Article 29 Working Party Assesses Transatlantic Privacy Shield

On April 13, the Article 29 Working Party (WP29) of the European Union released its assessment of the draft framework for transatlantic data flows: EU-US Privacy Shield, which was announced on February 2. According to the assessment, the WP29 evaluated the Privacy Shield from a commercial as well as a national security perspective. Regarding commercial aspects of the Privacy Shield, the WP29 maintained that “key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions.” The WP29 further opined that it “cannot find in the documents constituting the Privacy Shield any reference to the necessity for data controllers to ensure that the data are deleted once the purpose for which they were collected or further processed has become obsolete. Hence, as it seems, the Principles do not impose to the certified organisations [sic] a limit for the period of retention of the data comparable to what is imposed by the data retention limitation principle under EU law.” Regarding onward transfers and national security, the WP29 commented that, because the Privacy Shield will be used to transfer data outside the U.S., it must ensure the same level of protection on all aspects, including national security, and “should not lead to lower or circumvent EU data protection principles.” According to the WP29, as the Privacy Shield is currently drafted, “onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to Agents.” Finally, the WP29 raised doubts about the effectiveness of the Ombudsperson at the U.S. State Department, questioning whether the designated person would be equal in independence to national security oversight bodies in other countries.


California AG Harris Announces Settlement with San Francisco-Based Bank Over Consumer Privacy Violations

On March 28, California AG Harris announced an $8.5 million settlement with a San Francisco-based bank for alleged violations of California consumer privacy laws. Specifically, AG Harris’s and five district attorneys’ investigation into the bank found that its employees failed to “timely and adequately disclose the recording of communications they had with members of the public” in violation of sections 632 and 632.7 of the California Penal Code. Without admitting liability, the bank agreed to (i) implement changes to its policies; (ii) comply fully with California’s laws concerning the recording of communications between the bank and California consumers, making a clear, conspicuous, and accurate disclosure (the Recorded Call Disclosure) at the beginning of any communication that is subject to recording; and (iii) implement an internal compliance program to “promote full compliance with the requirements of Penal Code sections 632.7 and 632, and the Recorded call disclosure.” Of the $8.5 million civil money penalty, $384,000 will be used to reimburse the prosecutors’ investigative costs, and $500,000 will be contributed to two California organizations dedicated to advancing consumer protection and privacy rights.


Department of Commerce Reveals EU-U.S. Privacy Shield Framework

This week, the Department of Commerce released a package related to the EU-U.S. Privacy Shield Framework for transatlantic data flows. In February, the European Commission announced that the U.S. and the European Commission had agreed to a new Framework, but the Department of Commerce’s recently issued package is the first time the text of the agreement has been made available to the public. In addition to including the Framework itself, the package contains various copies of correspondence from U.S. officials discussing matters related to the Framework and how the appropriate U.S. government agencies will ensure the Framework, if adopted, will be enforced. Among other things, the new agreement (i) requires companies to respond to consumer complaints within 45 days of receiving the complaint; and (ii) describes a binding arbitration option for “certain ‘residual’ claims as to data covered by the EU-U.S. Privacy Shield.” Significantly, as noted in a statement from the European Commission, a final decision regarding the implementation of the Framework has not yet been made: “Now, a committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities (Article 29 Working Party) will give their opinion, before a final decision by the [members of the Commission]. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.”

On a related note, President Obama signed the Judicial Redress Act last week, which will lead to the highly anticipated signature of the EU-U.S. Data Protection Umbrella Agreement.


President Obama Signs into Law the Judicial Redress Act

On February 24, President Obama signed the Judicial Redress Act, legislation that, according to the President, ensures “data is protected in the strongest possible way with our privacy laws.” The legislation is considered critical to EU-U.S. data flows in that it paves the way for the extension of Privacy Act rights to EU citizens, which will give them rights to seek Privacy Act remedies via civil action in U.S. courts. Regarding the Act, Věra Jourová, the EU Commissioner for Justice, Consumers, and Gender Equality, commented, “[t]he entry into force of this Judicial Redress Act will pave the way for the signature of the EU-U.S. Data Protection Umbrella Agreement. This agreement will guarantee a high level of protection of all personal data, regardless of nationality, when transferred across the Atlantic for law enforcement purposes.”

The signing of the Judicial Redress Act comes after the European Commission’s approval of the EU-U.S. Privacy Shield, a new framework for transatlantic data flows.


Obama Administration Announces Executive Orders: Commission on Enhancing National Cybersecurity; Establishment of the Federal Privacy Council

On February 9, President Obama issued two Executive Orders (EOs), titled Commission on Enhancing National Cybersecurity and Establishment of the Federal Privacy Council. The first EO creates a Commission on Enhancing National Cybersecurity (Commission), which will be composed of top industry thinkers from outside the government. The President will appoint the Commission’s members, with the Speaker of the House of Representatives, the Minority Leader of the House of Representatives, the Majority Leader of the Senate, and the Minority Leader of the Senate each being invited to recommend one individual for membership. As outlined in the White House’s Fact Sheet on the EO, the Commission will, among other things, (i) assist in diagnosing and addressing the causes of cyber-vulnerabilities; (ii) “make detailed recommendations on actions that can be taken over the next decade to enhance cybersecurity awareness and protections throughout the private sector and at all levels of Government”; and (iii) report specific findings and recommendations to the President before the end of 2016.