Data Law Insights

EU Data Protection Law Reform: Most of the General Data Protection Regulation (GDPR) text agreed in principle; Schrems’ second hit – Austrian citizen files three new complaints with EU Data Protection authorities to suspend data transfers outside the EU by Facebook; EU Privacy Regulators to Evaluate VTech Breach.

EU Data Protection Law Reform: Most of the General Data Protection Regulation (GDPR) text agreed in principle

Jan Philipp Albrecht, the European Parliament’s lead negotiator on November 30 stated that the European negotiators have agreed “in principle” on most of the text for the new General Data Protection Regulation (GDPR), which is aimed to be finalized by the end of 2015.

According to texts of the Luxembourg Presidency, which also include suggested compromise texts, important areas which still remain under discussion are the provisions on Data Breaches, the criteria for the appointment of a Data Protection Officer (“DPO”) and the amount of the Administrative Fines.

With respect to data breaches, the discussion seems to be mainly about whether notifications should be made in all circumstances, or only in a more limited number of cases, and about the timing (notifications within 24 hours, 72 hours, …). With respect to the DPO, the discussion is mainly about the criteria that would trigger the obligation to appoint a DPA (as from a certain number of employees, as from a certain number of data subjects concerned by the processing, …).

Regarding the administrative fines, the Parliament’s draft initially suggested maximum fines of 100,000,000 EUR or 5 percent of the annual global turnover. The Council’s text provided a maximum of 1,000,000 EUR or 2 percent of the annual global turnover.  The EU Presidency’s is now proposing a compromise that would include a three-step system mechanism, with a maximum administrative fine of the higher of either 2,000,000 EUR or 4 percent of turnover for direct violations of Data Subjects’ rights.

Everything seems to confirm that a final political agreement will be reached by the end of the year.

Schrems’ second hit – Austrian citizen files three new complaints with EU Data Protection authorities to suspend data transfers outside the EU by Facebook

Data Protection pioneer Max Schrems is going forward in his battle against Facebook. On December 1st, the Austrian law student sent complaints to the Data Protection Authorities (DPA’s) of Ireland, Belgium and the German federal state of Hamburg, asking the authorities to apply the findings of the European Court of Justice’s (ECJ) October 6, 2015 invalidation of the U.S.-EU safe-harbor framework .

In a December 2 statement, Schrems stated: “We want to ensure that this very crucial judgement is also enforced in practice when it comes to the US companies that are involved in US mass surveillance. The court’s judgment was very clear in this respect.”

He announced that he is also considering filing complaints (regarding data transfers to the US) against other major companies US Internet companies.

Schrems’ new complaints can be seen as attempts to test whether individual DPA’s will actually investigate the complaints – and enforce the law in light of the ECJ judgment – during the so called “grace period” until the end of January 2016, which the Article 29 Working Party had put forward after the ECJ decision .  The Article 29 Working Party had expressly stated that investigations would also be possible before this date, provided that individuals would file complaints.

EU Privacy Regulators to Evaluate VTech Breach

An intrusion by hackers into online profiles of more than 6 million children on their Japanese VTech Holdings Ltd’s electronic toys is currently evaluated by the European Data Protection Authorities (DPA’s) in the Article 29 Working Party.

The attack took place on November 14 and, among others, the children’s names, gender and birth date were affected. “The children were put at serious risk”, the director of the French Data Protection Authority (CNIL), Gwendal Le Grand, was quoted.  Due to the sensitivity of the case and its importance for the protection of children, it is likely to be handled with top priority by the DPA’s.

Whereas under the current legal framework not all DPA’s have the authority to impose fines, several of them do. As a result, if several of them end up imposing fines, this could sum up to a significant amount.  The Hong-Kong privacy regulator is also investigating the breach.