Category: EU Commission

Not so Safe Harbor: EU-US data protection cooperation on the rocks.

After the Snowden revelations, the European Union is finally getting its data privacy act together, and it looks like a brutal fight is ahead, possibly leaving global corporations’ reliance on the longstanding Safe Harbor provisions, standard clauses and consents listing somewhere mid-Atlantic.

Here’s what EU Commission Vice-President and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding said on Safe Harbor at the Vilnius Informal Justice Council on 19 July 2013:

The Safe Harbor agreement may not be so safe after all. It could be a loophole for data transfers because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbor Agreement which we will present before the end of the year.

The Safe Harbor agreement enables data to be transferred from the EU to the US. The Safe Harbor framework was developed by the US Department of Commerce, in consultation with the Commission, industry and non-governmental organisations to provide US organizations with a streamlined means of satisfying the Directive’s “adequate protection” requirement.

The Commission is working on an assessment which it will present before the end of the year. We can only hope that the US realizes what a hole it’s dug for its tech companies before then. Quick and decisive action is needed but nothing is coming from either the Obama Administration or the US Congress.

What you don’t know about EU DATA PRIVACY law and why you need to know it today.

Outside a select group of specialists in IT law (and the even more limited and select group of data privacy law specialists), few company advisors or corporate legal departments truly understand how to be in perfect compliance with European Union data privacy regulations.

Yet nearly every company doing business in the EU has to comply.

If you’re reading this, you have probably been frustrated by the complexity of the requirements, provisions such as Safe Harbor, Model Contractual Clauses, whether to appoint a Data Privacy Officer, etc.

Some of that is about to change. Basic compliance could soon be achieved by simply amending your company’s internal policy documents.

How? By adopting Binding Corporate Rules, aka “BCRs”.

BCRs are internal policies that any company controlling data can adopt and apply to its entire group, wherever it is doing business, and be compliant with EU Data Privacy regulations, once and for all.

Until now, BCRs were only an option for ‘controllers’ – but the European Commission’s Article 29 Working Party has adopted a document (WP195) on BCRs for data ‘processors’ (the vast majority of companies are processors, not controllers; if you have to ask, you’re most likely a processor).

Why do you need to know this today?

Because the rules the Working Party published are essentially the same as those already in effect for data controllers – meaning that you can start drafting your BCRs today and ready them for submission. As soon as we are clear that the currently non-binding document is acceptable to EU Member State data authorities, you’re good to go.

Given the pressure from the private sector to simplify data privacy compliance, I think that we’ll soon have a win-win here.

If you need more information or would like help working on your data privacy issues, click the feedback button (on the left).


69 Questions: EU quizzes the G on its new privacy policy.

France’s data privacy authority, the CNIL (acting under EU mandate), sent Google the following questionnaire in order to clarify a number of concerns about the policy’s implementation, Google’s due diligence vis-à-vis its users, and the policy’s compliance with EU regulations.

The EU’s Article 29 Working Party (grouping Member State data protection authorities) stated that it still needs to clarify the consequences of the policy for users, specifically for different categories of users: those with a Google Account, non-authenticated users, and passive users who reach Google’s services only through Google APIs embedded in other websites and/or applications (advertising, analytics, etc.).

Many of the questions seem to point in the direction of Competition Law concerns. It’s hard to imagine that the EU would be posing the same questions about Yahoo!’s privacy policy (which to my eyes, looks compliant).

The CNIL asked Google to provide written responses by April 5. Under EU law, responses are confidential unless Google consents to their release.


Don’t touch that. Dawn raids and the EU seal.

A costly mistake.

While reading a Bloomberg news story on the EU probe into possible collusion between Veolia, Suez and Saur to fix French water services prices, I was reminded that last year Suez’s subsidiary Lyonnaise des Eaux stumbled across one of EU Competition law’s most onerous and unusual provisions.

Suez was fined €8 million for opening a door.

Unless you have actually been raided, you probably are not aware that the Commission’s inspectors often seal rooms when carrying out dawn raids at corporations suspected of violating Competition law. In the Suez case, when the EU team returned the day after the initial raid to continue its search, it found that a seal on an office door had been removed.

Under EU regulations, the Commission can fine a company up to 1% of its total turnover (worldwide) for a seal broken either intentionally or negligently. You basically have no excuse.

Since Suez cooperated with the Commission, the fine is much lower than 1% of their global turnover. Still, I’m not sure their CFO was impressed with the savings.

This is not the first time a seal has been broken. In an even more costly “seal case”, the EU fined E.ON Energie €38 million. E.ON challenged the fine and lost on appeal.

The moral of the story?

Competition law compliance training should be adapted to each employee and contractor in your organization. In this case, a short and frank discussion with the administrative and cleaning staff would have been worth, say, €8 million. These discussions should be repeated any time there is a change in staff or service providers.

Photo: European Union © 2012