“Battle-ready” Privacy Shield gets muted welcome from EU data protection authorities

On 26 July, the Article 29 Data Protection Working Party (WP29) released a statement outlining its opinion on the EU-U.S. Privacy Shield, which was adopted by the European Commission earlier this month. After praising the improvements implemented by the Commission and U.S. authorities since its last critical opinion, the WP29 outlined some remaining concerns, including the lack of:

  • specific rules on automated decisions and a general right to object;
  • clarity regarding how the Privacy Shield applies to processors;
  • strong guarantees regarding the independence and powers of the Ombudsperson mechanism; and
  • concrete assurances that the bulk, indiscriminate collection of EU citizens’ personal data will not take place.

The first annual review of the functioning of the Privacy Shield program in 2017, to be conducted by the U.S. Department of Commerce and the European Commission, is clearly seen as important by the WP29, which calls for a more defined role in that process and hints that an adverse review could impact negatively on other data transfer methods, including Binding Corporate Rules.

In the meantime, the EU data protection authorities (DPAs) within the WP29 “commit themselves to proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints”. The WP29 has announced it will be producing guidance for data controllers about their obligations under the Shield, and commenting on the citizens’ guide produced by the Department of Commerce.

1 August 2016 marks the start of a new chapter for transatlantic data transfers. U.S. companies will be able to self-certify that they abide by the privacy principles set out in the Privacy Shield, providing them with a legal basis to receive personal data from the EU. It is too early to offer predictions on the success of this replacement to Safe Harbor; however, in the short term, the EU DPAs look set to uphold individuals’ considerably enhanced rights under the program – and Privacy Shield joiners should prepare themselves accordingly.

The Stored Communications Act’s Warrant Provisions Do Not Apply Extraterritorially

On July 14, the Second Circuit in Microsoft v. United States ruled that the Stored Communications Act (SCA) “does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.”

The Justice Department sought and obtained a warrant under the SCA against Microsoft, seeking the contents of an email account on the grounds that the account was being used in furtherance of narcotics trafficking. Microsoft complied with the warrant by producing non-content information, but moved to quash the warrant as to the content because the content was stored on servers located in Ireland.  The U.S. District Court for the Southern District of New York denied the motion to quash, and ultimately held Microsoft in contempt for its failure to comply with the warrant. Continue Reading

European Commission Publishes Communication on Cybersecurity

On 5 July, the European Commission (“EC”) published a communication outlining measures to improve resilience to cyber incidents, improve cooperation and information sharing, and promote innovation and competition in the European cybersecurity industry.


The communication highlights the EC’s intention to take cooperation, knowledge, and capacity to the next level, particularly through the imminent introduction of the Network and Information Security Directive (“NIS Directive”), on which we reported in May. The EC announced it will publish a blueprint for the Cooperation Group (created by the NIS Directive) in early 2017, and proposes the creation of an ‘information hub’. Here, the member states, EU bodies, the European Union Agency for Network and Information Security (“ENISA”), and the Computer Emergency Response Team, will pool and share expertise and information on cybersecurity. Another NIS Directive initiative highlighted was the establishment of Computer Incident Response Teams in each member state. These will be responsible for conducting checks on key network infrastructures. The EC proposes to ensure the necessary conditions for these checks to take place.


The communication also proposes a move toward ENISA 2.0 by reviewing its mandate before 2018, alongside the establishment of a cybersecurity training platform. The communication provides a clear roadmap for the actions of the Commission in the field of cybersecurity in the months to come.

Electronic Signature Regulation Now Effective

Tasked with harmonising the disparate member state legislation that implemented the eSignatures Directive (Directive 1999/93/EC), Regulation (EU) N°910/2014 (the “eIDAS” Regulation) became effective 1 July this year.

The eIDAS Regulation repeals the eSignatures Directive and contains specific provisions governing electronic identification, trust services, and a range of online authentication methods, including electronic signatures, seals, time stamps, and registered delivery services. The new rules are a step in furthering the development of the Digital Single Market, improving trust in digital authentication methods, and breaking down the barriers to online trade and the provision of digital goods and services.

The eIDAS Regulation distinguishes between three types of eSignature:

  1. Electronic signatures

These shall not be denied legal effect or admissibility as evidence in legal proceedings based purely on the fact that they are in electronic form.

  1. Advanced electronic signatures

These allow unique identification of the person who signs the document, and act as a tamper-evident seal which can reveal any unauthorised changes to its content. Such signatures can now be provided on mobile devices, as well as on traditional desktop computers.

  1. Qualified electronic signatures

Similar to advanced electronic signatures but with increased security, these are based on ‘Qualified Certificates’ which can only be issued by a Certificate Authority duly accredited and supervised by EU member state designated authorities, tasked with ensuring that the requirements of eIDAS are met. Qualified Certificates must be stored on a qualified signature creation device (such as a USB token, a cloud-based trust service, or similar). This is the only type of signature which has the equivalent legal effect of a handwritten ‘wet ink’ signature, and ensures mutual recognition across the EU.

Qualified electronic signatures provide a higher level of security (e.g., the signing process creates a tamper-evident seal), and combined with its mutual recognition across the EU, gives rise to a variety of different applications. For example, it could be particularly beneficial in the mHealth and FinTech industries; it provides a secure method of obtaining the consent of mobile app users for processing their sensitive personal data.

The eIDAS Regulation is a welcome update to the 17-year-old eSignatures Directive, which struggled to cater to the demands of an increasingly digital European economy.

Bavarian Data Protection Authority issues guidance paper on video surveillance under the General Data Protection Regulation

On 6 July 2016, the Bavarian Data Protection Authority issued a brief guidance paper on video surveillance under the new EU General Data Protection Regulation (“GDPR”).

This short paper is the first issue within a series of non-binding guidance papers on selected topics in relation to the GDPR, which the Bavarian Data Protection Authority has planned to publish periodically, and which can be found here. Continue Reading

Practical Cybersecurity Guidance from TheCityUK and Marsh

TheCityUK and Marsh have jointly published a report urging UK financial and related professional services sectors to step up their efforts to address cyber risk. The report (headed “Cyber and the City”) suggests that cybersecurity is still not being given the priority it deserves, particularly given the substantial disruption, costs and reputational damage that can flow from a cyber-incident. The threat of cyber-attacks on British companies is growing, with 2.5 million cyber-crimes reported last year in the UK alone.  Alarmingly, the report reveals that only 30% of firms rated cyber threats in the top 10 risks to their business, and only 29% had tried to quantify their cyber exposure.


As we reported last year, company Boards are well-placed to reduce the risk of successful cyber-attacks and the ensuing financial and reputational consequences. The report makes a number of specific recommendations for individual firms and includes the following 10-point checklist:

  1. Identify and quantify the main cyber threats.
  2. Maintain an action plan to improve defence and response to these threats.
  3. Ensure that data assets are mapped and the actions necessary to secure them are clear.
  4. Manage supplier, customer, employee and infrastructure cyber risks.
  5. Implement independent testing against a recognised framework.
  6. Ensure the risk-appetite statement provides controls on cyber concentration risk.
  7. Test insurance for its cyber coverage and counter-party risk.
  8. Ensure preparations have been made to respond to a successful attack.
  9. Share cyber insights with peers.
  10. Provide regular Board review material to confirm status on the above.


Another key recommendation is that the financial services sector should set up an industry-wide “Cyber Forum” as a platform for industry participants to informally share important information and experiences, and help promote a unified response to cyber threats. The forum would consist of a steering committee of directors from various financial organisations, and a working group of information security officers or risk executives.

The report gives UK businesses that are facing increased and increasing cyber threats with a set of helpful, practical recommendations to complement (and build upon) their existing risk-management approach.

EU-U.S. Data Privacy Shield adopted by European Commission

Following a positive vote from the Article 31 Committee on 8 July, the EU-US Privacy Shield was formally adopted on 12 July and will enter immediately into force in the EU. In the U.S. the Privacy Shield will be published in the Federal Register, becoming effective on 1 August and will be operated by the U.S. Department of Commerce, as was the now invalidated Safe Harbor Framework. The Article 29 Working Party (WP29), consisting of representatives from each of the member states data protection authorities, is expected to meet on 25 July 2016 to give its view on the Privacy Shield framework.

Please click here to read our full alert





Brexit: Baroness Neville-Rolfe on Data Implications

At the beginning of July, Baroness Neville-Rolfe, Minister of State at the Department for Business, Energy and Industrial Strategy, gave a speech at the annual Privacy Laws & Business conference, outlining the government’s stance on the implications of Brexit for a range of data issues including the GDPR, cybersecurity, international data transfers and the Internet of Things. The speech emphasised the need to “think about the opportunities as well as the challenges” of Brexit.

Acknowledging that some aspects of the future are uncertain, the Minister for Data Protection stated that any country wishing to handle the data of EU citizens would need to provide an adequate level of data protection. This will be a major consideration in the UK’s withdrawal negotiations. The minister noted that there continues to be “explosive growth” in digital developments and that the need to protect personal data will remain a priority.

Also at the beginning of July, Interim Deputy Commissioner Steve Wood published a blog on the website of the Information Commissioner’s Office (“ICO”). The blog states that although the GDPR’s applicability to the UK is uncertain, the regulation remains relevant to many organisations in the UK, particularly those operating internationally. As such, the ICO will continue to publish guidance on its provisions.  Mr Wood also called for “clear laws with safeguards in place” to support the growing digital economy.

A legislative response to this is the Digital Economy Bill 2016-17, which was introduced to the House of Commons and given its first reading 5 July. The bill tackles a variety of digital economy issues, including:

  • Strengthening the ICO’s powers
  • New protections for individuals’ rights
  • A new Direct Marketing Code of Practice
  • Electronic communications infrastructure and services
  • Restriction of underage access to pornography

The bill will soon be considered by MPs at second reading, where amendments can be suggested and made.

CJEU Attorney General Opinion Seeks to Restrict the Interpretation of ‘Establishment’

In June, the Attorney General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued his opinion (English translation pending) in the case of Verein für Konsumenteninformation v Amazon EU Sàrl (Case C-191/15). The opinion makes potentially important observations about which law should apply to the processing of personal data under the Data Protection Directive (95/46/EC) (“Directive”).

Where an organisation conducts data processing operations in several Member States, the AG’s opinion is that Article 4(1)(a) of the Directive should be interpreted so that the law of one single Member State applies. To determine which Member State’s law should apply, the “establishment” of the controller should be analysed. The controller’s establishment should be where there is “real and effective activity” exercised “through stable arrangements” (the interpretation of ‘establishment’ provided by the CJEU in Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (C-230/14)).

The opinion is not binding on the CJEU; however, if the court were to follow it, then organisations that have structured their operations so that the law of only one Member State applies to processing activities will breathe a sigh of relief. The case law of the CJEU has recently been developing in such a way that organisations’ processing activities are potentially subject to the data protection laws of several different Member States, causing an increased compliance burden. The CJEU is now in a position to offer such organisations some administrative relief.

Ninth Circuit Rules that CFAA Imposes Criminal Penalties when Terminated Users Try To Access Systems With Borrowed Passwords

It can be a violation of the federal Computer Fraud and Abuse Act (“CFAA”) to “access[] a protected computer without authorization.” The CFAA clearly applies when criminals with no connection to a company try to force their way into information systems.  But in a recent decision a divided panel of the Ninth Circuit found the CFAA can apply even when someone uses a password willingly shared by an authorized user.

In this criminal case, the defendant, David Nosal, had left his employment at Korn/Ferry. Nosal was seeking confidential information on the Korn/Ferry computer system to use at a venture he had started to compete with his previous employer.  Nosal asked his former executive assistant to stay at Korn/Ferry so she could provide access to the systems, and other former employees he was working with borrowed her password to the system and used it to download trade secrets. Continue Reading