Irish Data Protection Commissioner to Request Court Declaration as to Validity of Personal Data Transfers to the US Under EU Model Clauses


On May 25, 2016, Austrian law student Max Schrems issued a press release stating that he has been informed that the Irish Data Protection Commissioner (DPC) is planning to refer a question to the Court of Justice of the European Union (CJEU) as to whether the EU model clauses remain a valid data transfer mechanism to the US, given the issues raised by the CJEU in its Schrems v. Facebook ruling last October, on mass surveillance of communication by US intelligence agencies and the lack of legal redress where this is disproportionate for EU data subjects. Such a referral would require the DPC to seek a declaratory judgement in the Irish High Court, which would in turn request a ruling from the CJEU.

We do not know the exact terms of the question that is being referred at this stage.

Our Take

As unwelcome as this latest challenge is for organisations whose operations rely on personal data flows to the US, there is a certain inevitability about it following the Article 29 Working Party’s negative reaction to the EU/US Privacy Shield, the proposed replacement to the US/EU Safe Harbor Agreement, which was invalidated by the Schrems ruling. The referral will put further pressure on the EU/US negotiators to find an acceptable political solution that meets the CJEU requirements in the first Schrems decision. The referral also could provide an opportunity for the CJEU to specify less demanding criteria that the US surveillance practices and redress mechanisms must meet.

The CJEU ruling, if and when it comes, could have many nuances and is by no means certain to conclude that EU model clauses are invalid for all types of data transfers. In the meantime, use of the EU model clauses (together with compliance with local prior authorisation and data subject notice requirements) will remain a valid export method to the US and other non-EEA countries which have not been deemed to have adequate data protection regimes. They also remain the least onerous export route if other derogations (e.g., the data subject has consented or the transfer is necessary for the performance of a contract) are not available.

We will be tracking this challenge and the results of the Article 31 Committee vote on whether the Commission will adopt the EU/US Privacy Shield as presented by the Commission or as amended as a result of the current EU/US discussions. This committee, made up of EU Member State representatives, must approve the EU/US Privacy Shield before the Commission can adopt it. It is scheduled to meet on June 6th and 20th and a vote could be taken at either of these meetings or not taken at all.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.

IADC Issues Cybersecurity Guidelines for Drilling Assets

Norton Rose Fulbright - eDiscovery

With infrastructure cybersecurity becoming a growing concern for businesses globally, it is not surprising that yet another industry association – the International Association of Drilling Contractors (“IADC”) – has issued cybersecurity guidelines for its members. IADC’s Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets address the cyber risks affecting the “digital oilfield” – including wireless offshore technologies and automated drilling assets and drilling control systems.


Hong Kong Monetary Authority Strengthens Cybersecurity Controls on Banks


The Hong Kong Monetary Authority (HKMA) is taking action to tackle cyber security in the banking sector in Hong Kong through the Cybersecurity Fortification Initiative (CFI) – a new comprehensive initiative announced on May 18, 2016, which aims to raise the level of cybersecurity of the banks in Hong Kong. This follows the Hong Kong Securities and Futures Commission’s (SFC) similar initiative of issuing the Circular to All Licensed Corporations on Cybersecurity (see our previous post).


Hong Kong Regulators Step up Enforcement on Personal Data Protection


Over the past month, Hong Kong Courts and the Securities and Futures Commission (“SFC”) have taken action under the Personal Data (Privacy) Ordinance (“PDPO”) against an insurance agent, a marketing company and a licensed individual for improper handling of personal data, resulting in a Community Service Order, a fine, and an SFC disciplinary action. These cases demonstrate increased citizen awareness of privacy rights and industry focus on the PDPO, and foreshadow further enforcement activity.


EU Network & Information Security Directive Expected to Become Effective in August 2016


The EU Network & Information Security Directive (NISD) (also known as the “Cyber Security Directive”) got one step closer to adoption today when, on May 17, 2016, the EU Council confirmed at first reading the agreement reached with the European Parliament in December 2015. To be enacted, the text must be approved by the European Parliament at second reading. A press release from the European Council states that the NISD is expected to enter into force in August 2016.

The NISD establishes minimum obligations for all Member States on the prevention of, handling of, and response to, risks and incidents affecting networks and information systems; creates a cooperation mechanism between Member States; and establishes security requirements for certain market operators and public administrations. The NISD will impose new security-related obligations on market operators providing “essential services” in a wide range of industries. Providers of digital services (online marketplaces, cloud computing services and search engines) will also be covered by the NISD.

Once the NISD is adopted, EU Member States will have 21 months to adopt the necessary national provisions to comply with it.

For further details of the contents of the NISD please see our December 2015 post on the agreed text.

CJEU Advocate General Opinion: Dynamic IP Addresses are Personal Data; Member States cannot limit processing permitted by the Data Protection Directive


On May 12, 2016, the Court of Justice of the European Union’s (CJEU) Advocate General, Campos Sánchez-Bordona, published his opinion on a question referred to the CJEU for a preliminary ruling. The opinion argues that dynamic IP addresses should be considered to be personal data under European law. Moreover, the opinion asserts that Member States’ laws that limit the ability to store such personal data beyond the restrictions permitted in Directive 95/46/EC (the Data Protection Directive) are non-compliant with European law. Although the CJEU’s final decision does not have to follow this opinion, the Advocate General’s arguments are followed more often than not.


Big data: French and German authorities explore antitrust issues


On May 10, 2016, the French and German antitrust authorities published a joint study on competition law and the collection and use of data, particularly so-called big data (the Big Data Study). Data protection as such is outside the scope of EU competition laws, but antitrust authorities have considered the significance of data on a number of occasions, often in the context of merger reviews such as the EU Commission’s Facebook/WhatsApp case.


Legal update: Security issue could impact ADP customers


Cyber criminals appear to have gained unauthorized access to ADP, Inc.’s self-service customer portal to file fraudulent tax returns for some ADP customer employees.

ADP has reportedly confirmed that a subset of its customers have been the victim of tax fraud perpetrated by hackers posing as customer employees on ADP’s portal. We recommend that ADP customers consider taking certain steps to protect their employees’ information against tax fraud.


FDA Warns of Link Between Anti-Malware and Medical Device Failure


Our sister blog, The Health Law Pulse, has just blogged on the first reported instance of anti-malware software causing a medical device failure. Medical device manufacturers may wish to keep this type of interruption in mind when considering the U.S. Food & Drug Administration’s past guidance regarding the need to balance cybersecurity safeguards and the usability of the medical device in its intended environment of use.

For more information about this incident, please read the post by our colleagues Mark Faccenda and Blake Walsh.


IAPP Profiles Norton Rose Fulbright Attorney


The International Association of Privacy Professionals (IAPP) recently profiled our colleague Nerushka Deosaran, a technology and privacy lawyer at Norton Rose Fulbright’s Johannesburg office. Read more in the “volunteer spotlight” feature in the latest edition of The Privacy Advisor.

Nerushka was also appointed co-chair of the IAPP’s Johannesburg KnowledgeNet in January 2016. The Johannesburg KnowledgeNet hosted its first event, #HackPrivacy, on March 17, 2016, bringing together local privacy pros to dissect topics such as Privacy-By-Design, IoT and resilience in privacy.