
ESTABLISHED 1987

Issue 134 May 2015

NEWS
2 - Comment: All eyes are now on Brussels and Riga
8 - DPAs support UN resolution on privacy
19 - The GPEN increases in size and scope • Netherlands’ DPA and US FTC sign MoU
21 - Argentina adopts Do Not Call and CCTV laws • No access right to unviewed CCTV • German DPAs take action against Safe Harbor
23 - Hungary’s code on drones
24 - Hong Kong issues guidance on CCTV, drones
25 - Record NZ damages
31 - Japan plans to amend law, allowing for inspections • EU wants deal on Safe Harbor by end of May • France: Criminal sanctions for CCTV breach • Update: Employee data and CoE Convention 108

ANALYSIS
6 - Three bad ideas in the US Consumer Privacy Bill of Rights
9 - ASEAN data privacy developments and the US
16 - Global data privacy laws 2015: DPAs and their organisations

MANAGEMENT
13 - Managing data protection risks to your business in Italy
20 - Cooperation between DPAs intensifies and finds new forms
22 - Latvia’s model for DPO role
28 - Privacy by Design: From theory to practice?

LEGISLATION
26 - Going against the flow: Australia enacts a data retention law
30 - Landlocked Lesotho’s legislation

Processor BCRs: The process, the hurdles and the benefits

Scott Singer, Nicola Harding and Tristan Jonckheer evaluate the merits of processor BCRs for multinationals, and additional requirements for approval.

Over the last ten years, data controller Binding Corporate Rules (Controller BCRs) have become known as the platinum standard for data protection compliance. However, for organisations such as First Data Corporation (First Data), which obtained approval for its Controller BCRs in November 2011, Controller BCRs only covered a relatively small proportion of the data processed by them and therefore dealt with a limited element of its compliance

Continued on p.3

Safe Harbor in the dock

The Court of Justice of the European Union may consider the validity of the whole US Safe Harbor arrangement. By Eduardo Ustaran.

The fact that the Safe Harbor framework is permanently in the firing line is not particularly earth-shattering, but the prospect of the top European court declaring its inadequacy later this year could have dramatic consequences. This prospect became all the more possible after a hearing at the Court of Justice of the European Union (‘CJEU’) in Luxembourg in March. Safe Harbor was the end result of several years of negotiations during the late 90s between the and the US Department of Commerce to create a

Continued on p.4

Access back issues on www.privacylaws.com
Subscribers to paper and electronic editions can access the following:
• Back Issues since 1987
• Materials from PL&B events
• Special Reports
• Videos and audio recordings
See the back page or www.privacylaws.com/subscription_info
To check your type of subscription, contact [email protected] or telephone +44 (0)20 8868 9200.

PL&B Services: Publications • Conferences • Consulting • Recruitment Training • Compliance Audits • Privacy Officers Networks • Roundtables • Research

MANAGEMENT/ANALYSIS

approaching the local DPAs. It covers:
• whether the authority accepts transfers using BCRs;
• documents to be provided when requesting authorisation;
• which documents will be publicly disclosed;
• the timings for authorisation;
• whether any documents require translation.

In practice, it is beneficial to contact each DPA first to obtain further clarification of each jurisdiction’s requirements.

As regards the authorisation of Processor BCRs, each data controller is responsible for obtaining local authorisation. In practice, each DPA must decide how much a data processor, with an approved set of Processor BCRs, can assist its customers with the local authorisation process where this is required. Data processors with an approved set of BCRs may be keen to work with local DPAs to agree a set of pre-approved documents or procedures for applicants relying on its BCRs so that their clients who wish to rely on its Processor BCRs can benefit from a fast-track process. However, there is no universal EU-wide solution at this time, so it must be dealt with on a case-by-case basis as an individual discussion with each DPA.

Conclusion: the benefits

The Processor BCRs provide a processor with international recognition for its business-as-usual processes. Data processors can use the approval to:
• Provide confidence to its customers – data controllers are increasingly looking to pass their data protection compliance obligations to their data processors;
• Obtain a competitive advantage over other data processors – the high standards indicated by successfully achieving approval for Processor BCRs will place an organisation ahead of its competitors when competing for business; and
• Reduce time and effort spent negotiating complex data protection clauses – the Article 29 Working Party believes the use of Processor BCRs will save negotiation costs, with parties being able to rely on internationally approved standards set out in the BCRs.

The advantages to an organisation, such as First Data, that has obtained approval of both its Processor and Controller BCRs are significant. The combination of its Processor BCRs and Controller BCRs gives a compliance solution that can be used both internally and by its customers. As the only payment processor to have a set of approved Processor and Controller BCRs, First Data has made clear to its clients that it not only has top-level privacy law compliance, but that it is willing to invest time and resources in developing measures which make it easier for those clients to both meet their own privacy obligations and, just as importantly, demonstrate such compliance to their regulators and end-customers.

The full business benefits of the Processor BCRs will be enhanced as data processors continue to work with the local DPAs in each jurisdiction to develop fast-track processes for obtaining authorisation of data transfers for clients relying on its Processor BCRs. However, given the high level of sophistication required for a company to successfully gain approval and implement Controller and Processor BCRs, for the time being they continue to be for the most innovative processors who want to demonstrate market leadership, rather than a universal solution.

AUTHORS
Scott Singer, Partner; Nicola Harding, Associate; Tristan Jonckheer, Associate at Dentons LLP. Emails: [email protected] [email protected] [email protected]

REFERENCES
1 Working Document 02/2012 setting up a table with the elements and principles to be found in Processor Binding Corporate Rules. See http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm
2 See http://ec.europa.eu/justice/data-protection/document/international-transfers/files/table_nat_admin_req_en.pdf

Safe Harbor... from p.1

self-regulatory framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. The Safe Harbor agreement was a remarkable achievement which has facilitated legal compliance for the past 15 years. However, since its adoption, Safe Harbor has been fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles are meant to match the adequacy standards of the European data protection directive, its self-certification nature and the non-European style of its provisions have attracted much criticism over the years – even amongst EU data protection authorities. Whether such criticism is founded on an objective assessment of Safe Harbor or just gut-instinct is debatable but the situation in which Safe Harbor finds itself today was rather predictable.

The Snowden effect

The revelations triggered by Edward Snowden in 2013 about the mass surveillance operations carried out by the NSA had a very visible knock-on effect on the way in which the EU regulates international transfers of personal data. Activists’ calls for the revocation of the Safe Harbor framework led the European Parliament to adopt a resolution seeking its immediate suspension. As a result, the European Commission – always measured and pragmatic – had no choice but to reopen the dialogue with the US government to find a way of strengthening the framework and restoring its credibility.

One particular individual, Austrian law student , decided not to wait for the outcome of the renegotiation of Safe Harbor. Following the Snowden revelations, he lodged a complaint with the Irish Data Protection

4 MAY 2015 PRIVACY LAWS & BUSINESS INTERNATIONAL REPORT © 2015 PRIVACY LAWS & BUSINESS

ANALYSIS

Commissioner requesting the termination of any transfers of personal data by Facebook Ireland to the US. Schrems claimed that Facebook Ireland – the data controller for Facebook’s European users’ data – could no longer rely on Safe Harbor to legitimise the transfers of his data to the US because of the wide access that US authorities had to such data as revealed by Snowden. However, the Irish Commissioner rejected the complaint on the basis that the adequacy of Safe Harbor had already been determined by the European Commission and therefore, it was not open to the Irish Commissioner to challenge the European Commission’s ‘adequacy finding’. This was not accepted by Schrems who remained adamant that the Safe Harbor framework did not provide an adequate level of protection for his data. Therefore, Schrems took the unprecedented step of seeking judicial review of the Commissioner’s decision.

In the hands of the CJEU

Throughout the EU, the decisions of the Data Protection Authorities may be challenged in court. In the case of the Irish Data Protection Commissioner, the High Court of Ireland is the competent tribunal for these purposes and the forum where Schrems sought relief by requesting that the Commissioner’s rejection be overturned. The High Court took the view that the main issue at stake was a matter of EU law. The High Court explained that whilst the Commissioner was indeed able to direct an entity to suspend data flows to a third country declared adequate by the European Commission, this was only in circumstances where – unlike in this case – the complaint was directed to the conduct of that entity. Therefore, the High Court considered that what needed to be determined was whether the Irish Data Protection Commissioner was absolutely bound by the Safe Harbor adequacy finding, which is a matter of EU law. In other words, the High Court considered that Schrems’ real objection concerned not the conduct of Facebook Ireland as such, but the fact that the European Commission had determined that Safe Harbor provided adequate protection for data exported from the EU in the light of the disclosures made by regarding access of EU citizens’ data by the US authorities. Since this is a matter of interpretation of the EU data protection legal framework, the High Court referred this particular point for decision by the CJEU.

The CJEU held its first and only public hearing of this case on 24 March 2015. Schrems’ main argument was that the European Commission’s Safe Harbor adequacy finding should be declared invalid because of its incompatibility with both the EU Data Protection Directive and the Charter of Fundamental Rights of the EU. Schrems made a comparison with the CJEU’s own decision on the data retention directive and argued that the interference caused by the interception and surveillance of European citizens’ data under Safe Harbor was even more serious. For this reason, Schrems urged the CJEU to question the validity of Safe Harbor as a whole, even though the specific questions referred by the High Court of Ireland did not formally concern such validity.

Schrems went on to argue that at the very least the Irish Data Protection Commissioner had the overriding duty to protect the fundamental right to privacy and that the Commissioner’s competence must be interpreted in light of this objective. Furthermore, Schrems argued that it would be contrary to the independence of Data Protection Authorities if those authorities were absolutely bound by the European Commission’s adequacy decisions.

The Irish Data Protection Commissioner’s position was quite simple: Data Protection Authorities’ powers are limited by the national laws that establish their office, and as such, those authorities cannot strike down national laws, EU directives or the acts enabled by those directives and laws. The Commissioner also seemed alarmed that Schrems was seeking to go beyond the questions referred by the High Court and question the validity of Safe Harbor altogether. Ultimately, Safe Harbor was a framework negotiated by the European Commission and therefore, it was not up to the Irish Commissioner to disregard that compromise. The lawyers acting for the Irish Government, which also made representations at the hearing, put forward the same argument.

Other countries and EU institutions represented at the hearing included Belgium, Austria, Poland, Slovenia, the UK, the European Parliament, the European Commission and the European Data Protection Supervisor. Of those, only the UK government and the European Commission sided with the Irish Data Protection Commissioner. The Austrian government’s comments were particularly scathing as its representative reportedly said that “Safe Harbor is just a safe harbor for data pirates”. Similarly heated arguments were made by representatives from the European Parliament who argued that the Safe Harbor presented “systematic inefficiencies” which could not be avoided.

What next?

The CJEU has certainly much to mull over. Before a decision is made by the CJEU, the Advocate General’s Opinion is due on 24 June 2015. This Opinion is not binding on the CJEU but it will give an indication of a possible outcome. A final decision will probably be made by the end of the year. There are a number of positions that the CJEU could take:
• Agreeing with the Irish Data Protection Commissioner and confirming the duty of the EU Data Protection Authorities to be bound by the European Commission’s adequacy decisions – this would be in direct contradiction with the points made by a number of government delegations which argued strongly in favour of the ultimate decision-making power of the regulators.
• Simply answering the questions referred by the High Court of Ireland by confirming Schrems’ arguments that it is possible for a data protection authority to challenge an adequacy finding made by the European Commission – this would not require much interpretative effort by the CJEU given the strong emphasis on the independent role of data protection authorities and that they are already entitled to question such adequacy findings in some cases.


• Going beyond the questions referred by the High Court of Ireland and taking a formal view on the validity of Safe Harbor – this would be a very bold move that would have serious political and economic implications, but that in itself will not be a deterrent for the CJEU.

To complicate matters, in parallel to the proceedings and deliberations taking place at the CJEU, the European Commission is progressing its negotiations with the US government on an updated Safe Harbor framework. The outcome of these negotiations may well be a determining factor in the CJEU’s final decision. What seems clear is that it is of crucial importance for the future of Safe Harbor and the regulation of international data transfers that the European Commission manages to demonstrate beyond reasonable doubt that the protections afforded by Safe Harbor going forward are in line with the expectations of regulators, Member States and indeed the CJEU.

AUTHOR
Eduardo Ustaran is a partner in the global Privacy and Information Management practice at Hogan Lovells based in London. Email: [email protected]

Three bad ideas in the US Consumer Privacy Bill of Rights

Robert Gellman reports from Washington DC.

The Obama Administration released its Consumer Privacy Bill of Rights (CPBR) late on a Friday afternoon (27 February 2015).¹ In Washington, a Friday afternoon announcement is a classic way of trying to avoid attention and comment. The privacy community in general did not like the bill, with some calling it a step backward from existing consumer privacy protections. Some politely welcomed the bill as a vehicle for further discussions, but no privacy or consumer group showed the slightest support for the actual proposal. Parts of the business community criticised the bill, but I suspect that those paying attention secretly wish it could pass and preclude a stronger bill. No one in the EU will be fooled into thinking that the CPBR comes anywhere close to meeting European adequacy standards.

The CPBR strikes me as more of a privacy-prevention law. I say that because it mostly proposes privacy controls that range from weak to non-existent. It then, for the most part, pre-empts better state laws. I will limit analysis here to three main issues raised by the proposal: the multistakeholder process, the idea of “context” and privacy risk management.

Multistakeholder process

The bill seeks to enshrine in law the multistakeholder process that the National Telecommunications and Information Administration (NTIA, part of the Department of Commerce) established in 2012. The originally announced goal of the multistakeholder process was “open, transparent forums in which stakeholders who share an interest in specific markets or business contexts will work toward consensus on appropriate, legally enforceable codes of conduct.”² The topic of the first effort was mobile application transparency. An ongoing effort addresses commercial use of facial recognition technology.

The first NTIA multistakeholder process developed a transparency code for mobile apps, a narrow subset of fair information practices. If you assumed that the legislative proposal resulted from some demonstrated success of the multistakeholder process, you were wrong. Susan Grant from Consumer Federation of America best described the shortcomings of the process in July 2013 comments about the mobile app transparency code:

“It is not surprising that the product is so flawed given the problems with the process itself. There was never any clear procedure for how it would work and what would constitute success. There was no legal framework on which the code could be built, so that even terms such as ‘user data’ are not clear and universally understood. The last meeting of the stakeholder group yesterday was as confusing as the process has been all along, with a ‘vote’ being taken that allowed multiple attendees from the same companies or organisations to vote and resulted in no clear consensus. The groups that drafted the code, a small subset of the stakeholders, simply declared victory and the process ended.”³

The proposed legislation solves none of the weaknesses of the multistakeholder process. There are at least three big problems. First, there is no formal procedure for adoption of a code. It was not clear during the first multistakeholder effort (which lasted more than a year) when the “code” would be ripe for a vote. NTIA just pushed things along, and a vote occurred even though there was no apparent consensus. In other words, the NTIA declared victory and moved on. Second, anyone can participate, and anyone can vote. While there is nothing wrong with broad participation, the lack of rules governing representation (who represents what interest) is a real problem. Consumer and privacy groups do not have the resources to participate in multiple multistakeholder processes. Companies can send staff, hire lawyers to represent them, or rely on trade associations. Industry can send as many people to meetings as it chooses, and it can overwhelm any other participants by sheer numbers. As a result, the playing field seems inherently unequal, and the lack of procedures only makes this worse. Third, the Commerce Department

Join the Privacy Laws & Business community
Six issues published annually

PL&B’s International Report will help you to:
• Stay informed of data protection legislative developments in 100+ countries.
• Learn from others’ experience through case studies and analysis.
• Incorporate compliance solutions into your business strategy.
• Find out about future regulatory plans.
• Understand laws, regulations, court and tribunal decisions and what they will mean to you.
• Be alert to future privacy and data protection law issues that will affect your organisation’s compliance.

Included in your subscription:
1. Online search functionality: Search for the most relevant content from all PL&B publications and events. You can then click straight through from the search results into the PDF documents.
2. Electronic Access: You will be sent the PDF version of the new issue on the day of publication. You will also be able to access the issue via the website. You may choose to receive one printed copy of each Report.
3. E-Mail updates: E-mail updates help to keep you regularly informed of the latest developments in data protection and privacy issues worldwide.
4. Back Issues: Access all the PL&B International Report back issues since 1987.
5. Special reports: Access PL&B special reports on Data Privacy Laws in 100+ countries and a book on Data Privacy Laws in the Asia-Pacific region.
6. Events documentation: Access International and/or UK events documentation such as Roundtables with Data Protection Commissioners and PL&B Annual International Conferences, in July, in Cambridge, UK.
7. Helpline enquiry service: Contact the PL&B team with questions such as the current status of privacy legislation worldwide, and sources for specific issues and texts. This service does not offer legal advice or provide consultancy.

To Subscribe: www.privacylaws.com/subscribe

PL&B’s International Report is a powerhouse of information that provides relevant insight across a variety of jurisdictions in a timely manner. Mark Keddie, Chief Privacy Officer, BT Retail, UK

Subscription Fees

Single User Access
International Edition £500 + VAT*
UK Edition £400 + VAT*
UK & International Combined Edition £800 + VAT*
* VAT only applies to UK based subscribers

International Postage (outside UK):
Individual International or UK Edition: Rest of Europe = £22, Outside Europe = £30
Combined International and UK Editions: Rest of Europe = £44, Outside Europe = £60

Multi User Access
Discounts for 2-4 or 5-25 users – see website for details.

Subscription Discounts
Special charity and academic rate: 50% discount on all prices. Use HPSUB when subscribing.
Number of years: 2 (10% discount) or 3 (15% discount) year subscriptions.

Satisfaction Guarantee
If you are dissatisfied with the Report in any way, the unexpired portion of your subscription will be repaid.

Privacy Laws & Business also publishes the United Kingdom Report. www.privacylaws.com/UK