Tag: DPA

Safe Harbour 2.0 – Not really safe nor sound

Round 2!

Round 2!

So, back in 2013, the revelations of the massive and indiscriminate surveillance conducted by the US authorities have prompted EU demands regarding the strengthening of the Safe Harbour mechanism.

As you may well be aware by now, the conclusion of the very lengthy negotiations between the EU and the U.S. for the new EU-US Safe Harbour – christened “EU-US Privacy Shield” and intended to replace the former Safe Harbour Agreement – has apparently come to an end.

Which seem to be quite good news, considering how intricate those negotiations were.

Certainly, the approval of the Cybersecurity Information Sharing Act (CISA), according to which, upon ‘cyber threat’ indicators, companies are encouraged to share threat intelligence information with the US government by being absolved of liability for data security, did not help the case. Indeed, this undoubtedly poses a problem for the EU when such information includes some European citizens’ personal data.

Similarly, the delays on the proposed Judicial Redress Act, which would allow European citizens to seek redress against the US if law enforcement agencies misused their personal data, only added up to the existing complication.

The fact that negotiators were running against the clock was another stressful point.

Time was pressing for companies which rely on the Safe Harbour framework to freely transfer data between the United States and the European Union. Indeed, last October, the Court of Justice of the EU ruled that the Safe Harbour decision was invalid (case C-362/14). Consequently, companies had to rely on other legal basis to justify the transfers of personal data to the US.

Moreover, the Article 29 Working Party established the end of January as the turning point date where it would all necessary and appropriate action if no alternative was provided.

The end of January indeed passed and at the beginning of February the conclusion of the negotiations was finally announced.

However no bilateral agreement was really reached, as the new framework is based on “an exchange of letters” with written binding assurances.

The US have indeed offered to address the concerns regarding the access of its authorities to personal data transferred under the Safe Harbour scheme by creating an entity aiming to control that such activity is not excessive. Moreover, access to information by public authorities will be subject to clear limitations, safeguards, and oversight mechanisms.

Thus said, the conclusion of these negotiations represent good news. At least in theory. Certainly, in the EU Commission own words, the new framework “will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses“.

The EU Commission further stated that the new mechanism reflects the requirements set out by the European Court of Justice in its Schrems ruling, namely by providing “stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.”

Moreover, it said that the new mechanism “includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access.”

It appears that mass and indiscriminate surveillance would constitute a violation of the agreement. However, it would still be permissible if a targeted access would not be possible.

Furthermore, “Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.” This independent entity is yet to be appointed.

The cornerstones of the arrangement therefore seem to be the obligations impending on companies handling personal data of EU data subjects, the restriction on the US government access and the judicial redress possibilities.

A joint annual review is intended to be put in place in order to monitor the functioning of the agreement

Nevertheless, in spite of what is optimistically expected and what one is lead to believe by the EU Commission’s own press release, one must wonder… What has really been achieved in practice?

To begin with, it seems that we are supposed to rely on a declaration by the US authorities on their interpretation regarding surveillance.

Unsurprisingly, many fail to see in what way this new framework is fundamentally different from the Safe Harbour, let alone that it complies with the requirements set out by the CJEU in the Schrems ruling. Hence, it is perhaps expectable that the CJEU will invalidate it on the same grounds it invalidated the Safe Harbour framework.

While US access to EU citizen’s data is expected to be limited to what is necessary and proportionate, as the devil is generally in the details, one must legitimately ask what is to be deemed necessary and proportionate in regards of such surveillance.

It is indeed unavoidable to think that such a framework does not ensure the proper protection of the fundamental rights of Europeans where their data is transferred to the US, nor provide sEU citizens with adequate legal means to redress violations, namely in regards of possible interception by US security agencies.

Anyway, at the moment, the ‘Ombudsperson’ has not yet been set up by the US nor any adequacy decision has been drafted by the EU Commission.

What does this mean in practice?

Well, as transfers to the United States cannot take place on the basis of the invalidated Safe Harbour decision, transfers of data to the USA still lack any legal basis and companies will have to rely upon on alternative legal basis, such as Binding Corporate Rules, Model Contract Clauses or the derogations in Article 26(1).

However, the EU data protection authorities (DPAs) did not exclude the possibility, in particular cases, of preventing companies to adopt new binding corporate rules (BCRs) or install model contract clauses regarding new data transfer agreements. It will be assessed if personal data transfers to the United States can occur under these transfer mechanisms. However, the fact that the data transferred under these methods are subject to surveillance by U.S. national security agencies mechanism is the same issue which lead the CJEU to rule the Safe Harbour Framework as invalid.

In the meantime, the Art.29WP expects to receive, by the end of February, the relevant documents in order to assess its content and if it properly answers the concerns raised by the Schrems judgement.

It further outlined that framework for intelligence activities should be orientated by four ‘essential guarantees’:

A. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;
B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
C. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
D. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.

Thus said, an ‘adequacy decision’ still has to be drafted and, after consultation of the Art.29WP, approved by the College of Commissioners. In parallel, the U.S. Department of Commerce is expected to implement the agreed-upon mechanisms.

So, let’s wait and see how it goes from here…

CCTV: household security or how to be a data controller at home

CCTV, walking the thin line of protecting yourself or becoming a data processor.

CCTV, walking the thin line of protecting yourself or becoming a data processor.1)Copyright by Nïall Green under the Creative Commons Attribution-Share Alike 1.0 Generic

Having suffered several attacks, in which the windows of the family home had been broken on several occasions, by persons unknown, Mr Ryneš, a Czech citizen, installed a CCTV camera under the eaves of his home. In a fixed position, the camera recorded the entrance to his home, the public footpath and the entrance to the house opposite. The system allowed only a visual recording, which was stored on a hard disk drive. Reaching its full capacity, the device would record over the existing recording, erasing the old material. Although the images would not be monitored in real time, this video surveillance system made it possible to identify two suspects, who were subsequently prosecuted.

However, despite the happy outcome, the operation of this camera system, installed by an individual on his household, for the purposes of protecting the property, health and life of the owner and his family, raised some questions due to the continuous recording of a public space.

One of the suspects challenged the legality of Mr Ryneš recording of the images. The Czech Data Protection Authority (hereafter DPA) considered that this operation infringed data-protection rules because the data collection of persons moving along the street or entering the house opposite occurred lacked their consent; individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data; and this processing was reported to the Office as mandatory.

Mr Ryneš brought an action challenging that decision in court, which was dismissed. The case was appealed to the Czech Supreme Administrative Court which referred to the Court of Justice of the European Union (hereafter CJEU) for a preliminary ruling.

In this context, in its judgment in Case C-212/13, the CJEU addressed the application of the ‘household exception’, for the purposes of Article 3(2) of Directive 95/46/EC, which refers to the data processing carried out by a natural person in the course of a purely personal or household activity.

The CJEU considered that the image of a person recorded by a camera constitutes personal data within the meaning of the Directive 95/46 inasmuch as it makes it possible to identify the person concerned.

Moreover, the Court considered that video surveillance falls within the scope of the above mentioned directive in so far as it constitutes automatic processing, i.e., an operation which is performed upon personal data, such as collection, recording, storage.

Considering that the main goal of the this Directive is to guarantee a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, as foreseen in article 7 of the EU Charter of Fundamental Rights, the CJEU recalled that derogations and limitations must be strictly necessary.

Therefore, the Court deemed that the ‘household exception’ must be narrowly construed and applicable when the data processing activity is carried out ‘purely’ private and household context, even if it incidentally concerns the private life of other persons, such as correspondence and the keeping of address books.

In this context, the CJEU concluded as follows:

(…)the second indent of Article 3(2) of Directive 95/46 must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.

However, Mr Ryneš’s concerns, which motivated the installation of the camera, were not overlooked by the CJEU. Indeed, the Court outlined that the Directive itself allows, where appropriate, to consider the legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself. This reflection is in line with the Opinion of the Article 29 Working Party in this regard as security was mentioned as an example of a legitimate interest of the data controller.

This implies that, even if the household exception is not applicable in this very particular case, a CCTV camera recording activity such as the one in the proceedings is lawful in the light of article 7(f) of the Directive. Thus said, the referring Court will now have to take this interpretative guidance into consideration and decide if the recording and processing at stake were legitimate, for instance, in regards of article 10 of the instrument. It is possible that the Czech Court may still consider that because no information regarding the recording was provided to the public (individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data) and considering that this processing was not reported to the Office constitute a breach of the data protection rules.

This is particularly relevant considering that, precisely for security purposes, individuals are equipping their households with CCTV systems which capture public space. Only time will tell how this decision will be applied to individuals in practice. Most certainly, DPAs across the EU will update their recommendations regarding the weighing between the necessity of the recording and storing of the data to pursue an interest deemed legitimate and the interests for fundamental rights and freedoms of the data subject.

At this point, it is expectable that householders who have surveillance cameras that capture public space will need to ensure that their collection and further use of any footage which contains images of identifiable individuals complies with the data protection requirements. Thus, they will have, for instance, to at least inform people of this monitoring and ensure that no footage is illegally retained.

References   [ + ]

1. Copyright by Nïall Green under the Creative Commons Attribution-Share Alike 1.0 Generic

(Un)Safe Harbour

Safe harbour for who?

Safe harbour for who?

As a general rule, the EU Data Protection Directive (Directive 95/46/EC) prevents businesses from transferring personal data from the EU to third-countries. Therefore, EU citizens’ personal data cannot be processed or hosted outside the EU, except if those countries do provide an adequate level of data protection. This adequacy requirement is met only when the European Commission recognize the data recipient country as providing an adequate level of protection. These decisions are commonly referred to as ‘adequacy decisions’.

It is deemed that the USA do not meet the above mentioned EU adequacy requirement, i.e., do not provide an adequate level of protection for data transfers to be accepted. Nevertheless, data can still be transferred from companies located in the EU on the basis of the Safe Harbour mechanism. In fact, by reason of the EU Data Protection Directive, the European Commission adopted a Decision (the “Safe Harbour decision”) recognising that the Safe Harbour Privacy Principles and the ‘Frequently Asked Questions’ provide an adequate protection for the purposes of personal data transfers from the EU to the USA.

The EU-USA Safe Harbour is an agreement concluded in 2000 which enables European data controllers to transfer personal data for commercial purposes, from companies located in the EU to companies in the USA that have signed up to the Principles. The framework aims to ensure that such transfers dully comply with the EU data protection law. To that end, USA companies pretending to lawfully receive personal data from the EU are required to self certificate the compliance of their personal data policies and practices to the Safe Harbour. Companies which voluntarily adhere to a set of principles issued by the Federal Trade Commission (FTC) are therefore presumed to qualify for the Safe Harbour ‘adequacy’.

This Framework has been greatly criticized since its implementation. Indeed, the Safe Harbour scheme has been used for the transfer of the personal data of EU citizens from the EU to the USA by companies required to give in data to USA intelligence agencies under the USA intelligence collection programmes. Moreover, some EU Data Protection Authorities manifested strong reservations about the rigour of the Safe Harbour framework, namely regarding the self-certification requirement. These concerns were echoed in the opinion of the Article 29 Working Party on Cloud Computing issued in July 2012, where it was suggested that EU data exporters could not rely on cloud provider’s self-certification regarding compliance.

As a result, it is no surprise that the framework has been reviewed twice, back in 2002 and 2004. Nevertheless, the Safe Harbour framework was endorsed by the European Commission, in January 2012, regarding the draft Data Protection Regulation, where adequacy decisions taken under the current Directive 95/46/CE would remain in effect unless amended, repealed or replaced by the Commission.

By contrast, the European Parliament’s LIBE (Civil Liberties, Justice and Home Affairs) Committee has proposed amending the proposal so that such adequacy decisions would only remain in force for five years after the Regulation comes into effect.

In the wake of the Snowden revelations regarding the USA covert surveillance programme, PRISM, for the interception and access to the electronic communications of EU citizens on a large scale, namely personal data that was transferred to online service providers in the USA under the Safe Harbour, the European Data Protection Authorities (DPAs) and the European Commission have been increasingly manifesting serious concerns regarding the safety of this agreement.

This led Viviane Reding, former Justice Commissioner, to argue that “the Safe Harbor agreement may not be so safe after all” and that it “could be a loophole for data transfers because it allows data transfers from EU to U.S. companies – although US data protection standards are lower than our European ones.” Vivian Reding further announced that the Commission would conduct an assessment of the EU-USA Safe Harbour agreement.

In July 2013 the European Parliament considered that the PRISM program constituted a “serious violation” of the Safe Harbour agreement and called on the European Commission to review the framework. Last March, following its report on mass surveillance activities, the European Parliament approved a resolution calling for the reversion or suspension of the EU-USA Safe Harbour scheme, considering that it fails to provide adequate protection for EU citizens.

Instead, in November 2013, the European Commission put forward a series of 13 recommendations for the USA to put into practice, which would make the Safe Harbour safer, if implemented. Nevertheless, the most controversial features of the framework, such as the voluntary adherence, were not adequately addressed. The expected conclusion of the discussions on the 13 recommendations proposed by the European Commission was set for the end of last summer. The deadline passed without any further developments.

Last June, following a complaint brought by the Austrian campaign group Europe v Facebook regarding the company’s part on NSA’s mass electronic surveillance programme, a Irish court (the Facebook’s international headquarters are in Ireland) referred to the Court of Justice of the EU on the compliance of the Safe Harbour with the EU Charter of Fundamental Rights.

There has been extensive debate regarding the future of the Safe Harbour, considering that some DPAs no longer recognize it as a valid data transfer mechanism. DPAs can exceptionally suspend data transfers based on the Safe Harbour, namely when it is likely that the Safe Harbour Principles are being violated. To date, no DPA has done so. Considering the serious economic implications, I think that it is very unlikely that the Safe Harbour will be suspended or reversed. In the meantime, the decision of the European Commission on the adequacy of Safe Harbour remains in force, until specifically repealed or changed.

Věra Jourová, the new Justice Commissioner, already expressed strong doubts on the security of the Safe Harbour mechanism. However, she did not favour a suspension or a cancellation of the programme. Andrus Ansip, the new Commissioner for the Digital Internal Market, for its turn, did not exclude that possibility.

 

The ‘One Stop Shop’ mechanism reloaded

Get all your data protection matters handled here!

Get all your data protection matters handled here!

The ‘one stop shop’ mechanism is one of the most heralded and yet most controversial features of the General Data Protection Regulation which draft is currently being negotiated within the Council of the European Union.

According to the most recent proposal of the Italian Presidency of the Council of the European Union, where data protection compliance of businesses operating across several EU Member States’ is in question or where individuals in different EU Member States are affected by a personal data processing operation, it would allow businesses to only deal with the Data Protection Authority (DPA) of the country where they are established.

Cases of pure national relevance, where the specific processing is solely carried out in a single Member State or only involves data subjects in that single Member State would not be covered by the model. In such circumstances, the local DPA would investigate and decide on its own without having to engage with other DPAs.

These are, however, deemed to be the exemption as the mechanism aims for a better cooperation among DPAs of the different EU Member States concerned by a specific matter.

Therefore, in cross-border cases, the competence of the DPA of the EU Member State of the main establishment does not lead to the exclusion of the intervention of all the other supervisory authorities concerned by the matter. In fact, while the supervisory authority of the Member State where the company is established will take the lead of the process which will ensue, the other authorities would be able to follow, cooperate and intervene in all the phases of the decision-making process.

In this context, if no consensus is reached among the several authorities involved, the European Data Protection Body (hereafter EDPB) will decide on the binding measures to be implemented by the controller or processor concerned in all of their establishments set up in the EU. Similarly, the EDPB will have legally binding powers in case of failure to reach an agreement over which authority should take the lead.

Multi-jurisdictional operating businesses operating in the EU, which handle vast amounts of personal data, would highly benefit from this ‘one stop shop’ concept, which would enable to reduce the number of regulators investigating the same cases. Indeed, as things stand presently, a company with operations in more than one EU Member State has to deal with 28 different data protection laws and regulators, which unavoidably leads to a lack of harmonization and legal uncertainty.

The Article 29 Working Party has already manifested its support for a ‘one stop shop’ mechanism under the proposed EU General Data Protection Regulation.

However, in the past, Member States have manifested numerous reservations regarding this mechanism. Among the main concerns expressed were the following: businesses would be able to ‘forum shop’ in order to ensure that their preferred DPA leads the process; a DPA would not be able to take enforcement action in another jurisdiction; individuals’ rights to an effective remedy under EU laws would not be appropriately recognised; authorities without the lead position would not be able to influence processes related to data protection breaches involving nationals of their Member States.

As the way the ‘one stop shop‘ mechanism would be implemented in practice is one of the main causes of the hindrance for the Member States to reach an agreement on the wording of a new EU General Data Protection Regulation, let’s hope that the solution proposed by the Italian Presidency of the Council of the European Union does get closer to a suitable accommodation of the various concerns expressed by Member States.

Security Breaches and the Bridge to Security

Is it?

Is it?

Data protection is a major concern for businesses of all sizes and across all sectors due to the constant risk of information security breaches. They fear the financial impact on operational budgets, the commercial costs it entails, the reputation damage it causes and the consequent liability to third parties.

The ongoing data protection reforms are intended to harmonize and strengthen the current data protection legislation across the EU member states. The new EU General Data Protection Regulation, currently being discussed within the Council of the EU, is awaited with great expectation. Just recently 16 Member States issued a joint declaration pressing the adoption of the reforms by 2015.

If this instrument will be approved in 2015, it will be in place by 2017, thus replacing the 1995 Data Protection Directive, which does no longer adequately cater for the current technological advances. As a regulation it will be directly applicable to all EU member states without a need for national implementing legislation.

For individuals, these news come as a promise that the protection of their rights will be strengthened. But the big changes ahead mean that businesses will face stricter data security requirements and additional compliance burden.

Indeed, although nothing is decided until everything is agreed, it is evident that the new EU Regulation will entail stronger restrictions on companies’ data protection policies and systems, regarding the implementation of appropriate technical and organizational measures. It thus will have major implications for all sectors (financial services, healthcare, the legal sector, manufacturing or the public sector, just to name a few) on the way data is collected, stored and accessed.

The announced reforms will, among others constraints, require businesses and organizations to gain explicit consent from individuals before processing their data, notifying them when their data is collected, and informing for what purpose it is being processed and how long it will be stored.

The conditions include as well the already famous so-called ‘right to be forgotten’, allowing individuals to demand the erasure of their data from companies’ computer systems, if there are no legitimate grounds for keeping it.
In parallel, upcoming changes include also a ‘right to data portability’, thus enabling individuals to easily transfer their personal data between service providers.

Furthermore, companies and organizations will have to report data security breaches to the national supervisory authority (the governmental body that handles data security within a member state). Similarly, users will have to be informed about any data breaches that could adversely affect them without undue delay. Businesses are, of course, worried with the eventual impact that this compulsory disclosure will have on their brand and reputation across the EU. However individuals should undoubtedly be able to take protective measures such as changing passwords if the safety of the information related to them has been compromised by a security breach.

Additionally, companies can incur in severe fines – up to 5 per cent of their global turnover – if they are found to have been negligent or abusive in protecting their data. Fines are intended to be effective, proportionate and dissuasive.

Despite the increased responsibility and accountability, businesses will be able to be free of unnecessary administrative requirements, as notifications, which will bring considerable annual savings.

According to the intended reform, a new ‘one stop shop’ regulatory regime will also be established, which would mean that businesses will have to deal with just one data protection authority (DPA) – the one based in the country of their main establishment – instead of each DPA in every EU country in which they operate.

Of course some of the proposals will undoubtedly be amended in the course of the co-legislative decision procedure, but is has already become obvious that the end-result will require businesses to adapt internal processes and technologies. The recent massive data breaches and security threats have outlined the unfortunate existing room for improvement regarding the monitoring and protection of corporate data.

So the big question to ask is: are businesses ready for the forthcoming legislation?

Though there is no need to panic, the clock is ticking, and businesses should look ahead and prepare themselves for the major shake-up requirements.

In order to move towards compliance, it is important to reflect what are the required adjustments that need to be developped internally to that end.

It will be necessary, for instance, to ensure the legitimacy of the data processed, assessing which data currently stored actually needs to be kept and analysing the legal basis according to which personal data is used. For example, if consent has to be obtained, it must be ascertained if it is adequately documented and if it is specific, informed, explicit and freely given.

It is a paramount principle to identify vulnerabilities, build protective measures and adequate safeguards to all data processing activities which will require, for instance, the restriction of access to data to some employees, anonymising and encrypting data, assigning ownership and attributing responsibilities regarding non-compliance with legislation, namely to an appointed data protection officer.

Offering adequate data security training and education to employees is also an important feature of an effective security precaution, especially regarding their obligations of confidentiality.

The development and application of adequate procedures in order to deal properly with breaches of data security, namely the implementation of an incident management and a breach notification process, will ensure that, once detected, occurrences are notified in due time to the data protection authority.

Similarly, all data processing operations should be well documented and up to date in order to be made available promptly to the data protection authority on request at any time.

Last, but not the least, as individuals will be able to demand that organizations erase records of their personal information, businesses should have in place a system of storage, classification and search which will allow effectively finding and erasing the data collected.

The bottom line is that, regardless what the final version of the upcoming regulation will be shaped like, businesses cannot ignore the EU’s data protection reforms and the challenges and opportunities which lie ahead.

Failing to be well prepared for the impending changes represents putting the whole business at risk due to the reputation damages and the financial losses associated to a potential data breach.

In this context, news of cyber-attacks, as of the most recent software bug Shellshock, might be the greatest of incentives…

© 2017 The Public Privacy

Theme by Anders NorenUp ↑