Data protection officials are assuming increasing prominence following Tuesday’s (6 October) ECJ decision to outlaw Safe Harbour, which called on them to take on a bigger role in Europe’s privacy debacles.
National data protection authorities from member states will convene on Thursday (8 October) in Brussels, in order to coordinate a response to the ECJ decision.
The Article 29 data protection working party is made up of national privacy regulators and EU officials. The group of officials isn’t used to getting global attention — but the court’s verdict highlighted their significance.
Their task is to manage a potential flood of new privacy violation complaints from consumers all over Europe. With Safe Harbour knocked down, national data protection authorities are in the direct line of fire to receive complaints about companies that wrongly transferred user data to the US under the agreement.
In a statement yesterday afternoon, the Article 29 group said that even after the ECJ decision ruling Safe Harbour illegal, “serious questions exist regarding the continuity of the level of data protection when data are transferred to the United States”.
EU data protection supervisor Giovanni Buttarelli is also a member of the Article 29 working party.
Isabelle Falque-Pierrotin, head of French data protection authority CNIL, is the rotating chairwoman of the group.
In addition to this week’s meeting, Article 29 is planning an extraordinary plenary session to hammer out its approach on privacy complaints and data transfers. EurActiv has been told by officials that it will likely take place next week.
The meetings come at a time when national data protection authorities have been given new power to examine privacy complaints.
The ECJ decision denounced the now defunct Safe Harbour agreement for preventing national regulators from determining whether individual data transfers to the US violated EU citizens’ privacy rights.
About 4,400 companies signed onto the 15-year-old agreement, which allowed them to transfer European consumers’ data to the US. Companies were not individually required to prove they were upholding privacy standards on par with European rules.
In the absence of Safe Harbour, complaints against companies that previously transferred data through the agreement will be directed to national authorities.
But the new role given to national privacy regulators has caused some officials to warn against a fragmented system where authorities around Europe rule on cases in their own countries without regard for EU standards.
Responding to the ECJ decision, Commission First Vice-President Frans Timmermans said yesterday that the executive would give guidance to companies looking for alternative ways to transfer data to the US. The Commission’s advice “should help avoiding a patchwork of potentially contradicting decisions by the national data protection authorities,” Timmermans said.
A number of national data protection authorities praised the ruling on Safe Harbour yesterday, and even embraced their new, expanded role in fielding complaints.
Antonello Soro, president of Italy’s data protection authority, said yesterday, “we need a coordinated response at European level, also from national data protection authorities, and at this time we are considering the most effective ways to identify common guidelines”.
German data protection commissioner Andrea Voßhoff called the ECJ decision a “milestone for data protection”.
“The decision also means a drastic strengthening of the powers of European data protection authorities as watchdogs over the data security rights of European citizens,” she said.
This Thursday’s meeting of national regulators comes ahead of the Irish authorities’ pending decision on the case that spiralled into the ECJ verdict.
The ECJ bounced the case back to Irish authorities after it was referred to the top EU court by an Irish judge last year. Twenty-seven-year-old Austrian law graduate Max Schrems filed a complaint against Ireland-based Facebook for violating his privacy rights in 2013. Irish authorities are now required to take up the case again.
The Irish data protection authorities are frequently called less stringent in comparison to other privacy regulators. Authorities from other EU countries, especially those with strict privacy rules, may not want to follow the Irish regulator’s decision on Schrems’ case, potentially challenging national authorities’ push towards a coordinated response to privacy complaints.
Large American tech companies including Facebook and Google have their European headquarters in Ireland.
Some privacy experts are calling for a higher-level strategy on data protection complaints, and argue that there will be fragmentation if national privacy authorities are given too much power.
At a discussion in Brussels at the Lisbon Council think tank yesterday, following the ECJ decision, an OECD official expressed wariness about national authorities ruling on complaint cases one-by-one.
“You can’t do everything on a case-by-case basis,” said Anne Carblanc, head of digital economy policy, science, technology and innovation at the OECD and a former director of CNIL. “Something that will be a case-by-case analysis by each national data protection authority is not going to help.”
“There are too many national data protection authorities,” Carblanc added.
“We need something at a higher level. We need a whole society approach. It could be by heads of states or prime ministers looking at what the society wants and where the benefits are.”
Roberto Viola, the newly-minted head of DG CONNECT, sat on the discussion panel with Carblanc, but did not comment on Safe Harbour, or the role of national data protection authorities.
Mark Young, special counsel in Covington’s data privacy team (London): “This is a serious setback for legal certainty in the EU that could lead to less - not more - harmonization. The ruling is a boon for the independence and power of DPAs, but could undermine efforts in recent years - such as the proposed GDPR - to increase harmonized enforcement and rules across the EU.”
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate has taken a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.