The French privacy regulator, CNIL, has rejected Google’s informal appeal against its ruling (as reported previously) that individuals’ right to have posts removed extends to Google’s websites worldwide, including Google.com (and not just Google’s European websites such as Google.de or Google.fr). In doing so, CNIL stressed that, contrary to suggestions by Google, this would not amount to applying French law extraterritorially. Instead, CNIL characterised the decision simply as “[requesting] full observance of European legislation by non European players offering their services in Europe”.
Link (CNIL): CNIL Decision
An update of EU regulatory developments since the European Court of Justice ruled the US/EU Safe Harbour Agreement invalid:
The Unabhängiges Landeszentrum für Datenschutz (ULD), a German data protection agency, has issued a position paper stating that “organisations, which use Standard Contractual Clauses to transfer personal data to US, now need to consider terminating the underlying standard contract with the data importer in the US or suspending data transfers. In consistent application of the requirements explicated by the CJEU in its judgment, a data transfer on the basis of Standard Contractual Clauses to the US is no longer permitted”.
This has been closely followed by a public statement from the Article 29 Working Group, which is currently analysing the impact of the European Court of Justice judgment on other transfer tools (such as Standard Contractual Clauses). The ULD noted that in the interim “data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used”, although “this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals”.
Links: Article 29 Working Group Statement and ULD Position Paper
In a headline-making decision in Maximillian Schrems v Data Protection Commissioner, the European Court of Justice has invalidated the European Commission’s Decision 2000/520 (known as the “safe harbour decision”) on the transfer of EU citizens’ personal data from Europe to the US.
Until now the safe harbour decision has provided a simple way of achieving compliance with Article 25 of the EU data protection directive, which prohibits transfers of personal data to jurisdictions outside the EU unless they provide “adequate” privacy protections consistent with those available in the EU. The safe harbour decision allowed organisations to transfer EU citizens’ personal data to the US based on ‘self-certification’ that the transfer complied with certain principles outlined in the decision itself.
The latest ruling arises from a case brought by Maximillian Schrems, an Austrian privacy campaigner. Schrems had asked the Irish Data Protection Commissioner to prohibit Facebook from transferring his personal data to the US, alleging that the US surveillance activities revealed by Edward Snowden meant that the US did not provide “adequate” protection within the meaning of Article 25. The Data Protection Commissioner declined to investigate, taking the view that the safe harbour decision precluded any finding that protection was not “adequate”. The EUCJ has now held that the safe harbour decision is invalid, and does not preclude member states’ privacy regulators from inquiring into the “adequacy” of protection in the US.
The ruling means that organisations transferring EU citizens’ personal data from Europe to the US will need to find other ways to comply with Article 25, for example, implementing ‘model contract clauses’ through bilateral agreements for data processing, or encrypting or tokenising data before transfer.
APEC hopes to have an update of its privacy framework completed by the end of this year. The New Zealand Privacy Commissioner has undertaken the review as part of an Australia, Canada and New Zealand stocktake group.
Areas identified for strengthening include:
- introducing the concept of privacy management programmes
- adding breach notification to the list of remedies, and
- outlining factors to be considered in balancing trade considerations when restricting cross-border transfers for privacy reasons.
See the full statement on the Privacy Commission website