buying online from another country.”

But what’s this got to do with “data”?

“That’s all ecommerce” – “this is a data privacy blog” you say. Well, in today’s digital economy, information about individuals is often as valuable as money. Digital content is often supplied in exchange for the consumer giving access to personal or other data. In this draft Directive this is somewhat clumsily termed “use of the counter-performance other than money”. With this in mind, and with the desire to treat the exchange of data in the same way as the exchange of money, Articles 12 to 16 of the draft Directive address consumer rights in digital content contracts established in exchange for data.

An eVendor must cease data use upon contract termination

Importantly, under the draft Directive proposals, if an EU consumer has obtained digital content or a digital service in exchange for data or personal data, the new rules clarify that the eVendor should stop using that data if the contract is ended. What’s more, the eVendor should return it!

In the cases of a lack of conformity with the contract, the consumer shall be entitled to have digital content they’ve “purchased” (or participated in the “use of the counter-performance other than money”!) brought into conformity with the contract free of charge. If this can’t be done (and subject to some other provisions I’ll spare you from here), the consumer may be either entitled to a proportionate reduction in price or to terminate the contract – Article 12.

There are similar proposals in the event termination rights are exercised in respect of digital content provided and then modified by the eVendor over a period of time. If a subsequent modification adversely impacts the access to, or use of the content, then the consumer has a termination right in certain prescribed circumstances – Article 15.

There are also similar termination rights proposed in respect of long-term contracts (lasting more than 12 months) – Article 16.

When a contract for digital content terminates

What’s more, in any of the above circumstances, where the consumer terminates the contract for digital content that has been entered into in exchange for data instead of money:

  • The eVendor “shall take all measures which could be expected” and cease use of (1) any data which the consumer has provided in exchange for the digital content; and (2) any other data collected by the eVendor in relation to the supply of the digital content (including any content provided by the consumer but with the exception of the content which has been generated jointly by the consumer and others who continue to make use of the content); and
  • The eVendor shall provide the consumer with technical means to “retrieve all content provided by the consumer and any other data produced or generated through the consumer’s use of the digital content to the extent that data has been retained by the eVendor”. What’s more, the consumer “shall be entitled to retrieve the content free of charge, without significant inconvenience, in reasonable time and in a commonly used data format unless this is impossible, disproportionate or unlawful”.

There is no distinction between personal data and data so the proposed rules are quite pervasive. The Recitals to the draft Directive state “[f]ulfilling the obligation to refrain from using data should mean in the case when the counter-performance consists of personal data, that the supplier should take all measures in order to comply with data protection rules by deleting it or rendering it anonymous in such a way that the consumer cannot be identified by any means likely reasonably to be used either by the supplier or by any other person.” This reads as a positive obligation to delete and not purely a reactionary step should the consumer request it.

This is HUGE! For any eVendor, isolating and stopping the use of discrete data sets relating to an individual consumer is hard enough. Designing and perfecting a mechanism to trace and then return any and all data sets specific to a customer is something else. This is a data identification and portability conundrum of extreme proportions. As above, the draft expressly applies to any data (and not just personal data).

In context, say I download a free eBook in return for my personal details and perhaps the completion of an online survey. That book reads well, but at chapter 7, I can no longer advance the pages and the eVendor cannot cure this despite my demands. As a consumer, I’ll have a right to terminate. At that point the eVendor of the book must stop using my details and cease using the data from my survey. Additionally, all that data must be identified and returned! Thankfully, the eVendor would not have to identify and cease to use certain meta-data relating to how fast, when and on which devices I read the eBook (see below, as it seems that’s out of the draft Directive’s scope). If I’m honest, for a free eBook, I’m not sure I care about the return of my data (but an Austrian student with a good legal background and time on his or her hands will!).

When would the rules apply?

This is a first draft proposal and will undoubtedly be subject to intense lobbying and debate in the coming months. Even once passed, as a directive, it would take up to 24 months to incorporate the rules into the local law of Member States.

The accompanying impact assessment stressed that in particular the draft Directive should cover services which allow the creation, processing or storage of data. “While there are numerous ways for digital content to be supplied, such as transmission on a durable medium, downloading by consumers on their devices, web-streaming, allowing access to storage capabilities of digital content or access to the use of social media, this Directive should apply to all digital content independently of the medium used for its transmission”. The Directive does not cover services performed with a significant element of human intervention or contracts governing specific sectorial services such as healthcare, gambling or financial services.

For now, the draft Directive should apply only to contracts where the eVendor “requests and the consumer actively provides data, such as name and e-mail address or photos, directly or indirectly to the supplier for example through individual registration or on the basis of a contract which allows access to consumers’ photos”.

This Directive should not apply to situations where:

  • the eVendor “collects data necessary for the digital content to function in conformity with the contract, for example geographical location where necessary for a mobile application to function properly, or for the sole purpose of meeting legal requirements, for instance where the registration of the consumer is required for security and identification purposes by applicable laws”;
  • data collected is “strictly necessary for the performance of the contract or for meeting legal requirements and the supplier does not further process them in a way incompatible with this purpose”;
  • the eVendor collects information, “including personal data, such as the IP address, or other automatically generated information such as information collected and transmitted by a cookie, without the consumer actively supplying it, even if the consumer accepts the cookie”; and
  • the consumer is “exposed to advertisements exclusively in order to gain access to digital content”.

What about other privacy rules (and presumably the GDPR)?

Article 3 of the draft Directive clarifies that in case of conflict between the Directive and another EU act, the other EU act takes precedence. In particular, it clarifies that the Directive is without prejudice to the rules on data protection.

In terms of general proposed scope, the draft Directive “covers the supply of all types of digital content”. It also covers “digital content supplied not only for a monetary payment but also in exchange for (personal and other) data provided by consumers, except where the data have been collected for the sole purpose of meeting legal requirements”.

You thought you had enough new law to deal with.

Mark Webber – Partner, Silicon Valley California mark.webber@fieldfisher.com

Europe’s first ever EU-wide cyber-security rules “agreed”

Posted on December 9th, 2015 by



On 7 December 2015 a European Parliament press release reported that EU MEPs had closed a deal with the European Council on the first ever EU rules on cyber-security. Though we’re yet to see the full text, we now know that the final text of the Network and Information Security Directive (“NIS Directive”) has been agreed. We’re just over two years away from implementation of the NIS Directive (and potentially the General Data Protection Regulation), a cyber and data revolution that will test many a legal team.

Why do we need it?

The NIS Directive aims to bolster the security of Europe’s critical infrastructure. When NIS incidents occur, they can have a huge impact by compromising services or by interrupting the day-to-day operations of business. It is recognised that, with increasing cross-border technological co-dependencies, a NIS incident in one country can have an impact across the whole EU and undermine both market and consumer confidence.

By introducing more consistent risk management measures and systematic reporting of incidents, the NIS Directive aims to help sectors dependent on IT systems to be more reliable and stable. The NIS Directive, proposed by the European Commission back in February 2013, is part of a wider EU cybersecurity strategy aimed at creating a secure and trustworthy digital environment. The stated aims at that time were to ensure that key institutions such as banks, energy companies and other entities involved in critical infrastructure maintain secure information systems.

The rhetoric is clear; the NIS Directive aims to impose a minimum level of security for digital technologies, networks and services across all Member States. It also proposes to make it compulsory for certain businesses and organisations to report significant cyber incidents.

At its inception, Neelie Kroes, then EC Vice-President for the Digital Agenda, emphasised: “The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It’s time to take coordinated action – the cost of not acting is much higher than the cost of acting.”

The threat of a cyber-attack is more immediate now than ever

Though increasingly common, the risks and damage posed by cyber-threats have been a reality for some time. The NIS Directive will impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the EU. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for businesses and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”).

Key question – which market operators actually fall within its scope?

Ever since 2013, there has been extensive lobbying and debate about which market operators would be caught within its terms, and the scope of the “market operators” definition has been a bone of contention throughout negotiations. Even following this week’s press release we’re still not clear about where this debate has fallen out. At inception, the proposed Directive had in its sights operators including “search engines, cloud providers, social networks, public administrations, online payment platforms like PayPal, and major eCommerce websites, such as Amazon”.

Recent word from Brussels indicates that market operators will take on a broad definition and be categorised as either “digital service providers” or “operators providing essential services” in the final law, thereby catching the likes of e-commerce platforms and cloud service providers. Despite reaching an agreement, the December 7th press release does not clarify all the ambiguity but it does confirm the sectors and services already known to be in scope:

“MEPs put an end to current fragmentation of 28 cybersecurity systems by listing sectors – energy, transport, banking, financial market, health and water supply – in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities.”

Critical infrastructure is in – but are “digital service providers” caught?

Among others, the UK Government had long argued that “digital services” should not be required to report cyber-threat issues to the NCA. The press release confirms that Member States will have to identify concrete “operators of essential services” from these sectors using certain criteria: whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety. Signs of a test emerging?

A leaked memo from the Presidency to the Council (dated 8 December 2015) and published on www.statewatch.org indicates little more:

“On substance, the co-legislators agreed to provide for uniform rules on certain aspects in the area of digital service providers. In particular, Member States should not impose stricter security and notification requirements on those providers and the European Commission will have the power to further specify certain elements in implementing acts. Moreover, both institutions agreed to link jurisdiction of operators of essential services to an establishment on the Member States’ territory and also reached an agreement on the role of the cooperation group and on the remaining horizontal issues.” (My emphasis)

So we’re actually no closer to understanding which “digital service platforms” the NIS Directive will extend to and therefore which “digital service providers” will incur the mandatory obligation to report security incidents to a national competent authority (“NCA”). We only learn that: “In addition, some internet services providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. Micro and small digital companies will get an exemption, the deal says.” The “and clouds” mention had the Team here in Silicon Valley laughing as it’s unclear quite what is meant by this and in reality the vast majority of businesses have a cloud-based element to their services these days.

So while the EU is consulting around the definition of “online platforms” and “cloud” under the Digital Single Market initiative, it seems that here it has made up its mind. To be fair, the press release quotes the European Parliament’s rapporteur Andreas Schwab (EPP, DE) saying:

“… this directive marks the beginning of platform regulation. Whilst the Commission’s consultation on online platforms is still on-going, the new rules already foresee concrete definitions – a request that Parliament had made since the beginning in order to give its consent to the inclusion of digital services”.

Equally, the ink hasn’t yet dried on the drafts and it’s wrong to speculate too much until the future rules are agreed once and for all. We’ll update you soon on exactly what this “concrete definition” is and its impact once we know more.

What next

We’re not quite there yet. This provisionally-agreed text still needs to be formally approved by Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives. The leaked memo establishes the Presidency’s aim is to present the agreed text for approval by the Permanent Representatives Committee (Coreper) on 18 December 2015. This will be followed by the legal-linguistic revision by quality advisors of both institutions early next year. To conclude the procedure, formal adoption by both the Council and the Parliament is required.

As a directive, EU Member States would then have 21 months to publish national regulations implementing the NIS Directive’s principles and a further six months to bring those new rules into force (during which time it seems Member States will be expected to carry out the identification of operators of essential services). We anticipate that key elements of this directive will stipulate maximum harmonisation so, in certain areas, Member States will be restricted from implementing rules that go further than the NIS Directive’s terms.

Further comment will be possible as and when the final text is released (or leaked) as a public document. As we all monitor www.statewatch.org and the press for the all-too-common leak your Fieldfisher team will update you.

In the meantime – what’s the practical consequence?

This is an entirely new obligation for businesses that fall within the NIS Directive’s ambit. Those businesses that are caught will need to take a serious look at their preparedness for preventing, managing and responding to a cyber-security breach. This will necessitate system-wide security reviews and the creation of cyber breach management policies, incident response teams and awareness-raising programs. This is of course the reaction the EU is looking for.

The agreement of the NIS Directive represents one step in wider ongoing regulatory reform around digital platform regulation and data privacy rules. 2016 will herald a wealth of legal development, including the General Data Protection Regulation (reforming the EU’s privacy laws).

Mark Webber – Partner, Silicon Valley California mark.webber@fieldfisher.com


Getting to know the GDPR, Part 5: Your big data analytics and profiling activities may be seriously curtailed

Posted on December 4th, 2015 by



What does the law require today? 

Currently, there is no legal definition of ‘profiling’ under European data protection law. The Directive 95/46/EC refers to ‘automated individual decisions’ without explicitly mentioning the word ‘profiling’.

Article 15 of the Directive grants “the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.”, unless such decision is:

– taken in the course of entering into or performance of a contract; or

– authorized by a law.

What will the General Data Protection Regulation (GDPR) require?

Geographical scope of the GDPR:

The scope of the GDPR is broader than the current Directive 95/46/EC because it will apply not only to controllers who are established in the EU, but also to controllers who are not established in the EU “where the processing activities are related to (…) the monitoring of their behaviour as far as their behaviour takes place within the European Union.” [Emphasis added] (Article 3 of the GDPR).

Recital 21 of the GDPR explains that “in order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”

As a result, companies that are based outside the EU but are nonetheless processing personal data about EU residents in the context of profiling activities, will be subject to the GDPR, and consequently, will have to comply with the rules on automated decision-making. This will have the effect of levelling the scope of the GDPR to most companies that carry out marketing activities in Europe, regardless of whether they are established within or outside Europe.

Material scope of the GDPR:

Under the GDPR, ‘profiling’ is defined as “… any form of automated processing of personal data consisting of using those data to evaluate personal aspects relating to a natural person, in particular to analyse and predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behaviour, location or movements” (Section 12(a) of Article 4 of the Council’s version).

‘Profiling’ is therefore composed of three elements:

  • it has to be an automated form of processing;
  • it has to be carried out on personal data; and
  • the purpose of the profiling must be to evaluate personal aspects about a natural person.

There is no general prohibition of ‘profiling’ activities under the GDPR. In its current reading, Article 20 of the GDPR states in similar wording to article 15 of the Directive 95/46/EC:

“The data subject shall have the right not to be subject to a decision (…) based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her.”

The GDPR therefore sets out three criteria which may trigger the restrictions on automated processing of personal data (of which profiling is a part), namely:

  • a decision has to be made about an individual;
  • which has a legal effect for that individual or significantly affects him or her; and
  • this decision must be based solely on automated processing.

If those three criteria are met, then such automated processing would normally be prohibited, unless one of the following conditions applies:

  • A law or regulation within a Member State to which the controller is subject authorizes the profiling activity; or
  • The profiling activity is necessary for the purpose of entering into (or performing) a contract with the individual concerned; or
  • The individual concerned has given his/her explicit consent to use his/her personal data for profiling purposes.

Where the profiling is based on a contractual relationship with the data subject or the data subject’s explicit consent, the controller must implement “suitable measures” to safeguard the rights of the individuals. In particular, the controller must allow for human intervention and the right for individuals to express their point of view, to obtain further information about the decision that has been reached on the basis of this automated processing, and to contest this decision. Data controllers must also inform individuals specifically about “the existence of automated decision making including profiling and information concerning the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject” (Article 14(a) of the GDPR).

Finally, the GDPR prohibits explicitly the use of an individual’s sensitive personal data for profiling purposes, unless:

  • that individual has given his/her explicit consent (except where a law provides that such prohibition cannot be lifted by the individual’s consent); or
  • such profiling is necessary for reasons of public interest.

What are the practical implications?

Article 20 of the GDPR lays out similar restrictions on automated decision-making to those that currently exist under article 15 of the Directive 95/46/EC. However, the GDPR does make several important changes, including:

  • a specific definition for the term ‘profiling’;
  • explicit consent as a new legal basis for profiling activities;
  • a prohibition to profile individuals based on their sensitive data (unless explicit consent is obtained); and
  • an obligation to inform the data subjects specifically about any profiling activities.

Companies will therefore have to assess the lawfulness of their profiling activities: first, whether their intended profiling produces any legal effects or significantly affects the individuals concerned and, if so, on what legal basis they may carry it out (i.e., a law, a contract with the data subject or the data subject’s explicit consent). Regrettably, the GDPR does not explain what constitutes a “legal effect” or “significantly affects” the individual, and therefore we are likely to see variations in interpretation of these legal concepts by the national data protection authorities and the courts.

Once companies have assessed that their profiling activities are lawful, they must ensure that they have implemented appropriate measures to guarantee that individuals can exercise their rights (for example, the right not to be subject to profiling activities) and to ensure that their profiling activities remain within the remit of the law. This can be done by using certain techniques, such as data minimisation and pseudonymisation, to minimize the risk of affecting the privacy of individuals, and by carrying out privacy impact assessments prior to conducting their profiling activities, particularly if there is a risk of discrimination, identity theft or fraud, financial loss, damage to reputation, or other adverse effects for individuals.


By Olivier Proust, Of Counsel (olivier.proust@fieldfisher.com)

Getting to know the GDPR, Part 4 – “Souped-up” individual rights.

Posted on November 27th, 2015 by



A key area of proposed change under the General Data Protection Regulation (“GDPR”) relates to individual rights. The proposal is both to refresh individuals’ existing rights, by clarifying and extending them, and to introduce new rights. Most notably, the GDPR creates two new rights: the (in)famous “right to be forgotten” and the right to data portability.

What does the law require today? 

Currently, individuals have the following rights under the Data Protection Directive:

  • The right to be provided with fair processing information – this right requires the data controller to provide individuals with certain minimum information regarding the processing of their personal data;
  • The right of access – this right permits individuals to query the data controller as to whether personal data related to them are being processed. Upon request, the data controller must also provide a copy of any such personal data. This copy must be provided without excessive delay and may be subject to payment of a small fee;
  • The right to object to the processing of their data – this right applies in certain limited circumstances prescribed by the Data Protection Directive;
  • The right to rectification, erasure or blocking of data – this right can only be exercised when the processing is not in compliance with the Data Protection Directive;
  • The right not to be subjected to solely automated processes – this right applies where such processes evaluate the individual’s personal attributes, resulting in a decision that significantly affects him or has legal consequences for him.

What will the General Data Protection Regulation require?

Proposed extension of existing rights

Most proposed modifications to the existing rights bring clarity without extending them too much.

  • The right to be provided with fair processing information will be expanded. The bottom line is that the data controller will need to provide more detailed information, such as the source of the data and the retention period. In addition, the GDPR requires this information to be provided in an intelligible form, using clear and plain language that is adapted for the individual. The practical effect of this requirement is that policies will need to be drafted differently depending on whether they are aimed at children or adults.
  • Regarding the right of access, under the GDPR proposals, data controllers will be required to provide additional information to individuals (e.g. storage period of the data). Further, the proposed new requirements are somewhat more burdensome for businesses – in particular, businesses will need to set up a specific process in order to deal with access requests. Further, unless the request is “manifestly excessive”, data controllers will in principle be obliged to provide the information free of charge.
  • The rectification right is mostly the same and the changes will have very limited practical impact.
  • More significantly, the right to object is now broader as, when the processing is based on the legitimate interests of the controller or is undertaken for direct marketing purposes, the individual can object without having to provide specific justifications.

Proposed new rights

A controversial right from the start, the proposed right to be forgotten was influenced by the CJEU’s decision in the Costeja v. Google case. Following this ruling, the Parliament proposed renaming it the “right to erasure” and the Council has proposed dropping the obligation on the data controller to ensure third parties also erase the data. It therefore remains to be seen what form this right will take in the finalised GDPR.

It is likely though that this right would apply in one of the following scenarios:

  • The data are no longer needed for the original purpose;
  • The data subject has withdrawn his/her consent and there are no other grounds for the processing of the data;
  • The data subject has objected to the processing;
  • A court order requiring the erasure of the data has been issued;
  • The processing is unlawful.

Another proposed new right is the right of data portability. This right was created in order to improve the interoperability of data processing. The proposal of the Commission puts a heavy burden on the data controller as it imposes a requirement to provide personal data to the data subject in a commonly used format. The rationale behind the proposal is to facilitate the ease of transfer of personal data from one data controller to another.

The Parliament suggests that data portability should not be a right but rather that data controllers should be encouraged to promote interoperability, whereas the Council is of the view that this right should apply only to cases where the data subject has transmitted the relevant personal data to the data controller.

As things stand, we will have to wait to see what form this right will take or whether it will be scrapped in favour of some form of encouragement for data controllers to provide data in a commonly used format.

As regards other new rights, both the European Parliament and Council have proposed a definition of profiling as a form of automated processing. One key departure from the Data Protection Directive vis-à-vis such automated processing is that explicit consent is likely to be required for profiling which produces a legal effect or significantly affects an individual. This topic will be discussed in further detail in our next blog on the GDPR.

What are the practical implications?

  • All businesses will have to update and revamp their privacy policies and data protection notices to make sure that the extended rights are properly addressed. Businesses should check that the data protection notices that they provide to individuals contain all the required information.
  • Businesses will need to assess whether they should put in place new or updated processes and procedures to deal with the practical implications of the extended rights, e.g. a specific data procedure for dealing with access requests.
  • Finally, the right to be forgotten (and the right of portability) may require changes to companies’ operational processes and IT systems, depending on what these rights will look like in their final form.


DPAs react to the CJEU’s decision on Safe Harbor

Posted on October 22nd, 2015 by



Since the CJEU’s decision of 6 October 2015 revoking the EU/US Safe Harbor program, Safe Harbor continues to make the headlines and there are new legal developments each day. This blog post summarizes the public statements that were made in recent days by the data protection authorities (DPAs) in the EU and regulators in other parts of the world.

Reaction of the European DPAs

On 16 October 2015, the Article 29 Working Party (WP 29) issued a public statement which says that the DPAs have discussed the consequences of the CJEU’s decision. The position of the WP 29 is summarized below.

What is the WP 29’s analysis of the CJEU’s decision on Safe Harbor?

Unsurprisingly, the WP 29 says “it is clear that companies can no longer rely on Safe Harbor to transfer their data to the US”. If companies are still doubting whether their transfers under Safe Harbor are lawful, the WP 29 confirms that “transfers that are still taking place under the Safe Harbor decision are now considered to be unlawful”.

The WP 29 also states: “It is absolutely essential to have a robust, collective and common position on the implementation of the judgment”.

The WP 29 highlights that “the question of massive and indiscriminate surveillance is a key element of the Court’s analysis” and “such surveillance is incompatible with the EU legal framework”. The WP 29 makes a particularly bold statement by saying that “countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers”, which it would seem is addressed at the US authorities.

What should companies do?

Unfortunately, the WP 29 does not provide a lot of practical guidance for companies. It simply says that “businesses should reflect on the possible risks that they are taking when transferring data and should consider putting in place any legal and technical solution in a timely manner to mitigate those risks and respect the EU data protection acquis”.

Two points are worth highlighting. First, the WP 29 calls upon companies to assess their level of compliance for all types of data transfers, not just those that are based on Safe Harbor. Second, companies need to do so in a “timely manner”, which is the WP 29’s way of saying that there is no time to lose. Those companies that have already begun to implement measures in response to the Safe Harbor decision are in a better position than those that haven’t.

Does the CJEU’s decision affect other data transfer mechanisms (e.g., the EU Model Clauses and Binding Corporate Rules)?

The WP 29 says that it “will continue to analyse the impact of the CJEU’s judgment on other data transfer tools”, which in itself is not very reassuring given the reactions of some of the DPAs. In Germany, for example, the data protection authority for the German state of Schleswig-Holstein issued a position paper in which it declares the EU model contract clauses invalid.

Nonetheless, the WP 29 does convey a more reassuring message to companies by saying that “EU model clauses and BCR can still be used”. At this point, it is difficult to predict what will be the impact of the Safe Harbor decision on Model Clauses and BCR and so we will continue to monitor the situation in the weeks to come.

How will the DPAs enforce the CJEU’s decision?

The good news is that the WP 29 has granted a grace period to find an appropriate solution with the US authorities. The bad news is that this grace period will expire at the end of January 2016, which leaves very little time for companies to adapt.

Until then, if no solution has been found (a Safe Harbor 2.0?) and depending on the assessment that is made by the WP 29 of the other data transfer mechanisms, then “the DPAs are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”. As we have seen in recent months on other issues (such as mobile apps and cookies) the DPAs have demonstrated their ability to conduct pan-European enforcement actions. However, one should not forget that, even if the DPAs do launch a coordinated enforcement action, the actual enforcement measures can only be pronounced by each DPA at a national level. And the new enforcement provisions under the upcoming General Data Protection Regulation (GDPR) will not come into force before 2018 (assuming the text of the GDPR is formally adopted in 2016).

In the meantime, the WP 29 reminds that each national DPA can “investigate particular cases, for instance on the basis of complaints, and exercise their powers in order to protect individuals”, which means that each DPA can act independently against any company in accordance with its national law.

The WP 29 also says that the DPAs “will also put in place appropriate information campaigns at national level to ensure that stakeholders are sufficiently informed”, which may include “direct information to all known companies that used to rely on the Safe Harbor decision as well as general messages on the DPAs’ websites”. And so, companies who have filed their DPA notifications and/or obtained the approval of the DPAs to transfer data to the US on the basis of Safe Harbor could be contacted by the DPAs in the days or weeks to come and should therefore be prepared to explain to the DPAs what remediation measures they have put in place.

What next?

The WP 29 says that it “is urgently calling on the EU Member States and the European institutions to open discussions with the US authorities in order to find a political, legal and technical solution that enables companies to transfer personal data to the US in compliance with respect for fundamental rights. Such solutions could be found through the negotiations of an intergovernmental agreement providing stronger guarantees to EU data subjects”. It is interesting to note that the WP 29 does say that “the current negotiations around a new Safe Harbor could be a part of the solution” and so it has willingly left that window open.

The WP 29 also states: “The task that lies ahead to find a sustainable solution in order to implement the CJEU’s decision must be shared between the DPAs, the EU institutions, EU Member States and businesses”. With the GDPR soon to be adopted, it will be a challenge to get all the stakeholders to agree on a new Safe Harbor framework that complies with the provisions of the GDPR.

Reaction of the regulators in other parts of the world

The Safe Harbor decision has also caused a ripple effect beyond the European Union borders and regulators in other parts of the world have also reacted to the CJEU’s decision.

United States:

The US Department of Commerce published an advisory on the Safe Harbor website stating: “In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework”. One fails to see how the Department of Commerce can actually continue to process submissions for self-certification to Safe Harbor when clearly such transfers are now unlawful under European law.

Israel:

On October 19th, the Israeli Law, Information and Technology Authority (ILITA) issued a statement in which it revokes its prior authorization to transfer data from Israel to the U.S. on the basis of Safe Harbor. Pursuant to the data protection laws of Israel, transfers of data outside of Israel to third countries are permitted if the data is sent to a country that receives data from the EU under the same terms of acceptance. However, the CJEU’s decision invalidates the authorization to transfer personal data from Europe to companies committed to the Safe Harbor. Consequently, the position of ILITA is that organizations can no longer rely on this derogation as a basis for the transfer of personal data from Israel to organizations in the United States.

In the absence of an alternative valid arrangement or another formal decision of the EU with respect to the transfer of data from the EU to the US, companies who want to transfer personal data from Israel to the US are therefore required to assess whether they can legitimize their transfers on one of the other derogations set out in the data protection law of Israel.

Switzerland:

On 7th October, 2015, the Swiss Data Protection Authority (FDPIC) issued a first press release on its website stating that the Swiss/US Safe Harbor decision “is also called into question” by the CJEU’s decision. “As far as Switzerland is concerned, in the event of renegotiation, only an internationally coordinated approach that includes the EU is appropriate.”

On 22nd October 2015, the FDPIC made a second statement which says that “as long as Switzerland has not renegotiated a new Safe Harbor Framework with the United States, Safe Harbor cannot be deemed a valid legal mechanism for transferring personal data to the US.” It would seem, therefore, that without officially revoking the Swiss/US Safe Harbor program, it is de facto no longer possible for Swiss-based companies to transfer personal data to the US on the grounds of Safe Harbor.

Without explicitly mentioning any enforcement actions, the FDPIC calls upon businesses who are transferring personal data to the US to adapt their contracts with US companies before the end of January 2016. The FDPIC will also coordinate with the EU DPAs to determine what other actions may be required to protect the fundamental rights of the individuals.

By Olivier Proust

Getting to know the GDPR, Part 2 – Out-of-scope today, in scope in the future. What is caught?

Posted on October 20th, 2015 by



The GDPR expands the scope of application of EU data protection law requirements in two main respects:

  1. in addition to data “controllers” (i.e. persons who determine why and how personal data are processed), certain requirements will apply for the first time directly to data “processors” (i.e. persons who process personal data on behalf of a data controller); and
  2. by expanding the territorial scope of application of EU data protection law to capture not only the processing of personal data by a controller or a processor established in the EU, but also any processing of personal data of data subjects residing in the EU, where the processing relates to the offering of goods or services to them, or the monitoring of their behaviour.


The practical effect is that many organisations that were to date outside the scope of application of EU data protection law will now be directly subject to its requirements, for instance because they are EU-based processors or non-EU-based controllers who target services to EU residents (e.g. through a website) or monitor their behaviour (e.g. through cookies). For such organisations, the GDPR will introduce a cultural change and there will be more distance to cover to get to a compliance-ready status.

What does the law require today?

The Directive

At present, the Data Protection Directive 95/46/EC (“Directive”) generally sets out direct statutory obligations for controllers, but not for processors. Processors are generally only subject to the obligations that the controller imposes on them by contract. By way of example, in a service provision scenario, say a cloud hosting service, the customer will typically be a controller and the service provider will be a processor.

Furthermore, at present the national data protection law of one or more EU Member States applies if:

  1. the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State. When the same controller is established on the territory of several Member States, each of these establishments should comply with the obligations laid down by the applicable national law (Article 4(1)(a)); or
  2. the controller is not established on EU territory and, for purposes of processing personal data makes use of equipment situated on the territory of a Member State (unless such equipment is used only for purposes of transit through the EU) (Article 4(1)(c)); or
  3. the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law (Article 4(1)(b)). Article 4(1)(b) has little practical significance in the commercial and business contexts and is therefore not further examined here. The GDPR sets out a similar rule.


CJEU case law

Two recent judgments of the Court of Justice of the European Union (“CJEU”) have introduced expansive interpretations of the meaning of “in the context of the activities” and “establishment”:

  1. In Google Spain, the CJEU held that “in the context of the activities” does not mean “carried out by”. The data processing activities by Google Inc are “inextricably linked” with Google Spain’s activities concerning the promotion, facilitation and sale of advertising space. Consequently, processing is carried out “in the context of the activities” of a controller’s branch or subsidiary when the latter is (i) intended to promote and sell ad space offered by the controller, and (ii) orientates its activity towards the inhabitants of that Member State.
  2. In Weltimmo, the CJEU held that the definition of “establishment” is flexible and departs from a formalistic approach that an “establishment” exists solely where a company is registered. The specific nature of the economic activities and the provision of services concerned must be taken into account, particularly where services are offered exclusively over the internet. The presence of only one representative, who acts with a sufficient degree of stability (even if the activity is minimal), coupled with websites that are mainly or entirely directed at that EU Member State, suffices to trigger the application of that Member State’s law.


What will the GDPR require?

The GDPR will apply to the processing of personal data:

  1. in the context of the activities of an establishment of a controller or a processor in the EU; and
  2. of data subjects residing in the EU by a controller not established in the EU, where the processing activities are related to the offering of goods or services to them, or the monitoring of their behaviour in the EU.

It is irrelevant whether the actual data processing takes place within the EU or not.

As far as the substantive requirements are concerned, compared to the Directive, the GDPR introduces:

  1. new obligations and higher expectations of compliance for controllers, for instance around transparency, consent, accountability, privacy by design, privacy by default, data protection impact assessments, data breach notification, new rights of data subjects, engaging data processors and data processing agreements;
  2. for the first time, direct statutory obligations for processors, for instance around accountability, engaging sub-processors, data security and data breach notification; and
  3. severe sanctions for compliance failures.


What are the practical implications?

Controllers who are established in the EU are already caught by EU data protection law, and will therefore not be materially affected by the broader scope of application of the GDPR. For such controllers, the major change is the new substantive requirements they need to comply with.

Processors (such as technology vendors or other service providers) established in the EU will be subject to the GDPR’s direct statutory obligations for processors, as opposed to just the obligations imposed on them by contract by the controller. Such processors will need to understand their statutory obligations and take the necessary steps to comply. This is a major “cultural” change.

Perhaps the biggest change is that controllers who are not established in the EU but collect and process data on EU residents through websites, cookies and other remote activities are likely to be caught by the scope of the GDPR. E-commerce providers, online behavioural advertising networks, analytics companies that process personal data are all likely to be caught by the scope of application of the GDPR.

We still have at least 2 years before the GDPR comes into force. This may sound like a long time, but given the breadth and depth of change in the substantive requirements, it isn’t really! A lot of fact finding, careful thinking, planning and operational implementation will be required to be GDPR ready in 24 months.

So what should you be doing now?

  1. If you are a controller established in the EU, prepare your plan for transitioning to compliance with the GDPR.
  2. If you are a controller not established in the EU, assess whether your online activities amount to offering goods or services to, or monitoring the behaviour of, EU residents. If so, assess the level of awareness of / readiness for compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR. You may need to appoint a representative in the EU.
  3. Assess whether any of your EU-based group companies act as processors. If so, assess the level of awareness of / readiness for compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR.
  4. If you are a multinational business with EU and non-EU affiliates which will or may be caught by the GDPR, you will also need to consider intra-group relationships, how you position your group companies and how you structure your intra-group data transfers.