The latest on the EU data protection reform
After continuous complaints that the EU Member States were dragging their feet and did not make significant progress on the adoption of the proposed EU Data Protection Regulation, the European Council announced on 13 March that it has reached “a partial general approach on specific issues of the draft regulation“, under the caveat that “nothing is agreed until everything is agreed“. More specifically the EU Member States seem to have reached agreement on the format of the ‘one stop shop principle’, in that it should only play a role in important cross-border matters.
The European Council goes on to clarify that decisions in such cross-border cases must be agreed jointly between the data protection authorities concerned and will be adopted by the data protection authority best placed to deliver the most effective protection to the data subject(s) involved. The European Council also endorsed a general set of principles for the lawful, fair and transparent processing of personal data. Despite the progress made, some, including EU Member States Italy and Austria, are worried that some of the proposals submitted and accepted by the Member States may lead to an even lower standard of protection than the current Directive 95/46/EC.
As to next steps, Germany’s federal Minister of the Interior, Thomas de Maizière, called for the Council’s next meeting in June to be used to finalise negotiations on the many still outstanding issues. This has led some to believe that the European Council may reach agreement on the entire package in June, allowing trilogue negotiations to take place between the European Council, Parliament and Commission over the summer, with potential adoption of the draft regulation before the end of this year. Although this timeline seems overly ambitious, data protection reform is more imminent than ever and companies would be wise to start preparing.
Safe Harbour on the rocks
The Safe Harbour regime has been in troubled waters for some time now and risks being torpedoed even sooner than expected. Following a referral by the Irish High Court in the case Schrems v Data Protection Commissioner in June of last year, the European Court of Justice (ECJ) is set to rule on the matter. More specifically, the ECJ has been asked for guidance on whether “the proper interpretation of the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the Commission Decision of 26 July 2000 on the adequacy of the protection provided by the safe harbour privacy principles should be re-evaluated”, and whether, as a consequence, the Irish Data Protection Commissioner can “look beyond or otherwise disregard” the Commission Decision on Safe Harbour.
The hearing before the ECJ took place on 23 March. At the hearing, counsel for the European Commission conceded that “under Safe Harbour as it is currently applied in the US there is no guarantee that fundamental rights of EU data subjects will be respected”. The Advocate General (Mr Bot) is expected to submit his opinion to the ECJ on 24 June and the final decision by the ECJ is expected during the autumn of this year. Needless to say, the ECJ’s decision may have major implications for data flows between the EU and the US. If the Safe Harbour regime is invalidated or annulled, US companies will still be able to transfer personal data out of the European Union, but will have to do so using the other, more burdensome, transfer tools available under the current Directive 95/46/EC (such as standard contractual clauses or binding corporate rules), each of which requires more paperwork and, in many Member States, prior regulatory approval. Companies that currently rely on Safe Harbour alone for EU-US transfers would do well to inventory those data flows now and identify a fallback mechanism for each.
Amidst all this turmoil, the European Commission still aims to finalise discussions with the US on the implementation of the Commission’s 13 recommendations to improve Safe Harbour by the end of May. Finally, EurActiv reports that according to some EU officials data flows could still be considered as part of the Transatlantic Trade and Investment Partnership, but only after an agreement on the EU’s Data Protection Regulation is reached.
Digital Single Market Strategy for Europe
President of the European Commission Jean-Claude Juncker announced as early as 15 July 2014 that creating a connected digital single market would be a top priority for the European Commission in the years to come. Recently, Mr Juncker and his team took this initiative one step further. In a press release of 25 March, the European Commission announced that it had agreed on three areas for action:
- “Better access for consumers and businesses to digital goods and services”. This includes facilitating cross-border e-commerce, tackling geo-blocking and reforming copyright law and VAT arrangements.
- “Shaping the environment for digital networks and services to flourish”. This includes a review of the current telecoms and media rules, a coordinated European approach to spectrum management (including the roll-out of 4G technology), leveraging the importance of online platforms and pushing for the swift adoption of the Data Protection Regulation.
- “Creating a European Digital Economy and Society with long-term growth potential”. This includes managing the transition to a smart industrial system (“Industry 4.0”), speeding up the adoption of interoperability standards, unlocking the potential of big data and cloud computing and incentivising EU citizens to develop their digital skills.
More information on these three pillars will be revealed in the comprehensive Digital Single Market Strategy, which the European Commission is set to release on 6 May. Given some of the ambitious initiatives cited above, achieving the Digital Single Market will require all EU Member States to accept certain major legal and operational reforms. We are following this matter closely and will update you on the content of the strategy paper and its implications for your business as soon as the final version has been released.
Round-up of recent Article 29 Working Party publications
On 3 February the Article 29 Working Party (A29WP) released its long-awaited cookie sweep combined analysis report. Together with several national regulators, the A29WP conducted a sweep of 478 websites in the e-commerce, media and public sectors across eight EU Member States between 15 and 19 September 2014. The sweep aimed to uncover:
(i) the actual and current usage of cookies in the eight selected EU member states;
(iii) the control mechanisms in place.
On 4 February the A29WP adopted a statement on automatic inter-state exchanges of personal data for tax purposes. The statement, which is primarily directed at national governments and EU institutions, emphasises the need to put appropriate and consistent data protection safeguards in place when implementing mechanisms for the automatic inter-state exchange of personal data.
Our Belgian Privacy Commission a toothless tiger, … no more!
In an interview with the Belgian newspaper De Morgen, published on 4 April, the State Secretary for Privacy Bart Tommelein confirmed that the Belgian Privacy Commission (BPC) will be granted fining powers, preferably before the end of this year. The draft bill under which such powers would be granted to the BPC was introduced on 7 October of last year and is currently under debate in the Chamber of Representatives. How much a non-compliant company may end up paying, when fined, has not yet been determined. However, according to Willem Debeuckelaere, president of the Privacy Commission, fines may range from EUR 250 to EUR 20,000. When determining the actual amount of the fine, the BPC will take into account the size of the data breach, negligent behaviour by the relevant company or natural person, efforts to resolve the breach swiftly, and similar factors.
This is yet another step towards a more (pro-)active BPC and mirrors ongoing trends in Europe as a whole. Increasingly we have seen the BPC take the lead in following up on data protection infringements, not just against Belgian companies but also against global market players such as Facebook and Google. For more information on these actions, please see ‘Round-up of recent publications by the Belgian Privacy Commission’.
In January the Belgian Privacy Commission (BPC) published its recommendations on the processing of personal data in employment relations, titled ‘Privacy on the work floor: a myth or reality?’. Rather than introducing an entirely new set of recommendations, the document collates and provides an overview of all the opinions and recommendations put forward by the BPC over the years relating specifically to data protection in employment matters.
On 25 February the BPC issued its opinion on article 3 of the draft law on reinforcing the fight against terrorism. Article 3 of the draft law aims to expand the competence of the investigating judge to include investigatory measures in relation to (suspected) acts or crimes of terrorism. More specifically, if adopted, article 3 would allow the investigating judge to request operators of communication networks (such as internet service providers) to share certain traffic and other personal data pertaining to specific users, or to assist with the monitoring of private communications or telecommunications, in the event of (suspected) acts or crimes of terrorism. The BPC finds that the draft law includes sufficient safeguards to ensure the privacy of the data subjects involved and for these reasons endorses article 3.
The BPC has also been asked by the Belgian Minister of Social Affairs and Public Health to advise on the draft guidelines (“omzendbrief” or “circulaire”) relating to the use of the cloud by hospital facilities (Draft Guidelines). The BPC concluded that the Draft Guidelines can provide sufficient guarantees for the protection of the personal data of the data subjects involved, provided, however, that they are supplemented with an evaluation tool (like the one the BPC proposed as an attachment to its opinion). More specifically, the evaluation tool must allow hospital facilities to conduct their own assessment of the level of security of the proposed cloud offering. Finally, still according to the BPC, the Draft Guidelines must not favour a private cloud over a public cloud offering. Rather, the focus should be on the actual data protection guarantees offered as part of the relevant cloud services, and these can be achieved equally in private and in public cloud offerings.
Finally, according to Willem Debeuckelaere (president of the BPC), quoted in an article in De Morgen, Google is prepared to bring its data collection practices into line with Belgian privacy law. This means obtaining explicit consent from users prior to processing their personal data. Google, however, has neither confirmed nor denied such an agreement with the BPC.