Category Archives: U.S.

First guidelines of the EU data protection authorities after the ECJ Safe Harbour judgment

Yesterday, the EU data protection authorities (hereafter DPAs) assembled in the Article 29 Working Party made a first statement on the ECJ decision on the Safe Harbour agreement and defined the further steps to be taken by data protection authorities.

 

Here the main points of the statement:

  1. DPAs urge Member States and the European institutions to make a new intergovernmental agreement between EU and US. Nevertheless, this time, the agreement should provide adequate solutions in terms of data protection, which should be assisted “by clear and binding mechanisms and include at least obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights”.
  2. The Article 29 Working Party will continue the analysis of the impact of the ECJ judgment on the other transfer tools (i.e. Standard Contractual Clauses e Binding Corporate Rules), which can still be used by companies, until the definition of the new legal framework.
  3. In any case, DPAs will be able to investigate particular cases of trans-border data flows that are based on the transfer tools mentioned above.
  4. Ultimatum: “If by the end e end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”.

DPAs clearly point out that, after the ECJ judgment, data transfers that are still taking place under the Safe Harbour decision are unlawful. In this light, the authorities will make an adequate communication campaign to ensure that all stakeholders are sufficiently informed on the effects of the ECJ decision.

 

A brief comment to the statement

First, European DPAs urge EU and US authorities to make a new and fair agreement for data transfer between the two sides of the Atlantic.

Second, companies should move from Safe Harbour system to different transfer tools, which are based on contractual agreements or co-regulation (i.e. Standard Contractual Clauses e Binding Corporate Rules).

Finally, it should be pointed out that the regional German DPA of Schleswig-Holstein has already expressed a negative opinion on the use of the standard contractual clauses to solve the problem of the EU-US data transfer. Nevertheless, Schleswig-Holstein authority is known for its rigorous interpretation of data protection rules and its position may not be adopted by the other DPAs.

NSA: The Google request

UNITED STATES FOREIGN
INTELLIGENCE SURVEILLANCE COURT
W ASHJNGTON, D.C.
IN RE AMENDED MOTION FOR DECLARATORY
JUDGMENT OF GOOGLE INC.’S FIRST
AMENDMENT RIGHT TO PUBLISH
INFORMATION ABOUT FISA ORDERS
)
)
)
)
)
)
Docket No. Misc. 13-03
AMENDED MOTION FOR DECLARATORY JUDGMENT OF
GOOGLE INC. ~s FIRST AMENDMENT RIGHT TO
PUBLISH AGGREGATE INFORMATION ABOUT FISA ORDERS
Pursuant to 28 U.S.C. § 2201 and Foreign Intelligence Surveillance Court (“FTSC”) Rule of Procedure 6(d), Google Inc. (“Google”) respectfully moves this Court for a declaratory judgment that Google may disclose statistics regarding Google’s receipt of orders issued by this Court, if any, without violating the Foreign Intelligence Surveillance Act (“FlSA”) or the FISC Rules of Procedure.

http://services.google.com/fh/files/blogs/google_fisc_motion_sep9_2013.pdf

U.S. Concern about the European Right to Be Forgotten and Free Speech: Much Ado About Nothing?

Contents: 1. Introduction. – 2. The right to be forgotten in Europe. – 3. The right to be forgotten in the U.S. – 4. The EU Proposal for a General Data Protection Regulation. – 5.
False perspectives and real problems.

1. – After the official presentation of the EU Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), various opinions of lawyers and law scholars have been published in U.S. newspapers, legal blogs and law reviews. Many of these do not consider the entire framework of the new provisions and seem to use the rhetorical figure of synecdoche, considering a part (the right to be forgotten) for the
whole.

Read the full paper here

 

Data Protection in a Global World

The initial approach to data protection was local, different countries adopted specific legislative measures, and in some cases concerned only specific sectors characterized by a high need for data protection. This approach is no more adequate in a world where data flows across national boundaries many times a second, and in the context of big data, where it is not possible to define in advance which kind of information is relevant and sensible.

Read the full article here (pdf format)