Last week was truly a historic week for privacy in Europe. None less than four major areas of privacy law were discussed, setting the scene for the adoption of global data protection standards that will apply to organisations for many years to come.
- General Data Protection Regulation finally adopted
After four years of intense negotiation, the European Parliament voted and adopted the final text of the General Data Protection Regulation (GDPR) on April 14th in its plenary session in Strasbourg. This marks the end of the ordinary legislation procedure. The text has already been translated in the 24 official languages of the European Union. All that now remains is for the text to be published in the Official Journal of the European Union. Once this has been done, a 20 day period will follow before the GDPR comes into force. Companies will then have two years to comply with the requirements of the GDPR before it becomes fully enforceable by the national data protection authorities and the courts of each EU Member State.
- EU – US Privacy Shield not good enough!
On April 13th, the Article 29 Working Party (WP29) issued its much-awaited opinion on the EU-U.S. Privacy Shield following the publication of the EU Commission's draft adequacy decision on 29th February 2016. It comes as no surprise that the WP29 remains overall quite critical of the text, despite some "significant improvements". See below for a selection of some of the WP29's arguments:
- The WP29 finds it difficult to navigate between the adequacy decision and its annexes. Overall, it finds the Privacy Shield lacks clarity and is at times inconsistent.
- Some of the terms used throughout the Privacy Shield are at times inconsistent and the WP29 urges the EU Commission to ensure that the scope and terminology of the Privacy Shield are consistent with EU data protection law.
- Some of the key data protection principles under EU law are not reflected in the draft adequacy decision, or have been inadequately substituted by alternative notions (e.g., "data retention", "automated individual decisions", "purpose limitation").
- Onward transfers from a Privacy Shield entity to third country recipients should provide the same level of protection on all aspects of the Privacy Shield (including national security) and should not lead to lower or circumvent EU data protection principles.
- Although the WP29 notes that additional recourses have been made available to individuals to exercise their rights, the new redress mechanisms in practice may prove to be too complex, difficult to use for EU individuals and therefore ineffective.
- While the WP29 acknowledges that the Privacy Shield now addresses the possible access to data by U.S. authorities for purposes of national security and law enforcement, it also notes that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not exclude massive and indiscriminate collection of personal data originating from the EU.
- The WP29 has concerns that the new Ombudsperson is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement.
- The WP29 also welcomes the fact that the recently adopted Judicial Redress Act provides rights for judicial redress to non-U.S. persons; however, these rights are limited to clearly defined causes of action and the WP29 is not convinced that this would offer sufficient protection to EU individuals.
So what are the next steps and possible outcomes of the Privacy Shield?
First, we must wait to hear from another advisory body, namely the Article 31 Committee, which consists of national experts representing each Member State. The Article 31 Committee, who is expected to adopt a more favourable opinion on the Privacy Shield, is expected to hold its meetings in late April and May. Following that, the EU Commission will decide whether to adopt the adequacy decision for the Privacy Shield towards mid-June.
Although the opinion of the WP29 is not binding on the EU Commission, the WP 29 has become a very influential body and the EU Commission will probably think twice before adopting an adequacy decision that does not meet the requirements set out by the WP29. At the same time, the EU Commission will probably avoid delaying further the adoption of the Privacy Shield and thus will want to avoid re-engaging in lengthy negotiations with its U.S. counterparts (although this cannot be excluded). Realistically, what is likely to happen is that the EU Commission will try to take on board as many of the WP29's recommendations as possible without fundamentally changing the nature or content of the text that was agreed with the United States.
In the meantime, companies continue to face legal uncertainty regarding their transfers of data to the U.S. and there is no clear timing when the Privacy Shield will finally be adopted (if at all). Once (if) it does, the chances are it will be challenged almost immediately before or by the DPAs and/or individuals in court. Therefore, even if the Privacy Shield is finally adopted, it remains to be seen whether organisations will want to invest in a legal framework that has an uncertain future from the beginning. In the meantime, companies can continue to rely on the EU model clauses and BCR to transfer their data to the U.S.
- Revision of the ePrivacy Directive
The revision of the ePrivacy Directive is one of the key areas of the EU Commission's Digital Single Market Strategy that was launched in 2015. On 11thApril, the European Commission launched a public consultation on the ePrivacy Directive followed by a workshop in Brussels named "Towards a future proof ePrivacy Legal Framework". The public consultation will remain open until July 5th after which the Commission will make a proposal for a revision of the ePrivacy Directive possibly as soon as end of 2016.
The goal is to modernise the ePrivacy Directive in light of recent technological developments and to ensure consistency between the ePrivacy Directive and the GDPR. The EU Commission hopes that once the ePrivacy Directive has been revised (the ePrivacy Directive could possibly become a Regulation), the new text will then come into force at more or less the same time as the GDPR.
During the Brussels workshop, the EU Commission identified three key areas for discussion, namely:
- align the ePrivacy Directive with the GDPR: avoid overlaps between both texts, ensure consistency in the legal provisions (such as those on data security breach notification), align the ePrivacy Directive with the fines and cooperation mechanism under the GDPR, redefine the competencies of the national regulators under the ePrivacy Directive;
- broaden the scope of the ePrivacy Directive to cover new technologies, such as Voice over the Internet, instant messaging, and Wi-Fi connections;
- enhance security and confidentiality of electronic communications to cover all market players, amend the provisions on cookies and other tracking technologies to include new technologies (such as device fingerprinting), possibly introduce new exceptions to the opt-in rule for certain types of cookies (e.g., 1st party analytics cookies) and introduce new standards for the protection for web users (such as Do Not Track).
- PNR Directive
Following the terrorist attacks in Paris and Brussels, the vote on the EU Passenger Name record (PNR) Directive in the EU Parliament was accelerated under pressure from European leaders to adopt the text as soon as possible. The PNR Directive is viewed by many EU leaders as an important legislative tool in the fight against terrorism. Despite criticisms from several EU parliamentarians, the text was adopted by the EU Parliament on April 14thsimultaneously with the GDPR. The PNR Directive will impose an obligation on air carriers to share Passenger Name Records for extra-EU flights with a Passenger Information Unit (PIU) in each Member State. The Member States can decide, however, to apply this directive also to intra-EU flights. PIUs will be responsible for collecting, storing and processing the PNR data and for exchanging the PNR data and the result of the processing of those data with the PIUs of other Member States and with Europol.
The PNR Directive must now be approved by the Council of Ministers. After its entry into force, Member States will have a period of two years to implement the legislative and technical measures needed to transpose the Directive into their respective national laws.
EU privacy law has recently taken a new spin with an array of news laws soon to be adopted or to come into force. More than ever, 2018 seems to be the next crucial milestone for businesses as the year when the new global data protection standards will come into force.