You Are Viewing Europe

Enhancing Safeguards for US Signals Intelligence Activities

Posted by fgilbert on October 13th, 2022

President Biden October 7, 2022 Executive Order on

Enhancing Safeguards for US Signals Intelligence Activities –

Towards an Updated EU-US Privacy Shield Framework

When the European Court of Justice issued its decision on Schrems and Facebook Ireland v. Data Protection Commissioner in July 2020 (Schrems II),[1] it triggered a brutal disruption and stoppage in the operations of the EU-US Privacy Shield framework (Framework). It also caused significant chaos in the operations of numerous US or EU/EEA businesses and organizations that were relying on the Framework as a strategic tool and structure for providing a legal basis for exchanges or transfers of personal data for commercial and business purposes between the two sides of the Atlantic.

After lengthy and challenging negotiations between representatives of the European Commission and the United States, a new proposed Trans-Atlantic Data Privacy Framework was published at the end of March 2022. According to the White House, the EU-US Trans-Atlantic Data Privacy Framework of March 2022 was intended to lay the ground for providing a legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in July 2020 in the Schrems II case.

Under the March 2022 EU-US Trans-Atlantic Data Privacy Framework, the United States made commitments to:

  • Strengthen the privacy and civil liberties safeguards governing the U.S. signals intelligence activities;
  • Establish a new redress mechanism with independent and binding authority ; and
  • Enhance the existing rigorous and layered oversight of signals intelligence activities.

On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.), which defines the steps that the United States will take to implement the commitments it made in the March 2022 European Union-U.S. Trans-Atlantic Data Privacy Framework. The Executive Order addresses in depth the three commitments made in the Trans-Atlantic Data Privacy Framework, as detailed below.

[1] Strengthening the Privacy and Civil Liberty Safeguards

The October 7, 2022 Executive Order requires that U.S. signals intelligence activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.

Principles and Objectives

Section 2(a) of the EO defines the principles that will be used to determine whether a signals intelligence activities may be authorized and conducted. Section 2(b) of the EO identifies those objectives that will be deemed legitimate and those that will be prohibited.

Privacy and Civil Liberties Safeguards

Section 2(c) of the Executive Order focuses on the safeguards that must be used to ensure that privacy and civil liberties are integral considerations in the planning and implementation of the signal intelligence activities.

  • Collection of Signals Intelligence

Section 2(c)(i) identifies general requirements that apply to all forms of such intelligence activities, while Section 2(c)(ii) provides specific requirements in the event bulk collection of signals intelligence. Bulk collection may be used only in the pursuit of specified objectives, such as protection against espionage, sabotage, or protection against cybersecurity threats created or exploited by or on behalf of foreign person, organizations or government.

  • Handing of Personal Information Collected Through Signals Intelligence

In Section 2(c)(iii), the EO defines mandatory handling requirements for personal information collected through signals intelligence activities. It also extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.

The most prominent requirement is minimization of the dissemination and the retention of personal information collected through signals intelligence. In addition, there are specific requirements for data security and limitation of access to the information. Other provisions focus on ensuring data quality, accuracy and objectivity.

  • Policies and Procedures to be Updated within One Year

Section 2(c)(iv) focuses on policies and procedures. U.S. Intelligence Community services are required to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the Executive Order within one year of the date of the Executive Order. The review of these updates must be conducted in consultation with the Attorney General, the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO), and the Privacy and Civil Liberties Oversight Board (PCLOB).

  • Review of the Policies and Their Implementation

The Executive Order provides for numerous levels of review, such as a review of the updated policies and procedures by the Privacy and Civil Liberties Oversight Board (PCLOB), once they have been issued to ensure their consistency with the enhanced safeguards contained in the Executive Order.  Moreover, there are provisions for rigorous legal oversight as well as the use of compliance officials to conduct periodic oversight of signals intelligence activities, including an Inspector General, a Privacy and Civil Liberties Officer and the appointment of Officers with compliance roles to conduct oversight and ensure compliance with applicable US laws.

[2] Establishment of a New Redress Mechanism

Section 3 of the Executive Order provides for a redress mechanism to review qualifying complaints transmitted by the appropriate public authority in a “qualifying state”[2] concerning United States Signal intelligence activities for any covered violation of US laws.

The new redress mechanism will be multi-layer, independent and binding, and is intended to enable individuals in qualifying states and regional economic integration organizations, as designated under the E.O., to obtain an independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.

Initial Investigation of Qualifying Complaints by the CLPO

Under the first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) will conduct an initial investigation of qualifying complaints received to determine whether the enhanced safeguards or other applicable U.S. law were violated and, if so, to determine the appropriate remediation.

The process to be followed by the CLPO will be established by the Director of National Intelligence, in consultation with the Attorney General. Section 3(c) of the Executive Order defines in minute details the elements of that process, including review of the information necessary to investigate the complaint, determining whether there was a violation, preparation of a classified report on the alleged violation, and issuing a classified decision. The complainant or the element of the Intelligent Community affected by the decision may seek review of the CLPO’s decision by the Data Protection Review Court. Otherwise, the decision becomes binding.

Independence of the CLPO

One of the issues raised in the decision of the European Court of Justice in the Schrems II case was that the oversight over the data processing conducted by the US intelligence agencies as defined under the 2016 version of the EU US Privacy Shield lacked independence from the US government. Section 3(c)(iv) of the Executive Order, titled [Independence], specifically provides that the Director of National Intelligence shall not interfere with a review by the CLPO of a qualifying complaint, and shall not remove the CLPO for any action taken unless there has been misconduct, malfeasance, neglect of duty or incapacity.

Data Protection Review Court

The second layer of review, described in Section 3(d) of the Executive Order is provided by a Data Protection Review Court. Section 3(d) directs the Attorney General to establish a Data Protection Review Court (DPRC) to provide independent and binding review of the CLPO’s decisions, upon an application from the individual or an element of the Intelligence Community. The EO directs the Attorney General to promulgate regulations establishing the Data Protection Review Court along the lines defined in the EO, within sixty (60) days of the publication of the EO.

Independence of the Data Protection Review Court

In accordance with the focus on ensuring the Court’s independence, as discussed above, the Judges designated to serve on the DPRC must be appointed from outside the U.S. Government. review cases independently, and enjoy protections against removal. In addition, they must have relevant experience in the fields of data privacy and national security.

Further, Section 3(d)(iv), titled [Independence], specifically mandates that the Attorney General shall not interfere with a review by a Data Protection Review Court panel of a determination made by the CLPO regarding a qualifying complaint, and shall not revoke any judge appointed to service on that court except in case of misconduct, malfeasance, breach of security, neglect of duty or incapacity.

Binding Effect

Decisions of the DPRC regarding whether there was a violation of applicable U.S. law and, if so, what remediation is to be implemented will be binding. Under Section 3(d)(iii) each element of the Intelligence Community and each agency containing an element of the Intelligence Community is required to comply with any determination by the Data Protection Review Court panel to undertake appropriate remediation.

Annual Review of the Redress Process by PCLOB

In addition to the reviews and oversight described above, Section 3(e) of the Executive Order “encourages” the Privacy and Civil Liberties Oversight Board (PCLOB) to conduct annual reviews of the processing of qualified complaints by the redress mechanism discussed above, with respect to issues such as timeliness, full access to information, and whether the elements of the Intelligence Community have fully complied with determinations made by the CLPO and the Data Protection Review Court. The role and powers of the PCLOB are discussed in the next section.

[3] Enhancement of Oversight of Signals Intelligence Activities by the PCLOB

The CJEU decision in Schrems II voiced concern about the lack of oversight of the intelligence activities and the weakness of the protection granted to the personal data being collected and processed. The October 7, 2022 Executive Order gives specific authority to the Privacy and Civil Liberties Oversight Board (PCLOB) to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process, including to review whether the Intelligence Community has fully complied with determinations made by the CLPO and the DPRC. The role of the PCLOB is detailed in several sections of the Executive Order, as explained below.

Participation in the Drafting of the New Policies and Procedures

First, in Section 2, which defines the rules concerning privacy safeguards, Section 2(c)(iv)(B) provides for PCLOB participation in the drafting of the updates to the policies and procedures. In this case, PCLOB only has a consultative role, and the goal is to ensure that the updates to the policies and procedures required by the Executive Order implement the privacy and civil liberty safeguards outlined in the Executive Order.

Review of the Final Policies and Procedures

Once the policies and procedures have been updated and issued as described above, Section 2(c)(v)(A) encourages the PCLOB to conduct a review of the updated policies and procedures to ensure that they are consistent with the enhanced safeguards contained in this order. In addition, Section 2(c)(v)(B) requires that, within 180 days of the completion of the PCLOB review, the head of each element of the Intelligence Community “carefully” consider and implement or otherwise address all recommendations contained in the PCLOB review, consistent with applicable law.

Participation in the Appointment of Judges to Serve on the Data Protection Review Court

Section 3 of the Executive Order, which focuses on Signals Intelligence Redress Mechanism, allocates a role to the PCLOB in connection with the activities of the Data Protection Review Court. Under Section 3(d)(A) of the Executive Order provides that the Attorney General, must consult with the PCLOB – as well as with the Secretary of Commerce, and the Director of National Intelligence –, to appoint individuals to serve as judges on the Data Protection Review Court.

Annual Review of the Redress Process

Finally, in addition to the consultation, reviews and oversight described above, Section 3(e)(i) of the Executive Order “encourages” the Privacy and Civil Liberties Oversight Board (PCLOB) to conduct annual reviews of the processing of qualified complaints by the redress mechanism discussed above, including whether

  • the CLPO and the Data Protection Review Court processed qualifying complaints in a timely manner;
  • the CLPO and the Data Protection Review Court are obtaining full access to necessary information;
  • the CLPO and the Data Protection Review Court are operating in a manner consistent with the Executive Order
  • the safeguards established in the Executive Order a properly considered in the processes of the CLPO and the Data Protection Review Court; and
  • the elements of the Intelligence Community have fully complied with the determinations made by the CLPO and the Data Protection Review Court.

To assist the PCLOB in its review, Section 3(e)(ii) instructs the Attorney General, the CLPO, and the elements of the Intelligence Community (inter alia) to provide the PCLOB with access to information necessary to conduct the review. In addition, Section 3(2)(iii) provides for the preparation of a classified report to be provided to the President, and the congressional intelligence committees (inter alia) and requires the PCLOB to make an annual public certification as to whether the redress mechanism is processing complaints consistent with the terms of the Executive Order, and to release to the public an unclassified version of the report.

[4] Designation of the Qualifying States for Purposes of the Redress Mechanism

Several provisions of the Executive Order refer to the rights granted to citizens of a “qualifying state.” Section 3(f) provides the criteria for a country or regional economic integration organization for be deemed a “qualifying state” for purpose of the redress mechanism defined in the Executive Order. Section 3(f)(i) grants the Attorney general the authority to designate a country or regional integration organization the status of “qualifying state”. The designation must be made in consultation with the US Secretary of State, US Secretary of Commerce, and the Director of National Intelligence.

The criteria for make the determination that the state or economic integration organization is a “qualifying state,” as listed in Section 3(f)(i)(A) include:

  • the laws of the country, organization, or member of the organization require appropriate safeguards in the conduct of signals intelligence activities for United States persons’ personal information that is transferred from the United States to the territory of the country or a member of the organization;
  • the country, organization, or member of the organization permit, or are anticipated to permit, the transfer of personal information for commercial purposes between the territory of that country or those member countries and the territory of the United States; and
  • such designation would advance the national interests of the United States.

The designation may be revoked or amended.

 [5] Next Steps and Ultimate Goal

The next steps in the development of a new EU-US agreement on trans-Atlantic data transfers and data protection will likely focus on the development or update of the building blocks necessary for the preparation of an Adequacy Evaluation package, that, in the end, will be presented to the European Commission for its review and approval and issuance of a new adequacy decision. In the end, once the formalities have been completed, entities that wish to take advantage of the updated crossborder personal data transfer framework will continue to be required to adhere to the EU-US Privacy Shield Principles – or an updated version -. Those that had self-certified under the 2016 version of the EU-US Privacy Shield Framework, will have to re-certify their adherence to the Principles through the US Department of Commerce, and update their legal terms accordingly.

[1] Schrems and Facebook Ireland v. Data Protection Commissioner (2020) CJEU Case C-311/18; press release available at:; July 16, 2020 decision available at:;jsessionid=EBF54609D179D36D02BD7BB10DC3BDF3?text=&docid=228728&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=1285293.

[2] While Section 4(k), in the Definitions section, provides the criteria for a complaint to be deemed a “qualifying complaint”, in Section 4(k), there is no similar definition of the tern “qualifying state”. Instead, the criteria for a state to be deemed a “qualifying state,” and the method to be used for identifying a state as a “qualifying state” are defined in Section 3(f) of the Executive Order.

Posted in Europe, US Law
Comments Off on Enhancing Safeguards for US Signals Intelligence Activities

Final Versions of Standard Contractual Clauses Adopted!

Posted by fgilbert on June 6th, 2021

Three years after the GDPR came into effect, the European Commission has issued the much-awaited final version of two new sets of Standard Contractual Clauses that are expected to enable data controllers and processors to address some of the thorny issues in the transfer of personal data of EU/EEA citizens. The Press Release of the EU Commission, dated June 4, 2021, is available here.

Five New Templates

As anticipated from prior drafts, the new Standard Contractual Clauses framework is comprised of two sets of documents that address two distinct settings. A total of five documents can be used depending on the circumstances:

One category provides one document, intended to address transfers between controllers and processors when both parties are in the EU/EEA (or otherwise subject to the GDPR) and must meet the GDPR Art. 28.

The other group addresses, in addition, the issues arising from crossborder data transfers where one of the entities is established outside the EU/EEA (and not subject to the GDPR).  Four scenarios are addressed: Controller-to-controller transfers; Controller-to-processor transfers; Processor-to-processor transfers; and Processor-to-controller transfers.

Compliance Date

The texts provided in the links above are the final working documents. Before they can take effect, they must first be published in the Official Journal of the European Commission. After that, there is series of steps for their entry into force, repeal of the existing Standard Contractual Clauses, and a transition period, so that the compliance date is expected to be December 27, 2022.

GDPR Issues

The modernized SCCs address many of the new issues that were raised in the General Data Protection Regulation (GDPR). For example there are enhanced requirements for transparency (Clause 8.2), accuracy and data minimization (Clause 8.3), right of erasure (Clause 8.5) and accountability (Clause 8.9).  There are also lengthy provisions concerning security, enhanced security measures, notification of the data controller in case of a breach of security (clause 8.6).  Data subject rights and redress provisions in Clauses 10 and 11 are extensively covered, taking over two pages.

Access by Public Authorities

The modernized SSC address, but only in part, the recent decision of the European Court of Justice in the Schrems II case. For example, the new SCCs set forth detailed obligations related to the performance of due diligence for assessing the potential impact of local laws on the data. Clause 14 contains obligations to assess the local laws in the recipient country to determine their effect on compliance with the Clauses.  Further, Clause 15 addresses the obligations of the data importer in case of access request by authorities in the recipient country.

Due Diligence and Supplementary Measures Still Needed

The new SCC are not intended to provide a one size fits-all cure that fully addresses the deeper issues and the much more complex effect of national security laws raised by the CJEU decision of July 2020 in Schrems II. These issues vary depending on the country, the type of personal data at stake, and other factors. Due diligence, evaluation, and gap analysis in a form similar to that which is described in draft Recommendations 01/2020 of the EDPB remains necessary. And these activities must be documented.

Recitals 18 to 22 of the SCC Implementing decision stress the need to address the mandates of the CJEU decision of July 2020 in Schrems II in advance of signing any document that incorporates the new SCCs for crossborder transfers.

Recital 19 of the Implementing Decision warns that the transfer and processing of personal data under the SCC should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses. It also stresses that the parties should warrant that, at the time of agreeing to the standard contractual clauses, they have no reason to believe that the laws and practices applicable to the data importer are not in line with these requirements.

Recital 20 provides further guidance, and clarifies that when evaluating the impact of local laws on compliance with the SCCs, different elements may be considered, including reliable information on the application of the law in practice, such as case law and reports by independent oversight bodies; the existence or absence of requests in the same sector; and the documented practical experience of the data exporter and/or data importer.

Next Steps

While the publication of the final draft of the SCCs has provided certainty as to the detail of the SCCs, it has also made more urgent the need for businesses to pay attention to their use or processing of personal data originating from the EU/EEA and revamp their data processing practices and policies and their data transfer agreements.  Before trading the old for the new, it is becoming critical that they complete the due diligence and activities suggested in EDPS Recommendations 01/2020 in conjunction with the using the additional guidance provided in the Implementing Decision as necessary to ensure that a specific data transfer or specific data to a specific country is feasible.

Posted in Europe, International
Comments Off on Final Versions of Standard Contractual Clauses Adopted!

European Court of Justice Decision Creates Havoc in Global Digital Exchanges: One Shot Down, One seriously Injured; 5,300 Stranded

Posted by fgilbert on July 16th, 2020

At long last, the European Court of Justice (EUCJ) has published its decision in the “Schrems 2” case. The EUCJ was tasked with reviewing the effectiveness of the mechanisms used in the context of crossborder data transfers. A key question was whether standard contractual clauses (SCC) used as a means of establishing “adequate protection” for personal data transferred out of the European Union or European Economic Area did in fact result in ensuring the level of “adequate protection” defined in the EU General Data Protection Regulation and the European Charter of Fundamental Rights.

The decision, published on July 16, looked at both the EU-US Privacy Shield and the SCCs. It invalidated the Privacy Shield, thereby destroying the virtual bridge that allowed 5,378 US based Shield self-certified organizations to conduct business with entities located in the European Union and European Economic Area. It preserved, but created significant challenges to the SCC (Controller to Processor) ecosystem  by creating new constraints and obstacles, to the countless organizations located both in the US and abroad, in their global digital trade with their European Partners.

The Basic Premise

The premise of the decision is that currently the US national security, public interest and law enforcement laws, have primacy over the fundamental rights of persons whose personal data are transferred to the US.  They do not take into account the principles of proportionality and are not limited to collecting only that data which is necessary. In addition, according to the EUCJ decision, US law does not grant data subjects actionable rights before the courts against US authorities.

EU-US Privacy Shield Invalidation

The EUCJ determined that the protection provided to personal data in the United States is inadequate to meet the level of protection of privacy and privacy rights guaranteed in the EU by the GDPR and the EU Charter of Fundamental rights.

According to the decision, the US surveillance programs  are not limited to what is strictly necessary, and the United States does not grant data subject actional rights against the US authorities. Further, the Ombudsperson program does not provide data subjects with any cause of action before a body that offers guarantees substantially equivalent to those required by EU law. Therefore, the EU-US Privacy Shield is no longer a legal instrument for the transfer of personal data from the EU to the US.

The immediate consequence of the invalidation of the EU-US Privacy Shield is that more than 5,000 US organizations, and their trading partners throughout the European Union and the European Economic Area are left stranded with no way out.  The invalidation declared by the EUCJ take immediate effect.  These transfers must cease.  This is likely to prove a catastrophic hurdle for many companies already weakened by the Covid pandemic.

Standard Contractual Clauses

The Standard Contractual Clauses for the transfer of personal data to processors established in third countries remain valid.  However, the Court found that, before a transfer of data may occur, there must be a prior assessment of the context of each individual transfer, that evaluates the laws of the country where the recipient is based, the nature of the data to be transferred, the privacy risks to such data, and any additional safeguards adopted by the parties to ensure that the data will receive adequate protection, as defined under EU Law.  Further, the data importer is required to inform the data exporter of any inability to comply with the standard data protection clauses.  If such protection is lacking the parties are obligated to suspend the transfer, or terminate the contract.  Thus, while the SCC (controller-to-processor) remain valid, their continued validity is subject to an additional step: the obligation to conduct the equivalent of a data protection impact assessment to ensure that the adequate protection is and will be provided and, subsequently, continuously monitored.

What’s Next?

  • Organizations that exchange or have access to personal data of residents of the EU or EEA should promptly assess the mechanisms currently in place to ensure the legality of their transfer of personal data outside the European Union.
  • If the organization has relied only on the EU-US Privacy Shield as a mechanism to ensure the legality of its personal data transfers, it should immediately halt the transfer of personal data out of the EU.  It should evaluate alternative means, most likely in the form of Standard Contractual Clauses.  For transfers that cannot be covered by SCCs, derogations under Article 49 of the GDPR might apply.
  • If the organization – whether located in the United States, or anywhere in the world – has already in place SCC, the EUCJ decision adds a significant hurdle in the form of a requirement for a prior evaluation of the protection to be offered to individuals and ongoing monitoring.
  • As always, ensure that these decisions and analysis are adequately documented, and proper records kept.
  • Remember to ensure integration and consistency with existing documents such as the organization’s privacy policy or its records of processing activities.
  • Keep in mind that while the Privacy Shield is invalidated as a means to legalize cross-border data transfers, US organizations that have signed up with the Shield program remain responsible for continuing to protect previously collected data in accordance with the promises and representations made in their self-certifications.
  • Stay informed of the developments in the next few days. It is expected that EU/EEA member state data supervisory authorities will publish useful guidance on how to react to the decision.  Some have already published comments and provided guidance.

EUR 14.5 Million Fine for Violation of GDPR Minimization and Retention Limitation Principles

Posted by fgilbert on December 2nd, 2019

EUR 14.5 million fine

At the beginning of November 2019, the Berlin Commissioner for Data Protection and Freedom of Information assessed a EUR 14.5 million fine against Deutsche Wohnen SE, a German residential real estate company, for violations of the GDPR, specifically violation of the data minimization and storage limitation principles. The decision has been made public, but is not yet final; it has been appealed.

According to Berlin Data Commissioner, the EUR 14.5 million fine was related to alleged deficiencies in the company’s archiving system, which did not allow for deletion of legacy data. The data affected included financial information about tenants, such as pay-slips, self-disclosure forms, extracts from employment agreements, tax data, social security and health insurance data and bank statements. The Berlin Data Commissioner also found that the practices of the company constituted an infringement of the data protection by design requirements. It focused primarily on violations of the data minimization principle and the failure to dispose of the data upon expiration of the retention period.

Basic Rules

Companies that are subject to the GDPR should keep in might that the GDPR provides for fines significantly higher than those that were assessed under the national laws that derived from the 1995 EU Data Protection Directive. GDPR Article 83 provides for two levels of fines, which depend on the nature of the violation, but even the lower range would allow for significant fine amounts. The highest level of fines is up to EUR 20 Million or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. The lowest level of fines is up to EUR 10 Million or 2% of the worldwide annual revenue, whichever is higher.

Germany, where the Deutsche Wohnen case was handled, is taking a structured approach to the determination of fines for violation of the GDPR. In October 2019, DSK, the joint coordinating board of the German Data Protection Authorities, published a detailed chart for the calculation of GDPR fines. Among other things, it sets out several levels of severity of the violation, and associates to each of these levels a multiplier range between 1 and 14.4.  A fine is computed according to that multiplier and the daily global revenue for the company or group of companies. According to the Berlin Data Commissioner, the fine in the Deutsche Wohnen case has been computed by using the DSK model.

Recent Cases

As the EU Data Supervisory Authorities are reviewing cases and assessing fines that are based on the provisions of the GDPR, we note an increasing number of decisions that provide for significant fines. Earlier this year, for example, CNIL, the French Data Protection Authority, assessed a EUR 50 million fine against Google for aggressive marketing practices. This was followed, during the summer by a £100 million fine assessed against Marriott Hotel, and a £183.39 million against British Airways. Both cases were handled by the UK Information Commissioner’s Office.

Lessons Learned

While the nature of the Deutsche Wohnen case is different from that of the earlier cases discussed above, and the level of fines assessed against the real estate company is significantly lower than those described above, they show that

  • Supervisory Authorities handle a wide variety of cases, react to numerous forms of alleged violations of the GDPR; not just data breaches
  • Compliance with the basic data protection principle is a significant element; they should be reviewed at each legal and technical audit.
  • Periodic compliance and technical audits may help identify deficiencies and reduce legal and technical risk when these deficiencies are corrected.
  • Fine levels under GDPR are generally significantly higher than under prior regimes.


The abundance of storage space and the increased pressure to keep interacting with current or former customers prompt businesses to collect large amounts of data, and retain as much of this data as possible, often well beyond actual useful period. Too often, businesses may not spend the time and resources necessary to periodically audit their practices and evaluate the nature of the data collected or to be collected, how the data is used, or why it is needed in view their then-current needs. And they may neglect to purge their databases and securely dispose of this data.

As discussed above, these practices might lead to an investigation and result in a fine. Companies that are subject to the EU General Data Protection Regulation (GDPR) and the related EU data protection laws should remember that GDPR and those national laws contain detailed and specific provisions requiring, among other, that entities collect only the minimum amount of data necessary, and limit the retention of this data to the shortest, most reasonable time. Among other things, periodic reevaluation of data handling practices, data needs, and legal obligations such those related to retention limitation, are essential to maintain an appropriate level of compliance with the GDPR and national applicable laws.

Posted in Europe, International
Comments Off on EUR 14.5 Million Fine for Violation of GDPR Minimization and Retention Limitation Principles

GDPR and Blockchain: Can they Coexist?

Posted by fgilbert on December 16th, 2018

GDPR and blockchain do not coexist easily. GDPR attempts to ensure that personal data is retained for as short a period as possible, give in- dividuals control over their personal data, and allow easy modifica- tion, correction or erasure at any time at the individual’s request. Blockchain is intended to serve as an immutable ledger, where trans- actions cannot be repudiated, and records cannot be changed by any- one. Public or permissionless blockchains are operated under rigid rules that may not be compatible with GDPR. Private or permissioned blockchains, which can establish rules of operation, have more flexi- bility and may have a better chance of being in line with GDPR.

The GDPR applies worldwide, within and outside the European Economic Area (EEA), to the extent that personal data is processed in connection with the sale of goods or services to individuals located in the EEA. There has not been any guidance on how blockchain can meet GDPR requirements. It is clear that it might be very difficult to accommodate some aspects of the GDPR when personal data is recorded in a blockchain ledger. Given the speed of development of blockchain around the world, guidance is urgently needed.

Personal Data

Blockchain is undoubtedly a vehicle for the processing of “personal data”. Under GDPR, the term is defined broadly to apply to any infor- mation about an individual who is, or can be, identified. It incorpo- rates a wide variety of data from contact or health information to cookies, IP addresses or devices identifiers. Because of this broad defi- nition, almost anything that is or can be linked to an individual is deemed personal data under GDPR. Personal data that has undergone pseudonymization, and that could be attributed to a natural person through the use of additional information is also deemed “personal data” subject to GDPR.

Blockchain is often used to record events associated with an individual, as opposed to a corporate entity. It is common to do so by using pseudonymized information that has been associated with the public cryptographic key of the participants. The mere use of an identifier instead of the name of a person would not be sufficient to take pseudonymized data outside the scope of the definition of personal data if the person may be re-identified because that identifier is otherwise available. Only personal data that has been rendered anonymous in such a manner that the individual is not, or no longer, identifiable is outside the scope of the GDPR.

Legal Basis for the Processing

The GDPR prohibits the collection or processing of personal data un- less there is a “legal basis” for the processing. A blockchain based appli- cation must be able to identify one or more of these six “legal basis”. The most relevant ones are likely to be that the processing is necessary for: (i) the performance of a contract to which the individual is a party; (ii) compliance with a legal obligation to which the data con- troller is subject; or (iii) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless these inter- ests are overridden by the interests or fundamental rights and freedoms of the individuals. In some cases, legal basis is provided only by obtaining the consent to the process- ing of the personal data.

Blockchain projects are usually associated with the performance of a contract or a trans- action, where the parties wish the transaction to be recorded. In most cases, the project is likely to meet one or more of the require- ments above. Blockchain users should make sure that this information is recorded and shared with the affected individuals.

Storage Limitation

The GDPR wants the interaction with personal data to last only while the data is needed. Blockchain is intended to create an immutable record. One of its key features is the ability to retain data indefinitely, to enable the parties to prove that a transaction occurred. Blockchain users will have to be prepared to argue why the transaction recorded in the blockchain must remain accessible indefinitely. For example, if the event is the sale of ephemeral or perishable goods (e.g. food or flowers), while there is no doubt that the record of the sale from per- son A to person B should be kept for a certain time in order to retain evidence, it would be much more difficult to argue that it should be kept indefinitely, past the statute of limitation for claims under the sales contract. In a permissioned blockchain environment, these concerns might be addressed through the rules of operation of that blockchain, for example by allowing for the deletion or archival of the data after a specified period of time.

Security, Integrity and Confidentiality

The GDPR requires both data controllers and data processors toadopt a written information security program to reduce the risk of se- curity breach, intrusion, modification of the data, or ransomware at- tack. The program is expected to include appropriate technical, physical and administrative measures. Who is responsible for main- taining proper security when the network can be accessed through multiple nodes? To date, blockchain technology has suffered spectacu- lar security breaches, in particular targeting cryptocurrencies. Keep in mind that any chain or network is only as strong as its weakest link.

Data Protection by Default

The GDPR requires that companies follow “data protection by de- fault” principles. “Data Protection by Default” requires that, by de- fault, the data should not be accessible to an indefinite number of natural persons without the data subject’s intervention. In the blockchain ecosystem, the content of the ledger must be accessible to others. Until the meaning of “data protection by default” is clarified, there is a problem. Should the blockchain application ensure that no personal data of a participant is recorded, until the participant has confirmed that their personal data can be made public?

Cross Border Data Transfers

The GDPR restricts the transfer of personal data to countries that do not provide adequate protection. Aside from a small number of coun- tries outside the EEA (for example, Canada, Israel, Switzerland or Uruguay), the remainder of the world does meet the GDPR standards. A permissionless blockchain ignores borders. It is intended to be ac- cessible from any geography through multiple nodes. In that case, all nodes might be required to execute proper data processing agree- ments that incorporate appropriate EU Commission Standard Con- tractual Clauses to guarantee proper protection of the personal data of EEA residents. Further, any entity that accesses data stored on the blockchain may also have to provide appropriate guarantees that it will meet the GDPR standards.

A permissioned blockchain might be better able to address cross- border data transfer restrictions. It could make it a condition for participation that the applicant execute all documents necessary as part of the admission process, and these documents could include EU Standard Contractual Clauses or a Code of Conduct that meets the GDPR requirements.

Right of Correction

The GDPR grants numerous rights to data subjects, some of which appear to be incompatible with the blockchain. The GDPR grants the right to have incorrect personal data rectified and to have incomplete personal data supplemented. The structure of the blockchain does not allow for any such changes. Any attempt to modify the information recorded about a prior transaction could break the chain, and the transactions that were conducted in reliance on the preexisting data could not be erased or superseded. In a permissioned blockchains, there might be more flexibility, through the addition of special rules. However, it should be kept in mind that individuals cannot give up their right to have incorrect personal data rectified. This is a funda- mental right in the European Union, under Article 8 of the EU Char- ter of Fundamental Rights.

Right of Erasure

The blockchain may be able to resist the “right of erasure” under the GDPR. The “right of erasure” exists only in limited specific circum- stances, including:

  • The data is no longer necessary for the purpose for which it was collected.
  • The data subject withdraws consent to the use of the data
  • The data subject objects to the processing of the data and there are no other legal grounds for the processing
  • The data subject objects to use of the data for marketing purposes
  •  The data has been unlawfully collected

There are numerous exceptions; two of them appear the most vi- able in the blockchain environment. The right of erasure does not apply if the data is necessary “for archiving purposes in the public in- terest” in so far as the erasure likely would “render impossible or seri- ously impair the achievement of the objectives of that processing.” It also does not apply if the processing is necessary for the establish- ment, exercise or defense of legal claims. Since the primary purpose of the blockchain is to provide the ability to prove that a transaction has occurred, it seems that either or both of these exceptions would stop attempts at erasing existing records.


Some of the essential features of blockchain tend to conflict with GDPR. Blockchain promotes immutability and data sharing, among others. With GDPR, personal data must be able to be changed so that it remains accurate, and data sharing is prohibited without permis- sion. Companies that wish to take advantage of blockchain should carefully evaluate the potential obstacles created by the GDPR when structuring their application. When privacy is a concern, a permis- sioned blockchain might be a more viable option than a permission- less one because it allows the creation of supplemental rules of operation that might have a better chance of meeting the numerous, stringent GDPR requirements.

Comments Off on GDPR and Blockchain: Can they Coexist?

GDPR and Privacy Shield: Different Tools for Different Goals

Posted by fgilbert on November 26th, 2018

By Paola Zeni, Francoise Gilbert, Max Calehuff

Paola Zeni is the senior director of global privacy at Palo Alto Networks.

Francoise Gilbert is a shareholder in Greenberg Traurig LLP where she focuses her practice on
US and global data privacy and cybersecurity.

Maxwell Calehuff is an attorney in the Cybersecurity and Privacy Group of Greenberg Traurig

US-based organizations are realizing that they must comply with the EU General Data Protection Regulation (GDPR) — even if they do not do business anywhere in Europe — because their practices include the collection or processing of personal data of individuals located in the European Union (EU) or the monitoring of their activities. Unlike its predecessor – Directive
95/46/EC, known as the EU Data Protection Directive – the GDPR was drafted to apply to many organizations established outside the EU, so that the protection follows the data when the data is moved or processed abroad.

GDPR Art. 3 is the key provision regarding the territorial reach of the GDPR. Under Article
3(1), the GDPR applies to the processing of personal data in the context of the activities of the establishment of an entity in the European Union. In practice, the protection extends as well to individuals located in Norway, Iceland and Lichtenstein, because, like most laws of the European Union, the GDPR is incorporated into the laws of these three countries, and thus its scope covers the entire European Economic Area (EEA) – which is comprised of the European Union and
these three additional countries.

Article 3(2) extends the territorial scope of the GDPR outside the EU or EEA borders. It states that GDPR applies to the processing of personal data of individuals who are in the EU / EEA by a data controller or processor established outside the EU /EEA, when the processing is related to the offering of goods or services to such individuals, or the monitoring of their behavior. Article
3(2) attaches to numerous US entities and requires them to comply with the entire GDPR.

Some organizations assume that it is enough for them to have self-certified their adherence to the
EU-US Privacy Shield (Privacy Shield) and that their self-certification is sufficient to address all
99 articles of the GDPR. This is incorrect. While the Privacy Shield and GDPR overlap in some areas, the GDPR is much broader and contains many more requirements.

This article compares the Privacy Shield and the GDPR, to highlight commonalities, but also gaps that organizations need to address to achieve compliance under both frameworks.


The EU-US Privacy Shield framework, which relies on the Privacy Shield Principles and Supplemental Principles (collectively Shield Principles), was developed in consultation between the US Department of Commerce and the European Commission, and finalized in July 2016, is a cross-border data transfer mechanism. It addresses the restrictions to the transfer of personal data outside the EU or EEA under Articles 44-50 of the GDPR (and before that, Articles 25-26 of the EU Data Protection Directive 95/46/EC). These provisions require the data exporter to ensure that EU or EEA data subjects will continue to benefit from effective safeguards and protection after their data has been transferred outside the EU or EEA. This assurance can be provided through different means. The EU-US Privacy Shield framework, is one of these means of providing the assurances required by GDPR Art. 44-50.

The Privacy Shield framework was not drafted to meet the requirements of the GDPR or as an alternative to GDPR. It was drafted separately from the GDPR; it is not even mentioned in the GDPR. The Shield Principles meet only a small aspect of the GDPR. The Shield is limited to providing a legal ground for the processing of EU or EEA data in the United States, and to establishing for EU or EEA individuals and regulators a means for reaching US-based organizations in the United States, and initiating enforcement. It is a data transfer mechanism only. It also addresses some concerns regarding access by US national security to EU or EEA data stored in the United States; this aspect of the Privacy Shield framework is not discussed here.

Common elements of the Privacy Shield Principles and GDPR

There are similarities and, at times, overlap between the Shield Principles and the GDPR. The latter is significantly broader, deeper, and more specific than the Shield Principles. In this section, we look at the seven basic Principles of the EU-US Privacy Shield and compare them with the equivalent provisions found in the GDPR.

1. Notice

The Notice Principle requires an organization, among other things, to inform individuals about its commitment to process all personal data received from the EEA in compliance with the Privacy Shield Principles and in reliance upon the Shield; the fact that the organization is subject to investigatory and enforcement powers of the Federal Trade Commission or the US
Department of Transportation; the requirement to disclose personal data in response to lawful requests; the possibility of invoking binding arbitration; how to contact the organization with
inquiries and complaints; and the independent dispute resolution body designated to address such complaints.

An organization must also inform individuals of the types of personal data collected, the
purposes for which it collects and uses personal data about them, the individuals’ rights to access their data, the choices and means the organization offers them to limit the use and dissemination of their personal data, the identity of third parties to which the data is disclosed, and the organization’s liability in cases involving transfer to third parties.

Most of these requirements are found in GDPR Art. 5(1)(a) [Lawfulness, Fairness, and Transparency] and GDPR Art. 5(1(b) [Purpose Limitation], and further detailed in GDPR Art. 12 [Transparent information], Art. 13 and 14 [Information to be Provided], among others.

2. Choice

Under the Choice Principle, an organization must offer individuals the opportunity to opt out of having their personal data disclosed to a third party or used for a purpose materially different from the purpose for which it was originally collected. It is unnecessary to provide choice when the disclosure is made to a third party acting as an agent of the organization. However, the organization must enter into a contract with the agent.

For sensitive information (medical or health condition, information specifying the sex life of the individual, racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership), organizations must obtain the individual’s express affirmative consent before such information is disclosed to a third party or used for a purpose that is materially different than the purpose for which it was originally collected.

Most of these requirements are found in GDPR, for example in Articles 6(4) [Lawfulness of the
Processing, 7 [Conditions for Consent], 9 [Special Categories of Data] as well as GDPR Article
5(1)(a), [Lawfulness, Fairness, and Transparency] and Article 5(1(b) [Purpose Limitation].

The Choice Principle requires offering individuals the opportunity to opt-out from the disclosure of their personal data to a third party, or the use of the data for a materially different purpose than the one originally announced. GDPR Art. 21 [Right to Object] grants individuals the right to object to the use of personal data for the legitimate interest of the data controller, and to the use
of personal data for marketing purposes.

Notably missing from the Privacy Shield framework are the right of EU or EEA citizens not to be subjected to automated decision-making, including profiling, found in GDPR Art. 22(1) the right to restrict the processing of their personal data, such as when it is contested or no longer needed, found in GDPR Article 18(1).

3. Accountability for onward transfer

To transfer personal data to a third-party acting as a data controller, organizations must comply with the Notice and Choice Principles and enter into a contract with the controller. The contract must specify that personal data may only be processed for limited and specified purposes consistent with the consent obtained from the individual. The contract must also specify that the recipient will provide the same level of protection as the Shield Principles and will notify the organization if it can no longer meet this obligation, and take reasonable steps to remediate.

To transfer personal data to a third-party agent, organizations must transfer the personal data only for limited specified purposes, and ensure that the agent provides at least the level of protection required by the Shield Principles. They must take reasonable and appropriate steps to ensure that the agent effectively processes the personal data transferred in a manner consistent with the organization’s obligations under the Shield Principles. They must also require the agent
to notify the organization if it can no longer comply with the Principles, and must take reasonable steps to remediate unauthorized processing.

Under the GDPR, when a US-based data controller wishes to transmit data to a data processor located outside the EU or EEA, two sets of provisions apply: GDPR Art. 28 deals with the use of a processor. GDPR Art. 44 and 46 address the adequacy of the safeguards to be provided by the foreign entity; these provisions focus on cross-border data transfers and further transfers to third parties and are consistent with the Shield Onward Transfer Principle.

The comprehensive GDPR Art. 28 outlines in detail the required content of the contract between the controller and the processor. For example, the contract must stipulate that the processor may process the data only on documented instructions of the controller; must assist the controller in responding to data subjects’ exercise of their rights, must obtain the controller’s consent before enrolling a subcontractor, and must notify the controller if the controller’s instructions would infringe applicable law.

4. Security

The Security Principle requires organizations that self-certify compliance with the Shield to take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. GDPR Art. 5(1)(f) [Integrity and Confidentiality] also requires organizations to ensure appropriate security of the personal data. GDPR Art. 32 [Security of Process] provides additional parameters for the identification and choice of security measures, including a number of specific security measures that organizations must undertake when handling personal data originating from the EU or EEA.

The Shield Principles do not deal with the impact of security breaches. While the Security Principle requires the use of appropriate measures to protect data from loss, misuse, unauthorized access disclosure, alteration or destruction, it does not address the potential effect of a security incident or require any form of notice to supervisory authorities or affected data subjects.

On the other hand, GDPR Articles 33 and 34 detail with great specificity the actions to be taken in the event of a data breach. Among those, the affected data controller must notify the supervisory authority or authorities within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedom of individuals.
They must also notify individuals “without undue delay” if the breach is likely to result in a high
risk to the rights and freedoms of the individuals.

Data processors who suffer a data breach must notify the controller without undue delay after becoming aware of the breach. Further, GDPR Art. 28(3)(c) and Art. 28(3)(f) flow down these requirements to processors and their own subprocessors.

5. Data Integrity, purpose, retention

The Shield Principles require that the collection of personal data be limited to what is relevant for the purposes of processing. An organization must take reasonable steps to ensure that personal data is reliable, accurate, complete, and current, and must retain the data in a form that
makes the individual identifiable only for as long as reasonably necessary to serve the purpose for which it has been collected and to which the individual has consented.

GDPR Art. 5(1)(b) [Purpose Limitation], GDPR Art. 5(1)(e) [Storage Limitation] and GDPR Art. 5(1)(f) [Integrity and Confidentiality] cover similar issues.

6. Access

The Access Principle grants individuals the ability to have access to personal data about them that an organization holds. They are also able to request the amendment or deletion of information that is inaccurate or was collected in violation of the Privacy Shield Principles.

The scope of individuals rights under the GDPR is much greater; it extends beyond the right of access, correction or deletion. Art. 20 provides the right to data portability, while Art. 21 [Right to Object], includes, for example, the right to object to certain uses of personal data and the right to object to the use of personal data for marketing purposes. GDPR Art. 22 [Automated Individual Decision-Making] grants the right not to be subject to a decision solely based on automated processing.

The right of erasure, under GDPR Art. 17, is also more complex and more nuanced. The Privacy Shield limits the right of deletion to situations where the data is inaccurate or was collected in violation of the Shield Principles. The GDPR right of erasure or “right to be forgotten” provides for the right to have data deleted when the individual withdraws consent on which the processing is based, if there are no other legal grounds for the processing. It also includes a provision for the deletion of data about children that has been collected in connection with the use of internet services.

7. Recourse, enforcement, and liability

Both the Shield Principles and the GDPR require organizations to have mechanisms in place for ensuring compliance with the applicable rules. In the Privacy Shield, the Recourse Principle requires the use of independent recourse mechanisms (such as the American Arbitration Association, or the Better Business Bureau). The mechanisms must be readily available at no cost to the individual. The recourse mechanism also must allow for the award of damages in
accordance with applicable law or the rules of the recourse mechanism. There must be follow-up procedures for verifying the accuracy of the assertions made by organizations about their data protection practices. Furthermore, organizations must respond promptly to requests from the Department of Commerce for information related to the Privacy Shield and to complaints referred by EU / EEA Member State supervisory authorities through the Department of Commerce.

In addition to the independent recourse mechanisms, violation of the Shield Principles, or misrepresentation as to compliance with them, may be subject to investigations by the Federal Trade Commission (FTC). When an organization becomes subject to an FTC or court order based on non-compliance, it must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Recourse and Enforcement Principle allows affected individuals to bring their complaints directly within the purview of US-based enforcement
authorities, private or governmental, which might make enforcement easier, faster, and more effective. The Recourse and Enforcement Principle does not identify specific administrative fines. FTC consent decrees issued after investigations of non-compliance with the Shield Principles have included significant obligations, such as record keeping requirements for 20 years after the issuance of the order, which can present a significant financial burden, among other things.

GDPR Articles 77 to 84, on the other hand, provide extensive remedies and significant fines. Individuals have the right to lodge a complaint with a Supervisory Authority under GDPR Art.
77, and the right to judicial remedy in the courts of the Member State where the individual reside, under GDPR Art. 79. Individuals can also mandate a nonprofit organization to lodge a complaint on their behalf, under GDPR Art. 80, and may receive compensation under GDPR Art
82 [Right to Compensation]. Most important, GDPR Art. 83 [Administrative Fines] allows for the imposition of administrative fines that may reach €20 million or four percent of the total worldwide annual turner of a global entity, whichever is higher.

In the case of recourse and enforcement under the GDPR, it remains to be seen how EU or EEA authorities and courts will be able to assert jurisdiction or to enforce judgments, damages or fines over organizations located outside the EU or EEA. GDPR Art. 27 requires non-EU or EEA controllers and processors to appoint a representative located in the EU or EEA. The representative can be addressed in addition to, or instead of, the controller or processor by supervisory authorities and data subjects for ensuring compliance with the GDPR. GDPR Recital
80 indicates that the designated representative could be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

At this time, there is little clarity on how enforcement proceeding could be conducted and what the potential outcome might be. Would the role of the representative be limited in most cases to that of an agent for receiving communications and providing responses or could the representative become jointly and severally liable with the non-EEA entity? GDPR Art. 27 is silent and so far, no guidelines have been issued. In addition, it is also not clear how a judgment rendered in the EU or EEA against an organization established abroad would be enforced against that foreign entity.

When addressing recourse and enforcement, GDPR and Privacy Shield adopt different routes and pertain to different subject matters. Privacy Shield focuses on enforcement of violation of the Privacy Shield Principles in the United States, where the FTC is likely to have a significant role in stopping a US company from conducting non-compliant activities, and historically has been a tough enforcer.

GDPR focuses on enforcement in the EU or EEA, pertains to the entire GDPR, provides local government agencies with the ability to assess significant fines, and grants individuals a private right of action to seek damages. In the past, EU or EEA agencies have not been as aggressive as their US counterparts but the landscape is likely to change with the significant fines available under GDPR Art. 83.
It remains to be seen what will happen in practice, which of these avenues will be more frequently used in case of a dispute, what the outcome of enforcement action will be, and which mechanism will provide more effective enforcement or recourse for affected individuals or create more barriers or hurdles for organizations.

GDPR concepts that are not addressed in the Shield Principles

In the first part of this article, we showed that in six of the areas covered by the Shield Principles the GDPR takes a more comprehensive view and contains more stringent, detailed, and specific requirements. The seventh Shield Principle, Enforcement, differs significantly from the enforcement provisions of the GDPR. Given that enforcement of the Shield Principles has been limited to a handful of FTC actions, it is difficult to make a practical comparison between the
two enforcement mechanisms at this time.

When we move the analysis and the comparison to other areas, it becomes even clearer that a self-certification of adherence to the Shield Principle is insufficient to show compliance with all GDPR provisions that may be applicable to organizations. We provide several examples below:

1. Legal grounds for processing data

The Privacy Shield Notice and Choice principles require organizations to disclose the purpose of collecting personal data and obtain consent to conduct certain activities, such as disclosure to third parties or use for a purpose materially different from the originally disclosed purpose. However, it assumes, a priori, that the data have been legally collected or that the consent was implied from the conduct of the parties.

The GDPR Article 6 (1) requires that the collection and processing of personal data be lawful. It identifies only six limited grounds for collection and processing to be legal. For example, processing will be lawful if it is necessary for the performance of a contract to which the data subject is a party, or to comply with a legal obligation. Processing will also be lawful if it is conducted for the legitimate interests of the controller or a third party, so long as these interests are not overridden by the fundamental rights and freedoms of the individual. In some cases, a data controller may have no other choice than seeking and obtaining the explicit consent of the individual (opt-in consent) to provide the required legal basis for the contemplated processing.

2. Obligations regarding data subject rights

In addition to providing extensive rights to individuals located in the EU or EEA, the GDPR imposes obligations on data controllers to facilitate the exercise of those rights. Controllers must provide individuals with information about their rights as data subjects and must facilitate the exercise of those rights electronically. Controllers must respond to a data subject’s request within one month, and provide information on actions taken or not taken in response to a request. In addition, data processors are contractually required to cooperate with the data controller to address such rights.

3. Data protection by design and default

GDPR Art. 25 [Data Protection by Design and by Default] requires data controllers to implement appropriate measures to ensure that the processing implements the data protection principles. It also requires that the processing meet the GDPR principles and requirements, assure and protect the rights of the individual, and that, by default, the processing be limited to the personal data necessary for a specific purpose.

4. Documentation of processing and data protection impact assessment

GDPR Art. 30 [Record of Processing Activities] requires controllers and processors to keep electronic records of their processing activities, to be made available to supervisory authorities upon request. When processing activities are likely to result in a high risk for the rights and freedoms of individuals, GDPR Art. 35 [Data Protection Impact Assessment] requires data controllers to assess the impact of the envisaged processing on the protection of personal data. Both Articles 30 and 35 are likely to have a significant operational impact on organizations.


Even if a company does not do business in the European Union or the European Economic Area, it may be subject to GDPR. Compliance with the GDPR requires significant efforts, time and financial investments.

The Privacy Shield Principles provide a simple, easy to, use means for organizations to address their obligations under Chapter V, Articles 44-50 of the GDPR [Transfer of Personal Data to Third Countries or International Organizations]. However, the use of the Shield just serves its original purpose: providing a means for US entities to show their commitment to protecting personal data originating in the EU or EEA when the processing is conducted in the United States, and to respond to complaints and enforcement actions that may be initiated in the EU or EEA and subsequently transmitted to US agencies. The Privacy Shield is not a data protection law or a comprehensive data protection compliance framework. It is a cross-border transfer mechanism.

As both the Privacy Shield and the GDPR are further explained and clarified, organizations should understand the narrow, limited, and specific role of the Privacy Shield, the significant gaps between the Privacy Shield and the GDPR, and that they cannot meet their obligations under GDPR solely through a self-certification of their commitment to observe the Privacy Shield principles.

Posted in Europe, US Law
Comments Off on GDPR and Privacy Shield: Different Tools for Different Goals

The EU General Data Protection Regulation and Its Implications for US Insurance Companies

Posted by fgilbert on August 2nd, 2018

An article published by Francoise Gilbert in collaboration with the Greenberg Traurig Insurance Department.

Summer 2018 Magazine Reprint

Comments Off on The EU General Data Protection Regulation and Its Implications for US Insurance Companies

All you wanted to know about the GDPR

Posted by fgilbert on April 2nd, 2018

Extensive presentation by Francoise at a Bay Pay event.


Comments Off on All you wanted to know about the GDPR

90 days to May 25, 2018 – Does your Business Meet its GDPR Obligations?

Posted by fgilbert on February 21st, 2018

The EU General Data Protection Regulations – or GDPR – goes into effect in 90 days, on May 25, 2018.  With such a name, it would be easy to conclude that the law governs only the activities of businesses established in the European Union (EU) or European Economic Area (EEA), and that those established elsewhere are not concerned.

This is not the case.  Organizations that are not established within the EU/EEA are subject to GDPR when they process personal data of individuals who are in the EU/EEA if the processing activities are related to:

  • The offering of goods or services to such individuals in the EU/EEA, even if payment is not required, or
  • The monitoring of their behavior, to the extent that their behavior takes place within the EU/EEA. Profiling of individuals based on their use of the Internet is an example of such monitoring.

In practice, most US businesses – probably 70% – are subject to the GDPR where they collect or process the personal data of individuals located in the US.  According to our observations, only a very small fraction of those US businesses that are subject to the GDPR have completed their GDPR compliance overhaul.  Those who have ignored the GDPR or have failed to properly evaluate the extent to which the GDPR might apply to their activities should rethink this analysis and take action as soon as possible to address these obligations, if relevant.

The GDPR is a significant, complex document.  Compliance, therefore, is commensurate to its complexity.  For most businesses, evaluating their practices and conducting all activities that are required to achieve compliance can take three to six months. Numerous larger businesses, such as multinationals, have been working on GDPR implementation for more than two years.

The list of obligations under the GDPR is very long.  The document is comprised of 272 provisions, which are divided into 173 recitals and 99 Articles. It is also supplemented by documents issued by the EU institutions, or the Member States themselves. The EU’s Article 29 Working Party, so far, has published at least 13 guidelines. Some local supervisory authorities have published their own guidelines. Some Member States have adopted laws or amendments that relate to the GDPR.

Here are some highlights to keep in mind, among the many others that are written in the GDPR and related documents.

  • Violations of the law are subject to significant administrative fines that can reach up to 20 Million euros, or in the case of multi-national businesses, 4% of their global revenue.
  • In addition, individuals have a private right of action that allows them to file a complaint in court when they believe that their rights under the GDPR have been violated as a result of the processing of their personal data in non-compliance with the GDPR. They can mandate certain non-profit organizations to lodge the complaint and exercise their right to receive compensation on their behalf, a process that, in its effect, is likely to be similar to that of class action lawsuits customary in the United States.
  • Businesses are prohibited from collecting or processing personal data unless one of six circumstances occurs. They are required to state on their privacy notice why they have the right to collect and process the personal data of individuals. Company can no longer just infer from a person’s visit of a website that the individual has consented to the collection and use of his/her data. Specific consent is required.
  • Businesses have significant obligations that go well beyond current common practices. In particular, there are significant record keeping requirements as well as limitation to data retention.
  • Products must be designed in accordance with Data Protection by Design and Data Protection by Default principles. In some cases, businesses are required to conduct Data Protection Impact Assessments.
  • Individuals have significant rights, such as right of access, right of correction, right of data portability or right to be forgotten. Businesses have 30 days to respond to a request, which makes it necessary to implement the appropriate technical measures and administrative procedures to respond promptly to requests from individuals.
  • If a company’s core activities require the regular and systematic monitoring of individuals on a large scale, or the processing of special categories of data on a large scale, it must appoint a Data Protection Officer. Special categories of data include, for example, data about health, genetic data and biometric data, religion or sexual life.
  • Privacy notices must be updated to include a large amount of information required by the law.
  • Businesses must amend most of their contracts with third party service providers, or with their own customers if they act as service provider to another entity. These contracts must include numerous provisions mandated by the GDPR.

These are just example. There is much more. GDPR compliance project takes a significant amount of time.

To address their obligations under the GDPR, businesses must to conduct numerous activities, such as:

  • Start with understanding whether and how the business may have access to personal data of individuals in the EU/EEA, what is done to or with this data, with whom it shared, and how the business interacts with the individual for marketing purposes
  • Conduct a gap analysis to determine what needs to be done to comply with the GDPR, and prioritize these activities
  • Address the company’s obligations as a controller or processor
  • Address the restrictions to marketing, targeting, profiling
  • Update the contracts with data processors, subprocessors
  • Document the security program; update the security breach response plan
  • Address the crossborder data transfer restrictions
  • Identify the legal grounds for processing the personal data
  • Update the privacy notice
  • Develop processes to address obligations regarding individuals’ rights
  • Update training for personnel
  • Identify the lead supervisory authority

The GDPR has become a significant part of the US Privacy and Security legal landscape. It is important for US businesses to pay attention to compliance now because a majority of US businesses – as well as business located in other countries outside the EU/EEA – are and will continue to be subject to the GDPR for some of the personal data that they collect.

The GDPR will affect many of the business deals that a company may conduct. As businesses acquire or do business with businesses that are subject to the GDPR, the contracts that are drafted will likely have to address GDPR issues.

There are only 90 days left to take action and address GDPR compliance. There is still time if you have not already done so.  If you don’t, those individuals and businesses located in the EU/EEA with whom you want to do business may soon inquire whether your company can demonstrate whether it is compliant with the GDPR, and if your answer is not satisfactory, may take their business to others who do comply.

Comments Off on 90 days to May 25, 2018 – Does your Business Meet its GDPR Obligations?

NIS Directive Adopted in August 2016 – What’s Next

Posted by fgilbert on August 12th, 2016

Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6, 2016, Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union Network and Information (“NIS Directive” or “Directive”), entered into force in August 2016, outlines plans for establishing a base level of network and information security that is coherent across the European Union (EU) and European Economic Area (EEA). It defines a framework for enabling networks and information systems to be better prepared to respond to actions that compromise the availability, authenticity, integrity, or confidentiality of the data that they process, store, or transmit. In addition, each Member State will be required to adopt a Network Information Security strategy defining its objectives and policy and regulatory measures regarding cybersecurity.

Scope and Affected Entities

The Directive will primarily affect “operators of essential services” and “digital Service providers”. Under the Directive, an entity provides an essential service if the entity provides a service that is essential for the maintenance of critical societal and/or economic activities; the provision of that service depends on network and information systems; and an incident to the network and information systems of that service would have significant disruptive effects on the provision of that service. Examples of such operators of essential services include entities in the following industries: Energy; Transportation; Banking; Financial Markets Infrastructures; Health care; Drinking water supply and distribution; and Digital infrastructure. The second group of companies impacted by the NIS Directive is digital services providers located in the Member States, which includes online market places, such as e-commerce platforms; cloud computing services; and online search engines.

Obligations of Operators of Essential Services

The Directive outlines specific obligations on operators of essential services. For example, they will have to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems that they use in their operation and to prevent and minimize the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, to facilitate the continuation of those services.

They will be required to notify the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications must include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident.

They will also have to provide information necessary to assess the security of their network and information systems including documented security policies.; and provide evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor, and, in the latter case, to make the results thereof, including underlying evidence, available to the competent authority.

Obligations of Digital Service Providers

Digital service providers will also be required to identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems use to offer services and to prevent and minimize the impact of security incidents. These measures will have to ensure a level of security and take into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.

Digital service providers will have to notify the competent authorities without undue delay of any incident having a substantial impact on the provision of a service that they offer in the EU. Such notification will have to include information to enable the competent authorities to determine the significance of any cross-border impact.

Cooperation Among Member States

The Directive puts in place several structures for ensuring efficient activities within each Member State and cooperation among the Member States. For example, Member States will have to designate a competent national authority responsible for implementation and enforcement of the NIS Directive.  They will also be required to establish Computer Security Incident Response Teams (CSIRTs) which will be responsible for handling cybersecurity incidents and risks.

A network of Computer Security Incident Response Teams (CSIRTs Network), also established by the Directive, will help promote swift and effective operational cooperation on cybersecurity incidents and for sharing information about security risks among Member States. The CSIRTs Network will consist of representatives of the CSIRTs established in the Member States and the Computer Emergency Response Team (CERT-EU).

A “Cooperation Group”, composed of representatives of the EU Member States, representative of ENISA (EU Agency for Network and Information Security) and the European Commission will facilitate strategic cooperation and information exchanges among Member States. It will prepare strategic guidelines for the activities of the CSIRTs Network and discuss the capabilities and preparedness of Member States.

Between Now and May 2018

The NIS Directive entered into force in August 2016. The EU/EEA Member States now have until May 2018 to implement its principles into their national laws. Companies that do business in the EU/EEA and fall within the scope of the NIS Directive should monitor the implementation process in the Member States where they operate, and the further guidance that the competent authorities will issue. They also should be aware that the EU Commission has the power to adopt implementing acts regarding the required formats and procedures to be used for notification and incident assessment.

Comments Off on NIS Directive Adopted in August 2016 – What’s Next