Archive for the ‘Legislative reform’ Category

Why are German courts allowed to take my global privacy policy apart?

Posted on August 7th, 2015 by

Your service is innovative, you are ambitious, and the European digital market is there for the taking. Except that the EU is not the digital single market it strives to be just yet. Recent years have seen a rise in legal disputes in Germany over allegedly unlawful clauses in standard business terms – in more and more cases including privacy policies and consent wording. Apple, Facebook, Google have all been there. They all lost on part of the language.

The story goes…

The starting point is often an international business looking to have a single global or pan-European privacy policy. It might not be perfect in all respects, but it was considered to be a reasonable compromise between addressing multiple local law requirements, keeping your business scalable, and creating transparency for customers. Now, with global expansion comes the inevitable local litigation.

The typical scenario that arises for international businesses expanding into Germany is this: An aggressive local market player trying to hold on to its pre-new economy assets sends you a warning letter, alleging your privacy policy breaches German law requirements, and includes a cease-and-desist undertaking aimed at forcing you to refrain from using unlawful privacy policy clauses.

If you are big and established, the warning letter may come from a consumer protection association that happens to have singled out you or your industry. If you refuse to comply with the warning letter, the dispute may go to court. If you lose, the court will issue an injunction preventing you from using certain language in your privacy policy. If you infringe the injunction after being served the same, judicial fines may ensue.

The legal mechanism

These warning letters typically allege that your privacy policy is not in full compliance with strict German data protection and consumer protection law. Where this is the case, privacy infringements can be actioned by competitors and consumer protection associations – note: these actions are based solely on the language of your privacy policy, irrespective of your actual privacy practices. These actions are a kind of “privately-initiated law enforcement” as there is no public regulator generally watching over use of privacy policies.

Furthermore, in certain cases – and especially where privacy policies are peppered with language stating that the user “consents” to the collection and use of their information – the privacy policy may even qualify as ‘standard business terms’ under German consumer protection law, opening the door for the full broadside of German consumer protection law scrutiny.

So, what’s the solution?

In the long run, courts or lawmakers will have to resolve the dilemma between two conflicting EU law principles: privacy regulation on a “country of origin” basis vs. consumer protection and unfair competition laws that apply wherever consumers are targeted. In essence, the question is: Which should prevail, applicable law principles under the Data Protection Directive (or the General Data Protection Regulation bound to be issued any decade now) or local law consumer protection principles under Rome I and II Regulations?

In the short term, an approach to mitigating legal and practical risks is to provide a localised privacy policy just for German consumers that is compliant with local law. Or, usually less burdensome, make your policy information-only, i.e. delete consent wording and clauses curtailing consumers’ rights in order to at least keep the policy from being subjected to full consumer protection scrutiny.

The downside to this approach is that it may require deviating from your global approach on a privacy policy. On the upside, it will spare you the nuisance of dealing with this kind of warning letter which is difficult to fight off. Remember: This is all about the language of your privacy policy, not what your real-world privacy compliance looks like.

Stay tuned for more information on warning letter squabbles regarding e-mail marketing regulations.

Unravelling the mysteries of the GDPR trilogues

Posted on July 16th, 2015 by

In recent days, “trilogue” seems to be the buzzword on everyone’s lips following the adoption by the Council of Ministers of the European Union (the “Council”) of the General Data Protection Regulation (the “GDPR”) in a first reading on 11th June. But what exactly is a “trilogue”? What is the meaning of this obscure concept that only exists under European Union law? Following my previous article on the EU’s ordinary legislative procedure, I will try through this article to unravel the mysteries of the trilogue by explaining this concept in simple, layman’s terms.

What are “trilogues”?

Under the Treaty of Lisbon, the ordinary legislative procedure follows three stages: 1/ the first reading; 2/ the second reading; and 3/ the Conciliation agreement. The Treaty of Amsterdam (which entered into force on 1st May 1999) introduced the possibility for the co-legislative bodies of the European Union (namely, the Commission, the Parliament and the Council) to reach an agreement on a legislative proposal at first reading.

Trilogues are not formally defined in the founding treaties of the European Union (TEU and TFEU), even though article 295 of the TFEU does contain a general principle stating: “the European Parliament, the Council and the Commission shall consult each other and make arrangements for their cooperation by common agreement. To that end, they may, in compliance with the Treaties, conclude inter-institutional agreements, which may be of a binding nature.”

Instead, they result from a Joint Declaration on Practical Arrangements for the Codecision Procedure (the “Joint Declaration”) adopted by the Commission, the Council and the Parliament in 1999 and later updated in 2007. According to this Joint Declaration, “the institutions shall cooperate throughout the procedure with a view to reconciling their positions as far as possible and thereby clearing the way, where appropriate, for the adoption of the act concerned at an early stage of the procedure”. The reconciliation of positions is reached through informal interinstitutional negotiations called “trilogues”.

Are trilogue meetings common practice in the EU’s ordinary legislative procedure?

Yes. Since the entry into force of the Lisbon Treaty, fewer and fewer legislative proposals have been adopted after a second reading (only 10%) and fewer even after a Conciliation (only 5%). In practice, the huge majority of legal texts are now adopted after a first reading (85%). With the increased number of Member States and a much bigger Parliament (751 MEPs), second readings simply take too long and are usually left for texts where there is a strong controversy. In recent years, the EU legislative bodies have been using “trilogues” instead as a means to speed up the legislative procedure.

When do the trilogue meetings begin?

There is no official starting date for trilogue meetings and they may be held at all stages of the legislative procedure and at different levels of representation, depending on the nature of the expected discussion. In the case of the GDPR, no agreement was found prior to the Parliament’s first reading vote (on 12th March 2014), nor prior to the Council’s first reading vote (11th June 2015).

In practice, trilogue meetings tend to kick off officially once the Council has adopted its first reading position, which is where we stand now on the GDPR. A first trilogue meeting was held on June 24th, during which the three legislative bodies agreed on the overall roadmap for the trilogue negotiations. On 14th July, the three institutions met again to discuss article 3 on the territorial scope of the Regulation and chapter 5 on international data transfers. The next trilogue meeting is due to take place in September, although no date has yet been decided.

Who attends the trilogue meetings?

Each institution designates its participants for each meeting in accordance with its own rules of procedure. Trilogue meetings are attended by representatives of all three EU legislative bodies, namely:

  • the Council of Ministers: The Council is represented by the chairperson of the relevant working group (in this case, the Working Party on Information Exchange and Data Protection (DAPIX)), the chairperson of the Committee of Permanent Representatives of the Governments of the Member States to the European Union (COREPER), national officials, members of the Council’s Secretariat and Legal Service. With Luxembourg now taking over the six-month rotating presidency of the European Union, one can expect Luxembourg to play a decisive role in the trilogue discussions given that it is home to some of the largest Internet companies in the world.
  • the Parliament: The Parliament is represented by Jan Albrecht, the rapporteur on the legal text, Claude Moraes, the chairperson of the lead Parliament committee (LIBE committee), shadow rapporteurs, political group coordinators and various staff members of the Parliament.
  • the European Commission: The Commission is represented by Paul Nemitz, the Director of the Directorate General for Justice (DG Justice), Bruno Gencarelli, the Head of Unit for Data Protection of DG Justice, and various representatives of the Commission’s Secretariat-General and Legal Service.

How are the trilogue meetings conducted?

Trilogues are chaired by the co-legislator hosting the meeting (i.e., either the Parliament or the Council) and are usually conducted in an informal manner. The co-legislative bodies undertake to exchange information regularly on the progress of codecision files in accordance with their own internal rules of procedure and to coordinate their respective calendars of work so as to conduct the proceedings in an efficient manner.

The discussions are organised around a four-column document which outlines the Commission’s initial proposal (Column 1), the Parliament’s position (Column 2) and the Council’s position (Column 3), the last column being reserved for the “compromise text”, which in the end constitutes the adopted version of the text.

During the trilogue meetings, the co-legislators (Parliament and Council) confront their positions, thus entering into a debate, with a view to reaching an agreement. In practice, the Commission often plays the role of a mediator or facilitator, making sure that an agreed position is reached.

How long will the GDPR trilogues last?

It is difficult to say as this will largely depend on how quickly the co-legislators are capable of adopting a compromise text. Under the Joint Declaration, the institutions must seek to establish an indicative timetable for the various stages leading to the final adoption of the legislative proposal. The frequency as well as the number of trilogues depends on various factors, such as the content of the legislative proposal and the political sensitivity surrounding the text.

In the case of the GDPR, the three institutions have set out to adopt the text before the end of 2015. There are examples in the past of some EU laws that were adopted within months, following fast-paced meetings taking place every month. In the given scenario, the Parliament and the Council seem to disagree quite strongly on some of the provisions, such as the rights of the individuals, international data transfers, data profiling, administrative fines and the one-stop shop mechanism. Furthermore, the EU Member States are not fully aligned, which could also further delay the adoption of the text.

While it is possible technically to reach a compromise text between now and December, it seems more likely that the text will be adopted in the beginning of 2016.

What will be the outcome of the trilogue meetings?

There are essentially two possible scenarios:

  1. The co-legislators agree on a compromise text: In this case, the agreement reached must be adopted by the Parliament’s general assembly in a second reading vote and by the Council in a second reading vote. Following adoption of the GDPR by the Parliament and the Council, the text shall be submitted for signature to the President of the Parliament and the President of the Council and to the Secretaries-General of those institutions. The jointly signed text is then sent for publication in the Official Journal of the European Union.
  2. The co-legislators do not agree on a compromise text: Statistically speaking, a failure to reach a compromise at the end of the trilogue meetings seldom happens and this is usually limited to situations where the co-legislators strongly disagree on a particular text, making it impossible to reach a final agreement. It seems unlikely that this would happen here, but if it does, then the legislative procedure would continue to a second reading in the Parliament and Council.


Are trilogues transparent enough?

Trilogue meetings have been criticized for their lack of transparency due to the fact that the meetings are held behind closed doors and little is known about the actual position of each institution during the negotiations. Emily O’Reilly, the European Ombudsman, opened an inquiry on May 28th regarding the transparency of trilogues, asking why there is no publicly accessible list of on-going trilogues and why a complete record of the documents tabled and exchanged at such meetings is also not accessible to the public. In a letter addressed to the Presidents of the Council, the Parliament and the Commission, she asks each of them to answer several questions, in particular whether the trilogue documents are made available to the public.

This shows that while trilogue meetings were initially created to establish a structured dialogue between the co-legislators with a view to adopting EU laws more expeditiously, they are also conducted in an opaque manner and very little information filters to the general public. At a time where the European Union suffers from a lack of democracy and transparency between EU citizens and the institutions who represent them, one may ask whether the time has come to adopt a more open and transparent framework for the trilogue meetings.


By Olivier Proust, Of Counsel, Privacy & Information Law Group


This article was first published in the IAPP’s Privacy Tracker.

5 Practical Steps to help companies comply with the E-Privacy Directive (yes, it’s cookies again!)

Posted on July 13th, 2015 by

This month (July 2015), the IAB Europe published new Guidance titled “5 Practical Steps to help companies comply with the E-Privacy Directive”. These 5 sensible steps in the document are aimed at brand advertisers, publishers and advertising businesses. The EU’s cookie compliance rules were remodelled as far back as 2009 when a broader set of telecommunications rules updated the e-Privacy Directive. There’s been no change since, so this Guidance has not been prompted by any regulatory change or significant shift in the compliance landscape. It does, however, serve as a useful practical reminder to anyone considering or revisiting their compliance strategy.

The context and Article 5.3

The advice in the Guidance centres around that now familiar extract from the e-Privacy Directive, Article 5.3. This of course requires you to obtain prior informed consent for storage of, or access to, information stored on a user’s terminal equipment.

The Guidance rightly acknowledges that there are differences in both the national implementations of this rule as well as the related regulatory guidance Member State to Member State.  Therein lies the rub, as many are seeking a “one-size-fits-all” approach for Europe. Often criticised, the law requires you to get consent, but doesn’t actually say how. These 5 steps from the IAB delve into the “how” and may assist you.

The 5 recommended steps in the Guidance

At a high-level the Guidance makes the following practical observations:

  1. Monitor and assess your digital property – know your properties, their technology, and what data they collect. Regularly audit these to understand the data collected and how it is used. Be particularly cautious when using partners who are collecting data on your properties.
  2. Be clear and transparent in how you present information to consumers – use plain and easy-to-understand language and don’t mislead. Consider a layered approach and, where appropriate, use helpful websites (eg like or to convey messages about how and why your property deploys its technologies (and for what purposes).
  3. Make things prominent – ensuring your privacy property is available and distinguishable. There are some short tips around ways you could go about this.
  4. Context is king! – the Guidance suggests you consider ways to achieve consent in a contextual way. Rightly this step suggests “that the key point is that you must gain consent by giving the user specific information about what they are agreeing to and providing them with a way to indicate their acceptance.” Fieldfisher reminds you that there are a number of mechanisms (express and implied) by which you may achieve this and the Guidance suggests a few of the available approaches in this step.
  5. Consider joining the EU industry programme to provide greater contextual transparency and control to consumers over customised digital advertising – “why not?” we say, as this is another tactic for staying in touch and demonstrating commitments. This step highlights the benefits of to behavioural advertisers and the “icon” initiative and transparency mechanisms available via

The so what?

The e-Privacy Directive and the EU cookie compliance issues associated with it have been alive and well for years now. We’ve frequently updated readers on the enforcement issues, sweep days and other stories where cookie compliance comes to the fore. It’s not entirely clear what prompted this “best practice” advice and steps from the IAB, but the short document is practical and insightful, whether you’re new to cookie compliance or revisiting your compliance approach.

As other members of the team have recently blogged, the CNIL recently issued a press release stating that, following its online cookies audits conducted last October (see our previous blog article), it has sent out a formal letter of enforcement (“lettre de mise en demeure”) to approximately 20 companies requesting them to comply with the cookie rules in France. Cookie compliance needs are not going away nor are they particularly difficult for most online properties. What’s more, when looking at your peers, there’s no doubt that a level of compliance and transparency is fairly prevalent across EU and EU facing websites today.

What now?

So how should you deal with cookies?  Well, the steps in this Guidance give you a great practical head start. Cookie compliance and the approach to compliance has been market-led since the outset. When asked what “good” looks like, even among the regulators the thinking went that the online industry was better placed to innovate creative and unobtrusive ways to get consent than lawyers, regulators and legislative draftsmen. That’s where bodies like the IAB Europe have played a central role and, by aligning your own practices with the pack, you are rarely in a bad place in the world of cookie compliance.


Mark Webber, Partner – Digital Regulation and Technology (Silicon Valley)


Q: Have we just passed a new EU data protection law? A: Not yet!

Posted on June 16th, 2015 by

For those of you keeping tabs on EU data protection developments, today’s exciting news was that the Council of the EU has reached a “general approach” on Europe’s proposed General Data Protection Regulation, with the twin aims of enhancing Europeans’ data protection rights and increasing business opportunities in the Digital Single Market.

And what a lot people have had to say about it! Some say it’s going to “kill off Europe’s cloud computing industry” (story here) while others describe it as “a brazen effort to destroy Europe’s world leading approach to data protection and privacy” (story here). It’s rather remarkable to note that both industry and civil liberties groups seem equally downcast about the new proposals, albeit for entirely opposing reasons.

But what these prophecies of doom all overlook is that we don’t have a new data protection law yet. In fact, far from it – we’re still only at the draft stage! And until we have agreed the final text of the new law, it’s very difficult to predict where exactly we will land on many of the issues.

For those of you struggling to understand timelines and where exactly we are in the process, here’s how things stand:

1. The European Commission (in simple terms, the executive branch of EU government) proposed a new EU data protection law in 2012 – this is the “General Data Protection Regulation”.

2. The EU Parliament (for our US audience, think the House of Representatives) and the Council of the EU (think the US Senate) each then got to review and table amendments to the draft legislation through various committee proceedings – the aim being for each institution to come up with its own preferred draft of the law.

3. The EU Parliament put forward its proposed “version” in March 2014, favouring strict protection of individuals’ rights. Today’s development is that the Council of the EU has finally (and reluctantly) put forward its own proposed “version”, with a greater leaning towards risk-based application of data protection rules. This some 3 years after the law was originally proposed by the Commission – progress has not been quick.

4. What happens next is that the Parliament, the Council and the Commission will now enter three-way “trilogue” negotiations (explained here). These are scheduled to begin on 24 June and their ultimate aim is to produce a final negotiated text that all three institutions agree on. Then, and only then, will the General Data Protection Regulation become law.

5. But, wait a minute! Even when the new law does get adopted, it’s unlikely to take effect for a further two years (unless this two year lead-in period is negotiated out during the trilogue). So, even assuming things go swimmingly and the three institutions agree on the language of the law this year, then it is still very unlikely to become effective before the middle of 2017 – and, given the rate of progress to date, 2018 frankly seems more realistic.

What all this means is that today was certainly a big day for EU data protection, but there’s still a long road to travel down. There are some things that seem almost certain to make it into the final text (application of EU data protection rules to any worldwide business servicing EU citizens, extension of liability to data processors, some notion of a one-stop shop, greater fines etc.), but many that still remain open to debate (mandatory DPOs, the role of consent, etc.).

Stay tuned, and we’ll keep you posted once we have a better assessment of the likely final text of the law. In the meantime, enjoy speculating along with everyone else but remember that, until the law is adopted, it’s just that – speculation!

German monopoly commission advises not to regulate algorithms

Posted on June 5th, 2015 by

This week, the German Monopoly Commission has published its extraordinary opinion on digital markets. Particularly interesting: the Commission advised not to regulate algorithms – which only at first glance seems to be an answer to a question nobody posed.

The study, which is available in German here, looks at a broad scope of digital business models and markets. One thing that immediately sprang to my mind is a section about the need to regulate algorithms. The background is that the Commission sees the risk that search engine providers that also offer other services such as review websites, map services or price comparison tools, may prioritize their own services against third-party offerings.

First, the Monopoly Commission clearly advocates against an unbundling of such businesses, arguing that the impact of such an unbundling is severe, and the unbundling would also contravene the general goal of competition regulation to generate an incentive for innovation by accepting organic, internal growth.

Second, the Commission also denied the feasibility of an “algorithm” regulation, i.e. an agency that would look into an algorithm to determine whether it works “neutrally”. Here, the Commission states that the number of changes that a typical search engine provider implements each year would constitute an unreasonable effort. Further, given the complexity of those algorithms, the commission doubts that it would be possible to detect a bias at all.

In particular the last point is interesting. At first glance, it seems to be the answer to a question nobody posed, but we have occasionally seen requests for an “algorithm police” in the recent past, and a couple of weeks ago, when I asked Jan Philipp Albrecht, very well-known for being the rapporteur of the European Parliament for the EU’s General Data Protection Regulation as well as for the EU-US data protection framework agreement, he clearly spoke in favour of regulating algorithms. The fact the Monopoly Commission addressed this topic may thus be more than just a side note, and it seems that this debate has only started.

Will the new EU General Data Protection Regulation prevent forum shopping?

Posted on May 12th, 2015 by

It’s a common criticism of the current EU Data Protection Directive that its provisions determining applicable law invite forum shopping – i.e. encourage businesses to establish themselves in the Member State perceived as being the most “friendly”.  In fact, while there is some truth to this belief, its effect is often overstated.  Typically, businesses choose which country to set up shop in based on a number of factors – size of the local market, access to talent and infrastructure, local labor laws and (normally the overwhelming consideration) the local tax regime.  We privacy pros like to consider data protection the determining factor but, at least in my experience, that’s hardly ever the case.

Nevertheless, it’s easy to understand why many worry about forum shopping.  Under the Directive, a business that has a data controlling “establishment” in one Member State is subject only to the national data protection laws of that Member State, to the exclusion of all other Member States.  So, for example, if I have a data controlling establishment in the UK, then the Directive says I’m subject only to UK data protection law, even when I collect data from individuals in France, Germany, Spain and so on.  A rule that works this way naturally lends itself to a concern that it might encourage a “race to the bottom”, with ill-intentioned businesses scampering to set up shop in “weak” data protection regimes where they face little to no risk of penalty – even if that concern is overstated in practice.

But a concern it is, nevertheless, and one that the new General Data Protection Regulation aims to resolve – most notably by applying a single, uniform set of rules throughout the EU.  However, the issue still arises as to which regulatory authorities should have jurisdiction over pan-EU businesses and this point has generated much excited debate among legislators looking to reach agreement on the so-called “one stop shop” mechanism under the Regulation.

This mechanism, which began life as a concept intended to provide greater regulatory certainty to businesses by providing them with a single “lead” authority to which they would be answerable, has slowly been whittled away to something scarcely recognizable.  For example, under the most recent proposals by the Council of the European Union, the concept of a lead protection authority remains but there are highly complicated rules for determining when other “concerned” data protection authorities may instead exercise jurisdiction or challenge the lead authority’s decision-making.

All of which begs the question, will the General Data Protection Regulation prevent forum shopping?  In my view, no, and here’s why:

  • Businesses don’t choose their homes based on data protection alone.  As already noted, businesses determine the Member States in which they will establish based on a number of factors, king of all being tax.  The General Data Protection Regulation will not alter this.  Countries, like Ireland or the UK, that are perceived as attractive on those other factors today will remain just as attractive once the new Regulation comes into effect.
  • While you can legislate the rules, you can’t legislate the culture. Anyone who practices data protection in the EU knows that the cultural and regulatory attitudes towards privacy vary enormously from Member State to Member State.  Even once the new Regulation comes in, bringing legislative uniformity throughout the EU with it, those cultural and regulatory differences will persist.  Countries whose regulators are perceived as being more open to relationship-building and “slow to temper” will remain just as attractive to businesses under the Regulation as they are under the Directive.
  • The penalties under the General Data Protection Regulation will incentivize forum shopping. It has been widely reported that the General Data Protection Regulation carries some pretty humungous fines for non-compliance – up to 5% of worldwide turnover.  In the face of that kind of risk, data protection takes on an entirely new level of significance and attracts serious Board level attention.  The inevitable behavioral consequence of this is that it will actively incentivize businesses to look for lower risk countries – on any grounds they can (local regulatory culture, resourcing of the local regulator and so on).
  • Mature businesses won’t restructure. The Regulation is unlikely to have an effect on the corporate structure of mature businesses, including the existing Internet giants, who have long since already established an EU controller in a particular Member State.  To the extent that historic corporate structuring decisions can be said to have been based on data protection forum shopping grounds, the General Data Protection Regulation won’t undo the effects of those decisions.  And new businesses moving into Europe always look to their longer-standing peers as a model for how they, too, should establish – meaning that those historic decisions will likely still have a distorting effect going forward.

The Digital Single Market: Has Europe bitten off more than it can chew?

Posted on May 8th, 2015 by

You may have read a lot of chatter about the European Commission’s Digital Single Market (DSM) over the last two days. The reaction in the blogosphere has already been a mix of optimism, hope, consternation, cynicism… and general Brussels fatigue.

What is the DSM?

In a nutshell, it is a strategy that seeks to create a true ‘single market’ within the EU – that is, a market where there is total free movement of goods, persons, services and capital; where individuals and businesses can seamlessly and fairly access online services, regardless of where in the EU they are situated.

Theoretically, EU citizens will finally be able to use their mobile phones across Europe without roaming charges, and access the same music, movies and sports events online at the same price wherever they are.

Whatever the public reaction, there is no doubt that the DSM is a highly ambitious strategy. It sets out wide legislative initiatives across a vast range of issues: from copyright, e-commerce, geo-blocking, competition, cross-border shipment, data protection, to telecoms regulation.

Much has already been written about these proposals and the Fieldfisher team has written this great summary of all the legislative proposals.

For the readers of this blog, we’d like to focus only on those proposals that relate to privacy and data protection.

Privacy & Data Protection issues

In our view, data issues lie at the heart of these reforms and there are 4 key initiatives that impact directly on these rights:

1. Review of data collection practices by online platforms

As part of the DSM, the Commission is proposing a “comprehensive analysis” of online platforms in general, including anything from search engines, social media sites, e-commerce platforms, app stores and price comparison sites.

One of the concerns of the Commission is that online platforms generate, accumulate and control an enormous amount of data about their customers and use algorithms to turn this into usable information. One study it looked at, for example, concluded that 12% of search engine results were personalized, mainly by geo-location, prior search history, or by whether the user was logged in or out of the site.

The Commission found that there was a worrying lack of awareness by consumers about the data collection practices of online platforms: they did not know what data about their online activities was being collected and how it was being used. In the Commission’s view, this not only interfered with the consumers’ fundamental rights to privacy and data protection, it also resulted in an asymmetry between market actors.

As platforms can exercise significant influence over how various players in the market are remunerated, the Commission has decided to gather “comprehensive evidence” about how online platforms use the information they acquire, how transparent they are about these practices and whether they seek to promote their own services to the disadvantage of competitors. Proposals for reform will then follow.

2. Review of the e-Privacy Directive

The e-Privacy Directive is currently a key piece of privacy legislation within the EU – governing the rules for cookie compliance, location data and electronic marketing amongst other things.

Not a huge amount has been said about this review in the DSM documents. All that we know at this stage is that the Commission plans to review the e-Privacy Directive after the adoption of the General Data Protection Regulation, with a focus on “ensuring a high level of protection for data subjects and a level playing field for all market players”. For instance, the Commission has said that it will review the e-Privacy Directive to ensure “coherence” with the new data protection provisions, and consider whether it should apply to a much wider set of service providers. It further says that the rules relating to online tracking and geo-location will be re-evaluated “in light of the constant evolution of technology” (Staff Working Document, p. 47).

3. Cloud computing and big data reforms

Cloud computing and big data services haven’t escaped the grasp of the Commission either. The Commission sees these types of services as central to the EU’s competitiveness. European companies are lagging significantly behind in their adoption and development of cloud computing and big data analytics services.

In its report, the Commission has diagnosed a number of key reasons for this lag:

  • EU businesses and consumers still do not feel confident enough to adopt cross-border cloud services for storing or processing data because of concerns relating to security, compliance with privacy rights, and data protection more generally.
  • Contracts with cloud providers often make it difficult to terminate or unsubscribe from the contract and to port their data to a different cloud provider.
  • Data localization requirements within Member States create barriers to cross-border data transfers, limiting competitive choice between providers and raising costs by forcing businesses to store data on servers physically located inside a particular country.

The Commission is therefore proposing to remove what it sees as a series of “technical and legislative barriers” – such as rules restricting the cross-border storage of data within the EU, the fragmented rules relating to copyright, the lack of clarity over the rights to use data, the lack of open and interoperable systems, and the difficulty of data portability between services.

4. Step up of cyber-security reforms

Cyber threats have led to significant economic losses, huge disruptions in services, violations of citizens’ fundamental rights and a breakdown in public trust in online activities. The Commission proposes to step up its efforts to reduce cybersecurity threats by requiring a more “joined up” approach by the EU industry to stimulate take up of more secure solutions by enterprises, public authorities and citizens. In addition, it seeks a “more effective law enforcement response” to online criminal activity.

Too ambitious…? 

The above is just the tip of the iceberg of the reforms that are being proposed. Outside of privacy and data protection issues, the DSM Strategy includes initiatives such as harmonizing copyright laws, extending media regulation to all online platforms, and prohibiting unjustified geo-blocking.

As with all ambitious reforms of this kind in the EU, there will be vocal critics on both sides, and a huge degree of political scrutiny. The timetable for completion is either the end of 2015 or the end of 2016 but, no doubt, it will be years before any legislation is actually signed off and transposed into national law.

In an industry which changes at such a rapid speed – week after week, month after month – the real danger of EU reform is that such legislation can already be conceptually outdated by the time it is brought into force and a whole new set of problems may, by then, have emerged.

But whatever the eventual outcome of these legislative initiatives, it is clear that there is an important, wider debate to be had about the global digital market: Why is the rest of the world so behind the US? What is the secret to the US’ success and dominance? Do these proposals really go to the heart of the problem? Such questions merit a post, if not a treatise, of their own. We should perhaps show some admiration towards the European Commission for trying to tackle these deep and knotty issues head on.



Finally, some certainty around Europe’s Single Digital Market Strategy

Posted on May 7th, 2015 by

If you haven’t already spotted it among the leaks, tweets and general pre-announcement noise, today the EU released its Digital Single Market Strategy. In an orchestrated tweet-fest the clunky machine of the EU ventured online endlessly pronouncing “let’s go digital with European #DigitalSingleMarket”. All the fanfare and hype was for a new Strategy “A Digital Single Market for Europe”.

The back-drop; a fear Europe is falling behind, a slow awakening to the inevitable truth – the Internet and digital technologies are transforming our world. Dealing with such technologies across 28 different Member States is at best extremely complex and frequently simply impossible. And yes, perhaps sometimes, the humble consumer is overwhelmed and exploited in order to deliver online gains for others.

There is a detailed commentary and explanation on our sister tech blog here.

However, readers should be aware that there are the following three privacy-related legislative initiatives:

  1. A review of the e-Privacy Directive (2002/58/EC) (by the end of 2016);
  2. The establishment of a cyber-security contractual public-private partnership (by the end of 2016); and
  3. Initiatives on data ownership, free flow of data (e.g. between cloud providers) and on a European cloud (by the end of 2016).

We’ll soon be reporting on the consequences and the interplay with the plans for the new General Data Protection Regulation.

What about timing?

The Single Digital Market Strategy promises: “The Digital Single Market project team will deliver on these different actions by the end of 2016. With the backing of the European Parliament and the Council, the Digital Single Market should be completed as soon as possible.” This will first be aired by the European Council in meetings on the 25th June 2015.

At the fore is a desire to champion and protect the consumer. As with the General Data Protection Regulation, perhaps underneath all this the US, Silicon Valley and the general success of its internet and online platforms in the EU markets is in the firing line. We all know these privacy law reform proposals have struggled to emerge and, even today, remain some way from agreement and becoming law. The constant leaking and previewing is over – will they now be able to deliver and advance any of these promises?

Perhaps the only certainty: this digital overhaul is likely to play out at analogue speed.

Mark Webber – Fieldfisher Silicon Valley Office
@digitechlaw for more and for updates



The EU General Data Protection Regulation is on its way…but when?

Posted on April 17th, 2015 by

As a privacy lawyer based in Brussels, I often get asked when the General Data Protection Regulation (the “GDPR”) will be adopted. People often look surprised or shocked when I tell them that it could take at least another year. Recently, there have been several announcements stating that the GDPR could be adopted before the end of 2015. While possible, this seems very unlikely due to the complex and lengthy legislative procedure of the European Union. Here’s an overview of how it all works…

The law-making procedure in Europe is enshrined in the founding treaties of the European Union, called the Treaty on European Union and the Treaty on the Functioning of the European Union, which were updated by the Lisbon Treaty on 1st December 2009. Essentially, there are three institutions involved in the EU’s legislative procedure, whose powers and responsibilities are defined under the EU treaties:

the European Commission (the “Commission”): which represents the interests of the Union as a whole.

the European Parliament (the “Parliament”): which represents the EU’s citizens and is directly elected by them.

the Council of Ministers of the European Union (the “Council”): which represents the governments of the 28 EU Member States. The Presidency of the Council is shared by the Member States on a rotating basis every six months. Currently, the EU presidency is held by Latvia until June 30th and will then be passed on to Luxembourg.

Together, these three institutions produce through the “Ordinary Legislative Procedure” the policies and laws that apply throughout the EU. The main steps of the Ordinary Legislative Procedure are described below.

Step 1: Commission’s initial proposal

The Commission submits its legislative proposal simultaneously to the Parliament and the Council. The Commission did so with its proposal for a GDPR on 25th January 2012.

Step 2: 1st reading in the Parliament

The President of the Parliament refers the proposal to a parliamentary committee (in this case, the Civil Liberties, Justice and Home Affairs committee, more commonly referred to as “LIBE committee”), which appoints a rapporteur (Jan Philipp Albrecht from the Group of the Greens/European Free Alliance party) who is responsible for drawing up a draft report containing amendments to the proposed text. The committee votes on this report and any amendments to it tabled by other members. This is usually the moment when all the lobbying in Brussels takes place, which as we know was immensely important for this text (more than 4,000 proposed amendments!). The Parliament then discusses and votes on the legislative proposal in its plenary session on the basis of the committee report and amendments. The result is the Parliament’s position, which in the case of the GDPR was adopted on 12th March 2014. The Parliament’s 1st reading position is then forwarded to the Council.

Step 3: 1st reading in the Council

The Council can begin preparatory work in parallel with the 1st reading in Parliament, but it may only formally conduct its 1st reading based on the Parliament’s position. The Council can either accept the Parliament’s position, in which case the legislative act is adopted; or where the Council does not adopt all the Parliament’s amendments or wants to introduce its own changes, it adopts a 1st reading position, which is sent to Parliament for a 2nd reading. This is currently where we stand with the GDPR. The Council is expected to adopt its amendments any time soon. However, it is worth noting that there is no time limit for the Council’s 1st reading, which explains why this can take a long time, particularly when the EU Member States disagree amongst themselves on some of the proposals (as is the case with the so-called “one-stop-shop” rule). The Commission may also decide at any time during the 1st reading to withdraw or alter its proposal, although this seems unlikely given the attention that the GDPR has drawn in Europe and abroad.

Step 4: 2nd reading in the Parliament

Upon receipt of the Council’s 1st reading position, the Parliament has three months (with a possible extension to four) to examine the Council’s position. The Council’s position goes first to the responsible committee (LIBE committee), which prepares a recommendation for the Parliament’s 2nd reading. In this case, the text to be amended is the Council’s 1st reading position rather than the Commission’s initial proposal.

The outcome of the 2nd reading can be that the Parliament:

– rejects the Council’s 1st reading position. This puts an end to the legislative procedure, which can only be re-launched if the Commission makes a new proposal. However, this has only happened once in July 2005 on the software patents directive.

– fails to vote within the time limit and in that case, the text is deemed to have been adopted in accordance with the Council’s 1st reading position.

– approves the Council’s 1st reading position without any amendments.

– proposes amendments to the Council’s 1st reading position.

In principle, 2nd reading amendments in Parliament are admissible only if they seek to (a) wholly or partly restore the Parliament’s 1st reading position; (b) reach a compromise between the Parliament and the Council; (c) amend part of the Council’s text that was not included in, or differs in content from, the original Commission’s proposal; or (d) take account of a new fact or legal situation that has arisen since the 1st reading. However, if European parliamentary elections have taken place since the 1st reading – which is the case here – the President may decide that the restrictions do not apply. In theory, this broadens the scope of amendments that the Parliament could make on the Council’s 1st reading of the GDPR.

Law-making behind the scenes

The EU treaties provide for a 2nd reading in the Parliament and Council and, where both institutions fail to agree on a common position, a Conciliation Committee (composed of an equal number of MEPs and Council representatives) is convened with a view to reaching an agreement on a joint text that is finally adopted in a 3rd reading in Parliament.

In recent years, however, the number of laws that have made it all the way to the Conciliation Committee has dropped significantly and, on the contrary, approximately 80% of laws are now agreed after the first reading. In fact, most of the law-making now takes place behind the scenes. The so-called “trilogues” are not mentioned anywhere in the EU treaties, but are specifically designed to speed up the legislative procedure.

The way it works is that when the co-legislators are aiming for a 1st reading agreement they will then organise informal meetings that are held behind closed doors and are attended by representatives of the Parliament (rapporteur and, where appropriate, shadow rapporteurs), the Council (chair of the working party and/or Coreper), and the Commission (department responsible for the dossier and the Commission’s Secretariat-General). This is aimed at ensuring that the Parliament’s amendments adopted in plenary are acceptable to the Council. The Commission typically plays the role of a mediator or facilitator in respect of these compromise texts. However, due to its permanent staff of highly-qualified officials, the Commission is better equipped in terms of resources and expertise than the two other institutions to impose its view during these negotiations.

In conclusion, things will certainly accelerate once the Council adopts its 1st reading position, which is expected at some point this year following the Justice and Home Affairs Council on 15-16 June. The question remains whether the Council and Parliament will succeed in reaching a common position during the trilogues, in which case a swift adoption of the GDPR in 2016 (or possibly even end of 2015) seems possible. Otherwise, the adoption of this text could be pushed to the end of 2016 or 2017 if the legislative procedure continues all the way to the Conciliation Committee, which isn’t completely unfounded given the strong divergences around this text. Only time will tell…

This article was first published in the IAPP’s Privacy Tracker.

US and European moves to foster pro-active cybersecurity threat collaboration

Posted on March 12th, 2015 by

In this blog we report a little further on the proposals to share cybersecurity threat information within the United States. We also draw analogies with a similar initiative under the EU Cybersecurity Directive aimed at boosting security protections for critical infrastructure and enhancing information sharing around incidents that may impact that infrastructure within the EU.

Both of these mechanisms reflect a fully-formed ambition to see greater cybersecurity across the private sector. Whilst the approaches taken vary, both the EU and US wish to drive similar outcomes. Actors in the market are being asked to “up” their game. Cyber-crimes and cyber-threats are impacting companies financially, operationally and, at times, are having a detrimental impact on individuals and their privacy.

Sharing of cyber-threat information in the US

Last month we reported on Obama’s privacy proposals which included plans to enhance cybersecurity protection. These plans included requests to increase the budget available for detection and prevention mechanisms as well as for cybersecurity funding for the Pentagon. They also outlined plans for the creation of a single, central cybersecurity agency: the US government is establishing a new central agency, modelled on the National Counterterrorism Centre, to combat the threat from cyber attacks.

On February 12th 2015, President Obama signed a new Executive Order to encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government. The White House emphasised in a statement that “[r]apid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone”. The rhetoric is that, in sharing information about “risks”, all actors in the United States will be better protected and prepared to react.

This Executive Order therefore encourages more cybersecurity collaboration within the private sector and between the private sector and government. The Executive Order:

  • Encourages the development of Information Sharing Organizations: with the development of information sharing and analysis organizations (ISAOs) to serve as focal points for sharing;
  • Proposes the development of a common set of voluntary standards for information sharing organizations: with Department of Homeland Security being asked to fund the creation of a non-profit organization to develop a common set of voluntary standards for ISAOs;
  • Clarifies the Department of Homeland Security’s authority to enter into agreements with information sharing organizations: the Executive Order also increases collaboration between ISAOs and the federal government by streamlining the mechanism for the National Cybersecurity and Communications Integration Center (NCCIC) to enter into information sharing agreements with ISAOs. It goes on to propose streamlining private sector companies’ ability to access classified cybersecurity threat information.

All in, Obama’s plan is to streamline private sector companies’ ability to access cybersecurity threat information. These plans were generally well-received as a step towards collective responsibility and security, though some have voiced concern that there is scant mention of liability protection for businesses that share threat information with an ISAO. Commentators have pointed out that it is this fear of liability which is a major barrier to effective threat sharing.

Past US initiatives around improving cybersecurity infrastructure

This latest Executive Order promoting private sector information sharing came one year after the launch of another US-centric development. In February 2014, the National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity pursuant to another Executive Order of President Obama’s issued back in February 2013.

This Cybersecurity Framework contains a list of recommended practices for those with “critical infrastructures”.   The Cybersecurity Framework’s executive summary explains that “[t]he national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.”

Obama’s 2013 Executive Order had called for the “development of a voluntary risk-based Cybersecurity Framework”, being a set of industry standards and best practices to help organisations manage cybersecurity risks. The resulting technology-neutral Cybersecurity Framework was the product of interaction between the private sector and Government institutions. For now the use of the Cybersecurity Framework is voluntary and it relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve resilience. “Building from those standards, guidelines, and practices, the [Cybersecurity] Framework provides a common taxonomy and mechanism for organizations to:

  • Describe their current cybersecurity posture;
  • Describe their target state for cybersecurity;
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • Assess progress toward the target state;
  • Communicate among internal and external stakeholders about cybersecurity risk.”

The Cybersecurity Framework was designed to complement, and not to replace, an organisation’s existing risk management process and cybersecurity program. There is recognition that it cannot be a one-size-fits-all solution and different organisations will have their own unique risks which may require additional considerations.

The Cybersecurity Framework states that it could be used as a model for organisations outside of the United States. Yet even in the US there are open questions about how many are actually adopting and following it.

Similarities between US and European cybersecurity proposals

We have to draw analogies between the US cybersecurity initiatives, including the more recent information sharing proposals, and the draft EU Cybersecurity Directive, which the team reported on in more detail in a recent blog. Both initiatives intend to drive behavioural change. But, as you may expect, the EU wants to introduce formal rules and consequences while the US remains focussed on building good cyber-citizens through awareness and information sharing.

The proposed Cybersecurity Directive would impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the European Union. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”). The NCA is analogous to the ISAO information sharing body concept being developed in the US. In contrast to the US Framework, the EU’s own cybersecurity initiatives are now delayed (with a likely date for mere agreement of the rules of summer 2015 and implementation not likely until 2018) and somewhat diluted compared to the original announced plans.

Both the US and EU cybersecurity initiatives aim to ensure that governments and private sector bodies involved in the provision of certain critical infrastructure take appropriate steps to deal with cybersecurity threats. Both encourage these actors to share information about cyber threats. Both facilitate a pro-active approach to cyber-risk. Whilst the US approach is more about self-regulation within defined frameworks, the EU is going further and mandating compliance – that’s a seismic shift.

In the EU we await to see the final extent of the “critical infrastructure providers” definition and whether or not “key internet enablers” will be caught within the rules or whether the more recent and narrower definition will prevail. Interplay with data breach notification rules within the upcoming General Data Protection Regulation is also of interest.


Undoubtedly cyber-risk can hit a corporate’s bottom-line. Keeping up with the pace of change and multitude of risks can be a real challenge for even the most agile of businesses. Taking adequate steps in this area is a continuous and often fast-moving process. Only time will tell us whether the information sharing and interactions that these US and EU proposals are predicated on are going to be frequent enough and fast enough to make any real difference. Cyber-readiness remains at the fore because the first to be hit still wants to preserve an adequate line of defence. The end game remains: take appropriate technical and organisational measures to secure your networks and data.

Of course cyber-space does not respect or recognise borders. How national states co-operate and share cybersecurity threat information beyond the borders of the EU is a whole other story. What is certain is that as the cyber-threat response steps up, undoubtedly so too will the hackers and cyber-criminals. The EU’s challenge is to foster a uniform approach for more effective cybersecurity across all 28 Member States. The US also wants to improve its ability to identify and respond to cyber incidents. The US and EU understand that economic prosperity and national security depend on a collective responsibility to secure.

Those acting within the EU and beyond will, in the future, have to adjust to operating (and where required complying) in an effective way across each of the emerging cybersecurity systems.

Mark Webber, Partner Palo Alto,