Archive for the ‘Legislative reform’ Category

DPAs react to the CJEU’s decision on Safe Harbor

Posted on October 22nd, 2015 by

Since the CJEU’s decision of 6 October 2015 invalidating the EU/US Safe Harbor program, Safe Harbor continues to make the headlines and there are new legal developments each day. This blog post summarizes the public statements that were made in recent days by the data protection authorities (DPAs) in the EU and by regulators in other parts of the world.

Reaction of the European DPAs

On 16 October 2015, the Article 29 Working Party (WP 29) issued a public statement which says that the DPAs have discussed the consequences of the CJEU’s decision. The position of the WP 29 is summarized below.

What is the WP 29’s analysis of the CJEU’s decision on Safe Harbor?

Unsurprisingly, the WP 29 says “it is clear that companies can no longer rely on Safe Harbor to transfer their data to the US”. If companies are still doubting whether their transfers under Safe Harbor are lawful, the WP 29 confirms that “transfers that are still taking place under the Safe Harbor decision are now considered to be unlawful”.

The WP 29 also states: “It is absolutely essential to have a robust, collective and common position on the implementation of the judgment”.

The WP 29 highlights that “the question of massive and indiscriminate surveillance is a key element of the Court’s analysis” and “such surveillance is incompatible with the EU legal framework”. The WP 29 makes a particularly bold statement by saying that “countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers”, which it would seem is addressed at the US authorities.

What should companies do?

Unfortunately, the WP 29 does not provide a lot of practical guidance for companies. It simply says that “businesses should reflect on the possible risks that they are taking when transferring data and should consider putting in place any legal and technical solution in a timely manner to mitigate those risks and respect the EU data protection acquis”.

Two points are worth highlighting. First, the WP 29 calls upon companies to assess their level of compliance for all types of data transfers, not just those that are based on Safe Harbor. Second, companies need to do so in a “timely manner”, which is the WP 29’s way of saying that there is no time to lose. Those companies that have already begun to implement measures in response to the CJEU’s decision are in a better position than those that haven’t.

Does the CJEU’s decision affect other data transfer mechanisms (e.g., the EU Model Clauses and Binding Corporate Rules)?

The WP 29 says that it “will continue to analyse the impact of the CJEU’s judgment on other data transfer tools”, which in itself is not very reassuring given the reactions of some of the DPAs. In Germany, for example, the data protection authority for the German state of Schleswig-Holstein issued a position paper in which it declares the EU model contract clauses invalid.

Nonetheless, the WP 29 does convey a more reassuring message to companies by saying that “EU model clauses and BCR can still be used”. At this point, it is difficult to predict what will be the impact of the Safe Harbor decision on Model Clauses and BCR and so we will continue to monitor the situation in the weeks to come.

How will the DPAs enforce the CJEU’s decision?

The good news is that the WP 29 has granted a grace period to find an appropriate solution with the US authorities. The bad news is that this grace period will expire at the end of January 2016, which leaves very little time for companies to adapt.

Until then, if no solution has been found (a Safe Harbor 2.0?) and depending on the assessment that is made by the WP 29 of the other data transfer mechanisms, then “the DPAs are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”. As we have seen in recent months on other issues (such as mobile apps and cookies), the DPAs have demonstrated their ability to conduct pan-European enforcement actions. However, one should not forget that, even if the DPAs do launch a coordinated enforcement action, the actual enforcement measures can only be pronounced by each DPA at a national level. And the new enforcement provisions under the upcoming General Data Protection Regulation (GDPR) will not come into force before 2018 (assuming the text of the GDPR is formally adopted in 2016).

In the meantime, the WP 29 reminds that each national DPA can “investigate particular cases, for instance on the basis of complaints, and exercise their powers in order to protect individuals”, which means that each DPA can act independently against any company in accordance with its national law.

The WP 29 also says that the DPAs “will also put in place appropriate information campaigns at national level to ensure that stakeholders are sufficiently informed”, which may include “direct information to all known companies that used to rely on the Safe Harbor decision as well as general messages on the DPAs’ websites”. And so, companies that have filed their DPA notifications and/or obtained the approval of the DPAs to transfer data to the US on the basis of Safe Harbor could be contacted by the DPAs in the days or weeks to come and should therefore be prepared to explain to the DPAs what remediation measures they have put in place.

What next?

The WP 29 says that it “is urgently calling on the EU Member States and the European institutions to open discussions with the US authorities in order to find a political, legal and technical solution that enables companies to transfer personal data to the US in compliance with respect for fundamental rights. Such solutions could be found through the negotiations of an intergovernmental agreement providing stronger guarantees to EU data subjects”. It is interesting to note that the WP 29 does say that “the current negotiations around a new Safe Harbor could be a part of the solution” and so it has willingly left that window open.

The WP 29 also states: “The task that lies ahead to find a sustainable solution in order to implement the CJEU’s decision must be shared between the DPAs, the EU institutions, EU Member States and businesses”. With the GDPR soon to be adopted, it will be a challenge to get all the stakeholders to agree on a new Safe Harbor framework that complies with the provisions of the GDPR.

Reaction of the regulators in other parts of the world

The Safe Harbor decision has also caused a ripple effect beyond the European Union borders and regulators in other parts of the world have also reacted to the CJEU’s decision.

United States:

The US Department of Commerce published an advisory on the Safe Harbor website stating: “In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework”. One fails to see how the Department of Commerce can actually continue to process submissions for self-certification to Safe Harbor when such transfers are now clearly unlawful under European law.

Israel:
On October 19th, the Israeli Law, Information and Technology Authority (ILITA) issued a statement in which it revokes its prior authorization to transfer data from Israel to the U.S. on the basis of Safe Harbor. Pursuant to the data protection laws of Israel, transfers of data outside of Israel to third countries are permitted if the data is sent to a country that receives data from the EU under the same terms of acceptance. However, the CJEU’s decision invalidates the authorization to transfer personal data from Europe to companies committed to Safe Harbor. Consequently, the position of ILITA is that organizations can no longer rely on this derogation as a basis for the transfer of personal data from Israel to organizations in the United States.

In the absence of an alternative valid arrangement or another formal decision of the EU with respect to the transfer of data from the EU to the US, companies who want to transfer personal data from Israel to the US are therefore required to assess whether they can legitimize their transfers on one of the other derogations set out in the data protection law of Israel.

Switzerland:
On 7th October, 2015, the Swiss Data Protection Authority (FDPIC) issued a first press release on its website stating that the Swiss/US Safe Harbor decision “is also called into question” by the CJEU’s decision. “As far as Switzerland is concerned, in the event of renegotiation, only an internationally coordinated approach that includes the EU is appropriate.”

On 22nd October 2015, the FDPIC made a second statement which says that “as long as Switzerland has not renegotiated a new Safe Harbor Framework with the United States, Safe Harbor cannot be deemed a valid legal mechanism for transferring personal data to the US.” It would seem, therefore, that without officially revoking the Swiss/US Safe Harbor program, it is de facto no longer possible for Swiss based companies to transfer personal data to the US on the grounds of Safe Harbor.

Without explicitly mentioning any enforcement actions, the FDPIC calls upon businesses who are transferring personal data to the US to adapt their contracts with US companies before the end of January 2016. The FDPIC will also coordinate with the EU DPAs to determine what other actions may be required to protect the fundamental rights of the individuals.

By Olivier Proust

Getting to know the GDPR, Part 2 – Out-of-scope today, in scope in the future. What is caught?

Posted on October 20th, 2015 by

The GDPR expands the scope of application of EU data protection law requirements in two main respects:

  1. in addition to data “controllers” (i.e. persons who determine why and how personal data are processed), certain requirements will apply for the first time directly to data “processors” (i.e. persons who process personal data on behalf of a data controller); and
  2. by expanding the territorial scope of application of EU data protection law to capture not only the processing of personal data by a controller or a processor established in the EU, but also any processing of personal data of data subjects residing in the EU, where the processing relates to the offering of goods or services to them, or the monitoring of their behaviour.


The practical effect is that many organisations that were to date outside the scope of application of EU data protection law will now be directly subject to its requirements, for instance because they are EU-based processors or non EU-based controllers who target services to EU residents (e.g. through a website) or monitor their behaviour (e.g. through cookies). For such organisations, the GDPR will introduce a cultural change and there will be more distance to cover to get to a compliance-ready status.

What does the law require today?

The Directive

At present, the Data Protection Directive 95/46/EC (“Directive”) generally sets out direct statutory obligations for controllers, but not for processors. Processors are generally only subject to the obligations that the controller imposes on them by contract. By way of example, in a service provision scenario, say a cloud hosting service, the customer will typically be a controller and the service provider will be a processor.

Furthermore, at present the national data protection law of one or more EU Member States applies if:

  1. the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State. When the same controller is established on the territory of several Member States, each of these establishments should comply with the obligations laid down by the applicable national law (Article 4(1)(a)); or
  2. the controller is not established on EU territory and, for purposes of processing personal data makes use of equipment situated on the territory of a Member State (unless such equipment is used only for purposes of transit through the EU) (Article 4(1)(c)); or
  3. the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law (Article 4(1)(b)). Article 4(1)(b) has little practical significance in the commercial and business contexts and is therefore not further examined here. The GDPR sets out a similar rule.


CJEU case law

Two recent judgments of the Court of Justice of the European Union (“CJEU”) have introduced expansive interpretations of the meaning of “in the context of the activities” and “establishment”:

  1. In Google Spain, the CJEU held that “in the context of the activities” does not mean “carried out by”. The data processing activities by Google Inc are “inextricably linked” with Google Spain’s activities concerning the promotion, facilitation and sale of advertising space. Consequently, processing is carried out “in the context of the activities” of a controller’s branch or subsidiary when the latter is (i) intended to promote and sell ad space offered by the controller, and (ii) orientates its activity towards the inhabitants of that Member State.
  2. In Weltimmo, the CJEU held that the definition of “establishment” is flexible and departs from a formalistic approach that an “establishment” exists solely where a company is registered. The specific nature of the economic activities and the provision of services concerned must be taken into account, particularly where services are offered exclusively over the internet. The presence of only one representative, who acts with a sufficient degree of stability (even if the activity is minimal), coupled with websites that are mainly or entirely directed at that EU Member State suffice to trigger the application of that Member State’s law.


What will the GDPR require?

The GDPR will apply to the processing of personal data:

  1. in the context of the activities of an establishment of a controller or a processor in the EU; and
  2. of data subjects residing in the EU by a controller not established in the EU, where the processing activities are related to the offering of goods or services to them, or the monitoring of their behaviour in the EU.

It is irrelevant whether the actual data processing takes place within the EU or not.

As far as the substantive requirements are concerned, compared to the Directive, the GDPR introduces:

  1. new obligations and higher expectations of compliance for controllers, for instance around transparency, consent, accountability, privacy by design, privacy by default, data protection impact assessments, data breach notification, new rights of data subjects, engaging data processors and data processing agreements;
  2. for the first time, direct statutory obligations for processors, for instance around accountability, engaging sub-processors, data security and data breach notification; and
  3. severe sanctions for compliance failures.


What are the practical implications?

Controllers who are established in the EU are already caught by EU data protection law, and will therefore not be materially affected by the broader scope of application of the GDPR. For such controllers, the major change is the new substantive requirements they need to comply with.

Processors (such as technology vendors or other service providers) established in the EU will be subject to the GDPR’s direct statutory obligations for processors, as opposed to just the obligations imposed on them by contract by the controller. Such processors will need to understand their statutory obligations and take the necessary steps to comply. This is a major “cultural” change.

Perhaps the biggest change is that controllers who are not established in the EU but collect and process data on EU residents through websites, cookies and other remote activities are likely to be caught by the scope of the GDPR. E-commerce providers, online behavioural advertising networks, analytics companies that process personal data are all likely to be caught by the scope of application of the GDPR.

We still have at least 2 years before the GDPR comes into force. This may sound like a long time, but given the breadth and depth of change in the substantive requirements, it isn’t really! A lot of fact finding, careful thinking, planning and operational implementation will be required to be GDPR ready in 24 months.

So what should you be doing now?

  1. If you are a controller established in the EU, prepare your plan for transitioning to compliance with the GDPR.
  2. If you are a controller not established in the EU, assess whether your online activities amount to offering goods or services to, or monitoring the behaviour of, EU residents. If so, assess the level of awareness of / readiness for compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR. You may need to appoint a representative in the EU.
  3. Assess whether any of your EU-based group companies act as processors. If so, assess the level of awareness of / readiness for compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR.
  4. If you are a multinational business with EU and non-EU affiliates which will or may be caught by the GDPR, you will also need to consider intra-group relationships, how you position your group companies and how you structure your intra-group data transfers.

Europe now holds the key to the future of privacy

Posted on October 10th, 2015 by

A lot is being said about the CJEU’s ruling on Safe Harbor. Without any doubt, for the privacy community this is the most important legal development since the EU Commission’s announcement of a revision to the Data Protection Directive of 1995. What the Court’s ruling shows us is that privacy has become a major area of law and an absolute priority in terms of compliance for any company.

Among the many issues that this decision raises, I’d like to focus on two key issues. The first is enforcement. Many companies are wondering what the risk is for them now that Safe Harbor has been pronounced invalid. As a lawyer, I believe there is no point in arguing the CJEU’s ruling (see our analysis of the CJEU’s ruling in the Max Schrems case). Some may disagree with it, but it is now the law in Europe, and we need to accept it.

As a practitioner, however, I think we need to analyse the Court’s decision in a practical and pragmatic manner. Strictly from a legal point of view, the CJEU’s decision leaves no room for interpretation: Safe Harbor is invalid, and so companies can no longer rely on it to transfer their data to the U.S. But, in practical terms, it is unrealistic to think that EU companies will suddenly pull the plug and stop transferring their data to the U.S.

Technically, I’m not sure this is feasible, and, certainly, this would have a devastating effect on our economy and on the relations between the EU and the U.S. It also seems unlikely that the national data protection authorities (DPAs) will suddenly begin to investigate companies, or worse, to sanction them because they continue to transfer personal data to the U.S. Let us not forget that in many EU member states, the national DPAs have approved the transfers of data to the U.S. on the basis of Safe Harbor. In my opinion, it would make no sense, and would serve no real purpose, if the DPAs would suddenly repeal the approvals that they have granted to thousands of companies over the last 15 years.

That is not to say that the DPAs will take no action. On the contrary, there is now a high expectation for companies to reassess their data flows and, where needed, to implement new measures for transferring data outside the EU. It is also important to note that, while Safe Harbor can no longer be used as a legal basis for transferring data outside the EU, the measures that companies have put in place to comply with the Safe Harbor principles should remain valid. In the end, what really matters is whether and how companies are safeguarding the data they transfer outside the EU, regardless of the legal basis on which they rely to do so. And so, as a short-term solution, a decision from the DPAs to grant companies a grace period that would allow them to leverage the efforts they have made in the past in order to transition toward another data-transfer mechanism would certainly be welcome. At the same time, let’s not be naïve. The CJEU’s ruling empowers the DPAs tremendously and, once the General Data Protection Regulation (GDPR) is finally adopted, they will have unprecedented powers to investigate and sanction companies. So the clock has already begun to tick for those companies that were relying on Safe Harbor…

The second point I’d like to make is that the national DPAs have here a unique opportunity to send a clear and consistent message to the world. Some people are already commenting—rightfully so!—that there is risk that the court’s decision will be interpreted differently by the DPAs in their respective jurisdictions, which would result in a patchwork of different interpretations and solutions across Europe. Well, I think the situation demands that the Article 29 Working Party adopt a common and unified position. Too often, Europe has been criticised for its lack of harmonisation and its fragmented approach to law. Now is the moment to show the world that Europe can speak in harmony. If the DPAs fail to seize this moment, the risk is that the relations between the EU and the U.S. will be significantly damaged, and this will leave literally thousands of companies in a limbo.

As for the issue regarding the disclosure of personal data to foreign authorities, which is really the pivotal issue here, the CJEU’s ruling has repercussions beyond Safe Harbor because it concerns data transfers as a whole—meaning that the analysis can be applied to adequacy decisions, the EU model clauses and Binding Corporate Rules. Thus, the CJEU’s decision calls for EU legislators to adopt a coherent and consistent position on this issue across the different legal frameworks that are currently being prepared: the GDPR, the “new” Safe Harbor framework and the so-called Umbrella Agreement on the transfers of personal data between the EU and the U.S. for justice and law-enforcement purposes. And so, once again, consistency seems to be the key word to ensure that a fair balance is found between the protection of the individual’s privacy and the freedom to conduct business—both of which are fundamental rights under the European Charter of Fundamental Rights.

Europe may be holding the key to the future of privacy, but it needs to embrace this future with a clear, pragmatic and realistic vision. Otherwise, I fear the upcoming GDPR will fail to achieve its goal.

This article was first published in the IAPP’s Europe Data Protection Digest on 9th October 2015.

What data protection reform would look like if it were up to me.

Posted on September 16th, 2015 by

Earlier today I attended a superb session of the Churchill Club in Palo Alto, at which the European Data Protection Supervisor was speaking on data protection and innovation.  As he spoke about the progress of the EU General Data Protection Regulation and what its impacts would be upon business, I found myself given to thinking about what EU data protection reform would be like if it were up to me.

Of course, this is by definition somewhat of a navel gazing exercise because EU data protection reform is not up to me.  Nevertheless, I thought I would at least share some of my thoughts to see to what extent they strike a chord with readers of our blog – and, perhaps, even reach the ears of those who do make the law.

So, if you’ll allow me this indulgence, here’s what my reforms would do:

1.  They would strike a balance between supporting privacy rights, economic and social well-being and innovation.  Fundamentally, I support the overarching goals of the GDPR described in its recitals – namely that “the principles and rules on the protection of individuals with regard to the processing of their personal data should …. respect their fundamental rights and freedoms, notably their right to protection of personal data” and that those rules should “contribute to an area of freedom, security and justice …, to economic and social progress, … and the well-being of individuals.”  Yet, sometimes within the draft texts of the GDPR, this balance has been lost, with provisions swinging so far towards conservatism and restrictiveness, that promotion of economic progress – including, critically for any economy, innovation – gets lost.  If it were up to me, my reforms would endeavour to restore this balance through some of the measures described below.

2.  They would recognize that over-prescription drives bad behaviours.  A problem with overly-prescriptive legislation is that it becomes inherently inflexible.  Yet data protection rules need to apply across all types of personal data, across all types of technologies and across all sectors.  Inevitably, the more prescriptive the legislation, the less well it flexes to adapt to ‘real world’ situations and the more it discourages innovation – pushing otherwise would-be good actors into non-compliance.  And, when those actors perceive compliance as unobtainable, their privacy programs become driven by concerns to avoid risk rather than to achieve compliance – a poor result for regulators, businesses and data subjects alike.  For this reason, my data protection reforms would focus on the goals to be achieved (data stays protected) rather than on the means of their achievement (e.g. specifying internal documentation needs).  This is precisely why the current Data Protection Directive has survived as long as it has.

3.  They would provide incentives for pseudonymisation.  Absent a few stray references to pseudonymisation here and there across the various drafts of the GDPR, there really is very little to incentivise adoption of pseudonymisation by controllers – pseudonymised data are protected to exactly the same standard as ‘ordinary’ personal data.  Every privacy professional recognizes the dangers of re-identification inherent in pseudonymised data, but treating it identically to ordinary personal data drives the wrong behaviour by controllers – perceiving little to no regulatory benefit to pseudonymisation, controllers decline to adopt pseudonymisation for cost or other implementation reasons.  My reforms would explore whether pseudonymisation could be incentivised to encourage its adoption, for example by relaxing data minimization, purpose limitation or data export rules for pseudonymised data, in addition to existing proposals for relaxed data breach notification rules.

4.  They would recognize the distinct role of platforms.  European data protection professionals still operate in a binary world – businesses are either ‘data controllers’ or ‘data processors’.  Yet, increasingly, this binary division of responsibility and liability doesn’t reflect how things operate in reality – and especially in an app-centric world operating over third party cloud or mobile platforms.  The operators of these platforms don’t always sit neatly within a ‘controller’ or a ‘processor’ mold yet, vitally, are the gatekeepers through which the controllers of apps have access to the highly sensitive information we store on their platforms – our contact lists, our address books, our health data and so on.  We need an informed debate as to the role of platforms under revised data protection rules.

5.  They would abandon outdated data export restrictions.  It’s time to have a grown up conversation about data exports, and recognize that current data export rules simply do not work.  Who honestly believes that a model contract protects data?  And how can European regulators promote Binding Corporate Rules as a best practice standard for data export compliance, but then insist on reviewing each and every BCR applicant when they are too poorly resourced to do so within any kind of commercially acceptable timescale?  And how can we possibly complain about the US having poor Safe Harbor enforcement when we have little to no enforcement of data export breaches at home in the EU?  Any business of scale collects data internationally, operates internationally, and transfers data internationally; we should not prohibit this, but should instead have a regulatory framework that acknowledges this reality and requires businesses to self-assess and maintain protection of data wherever it goes in the world.  And, yes, we should hold businesses fully accountable when they fail to do so.

6.  They would recognise that consent is not a panacea.  There’s been a strong narrative in Europe for some time now that more data processing needs to be conditioned on individuals’ consent.  The consensus (and it’s not a wholly unfair one) is that individuals have lost control of their data and consent would somehow restore the balance.  It’s easy to have sympathy for this view, but consent is not all it’s cracked up to be.  Think about it, if consent were a requirement of processing, how would businesses be forced to respond?  Particularly within the European legislative environment that considers almost all types of data to be ‘personal’ and therefore regulated?  The answer would be a plurality of consent boxes, windows and buttons layered across every product and service you interact with.  And, to make matters worse, the language accompanying these consents would invariably become excessively detailed and drafted using ‘catch-all’ language to avoid any suggestion that the business failed to collect a sufficiently broad consent.  Clearly, there are places where consent is merited (collection and use of sensitive data being a prime example) but for other uses of data, a well-structured data protection regime would instead promote the use of legitimate interests and other non-consent based grounds for data processing – backed, of course, by effective regulatory audit and sanctions in order to provide the necessary checks and balances.

So there you have it.  Those are just a few of my views – I have others, but I’ll spare you them for now, and no doubt you’ll have views of your own.  If you agree with the views above, then share them; if you don’t, then share them anyway and continue the debate.  We’ll only ever achieve an appropriate regulatory framework that balances the needs of everyone if we all make our voices heard, debate hard, and strive to reach consensus on the right data protection regime fit for the future!

Why are German courts allowed to take my global privacy policy apart?

Posted on August 7th, 2015 by

Your service is innovative, you are ambitious, and the European digital market is there for the taking. Except that the EU is not the digital single market it strives to be just yet. Recent years have seen a rise in legal disputes in Germany over allegedly unlawful clauses in standard business terms – in more and more cases including privacy policies and consent wording. Apple, Facebook, Google have all been there. They all lost on part of the language.

The story goes…

The story often begins with an international business looking to have a single global or pan-European privacy policy. It might not be perfect in all respects, but it was considered to be a reasonable compromise between addressing multiple local law requirements, keeping the business scalable, and creating transparency for customers. Now, with global expansion comes the inevitable local litigation.

The typical scenario that arises for international businesses expanding into Germany is this: An aggressive local market player trying to hold on to its pre-new economy assets sends you a warning letter, alleging your privacy policy breaches German law requirements, and includes a cease-and-desist undertaking aimed at forcing you to refrain from using unlawful privacy policy clauses.

If you are big and established, the warning letter may come from a consumer protection association that happens to have singled out you or your industry. If you refuse to comply with the warning letter, the dispute may go to court. If you lose, the court will issue an injunction preventing you from using certain language in your privacy policy. If you infringe the injunction after being served the same, judicial fines may ensue.

The legal mechanism

These warning letters typically allege that your privacy policy is not in full compliance with strict German data protection and consumer protection law. Where this is the case, privacy infringements can be actioned by competitors and consumer protection associations – note: these actions are based solely on the language of your privacy policy, irrespective of your actual privacy practices. These actions are a kind of “privately-initiated law enforcement” as there is no public regulator generally watching over use of privacy policies.

Furthermore, in certain cases – and especially where privacy policies are peppered with language stating that the user “consents” to the collection and use of their information – the privacy policy may even qualify as ‘standard business terms’ under German consumer protection law, opening the door for the full broadside of German consumer protection law scrutiny.

So, what’s the solution?

In the long run, courts or lawmakers will have to resolve the dilemma between two conflicting EU law principles: privacy regulation on a “country of origin” basis vs. consumer protection and unfair competition laws that apply wherever consumers are targeted. In essence, the question is: Which should prevail, applicable law principles under the Data Protection Directive (or the General Data Protection Regulation bound to be issued any decade now) or local law consumer protection principles under Rome I and II Regulations?

In the short term, an approach to mitigating legal and practical risks is to provide a localised privacy policy just for German consumers that is compliant with local law. Or, usually less burdensome, make your policy information-only, i.e. delete consent wording and clauses curtailing consumers’ rights in order to at least keep the policy from being subjected to full consumer protection scrutiny.

The downside to this approach is that it may require deviating from your global approach on a privacy policy. On the upside, it will spare you the nuisance of dealing with this kind of warning letter which is difficult to fight off. Remember: This is all about the language of your privacy policy, not what your real-world privacy compliance looks like.

Stay tuned for more information on warning letter squabbles regarding e-mail marketing regulations.

Unravelling the mysteries of the GDPR trilogues

Posted on July 16th, 2015 by

In recent days, “trilogue” seems to be the buzz word on everyone’s lips following the adoption by the Council of Ministers of the European Union (the “Council”) of the General Data Protection Regulation (the “GDPR”) in a first reading on 11th June. But what exactly is a “trilogue”? What is the meaning of this obscure concept that only exists under European Union law? Following my previous article on the EU’s ordinary legislative procedure, I will try through this article to unravel the mysteries of the trilogue by explaining this concept in simple, layman terms.

What are “trilogues”?

Under the Treaty of Lisbon, the ordinary legislative procedure follows three stages: 1/ the first reading; 2/ the second reading; and 3/ conciliation. The Treaty of Amsterdam (which entered into force on 1st May 1999) introduced the possibility for the institutions involved in EU law-making (namely, the Commission, the Parliament and the Council) to reach an agreement on a legislative proposal at first reading.

Trilogues are not formally defined in the founding treaties of the European Union (TEU and TFEU), even though article 295 of the TFEU does contain a general principle stating: “the European Parliament, the Council and the Commission shall consult each other and make arrangements for their cooperation by common agreement. To that end, they may, in compliance with the Treaties, conclude inter-institutional agreements, which may be of a binding nature.”

Instead, they result from a Joint Declaration on Practical Arrangements for the Codecision Procedure (the “Joint Declaration”) adopted by the Commission, the Council and the Parliament in 1999 and later updated in 2007. According to this Joint Declaration, “the institutions shall cooperate throughout the procedure with a view to reconciling their positions as far as possible and thereby clearing the way, where appropriate, for the adoption of the act concerned at an early stage of the procedure”. The reconciliation of positions is reached through informal interinstitutional negotiations called “trilogues”.

Are trilogue meetings common practice in the EU’s ordinary legislative procedure?

Yes. Since the entry into force of the Lisbon Treaty, fewer and fewer legislative proposals have been adopted after a second reading (only 10%) and fewer still after conciliation (only 5%). In practice, the large majority of legal texts are now adopted after a first reading (85%). With the increased number of Member States and a much bigger Parliament (751 MEPs), second readings simply take too long and are usually reserved for texts where there is strong controversy. In recent years, the EU legislative bodies have instead been using “trilogues” as a means to speed up the legislative procedure.

When do the trilogue meetings begin?

There is no official starting date for trilogue meetings and they may be held at all stages of the legislative procedure and at different levels of representation, depending on the nature of the expected discussion. In the case of the GDPR, no agreement was found prior to the Parliament’s first reading vote (on 12th March 2014), nor prior to the Council’s first reading vote (11th June 2015).

In practice, trilogue meetings tend to kick off officially once the Council has adopted its first reading position, which is where we stand now on the GDPR. A first trilogue meeting was held on 24th June, during which the three institutions agreed on the overall roadmap for the trilogue negotiations. On 14th July, the three institutions met again to discuss article 3 on the territorial scope of the Regulation and chapter 5 on international data transfers. The next trilogue meeting is due to take place in September, although no date has yet been decided.

Who attends the trilogue meetings?

Each institution designates its participants for each meeting in accordance with its own rules of procedure. Trilogue meetings are attended by representatives of all three EU legislative bodies, namely:

the Council of Ministers: The Council is represented by the chairperson of the relevant working group (in this case, the Working Party on Information Exchange and Data Protection (DAPIX)), the chairperson of the Committee of Permanent Representatives of the Governments of the Member States to the European Union (COREPER), national officials, and members of the Council’s Secretariat and Legal Service. With Luxembourg now taking over the six-month rotating presidency of the European Union, one can expect Luxembourg to play a decisive role in the trilogue discussions given that it is home to some of the largest Internet companies in the world.

the Parliament: The Parliament is represented by Jan Albrecht, the rapporteur on the legal text, Claude Moraes, the chairperson of the lead Parliament committee (LIBE committee), shadow rapporteurs, political group coordinators and various staff members of the Parliament.

the European Commission: The Commission is represented by Paul Nemitz, the Director of the Directorate General for Justice (DG Justice), Bruno Gencarelli, the Head of Unit for Data Protection of DG Justice, and various representatives of the Commission’s Secretariat-General and Legal Service.

How are the trilogue meetings conducted?

Trilogues are chaired by the co-legislator hosting the meeting (i.e., either the Parliament or the Council) and are usually conducted in an informal manner. The co-legislative bodies undertake to exchange information regularly on the progress of codecision files in accordance with their own internal rules of procedure and to coordinate their respective calendars of work so as to conduct the proceedings in an efficient manner.

The discussions are organised around a four-column document which outlines the Commission’s initial proposal (Column 1), the Parliament’s position (Column 2) and the Council’s position (Column 3), the last column being reserved for the “compromise text”, which in the end constitutes the adopted version of the text.

During the trilogue meetings, the co-legislators (Parliament and Council) confront their positions, thus entering into a debate, with a view to reaching an agreement. In practice, the Commission often plays the role of a mediator or facilitator, making sure that an agreed position is reached.

How long will the GDPR trilogues last?

It is difficult to say as this will largely depend on how quickly the co-legislators are capable of adopting a compromise text. Under the Joint Declaration, the institutions must seek to establish an indicative timetable for the various stages leading to the final adoption of the legislative proposal. The frequency as well as the number of trilogues depends on various factors, such as the content of the legislative proposal and the political sensitivity surrounding the text.

In the case of the GDPR, the three institutions have set out to adopt the text before the end of 2015. There are examples in the past of some EU laws that were adopted within months, following fast-paced meetings taking place every month. In the given scenario, the Parliament and the Council seem to disagree quite strongly on some of the provisions, such as the rights of the individuals, international data transfers, data profiling, administrative fines and the one-stop shop mechanism. Furthermore, the EU Member States are not fully aligned, which could also further delay the adoption of the text.

While it is possible technically to reach a compromise text between now and December, it seems more likely that the text will be adopted in the beginning of 2016.

What will be the outcome of the trilogue meetings?

There are essentially two possible scenarios:

  1. The co-legislators agree on a compromise text: In this case, the agreement reached must be adopted by the Parliament in plenary and by the Council, each in a second reading vote. Following adoption of the GDPR by the Parliament and the Council, the text is submitted for signature to the President of the Parliament and the President of the Council and to the Secretaries-General of those institutions. The jointly signed text is then sent for publication in the Official Journal of the European Union.
  2. The co-legislators do not agree on a compromise text: Statistically speaking, a failure to reach a compromise at the end of the trilogue meetings seldom happens and this is usually limited to situations where the co-legislators strongly disagree on a particular text, making it impossible to reach a final agreement. It seems unlikely that this would happen here, but if it does, then the legislative procedure would continue to a second reading in the Parliament and Council.


Are trilogues transparent enough?

Trilogue meetings have been criticized for their lack of transparency due to the fact that the meetings are held behind closed doors and little is known about the actual position of each institution during the negotiations. Emily O’Reilly, the European Ombudsman, opened an inquiry on May 28th regarding the transparency of trilogues, asking why there is no publicly accessible list of on-going trilogues and why a complete record of the documents tabled and exchanged at such meetings is also not accessible to the public. In a letter addressed to the Presidents of the Council, the Parliament and the Commission, she asks each of them to answer several questions, in particular whether the trilogue documents are made available to the public.

This shows that while trilogue meetings were initially created to establish a structured dialogue between the co-legislators with a view to adopting EU laws more expeditiously, they are also conducted in an opaque manner and very little information filters through to the general public. At a time when the European Union suffers from a lack of democracy and transparency between EU citizens and the institutions that represent them, one may ask whether the time has come to adopt a more open and transparent framework for the trilogue meetings.


By Olivier Proust, Of Counsel, Privacy & Information Law Group


This article was first published in the IAPP’s Privacy Tracker.

5 Practical Steps to help companies comply with the E-Privacy Directive (yes, it’s cookies again!)

Posted on July 13th, 2015 by

This month (July 2015), the IAB Europe published new Guidance titled “5 Practical Steps to help companies comply with the E-Privacy Directive“. The 5 sensible steps in the document are aimed at brand advertisers, publishers and advertising businesses.  The EU’s cookie compliance rules were remodelled as far back as 2009, when a broader set of telecommunications rules updated the e-Privacy Directive.  There has been no change since, so this Guidance has not been prompted by any regulatory change or significant shift in the compliance landscape.  It does, however, serve as a useful practical reminder to anyone considering or revisiting their compliance strategy.

The context and Article 5.3

The advice in the Guidance centres around that now familiar extract from the e-Privacy Directive, Article 5.3.  This of course requires you to obtain prior informed consent for the storage of, or access to, information stored on a user’s terminal equipment.  The only carve-outs are for storage or access that is solely for carrying out the transmission of a communication, or that is strictly necessary to provide a service the user has explicitly requested; everything else (analytics, advertising and other third-party tags included) sits on the consent side of the line.

The Guidance rightly acknowledges that there are differences both in the national implementations of this rule and in the related regulatory guidance from Member State to Member State.  Therein lies the rub, as many are seeking a “one-size-fits-all” approach for Europe. Often criticised, the law requires you to get consent but doesn’t actually say how. These 5 steps from the IAB delve into the “how” and may assist you.

The 5 recommended steps in the Guidance

At a high-level the Guidance makes the following practical observations:

  1. Monitor and assess your digital property – know your properties, their technology, and what data they collect. Regularly audit these to understand the data collected and how it is used. Be particularly cautious when using partners who are collecting data on your properties: a third-party tag can set cookies and read device information you never see, so the audit must cover what partners actually deploy, not only what your own code does.
  2. Be clear and transparent in how you present information to consumers – use plain and easy-to-understand language and don’t mislead. Consider a layered approach and, where appropriate, link to helpful websites to convey messages about how and why your property deploys its technologies (and for what purposes).
  3. Make things prominent – ensure your privacy information is easy to find and distinguishable. There are some short tips around ways you could go about this.
  4. Context is king! – the Guidance suggests you consider ways to achieve consent in a contextual way. Rightly, this step suggests “that the key point is that you must gain consent by giving the user specific information about what they are agreeing to and providing them with a way to indicate their acceptance.” Fieldfisher reminds you that there are a number of mechanisms (express and implied) by which you may achieve this, and the Guidance suggests a few of the available approaches in this step.
  5. Consider joining the EU industry programme to provide greater contextual transparency and control to consumers over customised digital advertising – “why not?” we say, as this is another tactic for staying in touch and demonstrating commitments. This step highlights the benefits of the programme to behavioural advertisers, the “icon” initiative and the transparency mechanisms available through it.
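Steps 1 and 4 are where implementation usually goes wrong: the notice is shown, but analytics and advertising tags are loaded before the user has done anything, so “consent” is recorded after the access to the device has already happened. The following is an added example (not code from the IAB Guidance or from Fieldfisher) of a small consent gate that enforces default-deny. It assumes three purpose categories (“necessary”, “analytics”, “advertising”), a notice version number so that consents gathered under old wording are treated as absent, and a storage object with `getItem`/`setItem` (so it runs unchanged in Node or against `window.localStorage`). It models express consent only; the implied-consent mechanisms the post mentions would need a different trigger.

```javascript
// Added illustration of a default-deny cookie consent gate.
// Assumed categories, storage key and notice version: not from the page.
const CATEGORIES = ['necessary', 'analytics', 'advertising'];
const NOTICE_VERSION = 2;          // bump when the notice text changes
const STORAGE_KEY = 'consent';     // assumed key name

// storage: any object with getItem(key) -> string|null and setItem(key, value)
// now: clock injected for reproducible timestamps in tests
function createConsentGate(storage, now = () => Date.now()) {
  // Returns the stored record, or null when none exists, it is unparsable,
  // or it was collected under an older version of the notice.
  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === NOTICE_VERSION && rec.choices ? rec : null;
    } catch (e) {
      return null;                 // corrupt record counts as no consent
    }
  }

  // Persist the user's choices. Only the boolean true is treated as consent;
  // unknown categories are ignored; "necessary" is always permitted.
  function record(choices) {
    const clean = { necessary: true };
    for (const c of CATEGORIES) {
      if (c !== 'necessary') clean[c] = choices[c] === true;
    }
    const rec = { version: NOTICE_VERSION, choices: clean, ts: now() };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  // Default deny: with no valid record, only "necessary" is allowed.
  function allowed(category) {
    if (category === 'necessary') return true;
    const rec = read();
    return !!(rec && rec.choices[category] === true);
  }

  // Partition a tag list into those that may load now and those that must wait.
  // tags: [{ name, category }]
  function loadTags(tags) {
    const loaded = [];
    const blocked = [];
    for (const t of tags) {
      (allowed(t.category) ? loaded : blocked).push(t.name);
    }
    return { loaded, blocked };
  }

  return { read, record, allowed, loadTags };
}

// In-memory stand-in for localStorage so the gate runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In a page, `loadTags` is what runs at startup: tags in `blocked` are only injected after `record()` has been called from the consent UI, and the result of `read()` is what you keep as evidence of what the user agreed to and under which notice version.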

The so what?

The e-Privacy Directive and the EU cookie compliance issues associated with it have been alive and well for years now. We’ve frequently updated readers on the enforcement issues, sweep days and other stories where cookie compliance comes to the fore. It’s not entirely clear what prompted this “best practice” advice and steps from the IAB, but the short document is practical and insightful, whether you’re new to cookie compliance or revisiting your compliance approach.

As other members of the team have recently blogged, the CNIL recently issued a press release stating that, following its online cookie audits conducted last October (see our previous blog article), it has sent a formal notice of enforcement (“lettre de mise en demeure“) to approximately 20 companies requesting them to comply with the cookie rules in France.  Cookie compliance needs are not going away, nor are they particularly difficult for most online properties.  What’s more, when looking at your peers, there’s no doubt that a level of compliance and transparency is fairly prevalent across EU and EU-facing websites today.

What now?

So how should you deal with cookies?  Well, the steps in this Guidance give you a great practical head start. Cookie compliance and the approach to it have been market-led since the outset. When asked what “good” looks like, even among the regulators the thinking went that the online industry was better placed than lawyers, regulators and legislative draftsmen to innovate creative and unobtrusive ways to get consent. That’s where bodies like the IAB Europe have played a central role and, by aligning your own practices with the pack, you are rarely in a bad place in the world of cookie compliance.


Mark Webber, Partner – Digital Regulation and Technology (Silicon Valley)


Q: Have we just passed a new EU data protection law? A: Not yet!

Posted on June 16th, 2015 by

For those of you keeping tabs on EU data protection developments, today’s exciting news was that the Council of the EU has reached a “general approach” on Europe’s proposed General Data Protection Regulation, with the twin aims of enhancing Europeans’ data protection rights and increasing business opportunities in the Digital Single Market.

And what a lot of people have had to say about it! Some say it’s going to “kill off Europe’s cloud computing industry” (story here) while others describe it as “a brazen effort to destroy Europe’s world leading approach to data protection and privacy” (story here). It’s rather remarkable to note that both industry and civil liberties groups seem equally downcast about the new proposals, albeit for entirely opposing reasons.

But what these prophecies of doom all overlook is that we don’t have a new data protection law yet. In fact, far from it – we’re still only at the draft stage! And until we have agreed the final text of the new law, it’s very difficult to predict where exactly we will land on many of the issues.

For those of you struggling to understand timelines and where exactly we are in the process, here’s how things stand:

1. The European Commission (in simple terms, the executive branch of EU government) proposed a new EU data protection law in 2012 – this is the “General Data Protection Regulation”.

2. The EU Parliament (for our US audience, think the House of Representatives) and the Council of the EU (think the US Senate) each then got to review and table amendments to the draft legislation through various committee proceedings – the aim being for each institution to come up with its own preferred draft of the law.

3. The EU Parliament put forward its proposed “version” in March 2014, favouring strict protection of individuals’ rights. Today’s development is that the Council of the EU has finally (and reluctantly) put forward its own proposed “version”, with a greater leaning towards risk-based application of data protection rules. This some 3 years after the law was originally proposed by the Commission – progress has not been quick.

4. What happens next is that the Parliament, the Council and the Commission will now enter three-way “trilogue” negotiations (explained here). These are scheduled to begin on 24 June and their ultimate aim is to produce a final negotiated text that all three institutions agree on. Then, and only then, will the General Data Protection Regulation become law.

5. But, wait a minute! Even when the new law does get adopted, it’s unlikely to take effect for a further two years (unless this two year lead-in period is negotiated out during the trilogue). So, even assuming things go swimmingly and the three institutions agree on the language of the law this year, then it is still very unlikely to become effective before the middle of 2017 – and, given the rate of progress to date, 2018 frankly seems more realistic.

What all this means is that today was certainly a big day for EU data protection, but there’s still a long road to travel down. There are some things that seem almost certain to make it into the final text (application of EU data protection rules to any worldwide business servicing EU citizens, extension of liability to data processors, some notion of a one-stop shop, greater fines etc.), but many that still remain open to debate (mandatory DPOs, the role of consent, etc.).

Stay tuned, and we’ll keep you posted once we have a better assessment of the likely final text of the law. In the meantime, enjoy speculating along with everyone else but remember that, until the law is adopted, it’s just that – speculation!

German monopoly commission advises not to regulate algorithms

Posted on June 5th, 2015 by

This week, the German Monopoly Commission published its extraordinary opinion on digital markets. Particularly interesting: the Commission advised against regulating algorithms – which, only at first glance, seems to be an answer to a question nobody posed.

The study, which is available in German here, looks at a broad scope of digital business models and markets. One thing that immediately sprang to my mind is a section about the need to regulate algorithms. The background is that the Commission sees the risk that search engine providers that also offer other services such as review websites, map services or price comparison tools, may prioritize their own services against third-party offerings.

First, the Monopoly Commission clearly advocates against an unbundling of such businesses, arguing that the impact of such an unbundling is severe, and the unbundling would also contravene the general goal of competition regulation to generate an incentive for innovation by accepting organic, internal growth.

Second, the Commission also rejected the feasibility of “algorithm” regulation, i.e. an agency that would look into an algorithm to determine whether it works “neutrally”. Here, the Commission states that the number of changes that a typical search engine provider implements each year would make this an unreasonable effort. Further, given the complexity of those algorithms, the Commission doubts that it would be possible to detect a bias at all.

In particular, the last point is interesting. At first glance it seems to be the answer to a question nobody posed, but we have occasionally seen requests for an “algorithm police” in the recent past, and a couple of weeks ago, when I asked Jan Philipp Albrecht, well known as the European Parliament’s rapporteur for the EU’s General Data Protection Regulation as well as for the EU-US data protection framework agreement, he clearly spoke in favour of regulating algorithms. The fact that the Monopoly Commission addressed this topic may thus be more than just a side note, and it seems that this debate has only started.

Will the new EU General Data Protection Regulation prevent forum shopping?

Posted on May 12th, 2015 by

It’s a common criticism of the current EU Data Protection Directive that its provisions determining applicable law invite forum shopping – i.e. encourage businesses to establish themselves in the Member State perceived as being the most “friendly”.  In fact, while there is some truth to this belief, its effect is often overstated.  Typically, businesses choose which country to set up shop in based on a number of factors – size of the local market, access to talent and infrastructure, local labor laws and (normally the overwhelming consideration) the local tax regime.  We privacy pros like to consider data protection the determining factor but, at least in my experience, that’s hardly ever the case.

Nevertheless, it’s easy to understand why many worry about forum shopping.  Under the Directive, a business that has a data controlling “establishment” in one Member State is subject only to the national data protection laws of that Member State, to the exclusion of all other Member States.  So, for example, if I have a data controlling establishment in the UK, then the Directive says I’m subject only to UK data protection law, even when I collect data from individuals in France, Germany, Spain and so on.  A rule that works this way naturally lends itself to a concern that it might encourage a “race to the bottom”, with ill-intentioned businesses scampering to set up shop in “weak” data protection regimes where they face little to no risk of penalty – even if that concern is overstated in practice.

But a concern it is, nevertheless, and one that the new General Data Protection Regulation aims to resolve – most notably by applying a single, uniform set of rules throughout the EU.  However, the issue still arises as to which regulatory authorities should have jurisdiction over pan-EU businesses and this point has generated much excited debate among legislators looking to reach agreement on the so-called “one stop shop” mechanism under the Regulation.

This mechanism, which began life as a concept intended to provide greater regulatory certainty to businesses by providing them with a single “lead” authority to which they would be answerable, has slowly been whittled away to something scarcely recognizable.  For example, under the most recent proposals by the Council of the European Union, the concept of a lead protection authority remains but there are highly complicated rules for determining when other “concerned” data protection authorities may instead exercise jurisdiction or challenge the lead authority’s decision-making.

All of which raises the question: will the General Data Protection Regulation prevent forum shopping?  In my view, no, and here’s why:

  • Businesses don’t choose their homes based on data protection alone.  As already noted, businesses determine the Member States in which they will establish based on a number of factors, king of all being tax.  The General Data Protection Regulation will not alter this.  Countries, like Ireland or the UK, that are perceived as attractive on those other factors today will remain just as attractive once the new Regulation comes into effect.
  • While you can legislate the rules, you can’t legislate the culture. Anyone who practices data protection in the EU knows that the cultural and regulatory attitudes towards privacy vary enormously from Member State to Member State.  Even once the new Regulation comes in, bringing legislative uniformity throughout the EU with it, those cultural and regulatory differences will persist.  Countries whose regulators are perceived as being more open to relationship-building and “slow to temper” will remain just as attractive to businesses under the Regulation as they are under the Directive.
  • The penalties under the General Data Protection Regulation will incentivize forum shopping. It has been widely reported that the General Data Protection Regulation carries some pretty humungous fines for non-compliance – up to 5% of worldwide turnover.  In the face of that kind of risk, data protection takes on an entirely new level of significance and attracts serious Board level attention.  The inevitable behavioral consequence of this is that it will actively incentivize businesses to look for lower risk countries – on any grounds they can (local regulatory culture, resourcing of the local regulator and so on).
  • Mature businesses won’t restructure. The Regulation is unlikely to have an effect on the corporate structure of mature businesses, including the existing Internet giants, who have long since already established an EU controller in a particular Member State.  To the extent that historic corporate structuring decisions can be said to have been based on data protection forum shopping grounds, the General Data Protection Regulation won’t undo the effects of those decisions.  And new businesses moving into Europe always look to their longer-standing peers as a model for how they, too, should establish – meaning that those historic decisions will likely still have a distorting effect going forward.