(Jul 29, 2016) In VKI v. Amazon EU, the Court of Justice of the EU on Thursday clarified which Member State’s data protection laws should apply to a data processing operation established within the EU but directed at a number of EU Member States. The court held that “ … the processing of data … is governed by the law of the Member State in whose territory that establishment is situated.” The ECJ did not discuss the contract between Amazon and its customers, which provided that “Luxembourg law shall apply.” Ins... Read More

Daily Dashboard, Europe Data Protection Digest

Notes from the IAPP Europe Managing Director, July 29, 2016

(Jul 28, 2016) Greetings from Brussels! It has been a busy week for the Article 29 Working Party, meeting here in Brussels this week. The EU data protection authorities have temporarily given a "green light" to the Privacy Shield as indicated in a recent statement that they will hold off for at least one year on any new challenges to the EU-U.S. Privacy Shield. If you recall, in its original opinion on the draft Privacy Shield issued in April, the WP29 expressed concern and asked for various clarifications.... Read More

Europe Data Protection Digest

Irish DPC under fire for handling of SCC's case

(Jul 28, 2016) In the ongoing legal battle between Facebook and privacy advocate Max Schrems, both sides are voicing their displeasure with a decision made by Irish Data Protection Commissioner Helen Dixon, The Irish Times reports. Dixon wants the Court of Justice of the European Union to investigate the legality of Standard Contractual Clauses, an alternative method for organizations to legally transfer data across the Atlantic. The legal teams for both Facebook and Schrems are displeased with the DPC for goi... Read More

Europe Data Protection Digest

Article 29 Working Party releases ePrivacy Directive opinion

(Jul 28, 2016) The Article 29 Data Protection Working Party has released its opinion on the evaluation of the ePrivacy Directive. “The Article 29 Working Party (WP29) supports the European Commission’s recognition of the need to have specific rules for electronic communications in the EU,” the opinion read. The Article 29 opinion also discussed how the ePrivacy Directive must not undermine the General Data Protection Regulation. “The revised ePrivacy instrument should keep the substance of existing provisions ... Read More

Europe Data Protection Digest

Op-ed: UK will need something close to GDPR following Brexit results

(Jul 28, 2016) In an op-ed written by Amberhawk Training and picked up by The Register, the author argues the results of Brexit could have major implications for the U.K.’s future with data protection. The piece contends that if Privacy Shield is approved to conduct data transfers from the EU to the U.S., “then in a post-Brexit Britain, something akin to Privacy Shield can allow for adequate transfers of personal data to the U.K.” The “adequacy” determination would mean the U.K. does not need to implement the ... Read More

Europe Data Protection Digest

Irish DPC conducts information access audit on three agencies

(Jul 28, 2016) Ireland's Data Protection Commissioner conducted audits on three agencies regarding their access to citizens’ phone and internet records, The Irish Times reports. The Revenue Commissioners, the Army, and An Garda Síochána all have the ability to access citizen data for law enforcement investigations, and must complete reports for the requests under the Communications (Retention of Data) Act 2011. The office of DPC Helen Dixon said it performed several audits during the first half of 2016, with e... Read More

Europe Data Protection Digest

Scottish government's Named Person scheme shot down amid privacy concerns

(Jul 28, 2016) The British Supreme Court shot down the Scottish government’s Named Person scheme, citing privacy concerns within the plan, BBC News reports. The Named Person system would appoint a named individual, normally a teacher or health visitor, to “ensure the well-being of every child.” The judges said the proposals violate rights to privacy under the European Convention on Human Rights. While the court said the intentions of the scheme are legitimate, it has the potential to reveal confidential information about a child to a “wide range of public authorities without either the child or young person or her parents being aware.” The Scottish government said it will rework the legislation, with the education secretary adding it will work to “provide greater clarity” about the information-sharing process. Read More

Europe Data Protection Digest

O2 customer accounts breached using data from separate cyberattack

(Jul 28, 2016) Hackers are selling O2 customer data on the dark web following a separate data breach against gaming website XSplit, BBC News reports. Thieves took usernames and passwords from XSplit in a breach three years ago, and likely used those credentials to log in to O2 accounts to steal sensitive information, including users’ phone numbers, email addresses, passwords and dates of birth. The hackers may have used a tactic known as “credential stuffing,” in which software repeatedly tries to log in to accounts using login information taken from other websites. O2 denied any data breaches have taken place. “We have not suffered a data breach. Credential stuffing is a challenge for businesses and can result in many companies' customer data being sold on the dark net,” O2 said in a statement. Read More

Europe Data Protection Digest

Op-ed: European Commission should repeal “cookie law”

(Jul 28, 2016) In an op-ed for, Alan McQuinn and Daniel Castro argue that the European Commission should repeal the EU “cookie law.” The authors point to the small number of consumer complaints regarding cookies, as the U.K.'s “Information Commissioner’s Office received only 210 complaints regarding cookies between April 2015 and March 2016.” McQuinn and Castro cite the high cost of the cookie law as another reason why it needs to go. “The total annual cost of the directive for both compliance by Eur... Read More

Europe Data Protection Digest

Web con: PIAs, the GDPR and you

(Jul 28, 2016) Given the new and challenging requirements of the GDPR that will be enacted soon, companies and organizations doing business globally need to think hard about how to best implement efficient and effective data handling practices that are replicable and consistent. As a privacy professional responsible for overseeing these operations, what tools will you use, and how do you determine what privacy impacts your new products and services will have? A privacy impact assessment is the perfect tool to document and track these new initiatives, but it can be a complicated and challenging project to launch. Join “PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design” on Aug. 24 for a virtual discussion. Read More

Asia-Pacific Dashboard Digest, Canada Dashboard Digest, Daily Dashboard, Europe Data Protection Digest