1st Newsletter -> 8 - 14 July 2016

    UK ICO's opinion on the relevancy of the GDPR


    The UK's Information Commissioner’s Office (ICO) posted its official opinion on how the UK will or will not proceed with the implementation of the GDPR after the Brexit vote. According to the ICO, once the GDPR is implemented in the EU, it will be relevant for many organisations in the UK (most obviously those operating internationally).

    The GDPR has several new features, such as breach notification and data portability, so the ICO also launched an overview of the GDPR. The aim of this overview is to highlight the key themes of the GDPR to help organisations understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA) and describes some of the new and different requirements.


    Read the opinion HERE


    Read the overview HERE


    _______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________


    European Commission launches EU-U.S. Privacy Shield


    On the 12th of July 2016 the European Commission adopted the EU-U.S. Privacy Shield, a set of principles intended to protect the fundamental rights of anyone in the EU whose personal data is transferred to the United States and to bring legal clarity for businesses relying on transatlantic data transfers. The Privacy Shield comes as a consequence of the European Court of Justice's invalidation of the Safe Harbour framework.


    The most important principles of the Privacy Shield are:

    - Strong obligations on companies handling data,

    - Clear safeguards and transparency obligations on U.S. government access,

    - Effective protection of individual rights,

    - Annual joint review mechanism.


    The decision of the European Commission entered into force immediately. On the U.S. side, the Privacy Shield framework will be published in the Federal Register (an equivalent to the EU Official Journal). The Commission also promised to publish a short guide for citizens explaining the remedies available to an individual who considers that his personal data has been used without taking the data protection rules into account.


    Read more HERE


    Read the Adequacy Decision HERE


    _______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________


    Privacy Shield Certification


    Businesses that were previously in the Safe Harbour cannot automatically transfer to the newly adopted Privacy Shield framework; they have to assess their compliance against the new, more rigorous Privacy Shield requirements. They will be able to certify with the US Department of Commerce from 1 August onwards.


    Read more HERE

    _______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________



    Opinion of Max Schrems and Jan-Philipp Albrecht on Privacy Shield


    Jan-Philipp Albrecht (MEP) and Max Schrems (the European privacy campaigner whose Facebook challenge ended the Safe Harbour agreement) wrote an interesting article for The Irish Times on the (in)adequacy of the Privacy Shield framework. In the article the authors criticise many of the main aspects of the framework, including the “notice and choice” mechanism, the broad definition of purposes of sharing of personal data, guarantees and actual enforceability, blanket mass surveillance, the ombudsperson, etc.


    Read the article HERE


    _______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________


    Microsoft case ruling: U.S. authorities cannot seize overseas data based on SCA


    In December 2013, authorities obtained a Stored Communications Act (SCA) warrant, signed by a judge, as part of a drug investigation and served it upon Microsoft. When the company refused to comply, a lower court held the company in contempt. Microsoft challenged that decision, and the U.S. Court of Appeals has ruled in favour of Microsoft, stating that the company does not have to turn over the contents of an Outlook.com user’s inbox to the U.S. investigators because that user’s data is held abroad, in Ireland. More specifically, the court concluded that § 2703 of the SCA does not authorise courts to issue and enforce, against U.S.-based service providers, warrants for the seizure of customer email content that is stored on foreign servers.


    Read more HERE


    Read the whole judgement HERE


    _______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________