Uncertainty surrounding the U.S.-EU Safe Harbor (Safe Harbor) replacement, the EU-U.S. Privacy Shield (Privacy Shield), will remain for now. On April 13, 2016, the European Union (EU) Article 29 Working Party (WP29), comprised of all 28 EU member state data protection authorities (DPAs), announced its official but non-binding opinion on the European Commission’s (EC) draft

On February 8, 2016, the French Data Protection Authority (CNIL) publicly issued a formal notice to Facebook, following a joint investigation with four other EU regulators, asking the U.S. social network provider to comply with the French Data Protection Act within three months’ time. The notice (unofficial English translation available here) outlined several alleged violations of the law, including:

  1. collection of non-user data;
  2. collection of sensitive data (sexual orientation and political/religious views) without users’ “explicit consent” (i.e., a tick box);
  3. collection of “excessive” information to verify identities (e.g., requesting medical records when users replace their surname with that of a celebrity);
  4. use of cookies without notice or consent;
  5. failure to define and observe proportional data retention periods and failure to ensure data security (e.g., stronger password requirements);
  6. failure to obtain CNIL authorization for processing related to preventing fraud and banning users; and
  7. transfer of data to the U.S. under the invalidated U.S.-EU Safe Harbor (Safe Harbor) (alleged based on the company’s privacy statement).


Certain European Union (EU) Member States’ data protection authorities (DPAs) have already started to announce investigations and/or “prudential measures” for data transfers relying solely on the invalidated “U.S.-EU Safe Harbor Framework” (Safe Harbor).

In the aftermath of the announcement of the “EU-U.S. Privacy Shield” (Privacy Shield), the Article 29 Working Party (WP29), comprised of all EU Member State DPAs, announced an extension of the “grace period” for U.S. data transfers based on alternative transfer mechanisms (e.g., EU standard contractual clauses and Binding Corporate Rules) other than Safe Harbor, at least until the Privacy Shield has been reviewed by WP29 (likely by the end of March 2016).

Today, only 2 days after consensus was reached on the final text of the new EU Data Protection Regulation, the first step has been taken to officially adopt the law and enter a new era of data protection.  This morning, the Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) formally adopted the text

EU Data Protection Law Reform: Most of the General Data Protection Regulation (GDPR) text agreed in principle; Schrems’ second hit – Austrian citizen files three new complaints with EU Data Protection authorities to suspend data transfers outside the EU by Facebook; EU Privacy Regulators to Evaluate VTech Breach.

EU Data Protection Law Reform: Most of the General Data Protection Regulation (GDPR) text agreed in principle

Jan Philipp Albrecht, the European Parliament’s lead negotiator, stated on November 30 that the European negotiators have agreed “in principle” on most of the text for the new General Data Protection Regulation (GDPR), which is intended to be finalized by the end of 2015.

According to texts of the Luxembourg Presidency, which also include suggested compromise texts, important areas that remain under discussion are the provisions on Data Breaches, the criteria for the appointment of a Data Protection Officer (“DPO”) and the amount of the Administrative Fines.

EU Ministers of Home Affairs push for Passenger Records Directive; EU Member States Data Protection Authorities: News Regarding Safe Harbor (continuous update).

EU Ministers of Home Affairs push for Passenger Records Directive

In the aftermath of the November 13 attacks in Paris, European Union Ministers of Home Affairs push for the release of a Passenger

Record Fine: Belgium’s Court orders Facebook to stop Data Protection law violation under forfeiture of a penalty of € 250,000 per day; Big Data: Opinion of The European Data Protection Supervisor; Safe Harbor Topic 1: Hamburg DPA actively preparing enforcement actions; Data Protection vs. Terrorism: Belgium to push for Passenger Records Law following Paris attacks; Safe Harbor Topic 2: EU Chief Jourova confident about ongoing Safe Harbor negotiations; Safe Harbor Topic 3: Norwegian DPA requires authorization of US data transfers.

Penalties and Fines: Belgium’s Court orders Facebook to stop violations of Belgium Data Protection Act under forfeiture of a penalty of €250,000 per day

A Belgian Court has fined Facebook €250,000 per day for violations of the Belgian Data Protection Act.

Facebook had collected web data of millions of Belgians who are not members of Facebook’s social network page, but were simply visiting websites. The Court in its judgment of 9 November 2015 found that this way of collecting data is a “manifest” violation of Belgian data protection law. According to the court, this applies irrespective of the purposes for which Facebook uses this data after having collected it. Facebook argued that European users of its social network are subject to the Irish Data Protection Law (instead of Belgian law). The court disagreed, citing the well-known Google Spain case, which ruled that a Member State law applies if the activities of a local establishment are inextricably linked to the activities of the data controller.

The Court ordered Facebook to stop the violations under forfeiture of a penalty of €250,000 per day. The court based this on the consideration that the penalty’s amount needs to be sufficiently deterrent. The Court pointed out that Facebook in 2014 realized a turnover of US-$ 12.4 billion and a profit of US-$ 2.9 billion, so that the amount of €250,000 per day was considered adequate. Facebook has announced that it will file an appeal against the judgment, which however does suspend the initial judgment.