Photo of Kate Brimsted

The U.S. Judicial Redress Act has been signed into law by President Obama. The move marks an important step in data transfer relations between the EU and the United States, gives the green light to the EU-U.S. law enforcement data Umbrella Agreement and helps to underpin the Privacy Shield.


The CNIL issued a press release on February 4, setting expectations concerning the “EU-U.S. Privacy Shield” work-in-progress. At the same time, it has switched to enforcement mode concerning Safe Harbor remediation failure.


On 3 February, the Article 29 Working Party (‘WP29’), a group comprising representatives of the EU Member States’ Data Protection Authorities (‘DPAs’), issued a statement cautiously welcoming the agreement on an “EU-U.S. Privacy Shield”. If it is formally adopted, the Privacy Shield will replace the Safe Harbor agreement that was declared

After what seemed like sure defeat, an agreement on Safe Harbor has apparently been reached. Dubbed the “EU-U.S. Privacy Shield”, the regime will, subject to approval processes, replace the existing Safe Harbor arrangement which was invalidated 6 October 2015.


On 12 January 2016, the European Court of Human Rights handed down a decision on the lawfulness of monitoring private messages sent on an employee’s Yahoo! Messenger account using the employer’s computer system; the case was Barbulescu v. Romania.

The facts of this case were quite specific; however the key message, which reflects the

After almost three years, consensus has finally been reached on the text of the Network and Information Security (“NIS”) Directive, the first-ever, EU-wide cyber security regulation. The NIS Directive (or Cybersecurity Directive) lays down baseline cybersecurity and mandatory breach reporting obligations on critical infrastructure operators and digital service providers across the EU.

The Directive also envisages a “strategic cooperation group”, with the aim of encouraging Member States to exchange information and best practices on cybersecurity breaches. In addition, Member States will be required to set up Computer Security Incident Response Teams (CSIRTs) to handle incidents and identify coordinated responses alongside the other Member States.

The announcement, which was made 7 December 2015, has been a long time coming. Work on the Directive first began in February 2013, and has since been under trilogue negotiations between the European Commission, Parliament and Council.

On 19 November, the CNIL released an article in order to provide companies impacted by the recent CJEU ruling on invalidation of Safe Harbor with guidance on the next steps. The article was published at the same time the CNIL sent a mailing to all data controllers relying on Safe Harbor to fix the issue.

In a ruling by the European Court of Human Rights (“ECHR”) handed down in July 2015, the right to respect for individuals’ privacy trumped journalists’ right to freedom of expression.

In the case of Satakunnan Markkinapörssi and Satamedia v. the Republic of Finland, it was decided that Finnish magazine, Veropörssi (“V”), could be prevented from storing, publishing and offering an SMS enquiry service involving personal tax information about individuals. This was despite the fact that (a) the information had already been published by the Finnish tax authorities and (b) V had been publishing annual information about individuals’ taxable income and assets.

On 6 November, the European Commission released a communication on the implications of the Court of Justice of the European Union’s decision invalidating the Safe Harbor framework.

The key message, which echoes previous announcements by data protection authorities and the Article 29 Working Party, is that data exporters are ultimately responsible for ensuring that transfers

Giovanni Buttarelli, the European Data Protection Supervisor (“EDPS”), has announced plans to set up a new European Ethics Advisory Board to address the technological challenges of the 21st century in a world where there are now more connected devices on the planet than people. He stated, “in today’s digital environment, adherence to the law is not enough; we have to consider the ethical dimension of data processing”.

The Opinion paper, published by the EDPS 11 September 2015, highlights the difficulties in protecting the dignity of the human person, including the rights to privacy and protection of personal data, against a digital landscape in which there are now more connected devices on the planet than people. He has called for a broader discussion on how to “ensure the integrity of [European] values while embracing the benefits of new technologies”. While the EDPS considers that data protection principles have proved capable of safeguarding individuals and their privacy from the risks of irresponsible data processing, he believes that today’s trends “may require a completely fresh approach”, and has urged those responsible internationally to promote an “ethical dimension in future technologies”.