Over at Out-Law.com, data protection lawyer Kathryn Wynn sets out her views on why IP addresses are best treated as personal information, regardless of which way the European Court of Justice rules in a pending case in Germany.
The ECJ has been asked to rule on whether website operators’ collection of IP addresses automatically qualifies as the collection of personal information, by virtue of the fact that additional information in the hands of third party ISPs could be used to identify individuals based on those IP addresses.
The European Union’s new General Data Protection Regulation (GPDR) has passed its last major hurdle to adoption. On Dec. 18, 2015, the Permanent Representatives Committee of the European Council confirmed that the compromise texts on the legislative package had been agreed with the European Parliament.
The GPDR contains a number of features potentially of interest to privacy practitioners in other jurisdictions whose privacy laws may follow the direction set by the EU, including:
- codifying the ‘right to be forgotten’ confirmed by the European Court of Justice in the 2014 Costeja decision
- regulating algorithmic decision-making where it produces legal effects or significantly affects individuals, and
- introducing requirements for mandatory notification of data breaches.
Link: WSGR via Bloomberg BNA
French privacy regulator, CNIL, has rejected Google’s informal appeal against its ruling (as reported previously) that individuals’ right to have posts removed extends to Google’s websites worldwide, including Google.com (and not just Google’s European websites such as Google.de or Google.fr). In doing so CNIL stressed that, contrary to suggestions by Google, this would not amount to applying French law extraterritorially. Instead, CNIL characterised the decision simply as “[requesting] full observance of European legislation by non European players offering their services in Europe”.
Link (CNIL): CNIL Decision
An update of EU regulatory developments since the European Court of Justice ruled the US/EU Safe Harbour Agreement invalid:
The Unabhängiges Landeszentrum für Datenschutz (ULD), a German data protection agency, has issued a position paper stating that “organisations, which use Standard Contractual Clauses to transfer personal data to US, now need to consider terminating the underlying standard contract with the data importer in the US or suspending data transfers. In consistent application of the requirements explicated by the CJEU in its judgment, a data transfer on the basis of Standard Contractual Clauses to the US is no longer permitted“.
This has been closely following by a public statement from the Article 29 Working Group, which is currently analysing the impact of the European Court of Justice judgment on other transfer tools (such as Standard Contractual Clauses). The ULD noted that in the interim “data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used“, although “this will not prevent data protection authorities to investigate particular cases, for instance on the basis of
complaints, and to exercise their powers in order to protect individuals“.
Links: Article 29 Working Group Statement and ULD Position Paper
Europol’s European Cybercrime Centre has released the 2015 Internet Organised Crime Threat Assessment Report. The Report highlights the increasing professionalisation of cybercriminals in terms of how attacks are planned and orchestrated using new methods and techniques, and an increased risk appetite and willingness to confront victims.
Malware remains a key threat for private citizens and businesses. Ransomware attacks, particularly those incorporating encryption, were identified as a key threat both in terms of quantity and impact. Information stealers, such as banking Trojans, and the criminal use of Remote Access Tools also feature heavily in malware investigations.
The report notes that the attention of industry is yet not fully focused on cyber security or privacy-by-design – “many of the so-called smart devices are actually quite dumb when it comes to their security posture, being unaware of the fact that they are part of a botnet or being used for criminal attacks. The Simple Service Discovery Protocol, which is enabled by default on millions of Internet devices using the Universal Plug and Play protocol including routers, webcams, smart TVs or printers, became the leading Distributed Denial of Service amplification attack vector in the first quarter of 2015.”
Link: Europol Internet Organised Crime Threat Assessment Report 2015
In a headline-making decision in Maximillian Schrems v Data Protection Commissioner, the European Court of Justice has invalidated the European Commission’s Decision 2000/520 (known as the “safe harbour decision”) on the transfer of EU citizens’ personal data from Europe to the US.
Until now the safe harbour decision has provided a simple way of achieving compliance with Article 25 of the EU data protection directive, which prohibits transfers of personal data to jurisdictions outside the EU unless they provide “adequate” privacy protections consistent with those available in the EU. The safe harbour decision allowed organisations to transfer EU citizens’ personal data to the US based on ‘self-certification’ that the transfer complied with certain principles outlined in the decision itself.
The latest ruling arises from a case brought by Maximillian Schrems, an Austrian privacy campaigner. Schrems had asked the Irish Data Protection Commissioner to prohibit Facebook from transferring his personal data to the US, alleging that the US surveillance activities revealed by Edward Snowden meant that the US did not provide “adequate” protection within the meaning of Article 25. The Data Protection Commissioner declined to investigate, taking the view that the safe harbour decision precluded any finding that protection was not “adequate”. The EUCJ has now held that the safe harbour decision is invalid, and does not preclude member states’ privacy regulators from inquiring into the “adequacy” of protection in the US.
The ruling means that organisations transferring EU citizens’ personal data from Europe to the US will need to find other ways to comply with Article 25, for example, implementing ‘model contract clauses‘ through bilateral agreements for data processing, or encrypting or tokenising data before transfer.
The Advocate General of the European Court of Justice, Yves Bot, has just released an opinion finding that the EU-US data protection ‘safe harbour’ framework is invalid. In his view, “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection.”
The AG also considers that the access enjoyed by the United States intelligence services to the transferred data constitutes an “interference with the right to respect for private life and the right to protection of personal data, which is guaranteed by the Charter of Fundamental Rights of the EU.” That interference with the fundamental rights is contrary to the principle of proportionality, in particular “because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance.”
The AG’s opinion is not a binding decision. The Court of Justice of the European Union may yet choose not to follow the Advocate General’s opinion.
Link: ECJ Press Release