Trust and confidence in the data protection framework is of paramount importance if European citizens are to embrace Internet services and further the aims of the Digital Single Market Strategy. EuroISPA believes that European citizens’ personal data should be granted a uniform level of protection, regardless of the geographical location or the economic sector of the service provider. Indeed, for several years EuroISPA has supported the spirit of the Commission’s efforts to modernise and harmonise the EU’s data protection framework. However, there is still much to be done to ensure data protection rules are responsive to the emergence of new services such as cloud computing, and do not burden ISPs with crippling compliance costs. This committee brings together all EuroISPA members with an interest in data protection issues, and works to ensure a legislative framework that guarantees users’ high standards of data and privacy protection while encouraging innovation in today’s digital environment.
Key ongoing dossiers
General Data Protection Regulation
July 2016: European Commission officially adopts Privacy Shield
On 12 July 2016 the European Commission officially adopted the EU-US Privacy Shield, the new framework for the continuation of transatlantic data transfers.
The key documents:
- European Commission press release – summarises the main features of the new agreement.
- European Commission Adequacy Decision – the legal text underpinning the new framework.
- European Commission fact sheet – responding to frequently-asked-questions on Privacy Shield.
- The data transfer Adequacy Decision (defining the legality of data transfers to the US) will enter into force immediately.
- Companies will be able to certify their Privacy Shield compliance with the US Commerce Department from 01 August.
- The Commission will publish a short guide to educate citizens on data protection remedies vis-à-vis the US government and US companies under the new framework.
July 2016: Article 29 WP issues statement following Privacy Shield adoption
The Article 29 Working Party (WP29) – a body composed of representatives from the national data protection authorities (DPAs) and the European Data Protection Supervisor (EDPS) – issued a statement following the adoption by the European Commission of Privacy Shield (PS).
You can find the statement here.
In the statement, the WP29 generally welcomed the Privacy Shield decision, yet pointed to a number of concerns with regard to both commercial aspects and access by US public authorities to data transferred from the Union:
Commercial aspects:
- Lack of specific rules on automated decisions and a general right to object, as well as ambiguity regarding the application of the PS Principles to processors.
Access by US public authorities:
- Lack of concrete assurances that bulk collection of personal data does not take place.
The WP29 stressed the significance of the first joint annual review to assess the PS mechanism and, more specifically, to determine whether the safeguards on personal data were workable and effective. The WP29 further claimed that the results of this first joint review could impact other transfer tools such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs).
June/July 2016: EuroISPA participates in GDPR Fab-lab event
EuroISPA was invited to participate in a workshop organised by the National Data Protection Authorities (Article 29 Working Party) on the implementation of the EU General Data Protection Regulation (GDPR) that took place in Brussels on 26 July. Andrea Monti attended the workshop on EuroISPA’s behalf.
The workshop focused on technical/operational aspects of the new EU data protection rules.
June/July 2016: EuroISPA submits e-Privacy Directive public consultation and co-signs joint industry coalition statement on e-privacy
EuroISPA submitted its response to the European Commission’s public consultation on the e-Privacy Directive and co-signed a joint industry statement which was circulated the same day, in which it – together with other tech and telecom associations – called for the e-Privacy Directive to be repealed.
The joint industry statement can be found here.
In the public consultation, EuroISPA suggested that the European Commission evaluate whether the sectorial approach contained in the e-Privacy Directive was still relevant, specifically in light of the recent adoption of the General Data Protection Regulation (GDPR), which could provide clarity to certain obligations in the e-Privacy Directive that had hitherto lacked harmonisation and interpretation across the EU.
- The European Commission will present its legislative proposal on the revision of the e-Privacy Directive in Q4 2016.
May 2016: European Data Protection Supervisor (EDPS) adopts position vis-à-vis Privacy Shield framework
The European Data Protection Supervisor (EDPS), an independent supervisory authority that advises the European Commission institutions and bodies on matters relating to personal data, has published its Opinion on Privacy Shield.
In the executive summary of the Opinion, the EDPS notes that even though Privacy Shield may be a step in the right direction, it does not adequately include all appropriate safeguards to protect the EU rights of the individual to privacy and data protection, as well as rights concerning judicial redress.
The Opinion further provides main recommendations with regard to the adequacy decision (from page 7 onwards). These include:
- Privacy Shield is to be amended to better integrate all main EU data protection principles relating to – inter alia – data retention, onward transfers and the right to access and right to object.
- The derogations from the Privacy Shield principles should be more precise;
- The European Commission should seek more specific commitments with regard to the Ombudsperson’s requests for information and cooperation, as well as her decisions and recommendations, which should be effectively respected and implemented by all agencies and bodies.
The EDPS underlines in its Conclusion that robust improvements are needed to achieve a solid, stable framework.
EuroISPA high-level letter calling for expeditious adoption of Privacy Shield
In early May, EuroISPA circulated a letter to the respective Justice and Home Affairs ministers of the 28 EU Member States concerning Privacy Shield. The objective of the letter was to urge Member States to support the timely adoption of Privacy Shield, rather than taking any position with regard to the provisions of the new framework. The letter emphasised that further delays in adopting the transatlantic data transfer arrangement would result in new legal uncertainty for ISPs.
- The EDPS’s Opinion is non-binding and Commissioner Jourová already indicated in the European Parliament during a debate on Privacy Shield last week that the Commission would strive to have the Privacy Shield framework up and running by summer.
May 2016: European Commission publishes report on public consultation on data and cloud computing and organises workshop
On 12 May the European Commission published a synopsis report on the outcomes of the public consultation on data and cloud computing.
The main findings include:
- Data localisation restrictions are hampering the use of data services and commercial activity;
- While data localisation can be justified in some instances (e.g. national security), business respondents feel it could be a barrier to the development of the European data economy;
- The existing legal framework and contractual practices for access to and use of data are not fit for purpose;
- There are problems stemming from an unclear liability regime in relation to data and the Internet of Things;
- The majority of stakeholders consider that EU action is necessary to address liability uncertainty vis-à-vis IoT;
- With respect to cloud initiatives, stakeholders consider security and protection of users’ data to be critical;
- There is disagreement between users and service providers with respect to the transparency of commercial contracts governing cloud services;
- The majority of respondents consider that economic benefits would arise from EU-level regulatory action to boost interoperability and data portability;
- Many respondents favour a self-regulatory approach with respect to cloud-based services, incl. EU-endorsed model contracts.
The full preliminary report can be read here.
Following the publication of the results of the public consultation on data and cloud computing, the Commission held a workshop on the free flow of data initiative.
At the workshop the European Commission emphasised that the free flow of data was pivotal to completing the Digital Single Market and identified two types of barriers:
- Data localisation barriers
- “Emerging issues” – implicit barriers such as liability, interoperability, unclear frameworks of ownership and portability of, and access to data.
The Commission further expanded on the instruments it could avail itself of with regard to the regulation of data and cloud computing. These options ranged from adopting a legislative instrument to a soft-law approach where the Commission would issue Recommendations to Member States or publish a policy white paper.
EuroISPA meeting with the EC Head of Unit on free flow of data initiative
On 25 May the EuroISPA President, together with the Secretariat, held a meeting with the Commission’s Head of Unit dealing with the free flow of data initiative to gain a better understanding of the Commission’s plans with regard to this dossier.
- The European Commission will publish a new legislative initiative on the free flow of data in Q4 (November) 2016.
- That initiative is likely to be accompanied by a new Commission white paper on data ownership.
March/April 2016: European Commission launches public consultation on E-Privacy Directive
The European Commission has launched a public consultation on the EU ePrivacy Directive. The consultation seeks to gather feedback on the implementation of the Directive and whether reform is needed as a result of new economic/regulatory developments.
The ePrivacy Directive defines sector-specific rules for electronic communications services regarding the processing of personal data. It was originally introduced to complement the 1995 Data Protection Directive.
Context of review
The new EU General Data Protection Regulation applies data protection rules horizontally across sectors. As such, a number of the provisions of the existing (sector-specific) ePrivacy Directive are no longer relevant.
Moreover, the spread of Internet-based communication services has led to questions as to whether the scope of the existing Directive properly captures all services that should be subject to it.
The Commission is seeking feedback on:
- How to ensure consistency of the ePrivacy Directive with the General Data Protection Regulation
- How the scope of the ePrivacy Directive should be amended in light of the new market and technological realities
- Whether technical advancements require enhanced measures for security and confidentiality of communications
- How to address inconsistent enforcement and fragmentation at national level
The consultation is open until 05 July 2016.
The Secretariat has begun assessing the content of the consultation to understand what scope EuroISPA has to respond.
March/April 2016: National Data Protection authorities outline their position on new Privacy Shield framework
The Article 29 Working Party has published the substantive text of its Opinion on the draft Privacy Shield Framework.
While considering the Privacy Shield agreement to be a substantial improvement on the old Safe Harbour framework, national Data Protection Authorities are concerned that key data protection principles are missing or inadequately accounted for in the draft agreement.
National DPAs highlight two major issues with the draft Privacy Shield Framework:
- Data transfer adequacy decisions must ensure that the third-country provides a data protection level that is “essentially equivalent” to that of the EU.
- The Privacy Shield does not ensure that because it does not properly account for several important EU data protection principles:
- Assurances that the US will respect the EU data retention principle are not apparent in the Privacy Shield. The principle states that data must only be kept as long as necessary to achieve the purpose for which the data have been collected.
- There are no safeguards to ensure adequate measures will be taken to protect EU citizens’ data when it is further processed in a third country (in addition to the US).
- The new redress mechanism in practice may prove to be too complex and difficult to use for EU individuals and therefore ineffective.
National security issues
- The vague derogations in the new agreement compromise the safeguards against “massive and indiscriminate collection of personal data originating from the EU”.
- The new redress ombudsperson may not be sufficiently independent or sufficiently empowered to provide effective privacy redress for EU citizens.
- The Opinion of the Article 29 Working Party is non-binding on the European Commission.
- EU Member States (through the Article 31 Working Party) will provide their own non-binding Opinion in the coming weeks.
- The European Commission is expected to formalise the new framework (through a data transfer Adequacy Decision) in June 2016.
- It is unclear at this point as to what extent the European Commission is willing and able to amend the Framework in response to the DPAs’ concerns.
- Once formalised, the new agreement is almost certain to be challenged before the Court of Justice of the European Union, to test whether it meets the criteria of the Schrems ruling.
February 2016: Legal texts EU – US Privacy Shield published by the Commission
On 29 February, the European Commission (EC) announced in a press release that it had issued the legal texts of the EU-US Privacy Shield. The new framework succeeds Safe Harbour, which was invalidated by the Court of Justice of the EU (CJEU) in its Schrems ruling on 6 October 2015.
In the joint Communication entitled ‘Transatlantic Data Flows: Restoring Trust through Strong Safeguards’, the Commission mentioned the changes the new agreement is purported to bring with respect to its predecessor, including - for the first time - commitments by public authorities in the field of access to personal data for national security purposes.
The new arrangement contains supervision mechanisms which aim to ensure Privacy Shield companies adhere to obligations with regard to the processing of EU data, including transferring of data to third parties outside the framework, whether in the US or in other third countries (onward transfers). The US Department of Commerce has committed to a regular monitoring of the companies’ compliance with their commitments under the arrangement, which are legally binding and enforceable under US law by the Federal Trade Commission (FTC). Companies that do not comply face sanctions.
The US has also established a redress mechanism for EU data subjects in the area of national security through an Ombudsperson within the US Department of State.
Privacy Shield companies commit to reply to complaints by EU data subjects within a fixed deadline of 45 days upon receipt of a complaint. In addition, EU data subjects can submit their grievances to their national Data Protection Authorities (DPAs), who will work with the FTC to investigate and resolve complaints. Furthermore, there will be a free-of-charge dispute resolution body which can take binding and enforceable decisions against US Privacy Shield companies. Finally, companies can commit to comply with advice from European DPAs, which is obligatory for companies handling human resource data.
The EC, together with the US Department of Commerce, will conduct an annual review on the functioning of Privacy Shield, including commitments made with regard to access to data for law enforcement and national security purposes. On the basis of the annual review, the Commission will issue a public report to the European Parliament and the Council.
EU DPAs (Article 29 Working Party) will give their opinion on Privacy Shield (late March/early April) before the College of Commissioners takes a final decision with regard to the new framework.
February 2016: Commission starts review on e-privacy directive
The European Commission announced it will come out with a legislative proposal to reform the ePrivacy directive in mid-2017.
The public consultation on the ePrivacy directive is expected to be opened either by the end of this week (11 March), or next week.
During the public consultation’s twelve-week run time, the Commission intends to hold workshops with telecoms and groups with vested interest in the legislation.
On 22 March, the Communications Committee of DG Communications Network, Content and Technology will hold a meeting during which it will – inter alia – discuss the state of play of the E-Privacy review.
On 12 April, the Commission will hold a stakeholders workshop entitled ‘Towards a future proof ePrivacy legal framework’. One member of the Secretariat will attend this workshop and report back to the members on the topics discussed.
January 2016: The European Commission and US Government reach political agreement on Safe Harbour replacement: the EU-US Privacy Shield
On 2 February 2016, the European Commission announced that it had managed to strike a deal to substitute the annulled Safe Harbour. This new agreement has been named the EU-US Privacy Shield and it aims to answer the concerns of the European Court of Justice about the level of protection for European users whose data is transferred to the US.
The new agreement will be based on the following four points:
1. Limited scope of action for intelligence services and public authorities. The access to citizens’ data by public authorities will be limited to those circumstances where it is proportional and necessary.
2. Independent oversight and judicial redress. There will be an ombudsperson with the capacity to process complaints by EU citizens.
3. Resolution of individual complaints. The concerned companies will have to deal with the complaints, and in case this doesn't work, there will be an alternative dispute resolution mechanism free of charge.
4. Binding commitments from the US. This new agreement will not be an international treaty, just an exchange of letters signed by high-level representatives that will reflect the commitments subscribed by both parties. There will be an annual review mechanism to ensure that the different safeguards are respected.
On 3 February, the working group that gathers all national data protection authorities (Article 29 WP) issued its opinion on the EU-US Privacy Shield and the consequences it brings for the current transatlantic data flows (here). The Article 29 WP concluded that companies relying solely on Safe Harbour for their transatlantic data transfers are in an illegal situation. However, companies can still use alternative transfer methods (namely BCRs and Model Contract Clauses) until the Group decides whether the new Privacy Shield framework provides an adequate level of protection to European citizens.
The Article 29 Working Party will have a plenary at the end of March to discuss the adequacy of the EU-US Privacy Shield and it will issue a final opinion in mid-April. This decision could give green light to the Privacy Shield agreement and restore legal certainty to transatlantic data flows. However, the Group could also rule that the US does not offer enough protection for citizens’ personal data and therefore invalidate the agreement and the alternative transfer methods.
December 2015: Trialogue agreement reached in General Data Protection Regulation negotiations
On 15 December, negotiators from the European Parliament and EU Council (Member States) reached an agreement on a compromise text for the General Data Protection Regulation.
The compromise agreement will be voted on by the full European Parliament and Member State Justice ministers in the spring.
A two-year implementation phase for the Regulation will begin once the Institutions have given their final vote.
A detailed debriefing on the Regulation will be provided at the January General Meeting.
December 2015: Safe Harbour state of play
Following up on the Safe Harbour ruling, Max Schrems announced on 2 December that he will be challenging the standard contractual clauses that Facebook is currently using to transfer data to the US (here). Schrems filed two new complaints about the way Facebook treated his personal data: one complaint was filed with the Belgian Privacy Commission (here), whilst the other was directed towards the Data Protection and Freedom of Information Commissioner in Hamburg, Germany (here). Schrems further updated the complaint filed with the Irish Data Protection Commissioner (IDPC), requesting the IDPC to suspend all data flows from “Facebook Ireland Ltd” to “Facebook Inc” (here). On the same day, Vice-President Ansip delivered a speech (here) at the 3rd Annual Transatlantic Digital Economy Conference at AmCham EU, where he briefly referred to the ongoing negotiations on a revised Safe Harbour Agreement, saying that both parties were working on new safeguards that would prevent access or use of personal data on a “generalized basis”.
On 30 November, the Dutch Justice Minister, Ard van der Steur, published a letter in response to Parliamentary questions on the implications of the invalidity of the Safe Harbour Agreement (here). In the letter, the Minister goes into depth on the implications of the European Court of Justice (ECJ) Safe Harbour ruling, as well as possible solutions on the EU and national level for the continuation of transatlantic data transfers. Van der Steur mentions that the Commission has started meeting the national data protection authorities (DPAs) to conclude an EU-wide code of conduct for the continuation of transatlantic data flows.
The Minister also devotes a part of his letter to the consequences of the ECJ ruling for EU legislation. He believes it is evident that the Commission will undertake steps to review whether the other adequacy decisions also fail to comply with the ruling. If the Commission finds that some adequacy decisions fail to adhere to the ruling, the Minister refers to the Commission’s obligation – in accordance with Article 25(5) of the Data Protection Directive – to negotiate with the third country ‘with a view to remedying the situation’.
Commissioner Jourová also touched upon the Commission’s negotiations on a new Safe Harbour regime in a speech (here), delivered at the Brookings Institution in Washington D.C. on 16 November. In the speech, she mentions the significance of expediting the discussions on a new framework for commercial transfers of personal data that will replace the old Safe Harbour Agreement following the European Court of Justice’s (ECJ) Schrems ruling. She reiterates that alternative ways of transferring data were a short-term solution and hopes to conclude the negotiations on the new framework as soon as possible. She is confident the deadline of January 2016 for a new Safe Harbour Agreement will be reached.
In addition, Jourová notes that, following the meeting of the Commission with business organizations, amongst which EuroISPA, on 16 October to discuss the Max Schrems ruling, the Commission issued on 6 November an explanatory Communication to give guidance on international data transfers after the ruling by providing an overview of alternative transfer tools (here).
The Commission is continuing negotiations with the US government on a new Safe Harbour regime and hopes to reach agreement by the end of January 2016. In the short term, the Commission will set up a consultation meeting with the Article 29 Working Group to come up with recommendations for the interim period. The Working Group has warned that, if no agreement is reached with the US by the end of January 2016, it will clear the path for national DPAs to take “necessary and appropriate actions”, including “coordinated enforcement actions”.
November 2015: EuroISPA meets with Commissioners Jourová, Oettinger and Ansip over Max Schrems ruling
On 16 October EuroISPA, among other industry associations, attended a high level meeting with the Commission to discuss the consequences of the Max Schrems ruling and the possible next steps. EuroISPA defended in front of the Commission:
- The necessity to have a "grace period" before the enforcement of the ruling to allow data transfer to the US through alternative mechanisms;
- The "good faith" of the companies that relied upon Safe Harbour;
- The necessity for clear legal guidelines on how to proceed;
- The risk of fragmenting the internal market if local DPAs issue different opinions on standard model clauses, BCRs and other alternatives.
November 2015: General Data Protection Regulation discussions move forward
Negotiations on the General Data Protection Regulation (GDPR) are moving forward and only four more trialogue meetings gathering EU legislators (Parliament, Commission and Council) are planned until the end of the year. At their last meeting on 28 October, negotiators discussed:
- Joint and several liability of the controller and processor: Negotiators are moving towards a solution similar to the one currently in place in Directive 95/46, where the controller (and not the processor) is the only point of reference for consumers in the event of security breaches. This is indeed a positive outcome, as it would mean having one ‘interface’ interacting with consumers.
- Administrative sanctions: Sanctions are a novelty introduced by the GDPR legislation. However, no agreement was reached at the meeting due to divergent views on the amount and categories of sanctions. The European Parliament pushes for Data Protection Authorities (DPAs) to be free to decide the max. /min. amount of sanction for any kind of non-compliance whereas the Council of the EU, representing Member States, prefers having only 3 levels of categories of sanctions applicable.
- Representation of the Data Subject: Discussions are on-going on whether to broaden the scope of data subject to the consumer associations.
EU legislators are confident that they should be able to close the file by the end of 2015. The next meeting is planned for 11-12 November and will focus on outstanding issues such as consent and legitimate interest for the processing of data. On the latter, the European Parliament pushes to limit the right of companies to process data for purposes other than the original purpose, which is allowed today.
November 2015: Parliament passes Surveillance resolution as Commission works to deliver Safe Harbour 2.0
Following the ruling by the European Court of Justice in the Schrems case, the European Parliament (EP) approved on Thursday 29 October a follow-up resolution (here) to the EP’s resolution of 12 March 2014 on the electronic mass surveillance of EU citizens. MEPs also welcomed (here) the ECJ ruling in the Schrems case, which, according to MEPs, ‘has confirmed the long-standing position of Parliament regarding the lack of an adequate level of protection under this instrument’.
The follow-up resolution urges the Commission to ensure that all data transfers to the US are subject to an ‘effective level of protection’ and calls on the Commission to ‘immediately take the necessary measures that all personal data transferred to the US are subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU.’
In a speech at the Amsterdam Privacy Conference delivered on 30 October, EU Commissioner Jourová reiterated the Commission’s commitment to abide by the Schrems ruling (here). She noted that, due to the declared invalidity of the Safe Harbour Agreement, in the short term the other means of data transfer foreseen under the 1995 Directive would now apply.
Next steps: The Commission will issue clear guidelines in November on the interpretation of this case in order to ensure harmonisation. The DPAs will start assessing the alternative clauses for data transfers and, depending on the assessment result, will start enforcing the law from January onwards. This is in line with the grace period that EuroISPA requested in the meeting with the Commissioners. In addition, the Commission will continue to push for a mandatory reporting system under the new Safe Harbour agreement, which is currently being negotiated with the US. Commissioner Jourová will travel to Washington DC in mid-November to take stock of the negotiations.
September/October 2015: New momentum to achieve GDPR agreement by end of 2015
Negotiations on the GDPR are progressing well and the Presidency of the Council is confident of reaching a political agreement by the end of 2015. The September trilogue meetings focused on some of the most critical chapters of the Regulation: Chapter II (principles), III (data subject’s rights) and IV (data controller/processor).
EuroISPA’s position on key provisions such as the right to be forgotten, consent, profiling and legitimate interest is partly reflected in the texts under discussion. Even if the final result will never be fully satisfactory, EuroISPA’s intervention is performing considerable damage control in the process.
Negotiators will meet next on 15 October to solve outstanding issues on Chapters II, III and IV and to start negotiations on Chapters VI (independent supervisory authority) and VII (co-operation and consistency).
September/October 2015: Court of Justice of the European Union declares Safe Harbour invalid
On 6 October the Court of Justice of the European Union invalidated the Safe Harbour data transfer agreement in its final ruling in the case “Schrems versus the Data Protection Commissioner”. The Court's press release on the judgement can be read here.
The Court held that:
- The existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities. The Commission did not have the competence to restrict the national supervisory authorities’ powers in that way.
- The national supervisory authorities must be able to examine whether the transfer of a person’s data to a third country complies with the requirements laid down by the Directive.
- Legislation that does not provide any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.
As a consequence, the Irish Supervisory Authority has been required to examine Mr. Schrems’ complaint with all due diligence and will have to decide whether the transfer of data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.
The ambitious target of the Institutions is to reach an agreement on a new General Data Protection Regulation by the end of 2015, even if a more realistic timeline could be Q1 2016, according to internal sources in the Parliament.
In the context of the Industry Coalition for Data Protection, EuroISPA is organising a dinner during Parliament's plenary session of Strasbourg in October to provide technical support to relevant MEPs from different political groups. EuroISPA President, Oliver Sueme, will attend and intervene on behalf of the association.