Our IT & Outsourcing eBulletin contains summaries of the following recent developments in law and regulation relating to technology, outsourcing and data protection in the EU and the UK.
- US can stand under my EU data protection umbrella
- Is the US "Safe Harbor" sinking?
- US Microsoft case receives appellate scrutiny
- Life in the Fast Lane: EU consultation on internet speed and quality
- Cross-Border Clicks: EU Commission proposals for an online contracts sales law
- Googling compensation: Google granted leave to appeal Vidal-Hall decision
- GDPR Trilogue Preparation: ICO comments on Council's position
1. US can stand under my EU data protection umbrella
The EU and US have finally reached agreement on the so-called data protection "umbrella agreement", following protracted negotiations which officially began in March 2011.
The Umbrella Agreement puts in place a comprehensive data protection framework for EU-US law enforcement cooperation. It covers all personal data exchanged between the EU and the US for the purpose of the prevention, detection, investigation and prosecution of criminal offences, including terrorism.
Key aspects of the Umbrella Agreement
In essence, the Umbrella Agreement requires US law enforcement authorities to comply with EU-style data protection principles when processing personal data transferred to them from the EU. In particular:
- Purpose limitation – The data transferred between the EU and US may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism. The data may not be processed for further incompatible purposes.
- Onward transfer – Any onward transfer of personal data to a third country or international organisation must be subject to the consent of the competent authority that originally transferred the personal data.
- Data retention – Personal data must not be retained for longer than necessary or appropriate, and retention periods will be published or otherwise made publicly available.
- Data Subject rights – Individuals will be given rights to access their personal data subject to certain conditions. They may also request that any inaccurate data is corrected.
- Data security breaches – A mechanism will be put in place to deal with the notification of data security breaches to the competent authority that originally transferred the personal data, and possibly the individuals affected.
One of the sticking points in the negotiations related to the issue of judicial redress. In his opening statement to the European Parliament in October 2014, President Juncker spoke of data protection as a fundamental right of particular importance in the digital age. He said: "The US must […] guarantee that all EU citizens have the right to enforce data protection rights in US courts, whether or not they reside on US soil. This will be essential for restoring trust in transatlantic relations". As part of the Umbrella Agreement, it has therefore been agreed that the US will adopt legislation that grants EU citizens the same judicial redress rights as US citizens in the case of privacy breaches by US authorities to whom their personal data has been disclosed. This provision of the Umbrella Agreement depends upon the adoption by US Congress of the US Judicial Redress Bill which was introduced to Congress in June 2015 and will put in place the judicial redress requirements set out above.
The European Commission has outlined the following example of how this right will work in practice:
An EU citizen’s name is identical to that of a suspect in a transatlantic criminal investigation. Their data has been transferred from the EU to the US and erroneously gets collected and included on a US "black list". This can lead to a series of adverse consequences from the refusal of an entry visa, to a possible arrest. The EU citizen should be able to have their name deleted by the authorities – if necessary by a judge – once the mistake is discovered. Europeans (and Americans) have those rights in the EU. They should have them when their data is exchanged with the US too. The citizen who believes that their data is inaccurate also can authorise, where permitted under domestic law, an authority (for instance a Data Protection Authority) or another representative to seek correction or rectification on his or her behalf.
If correction or rectification is denied or restricted, the US authority processing the data should provide the individual or the data protection authority acting on their behalf with a response explaining the reasons for the denial or restriction of correction or rectification.
Although the Umbrella Agreement has been agreed and initialled, it will not be formally concluded until the adoption of the US Judicial Redress Bill described above.
2. Is the US "Safe Harbor" sinking?
Advocate General Bot of the Court of Justice of the European Union ("CJEU") has published an opinion finding that the Commission's adequacy decision in relation to the US Safe Harbor does not prevent national data protection authorities from suspending the transfer of the data of European Facebook subscribers to servers located in the United States. The AG further considers that the adequacy decision itself is invalid and should be repealed.
Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook's Irish subsidiary to servers located in the United States, where it is kept. Mr Schrems lodged a complaint with the Irish data protection authority, taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services, the law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the "safe harbour" scheme, the United States ensures an adequate level of protection of the personal data transferred.
The High Court of Ireland referred the case to the CJEU to ascertain whether the Commission's finding of adequacy has the effect of preventing a national supervisory authority from investigating a complaint alleging that the country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.
The CJEU does not have to follow the opinion of the AG but it often does.
To view a copy of the opinion, please click here.
3. US Microsoft case receives appellate scrutiny
A US federal appellate court heard argument on 9 September 2015 in a closely-watched dispute between the US Government and Microsoft. The case arises from Microsoft's opposition to a search warrant obtained by US law enforcement authorities that sought production, in the United States, of Microsoft customer e-mails stored on a server in Ireland.
Microsoft contended on appeal that, just as US courts cannot issue search warrants for physical property located outside the US, such courts also lack authority to issue a warrant requiring seizure of electronic data where that data is physically stored outside the US. In contrast, US authorities, who seek the e-mails as part of a drug-trafficking investigation, argued that the warrant was valid because Microsoft can access, and otherwise has control over, the data in the US, such that no search or seizure would take place until Microsoft downloads the e-mails in its US offices.
Last year, a lower federal court rejected Microsoft's argument, ruling that the warrant was valid under the US Stored Communications Act (our contemporaneous analysis of that decision is available here). A ruling, from the US Court of Appeals for the Second Circuit, is expected relatively soon, and may have important implications regarding the extent to which US authorities can reach data stored outside the US, which in turn may influence how personal data is handled and how US technology companies will do business with non-US customers, particularly in the data storage or cloud arenas.
4. Life in the Fast Lane: EU consultation on internet speed and quality
The European Commission has published a consultation seeking views on needs for internet speed and quality beyond 2020. It asks about current use of the internet (both fixed and mobile connectivity) and how this is likely to evolve by 2025.
In 2010, the Digital Agenda for Europe was adopted, which set out the following three "broadband targets" for Europe:
- basic broadband for all citizens by 2013;
- next generation networks (30Mbps or more) accessible for all by 2020; and
- 50% of households having 100Mbps subscriptions or higher by 2020.
In May 2015, the European Commission published its Digital Single Market ("DSM") Strategy (for further details, please see our eBulletin, available here). One of the three main pillars of the DSM is to create the right conditions for digital networks and services to flourish.
In the five years since the Digital Agenda for Europe, broadband roll-out has progressed, although take-up of superfast broadband is not at the level anticipated by the Digital Agenda for Europe. At the same time, demand for data and connectivity has increased hugely and continues to do so.
The European Commission has therefore published a consultation to assess and understand the needs for internet speed and quality beyond 2020. This is with a view to developing public policy to help investors to deploy future-proof connectivity networks and to ensure that all users can take advantage of the digital economy and society.
The results of the consultation will provide input to the design and the implementation of EU policy, regulatory and funding instruments that can contribute to facilitating broadband deployment, such as the review of the regulatory framework for telecommunications (for further information, please see our eBulletin, available here) and the use of public funding.
The Commission invites responses by 7 December 2015.
To view a copy of the Consultation, please click here.
5. Cross-Border Clicks: EU Commission proposals for an online contracts sales law
The European Commission has conducted a consultation on its plans for an online contract sales law. The plans appear to replace the Commission's previous controversial proposals for an all-encompassing Common European Sales Law.
According to the European Commission, cross-border e-commerce within the EU is far from reaching its full potential. Only 18% of consumers who used the Internet for private purposes in 2014 purchased online from another EU country, while 55% did so domestically. Only 12% of all EU retailers sell online to consumers in other EU countries, while more than one third (37%) do so domestically.
The Commission believes that one of the main barriers to cross-border e-commerce is the differing contract rules that apply to cross-border sales within the EU. Contracts for the supply of digital content products may be characterised differently in the various Member States, for example as service, lease or sales contracts. A number of Member States have also enacted, or started work to adopt, specific legislation on digital content products (for example, the Consumer Rights Act 2015 in the UK). This could further increase the differences between the national rules that businesses would have to consider when providing digital content products throughout the EU.
The Commission has therefore conducted a consultation to collect interested parties' views on the possible ways forward to remove contract law obstacles related to the online purchases of digital content and tangible goods.
The consultation closed on 3 September 2015 and the Commission is currently considering the responses received.
6. Googling compensation: Google granted leave to appeal Vidal-Hall decision
The Supreme Court has given leave for Google to appeal certain aspects of the Court of Appeal's decision earlier this year in relation to the use of personal data collected via the so-called "Safari workaround".
The original case related to Google's collection - via the Apple Safari browser - of personal data about consumers' internet usage.
In March this year, the Court of Appeal issued a landmark ruling in the case, allowing claims for financial compensation for distress caused by breaches of the Data Protection Act 1998 ("DPA") despite there being no pecuniary loss or other material damage. In doing so, the Court of Appeal held that section 13(2) of the DPA, which deals with compensation for individuals who suffer distress as a result of a data protection breach, was incompatible with Article 23 of the EU Data Protection Directive (liability and compensation) and should be disapplied on the grounds that it conflicts with the rights guaranteed by the EU Charter of Fundamental Rights.
This led many commentators to speculate whether the decision would result in a large increase in litigation claiming compensation under the DPA, as claimants would no longer need to prove pecuniary loss in order to claim damages for distress.
However, the story is not yet finished, as the Supreme Court has now granted leave for Google to appeal the decision on the following grounds:
- whether the Court of Appeal was right to hold that section 13(2) of the DPA was incompatible with Article 23 of the Data Protection Directive; and
- whether the Court of Appeal was right to disapply section 13(2) of the DPA on the grounds that it conflicts with the rights guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights.
To view a copy of the Court of Appeal's judgment from March this year, please click here.
7. GDPR Trilogue Preparation: ICO comments on Council's position
The UK Information Commissioner's Office ("ICO") has published a commentary on the Council of the European Union's agreed position on the proposed General Data Protection Regulation ("GDPR").
In June 2015, the Council of Ministers of the European Union finally agreed a general approach on the proposed GDPR, paving the way for negotiations to commence between the three European institutions (the Commission, the Parliament and the Council) to agree a final version (for further information, please see our eBulletin, available here).
The ICO has now published its commentary on the Council's position. The text includes a discussion of the areas where the ICO considers that there is the greatest need for improvement as the trilogue progresses.
Key areas of interest include:
- Consent – One of the benefits of the approach to consent in the Commission's original text was the removal of the confusing distinction between 'consent' and 'explicit consent'. The ICO therefore does not welcome the references to 'explicit' or 'unambiguous' consent that appear in the Council's position. The ICO believes that a single, high standard of consent is required, whether that standard is described as 'explicit', 'unambiguous' or both, rather than one or the other applying depending on the context.
- Subject Access – The ICO believes that the distinction between the right to access information free of charge and the right to obtain a copy of the personal data without excessive charge will be confusing. The ICO is not against a fixed but modest subject access fee, set on a national basis, but it does not want to have to deal with disputes about whether the fees organisations charge are excessive or not.
- Data Security Breaches – The ICO has previously stated that it is concerned about the possibility of receiving a large number of notifications of trivial or inconsequential data breaches. Therefore the Council's added reference to ‘high-risk’ breaches is welcomed.
- One Stop Shop – The ICO believes that the part of the GDPR dealing with the competence of data protection supervisory authorities has become confusing and overly complex. It needs to be simplified. The ICO maintains its view that local data protection issues should continue to be dealt with on a local basis. The ICO is concerned that in many cases it will not be clear which supervisory authority is the lead. This could be a particular problem where a company, or group of companies, has a number of substantive establishments across the EU.
- Sanctions – The Council's basic three-tier system, which links categories of breach to levels of fine, lacks flexibility and leaves little room for the exercise of supervisory authority discretion. The ICO is concerned that within this structure some administrative breaches that could be relatively minor – for example a failure to designate a 'representative' – fall within the highest sanction tier. The ICO's preferred approach would be to remove the three tiers and have a single list of breaches that can attract a fine.
The first trilogue session between the European institutions took place on 24 June 2015, and a draft timetable for the remaining trilogue sessions published by the European Parliament envisages the institutions reaching final agreement on the GDPR by the end of 2015. Once adopted, there would then be a two-year period before the GDPR applied (i.e. it could in practice come into effect towards the end of 2017).
To view a copy of the ICO's commentary, please click here.