
Thursday 17 December 2015

EU Negotiators reach agreement on new Data Protection Regulation

And finally, the news we have all been waiting for... We can't believe that it has really happened! You may already have noticed that on Tuesday night, EU negotiators finally reached agreement on the new EU Data Protection Regulation. The European Commission press release is here.

As most of you will be well aware by now, negotiations on the EU data reform package have been ongoing since 2011 and, whilst the final texts are not yet available, we do now have the final compromise texts for both the draft General Data Protection Regulation ("GDPR") and the draft Data Protection Directive for the police and criminal justice sectors, which covers data transfers between law enforcement agencies across Europe.

Following the agreement on 15th December, the European Parliament's Civil Liberties, Justice and Home Affairs ("LIBE") Committee voted on the proposals this morning, 17th December 2015. The GDPR was voted in with a large majority of 48 votes to 4 against and only 4 abstentions. The Directive was voted in with 53 votes to 2 against and 1 abstention.

Once the texts are translated into all the EU languages and ratified by the Council of the European Union and the European Parliament (anticipated early in the New Year), they will be published in the Official Journal of the European Union.

The Regulation will enter into force 20 days after that publication and will then apply directly in all 28 EU member states two years later, without the need for national implementing legislation (the Directive, by contrast, must be transposed into national law within the same two-year period). The new law will therefore become enforceable from 2018.

What are the main elements of change?

The top 10 major changes under the new law are as follows:

  1. Greater protection for the personal data of individuals - the key focus of the new law is to ensure that individuals have greater control over their personal data (especially in relation to data deletions, portability and access) and to ensure that organisations (especially those operating across several jurisdictions and/or using outsourcing partners) are forced to take more care in their approach to data sharing and transfers.
  2. More liability for sub-contractors and outsourcing organisations - where an outsourced partner is used to process data, both the parties will be jointly liable. Traditional data processor outsourcing organisations will no longer be able to 'pass the buck' to their instructing data controller, instead being forced to comply directly. 
  3. Fines of up to 4% of annual worldwide turnover for non-compliance. Crucially, any company found to be in breach of the Regulation could be fined up to €20 Million or 4% of annual global turnover, whichever is the higher (caps of between 2% and 5% had been under negotiation; the negotiators settled on 4%, higher than many speculated). Jan Philipp Albrecht, chief negotiator for the European Parliament, highlighted that "for global internet companies in particular, this could amount to billions". This higher tier of fines applies to breaches of certain parts of the new law, such as processing personal data without a lawful basis. A second, lower tier of up to €10 Million or 2% of annual worldwide turnover will apply to certain processor, security and administrative breaches.
  4. Easier complaints mechanism for individuals. Consumers will now be able to raise a complaint in their own country, as opposed to the country the offending company is headquartered in. Should a complaint cover several European countries, a newly created European Data Protection Board will help settle the dispute.
  5. Explicit consent. Companies will need to ensure that consent to process any personal data is freely given, specific, informed and 'unambiguous', and that consent to process sensitive personal data (the special categories, such as health data) is 'explicit'. Consent will need to be given by a statement or by a clear affirmative action, and the request for consent must be easily accessible and intelligible. Companies will also need to act on any individual's request to have their details deleted under the tightened-up 'right to be forgotten'. These changes may require you to make changes to your current data collection and retention processes. The legitimate interest ground for processing personal data will also be more heavily qualified by specific and explicit notice requirements. 
  6. Mandatory data breach reporting. Any personal data breach that is likely to result in a risk to individuals must be reported to the regulator 'without undue delay' and, where feasible, within 72 hours of the organisation becoming aware of it. Affected individuals must also be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms. This could be difficult to implement in practice and will require more careful public relations management and data breach response planning. 
  7. Increased protection for Under 16yr olds. Data protection for under 16 year olds has been toughened up. Whilst the regulation sets the age of digital consent for using social media platforms at 16 years, individual member states can decide to lower it to 13 years. 13 is the current limit for many US social media companies, such as Facebook and Instagram. Companies will also be restricted on profiling and collecting data for users under 16 years and will require parental consent to do so. They'll also have to show they've made reasonable efforts to get this consent. Timothy Kirkhope, Conservative MEP said: "Concerns have been listened to and the UK's age of consent will not be forced to change". Watch this space.
  8. Mandatory Data Protection Officer. The contentious requirement to appoint a Data Protection Officer seems to have been restricted to public authorities and organisations that process large amounts of sensitive personal data or that process personal data used for systematic monitoring on a large scale. Watch this space to see what implications this might have in practice. 
  9. Mandatory Privacy Impact Assessments. More onerous requirements on organisations to ensure privacy by design, including a requirement to carry out privacy impact assessments (as we know them now) in certain circumstances. 
  10. Requirement for formal data protection policies, procedures and training. The current requirement to register data processing activities with the EU regulators (such as the ICO Notification process) will now be replaced with perhaps much more onerous requirements to document, formalise and audit data processing practices internally within an organisation and to carry out training. Please do contact us if you need help with getting your "house" in order.
  11. International Data Transfers - following the ECJ Safe Harbor case in Schrems, the GDPR will continue prohibiting data transfers to non-EEA countries unless they are recognised as being "adequate" by the EU. While there will now be stricter conditions for countries trying to obtain that "adequacy" status, new data transfer compliance mechanisms like privacy seals will be considered and binding corporate rules have been endorsed.
  12. Application to a Greater Number of Organisations - Following recent ECJ cases, such as the Weltimmo case, the GDPR will apply to most organisations that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU, whether or not the organisation itself is established in the EU. This will include, most notably, the online activities of non-EU organisations.
  13. 'One Stop Shop' - the controversial one-stop shop enforcement process which aims to centralise data protection enforcement is to be introduced via one competent national regulator. There is a complicated process set out in the GDPR to help ensure consistency and co-operation, which only time will help us to truly understand.
(Who were we kidding - we couldn't keep this list to a Top 10!)

So What Next?

The headlines above give a brief overview of some of the key changes. The next step for us and for you is to fully review the documents when they are finally published in the New Year.

We will follow up early in 2016 with a more detailed Pritchetts blog article on the key changes of the new law and preparations to be made. For now, all organisations should take note that they have 2 years to review their operations and carry out a data protection audit or gap analysis against the requirements of the new regulations. It is possible that many organisations will need to make potentially significant changes to the way that they currently collect, use and transfer personal data in order to avoid fines of up to 4% of annual worldwide turnover. The UK regulator, the ICO, has started to offer advice on key areas to consider as a priority.

Whilst further analysis and insight will be given in future Pritchetts newsletters and blogs, please don't hesitate to contact us if you require any additional information - particularly on our data protection audit services, the impact of the new EU GDPR reforms or indeed specific advice on how this new law will affect your particular organisation.

Monday 30 November 2015

Data Protection Regulation negotiation process going well

We now have some visibility of the output of the EU General Data Protection Regulation trilogue process.  To recap, the trilogue is an important part of the negotiation process but is not a decision-making process in itself.  Representatives of the Council, the European Parliament and the European Commission have come together to identify a workable way forward.  The planned timetable for the negotiations runs until December, so it is hoped that decisions on what will actually go into the Regulation will be made and published by Christmas.

Thursday 22 October 2015

3-month grace period to put US data transfer compliance measures in place post Schrems

How are the Article 29 Working Party and the EU member states reacting to the recent ECJ ruling on Safe Harbor?

Initial Comment and Guidance

Following the ECJ judgment on Schrems on 6th October 2015, various regulators issued statements and guidance within a short space of time. For example: the EU Article 29 Working Party, the UK Information Commissioner’s Office and the Spanish DPA published statements (see links provided) on the judgment.  In basic terms each of those statements said they would consult with other EU data protection authorities to issue more detailed guidance for organisations on what to do next.  The European Commission also said that it will issue "clear guidance" in the coming weeks to prevent member states' data authorities issuing conflicting rulings.

German Schleswig-Holstein Guidance

On 14th October 2015, Germany’s northern Schleswig-Holstein state issued its own guidance following the ECJ decision.  There are 16 federal states in Germany and each one directly oversees data protection matters.  Their approach can differ and Schleswig-Holstein is known to take a very conservative and stringent approach.  Perhaps unsurprisingly then, they produced a very strict paper, in which they questioned whether compliant data export to the USA could even be based on EU Model Clauses and further queried whether consent would be valid.

The Schleswig-Holstein authority draws on Clause 5(b) of the EU Model Clauses, under which the data importer has to warrant "that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract." The authority believes that an importer in the US is no longer in a position to give such a warranty.

Also, the controllers transferring data to a US processor should “take into consideration terminating the data transfer agreement or suspending the data transfers.” Schleswig-Holstein states: “In consequential application of ECJ’s decision a data transfer based on model clauses is no longer admissible”.

This strict interpretation of the recent ruling – if widely adopted – would certainly call into question the operations of many multi-national companies that transfer data to the US.  Internal compliance management and monitoring within companies of all sizes, but most especially within the big multi-nationals, is set to become a hot topic. 

Ultimately though, as this particular German authority is the only one likely to publish such a formal response, all eyes are turning to the response and guidance from the Article 29 Working Party group.

So what is the WP29 view?

The European Article 29 Working Party group met on 16th October 2015 to discuss the consequences of the ECJ’s ruling.  

Their subsequent statement has urged EU Member States and institutions to come together with the US authorities to work on appropriate political, legal and technical solutions to enable legally compliant data transfers to the US that also protect the fundamental rights of EU citizens.

It has also indicated that further analysis of the ECJ decision will be undertaken to look at its impact on other means of transferring data used by some companies - such as the European Standard Contractual Clauses and the Binding Corporate Rules. 

The WP29 group has indicated that, for now, the other EU-approved transfer mechanisms can continue to be put in place to ensure compliance, but it has warned that:  

  • National data protection authorities can use their powers to investigate and take enforcement action to protect individuals in the event of a complaint; 
  • These national DPAs could even co-ordinate enforcement action if compliance solutions are not agreed with the US authorities by the end of January 2016.

So, given that the EU-US Safe Harbor Scheme has been invalidated as a compliant transfer mechanism by the Schrems case, organisations have effectively been given three months' grace to review their business processes and to adopt the relevant legal and technical solutions for transferring personal data to the US in order to remain compliant.  

If you require any further information or advice on how to stay compliant when transferring data to the US, on implementing the European standard contractual clauses to ensure compliance, or indeed with any other data protection or privacy matter then please do not hesitate to contact Pritchetts.

Tuesday 6 October 2015

US Safe Harbor Scheme no longer “Safe” for International Data Transfer

On 6th October 2015, the Court of Justice of the European Union (the "CJEU") delivered its judgment in the case of Maximilian Schrems v. Data Protection Commissioner (Case C-362/14) - see here for the full CJEU press release. 

The judgment was not altogether unexpected given the earlier Opinion of the Advocate General on 23 September 2015 but has still sent shockwaves through many industry sector bodies and organisations who already carry out international data transfers to the USA themselves or by using third party service providers to do so on their behalf.  

Safe Harbor no longer Safe

The CJEU found in its judgment that: 

(i)  The US Safe Harbor Scheme is Invalid

The CJEU made it clear that it alone has the power to rule on the validity of a European Commission finding of adequacy in relation to "safe" or "permitted" international data transfers, and in this case it has decided that Decision 2000/520/EC on the adequacy of the protection afforded by the US Safe Harbor scheme (the "EC Safe Harbor Decision") is invalid. 

This means that the Safe Harbor scheme used by more than 5,000 US companies can no longer be relied on as a lawful compliance mechanism permitting personal data about European data subjects to be transferred to the USA.

For those not familiar with the background to this case, in brief terms:
  • The US Safe Harbor scheme was challenged by a Facebook user, Maximilian Schrems, following the Edward Snowden revelations about interception of communications by US intelligence agencies. 
  • It was alleged that the NSA had accessed data about Europeans and other foreign citizens stored by the US tech giants via a surveillance scheme called Prism.  
  • Schrems argued that US law and practice didn’t therefore offer sufficient protection against surveillance by public authorities of personal data transferred to the US and asked the Irish Data Protection Commissioner to investigate what information Facebook might be disclosing. 
  • The Irish Data Protection Commissioner rejected Schrems' complaint and request on the basis of the EC Safe Harbor Decision.  
  • Schrems contested the decision and the matter was referred to the CJEU.

This CJEU judgment seems to have been made on the basis that:

(a)   The Safe Harbor scheme only applies to US undertakings which are Safe Harbor registered, not to US public authorities.

(b)  US national security, public interest and law enforcement requirements take precedence over the Safe Harbor scheme, and when a conflict arises US undertakings must disapply the Safe Harbor rules.  US public law enforcement authorities which obtain personal data from organisations in the Safe Harbor scheme are not obliged to follow the Safe Harbor rules after disclosure.

(c)   US law also allows the storage, on a generalised basis, of all personal data transferred from the EU to the US, irrespective of the reasons for the transfer and without any limitation on when this data can be accessed and used by US public authorities.

(d)  The Safe Harbor rules do not give individuals adequate rights to access their data or to have it rectified or erased where appropriate.

"I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy," said Max Schrems on learning of the judgment.  "It clarifies that mass surveillance violates our fundamental rights." 

(ii)  National DPAs must make their own finding of Adequacy

National data protection authorities have the power to examine whether international data transfers comply with the EU Data Protection Directive (95/46/EC) (the "EU Directive") and to suspend them if they do not.  This power exists even where the European Commission has previously found the protection provided by a non-EU country to be adequate (as it did in relation to the Safe Harbor Scheme), because DPAs have independent powers granted under the EU Directive.

National DPAs may therefore decide to prohibit or suspend international data transfers made under the US Safe Harbor Scheme if their investigation into the transfer finds that the transfer does not provide adequate protection.

So what happens next for Facebook?

In relation to the Facebook case, the Irish Data Protection Authority must now carry out a thorough investigation, exercising all due diligence, to decide whether the transfer of data to the US in relation to European users of Facebook should be prohibited on the basis that the Safe Harbor scheme no longer creates a permitted compliance mechanism.

And what about the rest of us?

While this case may seem, on the face of it, to be about taking on the mighty Facebook, in reality it is about all transfers of personal data to the US by all organisations.  These may include:
  • Data transfers to head offices in the US, or transfers sent to the US for particular service provision - either directly by organisations or via their sub-contractors; 
  • Transfers for data back-ups, CRM, accounting, payroll and personnel record hosting or services, data analytics, IT services, surveys carried out, etc.  
The case therefore has wide-reaching implications for all organisations who transfer information from Europe to the USA. As a result, many industry sector bodies and organisations have been left reeling from the news of this case - each scrabbling to consider the full implications of the CJEU decision for them.

In essence, the many thousands of organisations carrying out international data transfers to the USA themselves (or using third party service providers (data processors) to do so on their behalf):
  • Should no longer transfer personal data to US organisations solely on the basis that they are Safe Harbor registered;
  • Are likely to face a huge additional compliance burden, potentially having to liaise with numerous European data protection authorities rather than relying on the Safe Harbor scheme; and 
  • Will undoubtedly have to carry out more costly privacy impact assessments and put more legal paperwork in place to justify their US data transfers. 
The EU Article 29 Working Party, the UK Information Commissioner’s Office and the Spanish DPA have already published statements (see links provided) on the judgment.  In basic terms these statements say they will consult with other EU data protection authorities to issue guidance for organisations on what to do next.  The European Commission has also said that it will issue "clear guidance" in the coming weeks to prevent member states' data authorities issuing conflicting rulings.

Organisations will be keen to see this regulatory guidance published sooner rather than later, as following the decision they may no longer have a compliant mechanism permitting data transfers to the USA. While there are potentially other legal pathways allowing compliant data transfers to take place, many will require further work, analysis, justification and paperwork before they can be relied on.  This will take organisations time to properly consider.  And yet the CJEU decision allows no time: there is no transition period in which to put a new mechanism in place, with the result that many organisations have become technically in breach of the legislation overnight.  

Many of us practitioners hope that the EU and US will agree a new compliant transfer agreement or system - but unfortunately this may be slow in coming as we understand that there have been ongoing negotiations for several years - trying but failing to agree on a better solution.

Watch this space!

If you require any further information or advice on how to stay compliant when transferring data to the US, on implementing the European standard contractual clauses to ensure compliance, or indeed with any other data protection or privacy matter then please do not hesitate to contact Pritchetts.