TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, October 2, 2015 Related reading: A conversation on protecting children's privacy


Greetings from Brussels!

This week’s news sees the continuation of the transatlantic Safe Harbor debate. On Monday, the U.S. Mission to the European Union expressed alarm and was critical of Advocate General Yves Bot's opinion handed down last week. In a statement, the mission said it was concerned about damage to trade and privacy in Europe and the U.S. and so urged the European Court of Justice (ECJ), which if you recall usually follows its advocate general's advice, to reach different conclusions when it finally rules on the Max Schrems case. The ECJ is set to announce its ruling on October 6. Click here to register for a free web conference exploring the possible impacts of the decision.

The debate over Safe Harbor is particularly pertinent now as the EU is putting the final touches to the General Data Protection Regulation (GDPR), which is intended to become law in 2017. The GDPR has the potential to be much tougher than its predecessor. As a regulation, it will also be applied consistently in binding fashion across the EU member states, unlike the current directive. This is an important distinction, which I think escapes many.

If the ECJ were to follow the advocate general’s lead, and deem Safe Harbor invalid, think of the impact on those companies operating under the mechanism’s provisions, particularly those that operate (personal) data-centric business models: a minefield of potential challenges. This could have far-reaching consequences for some of the world’s largest multinationals; an estimated 4,000 companies rely on Safe Harbor for transfer and transatlantic data flow. An invalid ruling would have companies rethinking their global privacy policies.

In other significant news, the long-debated proposed Passenger Name Record (PNR) Directive has been thrown into the spotlight. In short, under the draft law, airlines would essentially have to give passenger data, including seat numbers and payment information, to law enforcement authorities for flights into and out of the EU. PNR data can also include any personal information collected during bookings for flights, including home addresses, mobile phone numbers, frequent flyer information and email addresses. This week, European Data Protection Supervisor (EDPS) Giovanni Buttarelli released an opinion stating that the current draft of the law goes too far. The opinion reads that the draft law "entails an interference with the fundamental rights of a very large number of air passengers, without differentiation, limitation or exception being made in the light of the objective of fighting against serious crime and terrorism." The opinion warns against the unjustified collection of passenger data contributing to a "surveillance society."

Given the current advanced state of GDPR negotiations, not to mention the latest Safe Harbor developments, the EDPS recommends that decisions on the EU PNR should be postponed until these negotiations are complete, "to fully align" the two sets of rules. Sensible advice, you have to think; our European legislators certainly have their work cut out on all fronts.


If you want to comment on this post, you need to login.