
Tag: EEA

EU should not be 'too restrictive' with data protection law

EU countries must not be too restrictive in how they apply EU data protection laws or risk damaging the development of big data projects, German chancellor Angela Merkel has said.

Germany has traditionally been cautious over data collection, but if countries are too restrictive then "big data management will not be possible", Merkel told the 10th IT Summit (link to video in German) in Saarbrücken. Europeans are famous for banning things, Merkel said.

These bans are put in place for good reason, she said, but can be damaging if taken to excess. "In Germany we have the principle of 'data minimisation', but we may have to give a little on that. Such a principle doesn't seem as appropriate when you are looking at big data," she said.

While it is important to protect personal data, it is also important to enable new developments, she said. "Courts will have to be careful not to be too strict if that means limiting opportunities", Merkel said.

Munich-based data protection expert Kirsten Wolgast of Pinsent Masons, the law firm behind Out-Law.com, said Merkel's comments suggest a change of direction. "Merkel obviously wants to create some space for big data business models, and make it a bit easier to establish. But we'll have to wait and see whether the data protection authorities or courts take her comments into account," Wolgast said.

Berlin data protection commissioner Maja Smoltczyk said this month that nine of the country's federal data protection authorities are to conduct a review of 500 businesses' data transfer arrangements. The review will focus on arrangements the businesses have in place for transferring personal data outside of the European Economic Area (EEA).

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Queued up to self-certify

Internet giant Google has signed up to the Privacy Shield, a framework designed to facilitate the transfer of personal data between the EU and US by businesses. Data storage and software provider Dropbox has also self-certified under the Privacy Shield.

The companies are the latest major US technology businesses to sign up to the scheme.

Google's certification was registered on 22 September and Dropbox's on 23 September. Microsoft self-certified under the Privacy Shield in August. Amazon also announced that it was in the process of self-certifying last month, but it appears that it has still to complete that process as its certification is not yet listed.

Since 1 August, US businesses have been able to self-certify their compliance with a set of privacy principles that make up part of the Privacy Shield.

Data protection law expert Cerys Wyn Davies of Pinsent Masons, the law firm behind Out-Law.com, previously explained that businesses that sign up to the Privacy Shield within the first two months of it becoming operational can do so without first having to update arrangements for sharing data with others. Wyn Davies said, though, that those businesses then only have a limited time in which to put new contracts in place.

The European Commission has set out its view that businesses that transfer personal data from the EU to the US in line with the Privacy Shield principles and self-certify under the framework will adhere to EU data protection law requirements regarding the transfer of personal data outside the European Economic Area (EEA).

However, Hamburg's data protection authority has said it is considering raising a legal challenge against the European Commission's endorsement of the Privacy Shield.

Earlier this summer the Article 29 Working Party, a committee representing national data protection authorities from across the EU, stated that it retains some concern about aspects of the Privacy Shield, including in respect of "mass and indiscriminate collection of personal data" by US authorities as well as on some "commercial aspects" of the framework. It said it "regrets … the lack of specific rules on automated decisions and of a general right to object" and said it "also remains unclear how the Privacy Shield Principles shall apply to [data] processors".

Despite its concerns, however, the Working Party indicated that the watchdogs will not challenge the legitimacy of data transfer arrangements under the new Privacy Shield during the first year of its operation.

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

The United States and the European Union agree to modify their data transfer pact, but what now for the United Kingdom?

By Tom Jowitt

The United States and the European Union have agreed to changes to Safe Harbor 2.0 (or Privacy Shield), after an initial agreement was rejected by European watchdogs for not being robust enough.

The two have agreed to stricter rules for companies holding information on Europeans and clearer limits on U.S. surveillance.

But the UK's shocking exit from the European Union has raised data protection concerns for UK firms.

Revised Deal

The revised EU-U.S. Privacy Shield has been dispatched for review by European member states, according to Reuters. A vote on the matter is reportedly expected in early July, and then the new agreement will become law.

All of this stems from the decision last October by Europe's top court to strike down the original data-sharing (Safe Harbor) deal with the United States that had lasted 15 years. In February this year, the replacement agreement, now known as the Privacy Shield, was agreed upon.

That proposed replacement was designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data-transfer rules. But it failed to get the blessing of European data protection watchdogs, and they demanded much tougher regulations surrounding U.S. surveillance practices.

In order to beef up the agreement, the U.S. government has explained the specific conditions under which intelligence services might have to collect data in bulk. They also detailed the safeguards on how the data would be used.

A letter from the Office of the Director of National Intelligence, seen by Reuters, gave an example of the United States seeking information on the activities of a terrorist group in the Middle East believed to be plotting attacks against Europe. If Washington does not have information, such as names, phone numbers or email addresses, it would collect communications "to and from that region for further review and analysis to identify those communications that relate to the group," the letter states.

"Thus, even when targeting through the use of specific selectors is not possible, the United States does not collect all communications from all communications facilities in the world," the letter reportedly said.

The United States has also pledged to create a new privacy official, who will be responsible for dealing with complaints from EU citizens about U.S. spying. This official would reportedly be independent from the U.S. intelligence services.

UK Exit

The transfer of personal data from the United Kingdom to the United States was covered by the original Safe Harbor agreement, and then the revised Privacy Shield.

But following the shocking decision by British voters to exit the European Union, some businesses could be concerned about the way forward.

But at least one expert suggests firms should not panic, but just carry on.

"In my view, the long-term impact of a 'Brexit' on the legislative framework for privacy will probably not be hugely significant," said Peter Galdies, development director at data governance, risk and compliance firm DQM GRC.

"After Article 50 is invoked, which gives our official 'notice' to leave the EU [which now looks likely to be after October 2016], there will be a mandatory two-year minimum period in which we remain a member of the EU whilst we negotiate an exit," he said. "During this time, all existing legislation [including GDPR] will continue as before. Many forecast that this process might take much longer—with many estimates between three and six years."

"The many organizations which already manage or contain personal data relating to EU/EEA state citizens [clients, prospects or employees] will continue to have to manage that data according to the requirements of the GDPR regardless of 'Brexit,' or they will be in breach of the GDPR and risk large fines—so for many organizations nothing will change—the GDPR will apply even when we leave," said Galdies.

"It is also highly likely that the UK [now with a strong new commissioner with a proven history of backing and enforcing consumer rights] will adopt a legislation directly modeled on the GDPR [as we will also need to do with the other legislations, such as worker's rights and other similar good laws that protect the rights of the individual which will now need replacing]," said Galdies.

"The pressure to negotiate a strong trade deal with the EU will also drive the adoption of 'mirroring' legislation—designed to minimize the barriers to continued trade," said Galdies. "Ultimately, we must continue to 'Keep Calm and Carry On.'"