News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Privacy Shield legality 'rather doubtful,' says German DPA Related reading: German DPA Takes Steps After Safe Harbor Decision

rss_feed

""

The activist data protection authority from the German city-state of Hamburg has cast doubt on the legality of the new Privacy Shield agreement between the U.S. and EU.

The U.S. government and the European Commission unveiled the final text for the agreement, which would replace the struck-down Safe Harbor deal at the end of February.

Before the process moves forward, the EU's many data protection authorities (DPAs) need to assess its wording and see whether it will pass the tests for legality set out by the European Court of Justice last year, when it struck down Safe Harbor. They are due to report back in mid-April.

"If the agreement will meet the high level of the requirements the ECJ postulated in the Schrems ruling is rather doubtful," Johannes Caspar said in an interview. "This has to be assessed very closely by the [DPAs]."

If the DPAs do not like what they see, there is little point in the Commission issuing the so-called adequacy decision that would establish the Privacy Shield agreement. The main thrust of the ECJ's Schrems ruling was to bolster the regulators' ability to investigate and even suspend data transfers regardless of the Commission's adequacy decisions, if they think citizens' rights are not being respected in the third country.

The big question is whether the DPAs are satisfied with reforms made by the Obama administration since Edward Snowden's mass surveillance revelations, namely Presidential Policy Directive 28 and the USA Freedom Act, both of which are supposed to introduce greater targeting into the surveillance process. A lot hinges on whether American promises to limit the "use" of bulk signals intelligence meets the ECJ's requirements for restrictions on "access" to that data as well.

In the meantime, Safe Harbor is dead, and the Hamburg DPA has become the first to start cracking down on companies that still rely on it for their transatlantic data transfers. Last month it confirmed that it was preparing fines against three U.S. multinationals, and investigating another two.

According to Caspar, all this activity is stretching his office to the limit.

"The control of the companies we inspected related to Safe Harbor costs a lot of time," he said. "Especially at a time [when] we have to overview Privacy Shield and prepare the General Data Protection Regulation simultaneously, we are completely overloaded."

Caspar's office also suffered something of a setback this month when the Hamburg administrative court ruled against it in a case involving Facebook's real-names policy.

Facebook won't let its users hide behind pseudonyms, and Caspar has long been trying to get the social network to drop that policy, as German privacy law allows pseudonymous activity. Specifically, it tried to stop Facebook from blocking the account of a woman who used a fake name.

However, the court issued a provisional ruling on March 3 which said Facebook's establishment in Germany was only marketing-related, so Facebook was only answerable to the DPA in Ireland, where its international operations are headquartered.

This ruling ran counter to recent decisions by the ECJ (in the Google Spain and Weltimmo cases) and the Brussels Court of First Instance (regarding Facebook and its tracking cookies), so Caspar said he would continue to fight for the ability to enforce German law regarding pseudonyms.

Meanwhile, the DPA has had a spot of luck in his long-running battle with Facebook, which he has also hassled over issues such as facial-recognition technology and the Friend Finder feature.

At the start of March, the German federal competition authority, the Bundeskartellamt, opened an antitrust probe into Facebook over what it suspects are unfair user terms. The terms in question give Facebook the right to collect user data for ad-targeting purposes. The investigation is highly unusual, as it uses competition law to address what is essentially a data protection issue.

"In the Internet economy there are new questions on how competition law should be enforced," Bundeskartellamt president Andreas Mundt told The Privacy Advisor. "The access to data has developed into a significant competition parameter und potential source of market power."

Caspar heartily agrees. "I welcome the activities of the Bundeskartellamt in that matter. It is a logical consequence of the fact that user data is the very core of the business model of companies like Facebook," he said.

"If those companies base their growth upon ignoring legal obligations, particularly privacy-related ones — and according to highest German courts Facebook has done so [for example] in friend finding — law-abiding competitors are in a tough position."

It remains to be seen whether the German antitrust authorities will try this tack with other companies — Mundt would not be drawn on this, which is understandable as this is a new legal avenue.

However, the move certainly has others concerned. A Google economist, Fabien Curto Millet,  said this week that it "wouldn't be logical" to have competition officials delve into privacy issues. 

photo credit: Germany Grunge Flag via photopin (license)

Author
Headshot David Meyer Nonmember Contributor
Tags
Europe
U.S.
Enforcement
Privacy Law
Transborder Data Flow
2 Comments

If you want to comment on this post, you need to login.

  • comment John Berard • Mar 24, 2016 
    It is no surprise that local authorities given the right to investigate, would, and that EU citizens given the right to sue, will, too.  Neither is it a surprise that Germany was and is first and fast out of the gate.  No surprise.

Neither is it a surprise that the Privacy Shield (or whatever it is ultimately called) is essential. Data is the lingua franca of both society and business.  

There will be a time (I suspect three-to-five years) where the shield will seem more like a sword. Fines will be levied, suits settled, market departures threatened and regulators' offices expanded.  But cooler heads will (likely) prevail.

Until that time, it will be best for companies to focus on the privacy needs of their customers and be constantly clear about why the practices they deploy are the right ones.  Even Facebook's real names policy, under attack in jurisdictions where anonymity is a right, can and should be active in extolling the virtue and value of the practice.

Until all is resolved, companies are best to take a page from a book on yoga: Be Present. It is difficult to vilify people you know.
  • comment Duncan Smith • Mar 29, 2016 
    As EU DPAs take a different approach to enforcing the current overseas transfer rules, it is now impossible to adequately advise clients as to the risk and actions they should be taking. Businesses are now effectively forced into investing heavily in model contracts, BCRs or attempting a very complex re-consenting exercise. If DPAs are legally capable of acting independently, they should issue a clear, unambiguous statement, as to whether they will or will not pursue businesses for breach of extra EEA data transfer. "Get off the fence, everybody!"
Related Stories
German DPA Takes Steps After Safe Harbor Decision
The ULD, the data protection authority for the German state of Schleswig-Holstein, has taken the step that many have predicted and issued a position paper that follows the ECJ's logic to declare model contract clauses, even consent, to likely be invalid ways of transferring data to the U.S. "The ULD...
Read More queue Save This
German DPAs To Investigate Data Transfers
German data protection authorities (DPAs) have announced they will investigate “data transfers from the European Union to the U.S.” with particular focus on companies such as Facebook and Google, The Hill reports. "Anyone who wants to remain untouched by the legal and political implications of the j...
Read More queue Save This
DPA: Facebook Can’t Change Pseudonyms to Real Names
In Germany, Facebook has been prevented from disallowing users to create accounts under false names, BBC News reports. The Hamburg data protection authority has said the social network cannot change individuals’ chosen usernames or ask them to provide official identification, the report states. The ...
Read More queue Save This
Operating in Germany? This law matters to you
Companies operating in Germany may have cause to be wary of a new law that will allow consumer associations to sue them over perceived data protection violations in their commercial practices. The law, which cleared the Bundesrat (Senate) just before Christmas and is currently awaiting the signature...
Read More queue Save This
Related Stories
Tags
Europe
U.S.
Enforcement
Privacy Law
Transborder Data Flow
Recent Comments