This Communications & Media e-bulletin contains summaries of recent developments in law and regulation in the EU and the UK:
- Shockwaves after Schrems: Safe Harbor fallout continues
- Snooper's Charter Returns: Government announces new Investigatory Powers Bill
- Going Going Gone: New spectrum auction confirmed for 2016
- More Data Protection: CJEU decision on extra-territoriality in Weltimmo case
- Lights, Camera, Action! Ofcom confirms review of TV production sector
- Mind the Gap: Ofcom publishes decision on white space devices
- Consumer Rights Act comes into force
1. Shockwaves after Schrems: Safe Harbor fallout continues
Following the recent judgment finding the US Safe Harbor invalid for the transfer of personal data from Europe, data protection observers have witnessed a ripple effect across EU Member States and beyond, as regulators grapple with the consequences of the ruling.
On 6 October 2015, the Court of Justice of the European Union (the "CJEU") issued its long-awaited ruling in the case of Maximillian Schrems v Data Protection Commissioner (Case C-362/14). The CJEU found that the existence of the European Commission Decision 2000/520 in relation to the so-called US Safe Harbour (the "Safe Harbour Decision") did not prevent a national data protection authority from investigating individual complaints relating to the transfer of personal data to the United States. The CJEU further considered the Safe Harbour Decision itself and found it to be invalid (for further information, please see our eBulletin, available here).
Article 29 Working Party Statement
In its eagerly awaited statement released on 16 October 2015, the Article 29 Working Party (the "Working Party"), the body made up of representatives of the European Member States' data protection authorities, as well as representatives from the European Commission and the European Data Protection Supervisor, clarified a number of consequences of the decision in the Schrems case:
- Safe Harbor transfers – the Working Party has reiterated that transfers taking place pursuant to the Safe Harbor Decision and following the CJEU judgment are unlawful.
- Binding Corporate Rules and Model Clauses – the Working Party has said that it will take some time to analyse the impact of the CJEU judgment on other transfer mechanisms under the Data Protection Directive. In the meantime, it has confirmed that Model Clauses and Binding Corporate Rules ("BCRs") are still valid mechanisms for the transfer of personal data to the US. However, the use of such mechanisms will not prevent data protection authorities from investigating particular cases, for example, if there has been a complaint.
- A new Safe Harbor? – the Working Party has called upon the Member States, European institutions, and the US authorities to urgently enter into negotiations to find solutions which will enable the transfer of data to the US. The current Safe Harbor negotiations could be a solution but the Working Party also suggests the negotiation of an intergovernmental agreement providing stronger guarantees to EU data subjects. It also confirms that any new agreement must include obligations on the necessary oversight of access by public authorities, transparency, proportionality and redress.
- Timetable – the Working Party states that if no alternative solution is found by the end of January 2016, the EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions, presumably to enforce the CJEU judgment and potentially suspend data flows.
The Working Party therefore seems to be trying to inject a level of urgency into negotiations to find a new data transfer solution by setting a deadline and hinting that even Model Clauses and BCRs will be subject to additional scrutiny going forward. To view a copy of the Working Party statement, please click here.
Selected Regulator Responses
From a practical perspective, in the aftermath of the CJEU judgment, some global organisations are reported to be in the process of establishing, or have already established, data centres in Europe to avoid transferring data to the US altogether. We have also seen movement from a regulatory perspective, with the following selected reactions from regulators in EU Member States and further afield:
UK – in his statement on the case dated 6 October 2015, the UK Information Commissioner stated that: "The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this." It appears therefore that the message from the UK regulator is that he will not immediately start taking enforcement action but that organisations should consider carefully the best steps to take before going ahead.
Israel – in the first example of the global ramifications of the CJEU judgment, on 19 October the Israeli Law, Information and Technology Authority ("ILITA") revoked its own decision giving prior authorisation for the transfer of data from Israel to US companies signed up to the Safe Harbor. From a European data protection perspective, Israel is currently a so-called "white list" country, having been found by the European Commission to provide an adequate level of protection for personal data, including restricting data transfers to third countries that are not part of the EU or receive data from the EU under a valid legal arrangement. The European Commission's decision with respect to Israel means that personal data may currently be transferred from the EU to Israel without additional compliance measures (such as Model Clauses or consent) being required. The decision by ILITA may be a pre-emptive one to try and ensure that Israel's own status as a white list country does not get called into question, but it will have a significant impact on Israel's burgeoning technology sector, which has historically often relied on the Safe Harbor to send data from Israel to the US.
Ireland – in Ireland, the Schrems case returned to the Irish High Court on 20 October 2015 following its referral to the CJEU. The presiding Judge in the Irish High Court held that the Irish Data Protection Commissioner (the "DPC") had an independent duty to investigate, and EU/US political developments that may or may not happen were irrelevant. The DPC will now investigate Facebook’s EU to US data transfers to see whether or not they meet Irish and EU data privacy requirements.
USA – the CJEU judgment has also had an effect in the US. In the aftermath of the ruling, the House of Representatives passed the Judicial Redress Bill on 20 October 2015, moving the Bill one step closer to law. The Judicial Redress Bill was proposed as part of the EU-US Umbrella Agreement announced in September (for further details, see our eBulletin available here). As part of that announcement, the EU had confirmed that, although the Umbrella Agreement had been finalised, it would not be signed until the Judicial Redress Bill was passed. Passing through the House of Representatives is the first step in moving this legislation forward – it must now be passed by the Senate (at present, the legislation is under review by the US Senate Judiciary Committee). However, the legislation is not just important for the Umbrella Agreement. Judicial redress was also mentioned by the Working Party in its statement as a vital component of any future agreement between the EU and the US with respect to the transfer of personal data to the US. The proposed Judicial Redress Bill would "designate foreign countries or regional economic integration organisations whose natural citizens may bring civil actions under the Privacy Act of 1974 against certain US government agencies for purposes of accessing, amending or redressing unlawful disclosures of records maintained by an agency." In theory, EU Member States could therefore be designated, giving European citizens legal redress with respect to privacy breaches. In an interview, European Data Protection Supervisor Giovanni Buttarelli identified the Bill specifically as something that would allow the US to move toward becoming "essentially equivalent" to the EU, which would address some of the concerns of the CJEU in the Schrems case.
As a result, US tech companies with operations in the EU have a particular interest in the passage of the Judicial Redress Bill into law, and are continuing to re-evaluate their data transfer policies in the wake of the CJEU judgment.
Germany – most recently, the German data protection authorities have expressed a restrictive view with respect to the consequences of the CJEU judgment in their position paper dated 26 October 2015 (the "German Position Paper"). In the German Position Paper, the German data protection authorities confirmed that a data transfer solely based on Safe Harbour is unlawful, but also went further to state that:
- BCRs and "Export Agreements" (being data transfer agreements which deviate from the Model Clauses in some way) being used as the basis of a data transfer into the US will not be approved by the German data protection authorities going forward (although the German Position Paper does not confirm whether or not existing BCRs and Export Agreements may continue to be used as a transfer compliance mechanism); and
- any data transfer into the US on the basis of the consent of the data subject will only be permitted under very restrictive conditions (i.e. in general, consent of the data subject will not justify repeated mass transfers of personal data).
Prior to the German Position Paper, the German data protection authorities had published different views on the impacts of the CJEU judgment. The view of the competent data protection authority for Schleswig-Holstein was that Model Clauses and consent (as well as the Safe Harbor) are invalid ways of transferring data to the US. The authority in Schleswig-Holstein even recommended that German companies terminate their Model Clauses, perform a complete review of data transfers, and consult with the authority regarding data transfers to the US.
While the joint German Position Paper certainly has helped clarify the position in Germany, companies seeking to lawfully transfer data to the US are still left with considerable uncertainty as to what their future compliance mechanism will be:
- Companies previously relying on the US Safe Harbor have few options. Since obtaining data subject consents will not be feasible in the majority of cases, the most efficient way (except for companies located in Schleswig-Holstein) is likely to be to implement Model Clauses. In Germany, these do not require the prior approval of the German data protection authorities.
- Companies (except for those located in Schleswig-Holstein) with BCRs and Model Clauses already in place can continue to use these mechanisms for the time being.
In any event, it is recommended that companies closely monitor further developments and seek individual legal advice. It is not beyond the realms of possibility that the German data protection authorities will eventually share the view of the authority in Schleswig-Holstein in finding transfers to the US on the basis of Model Clauses to also be unlawful. However, for the time being, companies should bear in mind that any unlawful transfers are punishable by the German data protection authorities with a fine of up to EUR 300,000 per individual case.
2. Snooper's Charter Returns: Government announces new Investigatory Powers Bill
The Government has published its proposed Investigatory Powers Bill (the "Bill") governing the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies.
In May 2015, the Queen's speech set out the Government's plans for a new Investigatory Powers Bill to "address gaps" in intelligence gathering and access to communications data which are putting "lives at risk". The proposed legislation would replace the emergency legislation passed in July 2014, the Data Retention and Investigatory Powers Act 2014 ("DRIPA"), which falls away on 31 December 2016. DRIPA replaced the Data Retention (EC Directive) Regulations 2009 following the judgment from the Court of Justice of the European Union in April 2014 which declared the EU Data Retention Directive invalid.
According to the guidance notes published by the Government, the new Bill will do three things:
- First, it will bring together all of the powers already available to law enforcement and the security and intelligence agencies to obtain communications and data about communications. It will make these powers – and the safeguards that apply to them – clear and understandable.
- Second, the draft Bill will radically overhaul the way these powers are authorised and overseen. It will introduce a "double-lock" for interception warrants, so that, following Secretary of State authorisation, these – and other warrants – cannot come into force until they have been approved by a judge. It will also create a powerful new Investigatory Powers Commissioner to oversee how these powers are used.
- Third, it will make sure powers are fit for the digital age. The draft Bill will make provision for the retention of internet connection records in order for law enforcement to identify the communications service to which a device has connected. The Government believes this will restore capabilities that have been lost as a result of changes in the way people communicate.
A previous attempt by the Government to pass similar legislation was blocked by the Liberal Democrat coalition and, in July this year, the High Court ruled that the data retention provisions of DRIPA were themselves unlawful and should be disapplied from March 2016. It therefore remains to be seen whether or not the new Bill will make it through to law, and in what form.
To view a copy of the Investigatory Powers Bill, please click here.
3. Going Going Gone: New spectrum auction confirmed for 2016
Ofcom has published its final statement with respect to the 2.3 and 3.4GHz spectrum bands, which it plans to auction off in early 2016, without imposing spectrum caps and setting a reserve price of £10 million for a 10MHz 2.3GHz lot and £1 million for a 5MHz 3.4GHz lot.
The high-capacity 2.3GHz and 3.4GHz spectrum which is the subject of the new auction is being made available by the Ministry of Defence as part of a wider Government initiative to free up public sector spectrum for civil uses. The public sector spectrum release programme was announced by the Government in 2010 as part of a comprehensive spending review. Under the programme, the Government announced a target of 500MHz of public sector spectrum below 5GHz to be released by 2020. A total of 190MHz of spectrum is being made available now, being spectrum which is suited to high speed mobile broadband services because of its ability to carry large amounts of data.
The 2.3GHz band is currently used for high-speed 4G mobile broadband networks in ten countries outside Europe: Australia, China, India, Norway, Oman, Russia, Saudi Arabia, South Africa, South Korea and Sri Lanka. The 3.4GHz band is already used for wireless broadband in a number of countries. In Europe there have been authorisations in the UK, Estonia, Germany, Ireland, Italy, Latvia, Macedonia, Norway, Portugal, Spain, Sweden and Switzerland.
The statement sets out a number of key decisions with respect to the proposed auction:
- Ofcom has rejected calls to delay the auction as a result of uncertainty in the market in relation to the BT/EE merger and H3G's proposed acquisition of O2. Applications for the auction will therefore be open from December 2015, with the bidding process to start early 2016.
- The auction will be of all available spectrum, reversing Ofcom's previous proposal (in May this year) to withhold some spectrum from the 2.3 and 3.4GHz award.
- No competition measures such as spectrum caps will be applied to the auction.
- The 3.4GHz spectrum will be auctioned in 5MHz lots, and the 2.3GHz spectrum in 10MHz lots.
- The reserve prices will be set at £1 million per 1MHz in the 2.3GHz band and £200,000 per 1MHz in the 3.4GHz band; that is £10 million per 10MHz lot in the 2.3GHz band and £1 million per 5MHz lot in the 3.4GHz band.
- Licences issued will include the following conditions:
  - Licences will be issued for an indefinite period with an initial term of 20 years.
  - Licences will be issued on a non-exclusive basis.
  - The 2.3GHz licences will cover Great Britain, and the 3.4GHz licences will cover the whole of the UK.
  - The newly available spectrum will be tradable under the provisions of the Mobile Trading Regulations.
  - There will be no coverage obligations or use-it-or-lose-it obligations.
Ofcom's statement set out the following process for the auction:
- a deposit of £100,000 will be required at the time of application (scheduled to be in December 2015);
- during the principal stage, Ofcom will require that bidders have, on deposit with Ofcom, sufficient funds to cover their commitments;
- following the qualification period, Ofcom will refund deposits as soon as possible to those not qualified; and
- at the end of the auction, Ofcom will announce which specific frequencies were won by which bidders and the total price paid.
To view a copy of Ofcom's statement, please click here.
4. More Data Protection: CJEU decision on extra-territoriality in Weltimmo case
In another important data protection case, the Court of Justice of the European Union (the "CJEU") has ruled that data controllers are bound by the law of a Member State even if they are registered in a different Member State, provided that the data controller exercises a real and effective activity in the context of processing personal data in the territory.
Article 4(1) of the Data Protection Directive (the "Directive") establishes that companies should comply with the data protection laws of an individual Member State where processing is carried out in the context of the activities of an "establishment" of the data controller in the territory of the Member State.
Weltimmo, a Slovakian-registered business, operated a property dealing website related to Hungarian properties. Advertisers requested deletion of their advertisements but the requests were not granted. Their personal data was subsequently passed to debt collection agencies. Complaints were made to the Hungarian data protection authority, which issued a fine against Weltimmo.
The Hungarian Supreme Court referred the case to the CJEU with the question as to whether Hungarian data protection law could be applied to Slovakian-registered Weltimmo.
Weltimmo argued that the Hungarian authority ought to have asked the Slovak data protection authority to act in its place. Rejecting this argument, the CJEU held that the meaning of "establishment" under Article 4(1) was not limited to the location of a company's registered office. The Court noted that Recital 19 in the preamble to the Directive states that establishment in the territory of a Member State implies the effective and real exercise of activity through stable arrangements. The concept of establishment could therefore extend to any real and effective activity, even one which was minimal.
In a separate question, the CJEU also considered whether the Hungarian authority would be able to impose a penalty prescribed under Slovakian law if it had been held that Weltimmo was not "established" in Hungary. The Court held that this would not be possible. The Hungarian authority may consider breaches of Slovakian data protection law but the proper action would be to refer the matter to the relevant Slovakian authority.
To view a copy of the CJEU judgment, please click here.
5. Lights, Camera, Action! Ofcom confirms review of TV production sector
Ofcom has confirmed it will undertake a comprehensive review of the £3 billion UK production sector, examining areas including the impact of foreign ownership and the widespread consolidation in the content sector. The review is being conducted following an official request from John Whittingdale, the UK Secretary of State for Culture, Media and Sport.
As background to the new review, Ofcom states that the consolidation of the independent production sector and the acquisition of major UK producers by large foreign media corporations means there is some uncertainty for the public service broadcasters ("PSBs") about the future shape of the programme supply market. In Ofcom's recent review of public service broadcasting, concerns were raised by stakeholders regarding consolidation in the production sector.
Ofcom's review will focus on four key work streams:
- The changing market context – Ofcom will set out how the market has developed and examine the changes that are affecting the structure of the industry. It will also consider scenarios for the likely future evolution of the sector.
- The effectiveness of the current regime – Ofcom will assess how well the objectives of the regime are being met, the extent to which this is due to regulation, and whether the current regulatory interventions are likely to deliver good outcomes in the future.
- The impact of regulation on PSBs – Ofcom will consider the ways in which the PSBs are affected by the production sector regime and what this means for each PSB and the delivery of wider PSB purposes and characteristics.
- Options for reform – Ofcom will consider how regulation could better deliver the objectives of the regime, lessen any negative impacts on the PSB system and improve the overall delivery of PSB goals.
Ofcom intends to publish its initial report by Christmas 2015.
To view a copy of Ofcom's statement, please click here.
6. Mind the Gap: Ofcom publishes decision on white space devices
Ofcom has published a decision licensing manually configurable white space devices on a transitional basis in an attempt to kick start further development of automatically configurable devices.
"White spaces" are gaps in the radio spectrum in frequency bands, which can be used to offer wireless applications. Under the TV White Spaces Framework, white space devices which meet certain requirements will be licence exempt. One key technical characteristic in order to qualify as licence exempt is that a device must not allow any manual configuration of the device parameters by the user or anyone else. This is to reduce the risk that a user could incorrectly configure the device, increasing the probability of harmful interference.
The market for white space devices is currently very immature, as it is a new technology currently only actively in commercial use in the US, where automatic configuration is not required. According to Ofcom, there are currently no devices on the market that are fully compliant with the terms of Ofcom's licence exemption. However, several manufacturers have products that would comply with all terms except the prohibition on manual configuration. Discussions with equipment manufacturers and databases suggest that there is no technical reason why devices do not meet the requirements but that, for commercial reasons, automatic configuration has not been the priority amongst manufacturers. This is because the UK is the only country in Europe putting a regulatory framework in place where automatic configuration is a requirement.
Ofcom has therefore proposed to introduce a transitional licensing regime which authorises manually configurable white space devices. This transitional licensing regime is intended to last no more than three years, in the hope that automatically configurable devices will be further developed soon. At the end of the three years, a review will take place to decide whether to extend the transitional licensing regime.
The risk of interference from manually configurable white space devices can be mitigated by further licence conditions including a "Quality Assurance" process. Ofcom also believes that the risk of increased costs of managing interference is low, as only professionals are likely to use manually configurable white space devices.
To view a copy of Ofcom's statement, please click here.
7. Consumer Rights Act comes into force
The Consumer Rights Act 2015 (the "CRA") came into force on 1 October 2015 and will apply to contracts entered into after that date.
Consumers have, for many years, enjoyed a high and increasing level of statutory protection under UK law. These protections include the imposition of implied terms into contracts for the supply of goods and services, enhanced remedies in the event of breach of contract and protection from unfair contract terms. However, because of the piecemeal way in which the law has developed, these protections are spread across numerous different Acts and Regulations.
The primary aim of the CRA is to consolidate the existing rules in order to provide clarity to both consumers and businesses. However, the legislators have also taken the opportunity to update existing rules, not least in order to keep pace with the changing way in which goods and services are bought. In particular, the CRA:
- extends consumer protection to cover the supply of digital content;
- consolidates and updates the remedies available to consumers who receive defective goods and services; and
- strengthens the existing law on the effect of unfair terms in consumer contracts and extends this regime to cover notices (i.e. oral or written announcements/communications to the consumer in relation to the contract) as well as contract terms.