Belgium’s digital industry unites to discuss the use of analytics cookies without prior opt-in with the Belgian Data Protection Authority (GBA)
Last week Sirius Legal met with the Belgian Data Protection Authority as the legal representative of the united Belgian digital industry about the use of analytics cookies.
On 7 January sector organizations ACC, BAM, Cube, Feweb, SafeShops.be, UBA and UMA (representing agencies, advertisers, web builders and webshops) met with Belgium’s DPA to convey their concerns about the way in which prior explicit consent must be requested for the use of analytics cookies in online environments today. The sector organizations, which together represent the broad spectrum of the Belgian online world, did so on the basis of an extensively substantiated position paper that was written by Sirius Legal.
Concern about explicit consent for analytics cookies
The major concern across the entire sector is that the obligation to request the consent of website visitors by means of a cookie banner causes very great economic damage to the sector. Many website visitors, some statistics speak of more than 80%, simply click away the often annoying cookie pop-ups or do not opt in. As a consequence, webshops and online marketers miss out on essential statistical data about website visits and visitor behaviour on their website, data that is crucial to optimizing their web content. This creates a great deal of frustration because in neighbouring countries the use of such analytics cookies is possible without prior consent from the website visitor, which creates a serious competitive disadvantage for Belgian online entrepreneurs.
The entire industry is very committed to online privacy and welcomes the transparency that mandatory cookie opt-ins bring when it comes to data collection for marketing purposes. However, the industry insisted on the great urgency for the DPA to take action when it comes to (anonymous) analytics data. The same message will be presented to the competent minister, in order to provide Belgium with an exception for strictly analytical purposes similar to those that already exist in France, the Netherlands and Germany. High-performance websites, adapted to the expectations and needs of the consumer, are in the first place also to the advantage of precisely that consumer. After all, good analytics data makes it possible to offer better services and products, under better conditions and at better prices, to precisely that consumer.
Position paper and relevant articles
The full position of the sector has been elaborated in a position paper that provides a very good outline of the current issue and reflects the point of view of the entire digital sector.
Over the past few months, we have written a number of articles about this issue at Sirius Legal and are particularly pleased that our position paper is so enthusiastically endorsed throughout the digital sector. Sirius Legal, together with BAM, the Belgian Association for Marketing, and the other associations, will take the necessary steps to arrive at a proposal for text and negotiations with the cabinet of the Minister Mathieu Michel. We will certainly keep you informed!
Sirius Legal is and has been the legal partner of several of the signing parties to this position paper, including BAM, UBA, SafeShops and Feweb. These partnerships place us in the center of the Belgian online industry and allow us to offer high quality legal services to the entire industry.
- No e-commerce without analytics data
- “No cookies without permission”, says the European Court of Justice
- New Cookie Guidelines in France (also relevant for Belgium, article in Dutch)
Questions about cookies or the position paper?
Feel free to contact Bart Van den Brande: bart@siriuslegal or book a short meeting into his agenda using this link.
UK companies and residents lose .eu domain names
At the beginning of this year, EURid (the organisation in charge of managing .eu domain names) announced that 81,000 .eu domain names would be suspended as a result of Brexit. Those domain name holders now have three months to prove that they are entitled to the .eu domain name. This event is a perfect moment to refresh the importance of a good domain name policy.
European domain names
.eu domain names are top-level domain names (TLDs) managed by EURid (European Registry for Internet Domains).
These domain names are reserved for:
- Citizens of the EEA (EU + Norway, Iceland and Liechtenstein), even if they no longer live in the EEA.
- Residents of the EEA, irrespective of their nationality.
- Companies established in the EEA.
- Organisations established in the EEA.
Individuals and companies that do not belong to one of these categories cannot apply for or hold a .eu domain name. As a result of Brexit, 81,000 .eu domain names were suspended at the beginning of this year. In practical terms, this means that these .eu websites and email addresses are no longer accessible since the beginning of 2021.
The domain name holders in the UK now have another three months to update their data. They can, for example, establish their registered office within the EEA or prove that they have the nationality of an EEA member state in order to keep their domain name. The well-known pro-Brexit website and campaign Leave.EU has moved its registered office to Waterford in Ireland to be able to keep its domain name. If a domain name holder cannot prove the above, their .eu domain names will be officially cancelled and consequently released to the public from January 2022.
Checks for registration
This incident is the perfect moment to refresh the importance of a good domain name policy. We recently wrote an article about the steps you can take to prevent and fight cybersquatting. In this article, we emphasise the importance of registering the various extensions (.com, .net, .shop, .be, .eu), because otherwise you run the risk that someone else will profit from your carefully built reputation or even damage it.
Make sure that you don’t thoughtlessly search all databases for available domain names. That is how you awaken the cybersquatters. These are individuals who want to get hold of your domain name in order to sell it to you at a higher price, or place harmful content on it in order to give you a bad name, or profit from your good reputation, etc. You can easily prevent this by registering the relevant and crucial domain names in good time:
- Make a list of all possible names and possible spelling mistakes. Perhaps also think about the domain name of your own name!
- Think carefully about which extensions you want to register.
- Register all names and extensions as soon as possible.
In itself this all seems obvious, but you would be surprised how often it goes wrong in practice. Often, certain extensions are not registered in order to reduce costs, but it has happened more than once that a competitor or an unknown third party registers the other domain names to make a profit. Then, of course, there are legal steps you can take. For example, there are a number of alternative dispute procedures at the domain name registries. In many cases, however, you will need a registered trademark to have a chance of success. By the time you have gone through such a procedure, the damage may already be irreparable or your costs may have risen considerably.
Preventing is better than curing
Our team will be happy to help you with any questions concerning domain names, trademarks or intellectual property and the Internet in general. Feel free to contact us at email@example.com and firstname.lastname@example.org.
A bit of important GDPR news at the beginning of this new year: Brexit and Standard Contract Clauses
2020 was a turbulent year for the entire world for obvious reasons, but also specifically when it comes to GDPR the year did not go unnoticed. Anyone who has followed our blog in the past year has undoubtedly noticed that many companies throughout Europe have been fined, sometimes very heavily. Google, Amazon, Marriott, Ticketmaster, H&M, British Airways, Vodafone, … The list of names of companies that ran into difficulties is quite impressive. Moreover, there was a lot of fuss about the impact of the Planet 49 judgment and, last summer, the Schrems II judgment.
At almost literally the very last minute, 2020 brought two more important novelties that we did not want to keep from you at the start of the new year. First, Brexit is a fact and, against all odds, a Brexit deal was found, which also covers data exports to the UK. Second, in the same sphere of data export, the European Commission published its long-awaited draft version of the new Standard Contract Clauses for data export outside the EEA. We summarize both briefly below.
The impact of the Brexit deal on data export
It seemed like the never-ending story, but at the very last minute the EU and the UK finally reached an agreement on (the broad outlines of) their cooperation after Brexit. This agreement also includes one short passage on data protection and data export between the UK and the EU.
After all, from 1 January 2021, the UK will be a ‘third country’ under GDPR. We explained earlier that without a Brexit deal that would mean that the UK would suddenly have to be equated with Russia or China in terms of data exports, since the UK cannot automatically be included in the list of “safe” countries, which are considered to offer an equivalent, adequate data protection level as the EU itself. That would mean that anyone sending data to the UK would have to start working on the implementation of the necessary alternative safeguards for data export. In most cases this would mean that agreements would have to be provided on the basis of the Standard Contract Clauses of the European Commission, possibly supplemented with the necessary additional guarantees in the light of the Schrems II judgment. In addition, existing Binding Corporate Rules would have to be replaced if approved by the UK ICO (which is no longer a European data protection authority) and many UK companies would have to appoint a representative in the EU.
Fortunately, the Brexit agreement remedied this at the last minute in the form of a commitment on the part of the EU to quickly grant the UK an adequacy decision and, in the meantime, to grant the UK temporary adequacy for a period of up to six months. As a consequence the UK can, at least for the time being and pending formal recognition, be considered a safe third country. The agreement works in both directions, so also for data that flows from the UK to the EU. Data exchange with the UK can – for the time being at least – continue undisturbed and without further legal or administrative intervention.
There is one small reservation for now: although the Brexit agreement has been provisionally in force since January 1, 2021, it still needs to be formally approved by the European Council and the European Parliament before it can be ratified and fully implemented. The deal also has to be approved by the British Parliament. If the agreement is ultimately not approved, the previously foreseen problems regarding data exchange after Brexit threaten to emerge soon …
New Standard Contract Clauses
Just as long awaited as the Brexit deal were the new versions of the Standard Contract clauses for data export outside the EU. After all, the old versions were not aligned with the terminology from the GDPR and were very clumsy to use. Moreover, the Schrems II ruling made it clear last summer that the existing SCC’s are insufficient as a legal basis for data export outside the EEA (the EU, expanded with Norway and Liechtenstein). The European Commission has therefore been working on an update of the existing contract clauses for a long time.
In the meantime, on November 12, 2020, the European Commission made its proposal for modified and supplemented SCC’s public for consultation. The envisaged consultation period ended shortly before Christmas. The European Commission is now processing the feedback received into its final versions and is also awaiting, among other things, the final advice from the EDPB on appropriate additional safeguards for data export (following the Schrems II judgment). The intention of the Commission is to encapsulate those safeguards directly in the SCC’s contractually, in order to ensure smooth and secure data exports outside the EEA based on the new SCC’s without any additional hassle.
The Commission provides for a transition period of 12 months, counted from the date the final version is made public, for companies to implement the new SCC’s. Anyone who exports data on the basis of the old SCC’s or on the basis of the since-annulled Privacy Shield should therefore keep an eye on the Commission website.
The new (for now draft) SCC’s have a modular structure. There is one central version of the SCC that can be adapted based on additional text modules to cover four hypotheses:
- Exchange between two (or more) controllers
- Transfer from a controller to one (or more) processors
- Transfer from a processor to one (or more) (sub)processors
- Transfer from a processor to one (or more) controllers
The draft SCC’s focus much more than before on transparency, no doubt prompted by the Schrems II judgment. For example, when transferring from controller to controller, the data importer must provide a lot of information to the data subjects (directly or through the data exporter), such as the identity of the data importer and details of the intended processing.
The draft SCC’s also contain the obligation to sign a corresponding SCC with the receiving third party in the event of further data transfer by the data importer to such third party or to provide another sufficient legal basis.
The SCC’s also provide by default a guarantee by the data importer that no local law will affect its obligations as a data recipient. To this end, the parties must prepare an impact assessment in advance precisely to verify the possible impact of local legislation. In addition, the data importer must immediately notify the data exporter – and, if possible, the data subjects – of access requests by local authorities and must, for example, also take appropriate legal action against illegal access requests.
The SCC’s also receive an extensive appendix this time. The European Commission is expected to add concrete minimum technical and organizational measures to protect data during export. These additions will be based on the final advice of the EDPB on exactly those measures, which will be published soon as a follow-up to the Schrems II judgment.
The modernization of the Standard Contract Clauses is a step forward in terms of smooth data export outside the EEA, but the fear remains that this will not be sufficient in the long term. Most lawyers are anxiously awaiting another Schrems judgment, which this time around would be directed against the SCC’s instead of the Privacy Shield as last year. After all, the underlying problem remains the same: no contractual or structural agreement can provide certainty about data security outside the EU. Foreign security services have widespread access, legal or otherwise, to European data and recipients outside the EEA can never guarantee that this can be prevented, even with new and stricter SCC’s …
Nevertheless, you should most certainly give priority to implementing the new SCC’s as soon as possible once they are final. We have already explained how to approach this in a number of webinars (the recordings of which are available on our YouTube channel) and on our website (with a handy questionnaire that you can send to partners outside the EEA to estimate whether the data you exchange with them is processed safely and correctly).
Questions about international data transfers or about GDPR in general?
The future Digital Services Act and Digital Markets Act in a nutshell
Just before the holiday season, on December 15, EC Vice President Margrethe Vestager announced the first drafts of the Digital Services Act and the Digital Markets Act. These are two new European regulations that together form the Digital Service Package and that should ensure more and better regulation of online platforms in the foreseeable future.
The European Commission itself speaks of ‘an ambitious reform of the digital space, a comprehensive set of new rules for all digital services, including social media, online marketplaces and other online platforms operating in the EU’.
Although these are two draft texts that have yet to be addressed by the European Parliament and the European Council, at Sirius Legal we are taking the time to outline the main points. After all, the potential impact on the online world and in particular on e-commerce and online marketing is considerable.
Digital Service Package?
The Digital Services Act (DSA) and Digital Markets Act (DMA) include a series of new rules that, as part of the European digital strategy, Shaping Europe’s Digital Future, should ensure a safer digital environment for European citizens and more competitive equality for businesses, which should increase innovation, growth and competitiveness, both in the European internal market and worldwide.
The DSA imposes new obligations on online intermediaries such as online marketplaces, social media platforms, app stores and booking websites, while the DMA introduces new rules for major online platforms, which the European Commission calls “gatekeepers”. These are the large internet players who channel a lot of traffic through their platforms. In concrete terms, both (future) regulations want to ensure more transparency in online advertising, less counterfeiting, better privacy protection and, above all, more control for the EU over the economic power of some internet giants.
The European Commission is the first to recognize that online platforms have significantly changed the lives of consumers in the EU in a positive sense over the past 10 or 15 years. Online platforms have also become very important in the online world and even in our economy in general in recent years. Unfortunately, however, there are also some negative side effects associated with the success that platform websites have in today’s online landscape. For example, the trade in counterfeit goods and illegal goods and services is a recurring problem. The past few years have also shown that online services are also increasingly being misused to spread disinformation based on smart algorithms and to manipulate election results, for example. The fact that a handful of (American) companies de facto control a very large part of the internet is also a concern for the EU, for some time now. It is those companies that the EU refers to as “gatekeepers”, who direct and control access to online services on the Internet. The press releases of the European Commission do not mention names, but of course they refer to Amazon, Google, Facebook, Apple, Microsoft and other tech giants.
Digital Services Act
The first part of the Digital Service Package, the Digital Services Act, focuses mainly on online intermediaries and builds on the existing Electronic Commerce Directive. The draft regulation provides for a whole series of new obligations for operators of all types of online platforms, such as booking websites, marketplaces, app stores, cloud services, internet providers, messaging services and social media platforms.
Among other things, the regulation provides for:
- New obligations for very large platforms to take risk-based measures to prevent misuse of their systems
- Rules for removing illegal content, illegal services and counterfeit goods
- New rules to ensure that sellers of counterfeit or illegal goods and content can be detected more quickly
- Extensive transparency obligations for targeted online marketing based on user profiles and algorithms
Online platforms must know who the actual seller is on their platform (“know your customer”) and must also clearly inform users of this, something that today is unfortunately often all too unclear until the moment an order is delivered. The EU hopes this will help track down rogue traders and protect online shoppers from illegal products, such as counterfeit and dangerous products. At the same time, citizens will be able to easily report illegal content and products on a platform. Platforms will be obliged to remove illegal content or goods. Very large online platforms will be subject to even stricter rules and must undergo a risk analysis and, if necessary, take additional measures against counterfeiting and illegal content.
Platforms that reach more than 10% of the EU population or about 45 million users will have to take into account additional obligations because of their size. They will be subject to the supervision of a newly created Council of National Coordinators for Digital Services (“Digital Services Coordinators”).
The draft also provides rules to combat the spread of political disinformation, hoaxes and manipulation of public opinion (for example during pandemics). The rules apply mainly to very large platforms, which will have to conduct a risk analysis and take measures for additional protection of fundamental rights, public interests, public health and security. Online content will have to be better moderated and in certain cases will have to be removed. It is also important that the text pays a lot of attention to the protection of the freedom of expression against government interference in order to prevent content from being removed too quickly, too often or too extensively.
The Digital Services Act further contains a set of rules that threaten to fundamentally disrupt the online marketing world as we know it today and which, in addition to the recent GDPR and the ePrivacy Regulation that has been announced for several years, will have a considerable impact on this sector. These new rules oblige online advertisers to inform website visitors transparently about why they see certain advertisements (and on the basis of which criteria this happens) and who the advertiser is. Website visitors should also clearly see that certain content is sponsored. Very large online platforms must also maintain “ad repositories”, which show which advertisements they have shown in certain periods and which groups were targeted (without, however, keeping personal data of individuals). Incidentally, the Digital Markets Act also contains provisions on online advertising, which we discuss below when we go into more detail on this second draft.
Each Member State will have to appoint a Digital Services Coordinator, an independent authority responsible for supervising service providers established in their Member State. These new authorities will be able to impose sanctions, including, of course, financial fines that the Member States themselves can determine in national legislation. Here too there is a stricter regime for the very large platforms. These fall under the direct supervision of the European Commission, which can impose fines of up to 6% of a service provider’s worldwide turnover. This makes the sanction system even stricter than the monster fines introduced by GDPR at the time (up to 4% of global turnover).
The Digital Markets Act
While the Digital Services Act regulates all online intermediaries and provides for additional strict obligations for the very large players, the Digital Markets Act mainly focuses on limiting the economic power of the internet giants, who are referred to in the draft as “gatekeepers”. A number of companies now have such a great grip on the internet, on e-commerce and on online marketing that they de facto control (a significant part of) access to digital services.
The usual suspects for the European Commission are Amazon, Google, Apple, Facebook and Microsoft, or any other company that meets the criteria in the draft or that is unilaterally (!) designated as a gatekeeper by the European Commission itself “following a market research”. These gatekeepers are platforms that have a significant impact on the internal market, act as an important gateway for professional providers to reach their customers and are firmly anchored in the digital economy. In a number of cases, this gives them a lot (too much, one might say?) of economic power with regard to both the companies that want to use their services and consumers. This leads to, for example, the unfair use of data from companies operating on these platforms, or situations where users are tied to one service and have limited options to switch to another.
The Digital Markets Act wants to remedy exactly this. It aims to prevent gatekeepers from imposing unfair conditions on businesses and consumers and to ensure the openness of important digital services. Examples of such unfair conditions include making it impossible to remove pre-installed software or apps (something that happens very often on smartphones and tablets today) or preventing third-party software from operating and interoperating with the gatekeeper’s own services.
The Digital Markets Act only applies to large companies identified as “gatekeepers” according to the objective criteria set out in the proposal. These are companies that play a particularly important role in the internal market because of their size and importance as a gateway for professional providers to reach their customers.
These companies operate at least one so-called “core platform service” (such as search engines, social network services, certain messaging services, operating systems and online intermediation services), and have a persistently large user base in several countries in the EU.
In concrete terms, there are three main cumulative criteria that place a company under the scope of the Digital Markets Act:
- An annual turnover in the European Economic Area (the EU + Norway and Liechtenstein) of at least 6.5 billion euros in the past three financial years or average market capitalization or equivalent fair market value in the last financial year of at least EUR 65 billion and a core platform service available in at least three Member States
- Control of a major gateway for professional providers to end users: this is assumed to be the case if the company operates a core platform service with more than 45 million monthly active end-users in the EU and more than 10,000 professional providers in the EU annually
- An (expected) anchored and sustainable position: this is assumed to be the case if the company has met the other two criteria in each of the last three financial years.
If not all of these thresholds are met, the Commission may evaluate the specific situation of a given company in the context of a market investigation for the designation of gatekeepers and decide to designate it as a gatekeeper based on a qualitative assessment.
What are the consequences for those considered to be gatekeepers?
The Digital Markets Act establishes a set of obligations that gatekeepers must implement in their day-to-day operations to ensure fair and open digital markets.
Some examples of the “do’s” include the following:
- Opening up proprietary services to third parties who want to work with them
- Providing companies that advertise on their platform with access to the gatekeeper’s performance metrics and the information advertisers and publishers need to carry out their own independent verification of their advertisements hosted by the gatekeeper
- Allowing professional providers to also offer or promote their products or services outside the gatekeeper platform (think of hotels that also need to be able to offer their rooms outside booking platforms)
Some examples of the “don’ts” are:
- Preventing users from removing pre-installed software or apps
- Using data obtained from their professional providers to compete with those same professional providers
What happens if a gatekeeper ignores the rules?
Anyone who does not follow the rules can in this case incur fines of up to 10% of worldwide turnover. The inflation in fines across recent EU regulations seems unstoppable … For repeat offenders, these sanctions may also include an obligation to take structural measures, which could potentially extend to the divestment of certain businesses, where no other equally effective alternative measure is available to ensure compliance.
Who Enforces the Digital Markets Act?
Given the cross-border nature of gatekeepers and the complementarity of the Digital Markets Act with the Digital Services Act and other internal market rules, competition law in particular, enforcement of the instrument remains in the hands of the Commission. Member States can always request the Commission to open a market investigation in order to designate a new gatekeeper.
Both the Digital Services Act and the Digital Markets Act are preliminary draft texts of the European Commission. The texts have already been the subject of extensive public consultation rounds and the texts are largely fixed. Nevertheless, this still needs to be approved by the European Parliament and the European Council, and both institutions can still make extensive changes. So it remains to be seen what the final texts will deliver, but it seems to be certain that both regulations will eventually come into effect.
As far as timing is concerned, a discussion in both Parliament and the Council does not seem to be expected before 2023. In the meantime, we will of course be monitoring the most recent developments closely.
Questions about e-commerce, online marketing or Internet law in general?
The practical guide on retention periods for personal data
An important principle that companies must take into account when processing personal data is the principle of storage limitation. According to that principle you have the obligation to organise the “data lifecycle” of the personal data that you process and, more specifically, to set and monitor maximum retention periods for those personal data.
It is not always easy to determine exactly how long the personal data can be stored and many companies are struggling with this. How long can you store which personal data? How long is it “necessary” to store personal data? What should you take into account when setting retention periods? Can you always freely determine the storage periods?
In this article, we try to answer these questions on the basis of a practical guide from the French supervisory authority (the Commission Nationale de l’Informatique et des Libertés, or CNIL).
The data lifecycle, what is it?
Almost every company processes personal data. Data is collected, organised and stored, updated and further used, possibly forwarded and eventually deleted. The set of processing operations that personal data undergoes forms the life cycle of personal data.
In its practical guide, the CNIL divides this life cycle into three successive phases:
- The current use (“active basis”) of personal data: this stage concerns the current use of personal data by the various departments within the company responsible for processing them. In concrete terms, this means the collection of personal data and their daily use within the company. The personal data are accessible in the immediate working environment for the various stakeholders who have to work with them.
- The interim archiving of personal data: the personal data are no longer actively used to achieve the recorded purposes (“closed files”), but are still of interest to the company because they can be useful later, for example in the context of possible future disputes or to comply with a legal obligation. The personal data may later be consulted only on an ad hoc and reasoned basis by specifically authorised persons.
- The final archiving of personal data: this concerns personal data that are archived without a time limit. It concerns processing carried out for the purpose of archiving in the public interest, scientific or historical research or statistical purposes. The CNIL notes that this last stage is mainly relevant for the public sector.
The CNIL emphasises the basic principle laid down in article 5 GDPR that personal data must be definitively deleted at the end of the intended processing, in other words: when the purpose for which your data was used has been achieved.
This does not mean that data should be systematically deleted everywhere and in all cases. Personal data can be used for various successive applications (and therefore purposes) and a different retention period may apply for each application and purpose.
For example, it is possible in certain cases to temporarily archive or to anonymise personal data. Permanent anonymisation is on the same footing as deletion, since anonymised data are no longer personal data. Pseudonymised data, by contrast, remain personal data as long as the key or table that allows re-identification exists, so pseudonymisation does not end the retention question.
How do you determine appropriate retention periods?
The GDPR does not determine exactly how long personal data may be retained. In other words, the regulation does not provide a list of predetermined retention periods.
However, the CNIL does now provide some useful guidelines:
- Sometimes the law determines how long you may or must retain data (for example, the retention of certain accounting documents).
- There are also sector-specific guidelines from some supervisory authorities, such as the CNIL itself (see for example its “reference frameworks“, such as reference RS-001 “the management of health monitoring”).
- In some cases, references can also be found within the sector, for example in sector codes.
The CNIL offers an evaluation scheme to help companies determine retention periods. That scheme can be found here.
Some concrete examples
- How long can I retain (personal data in) the invoices from my accounts (bookkeeping)?
Each company has the obligation to keep its accounting documents for 7 years from the first day of the year following the closing of the financial year (Royal Decree of 21 October 2018).
Documents relating to construction and renovation – including invoices and contracts for (the sale of) real estate property, contractors and architects – are even subject to a retention period of 10 years.
This means that the retention period for personal data from accounting documents can be set at a minimum of 7 years, in some cases even 10 years.
- How long should/may I retain (personal data in) a CV or an employment contract?
A large number of social documents are subject to a mandatory retention period of 5 years (Royal Decree of 8 August 1980). The justification for the retention of personal data in these documents is therefore easy to find.
Furthermore, the purpose of processing the concrete personal data is of course important.
The Dutch supervisory authority, called the Autoriteit Persoonsgegevens, states that it is customary for an organisation to delete application data no later than 4 weeks after the end of the application procedure. However, the candidate may give his/her consent for the personal data to be stored for a longer period of time, for example because a suitable position for the candidate may be available at a later date. A maximum period of 1 year after the end of the application procedure is reasonable in the opinion of the Dutch supervisory authority.
For personal data in an employment contract, it is logical that the data should be kept for the period during which the employment contract is executed. The retention of such data after termination of the employment contract is perfectly possible, for instance on the basis of the above-mentioned mandatory retention period for a number of social documents (depending on the specific case).
- How long can I retain a customer’s contact details?
Also in this case the purpose of processing the concrete personal data is important.
When it comes to the data that is needed to execute an ongoing agreement, few questions arise. As long as the contract is in force (or more concretely, as long as certain obligations in the contract are executed or remain relevant – for example, guarantee provisions), personal data can be retained.
If the same personal data are also retained and used for another purpose (in addition to the execution of the agreement), such as direct marketing, then you may retain the data for a further period after the termination of the agreement, but only for as long as that other purpose requires.
Finally, you can find another interesting example in this article “Retention periods under GDPR: Interesting decision by the Austrian supervisory authority“.
What if the personal data are also processed by your company’s partners (suppliers, subcontractors, etc.)?
Personal data that you, as the data controller, pass on to a data processor remains your responsibility. You must therefore ensure that the personal data is stored correctly and ultimately deleted by your partner (the data processor).
The obligations of the data processor have to be laid down in a data processing agreement, and the processor has to receive clear instructions, including on how the personal data must be stored and when they must be deleted in accordance with the specified retention periods.
Useful tips on the use of data processing agreement can be found in our article “data processing agreement with your website developer or hosting provider“.
Would you like to take further concrete steps towards GDPR compliance yourself?
Then be sure to take a look at our GDPR toolkit, which you can find here.
Questions about GDPR and data protection in Belgium or Europe, or more specifically about retention (periods) of personal data?
New rules for cryptocurrencies in the EU soon to come?
Cryptocurrencies such as Bitcoin and its countless derivatives have been steadily on the rise for years and we have come to a point where they simply cannot be ignored in our society. Cryptos are here to stay.
However, in most EU member states, legislation has not followed on this development at all in recent years, as a result of which cryptocurrencies are now subject to a very unclear legal framework in most European countries.
Legal uncertainty is always a brake on innovation, as the European Commission knows very well and that is why the EC has been working hard behind the scenes to prepare a draft regulation that should ensure unified legislation on cryptocurrencies throughout the EU. The proposal aims to better protect consumers and investors from the risks associated with digital financial operations.
For the time being it is only a draft text, but at Sirius Legal we would not be the innovation leaders we are if we did not want to give you an upfront insight into these rules, which will probably be finalised in legal texts in 1.5 to 2 years’ time.
MiCA is the name of the draft regulation: the Regulation on Markets in Crypto-assets. The draft should create a clear legal framework for crypto-assets and, more broadly, for Distributed Ledger Technology. It wants to support innovation while also creating a secure and trustworthy framework for cryptocurrencies, with the same level of protection as for traditional financial products. The basic principles are investor protection, market integrity and financial stability.
Because MiCA wants to create the same safe framework as the one we already know from classic financial services, it should come as no surprise that many of the principles that MiCA imposes on issuers and service providers of crypto assets will sound familiar to lawyers from the banking world. Well-known from financial law is, for example, the prohibition of insider trading and market manipulation.
MiCA is primarily creating a new licensing system for crypto asset issuers and service providers at a European level. MiCA also provides substantive rules of conduct and many aspects of consumer protection. MiCA is also introducing a new EU-wide passport for operators licensed under the MiCA regime in their own Member State.
Who will MiCA apply to?
MiCA applies to companies involved in the actual issuance of cryptoassets (Initial Coin Offerings or ICOs) or providing other services related to cryptoassets in the EU, such as merchants and intermediaries.
The regulation distinguishes between three categories of issuers:
- Issuers of “asset-referenced tokens”: these are crypto-assets that aim to maintain a stable value by referring to the value of several fiat currencies that are legal tender, to one or more commodities, to one or more other crypto-assets, or to a combination of such assets. Anyone who wants to issue such tokens will need an authorisation from the competent authority of their home Member State. To obtain it, the issuer will have to comply with a long list of conditions, including the obligation to hold sufficient reserve assets and the obligation to publish a prospectus (white paper).
- Issuers of “e-money tokens”: these are crypto-assets that are used as a medium of exchange and aim to maintain a stable value by referring to the value of a single fiat currency that is legal tender. Issuers of e-money tokens must be authorised by the regulator of their home state as a credit institution or as an electronic money institution, and as such will be subject to the requirements of the EMD II Directive (Electronic Money Directive II). Several further rules apply: issuers must publish a prospectus, must ensure that holders of e-money tokens have a claim on the issuer, must issue the tokens at par value on receipt of funds and must clearly state the terms and conditions for redemption. Issuers of e-money tokens are prohibited from paying interest on the tokens.
- Issuers of Other Tokens: Issuers of these types of cryptoassets (e.g. Utility tokens) do not require a license to offer their cryptoassets to the public or to access a crypto exchange and, provided they meet the requirements of MiCA, they are allowed to do this throughout the EU. Issuers do have to comply with a whole series of conditions, such as issuing a prospectus and strict advertising rules. In addition, issuers will have to be able to justify in advance why their cryptoasset is not a financial instrument or structured deposit under the MiFID II Directive, electronic money under the EMD II Directive or a deposit under the EU Directive on Deposit Guarantee Schemes.
Note that while there is a prospectus requirement, there is no need to obtain prior approval of the content of the prospectus or marketing communication. National regulators can suspend or ban a supply of cryptoassets in the event of violations of MiCA by the issuer.
Providers of other services must also obtain a licence in most cases. There are eight types of such services, and the list closely mirrors the existing investment services and activities under MiFID II:
- custody and administration of crypto-assets on behalf of third parties
- operating a trading platform for crypto-assets (in other words, crypto exchanges)
- exchange of crypto-assets for fiat currency that is legal tender
- exchange of crypto-assets for other crypto-assets
- execution of orders for crypto-assets on behalf of third parties
- placing of crypto-assets
- reception and transmission of orders for crypto-assets on behalf of third parties
- providing advice on crypto-assets
Existing credit and insurance companies
Existing banks and credit institutions do not need to obtain a new licence to offer crypto-asset services. The same applies to investment firms under MiFID, provided that the crypto-asset service in question corresponds to the MiFID investment service or activity for which they are already licensed.
Insurers and reinsurers under the Solvency II Directive are also outside the scope of MiCA for activities that fall under Solvency II.
Exemptions for public offering
The public offering of crypto-assets can be exempt from the licensing obligations if one of the following conditions is met:
- the crypto-assets are offered for free;
- the crypto-assets are created automatically through mining as a reward for the maintenance or validation of transactions on a distributed ledger or comparable technology;
- the crypto-asset is unique and not fungible with other crypto-assets;
- the offer is addressed to fewer than 150 natural or legal persons per Member State, each acting on their own account;
- the total consideration does not exceed EUR 1,000,000 (or the equivalent in another currency or in crypto-assets) over a 12-month period;
- the offer is exclusively addressed to qualified investors and the crypto-assets can only be held by such qualified investors.
For asset referenced tokens or e-money tokens, the MiCA licensing requirement will not apply if:
- the asset referenced tokens / e-money tokens are exclusively sold and distributed to qualified investors and can only be held by qualified investors.
- the average outstanding amount of tokens does not exceed € 5,000,000 (or the corresponding equivalent in another currency) over a 12-month period.
Note that in case of such an exemption, the prospectus requirement still exists.
What about existing services and providers?
Cryptoasset service providers have 18 months from the date MiCA comes into effect to obtain a license. Until authorized, however, crypto asset service providers will have to continue to comply with existing national laws of member states.
Existing cryptoassets that are not asset-referenced tokens or e-money tokens that were offered in the EU prior to the date of MiCA entry into force will benefit from a “grandfathering” provision and will not be subject to the MiCA requirements.
What are the next steps?
As we stated in the introduction, this is just a first draft of the regulation. The legislative process within the EU will continue before it becomes a definitive regulation, which can take up to two more years.
There is, however, no doubt that the scheme will eventually come about. For those who are active in the crypto currency world, it is time to prepare for what is to come.
Questions about crypto currencies, DLT or blockchain?
The GBA attacks the IAB Europe TCF: a bomb under online marketing in Europe?
Earlier this week an internal and confidential document became public in which the Belgian Data Protection Authority (GBA), in the context of an investigation following a complaint, examines the Transparency and Consent Framework of IAB Europe in a particularly critical way.
The GBA is of the opinion that TCF, the standard in the online marketing world for collecting and sharing online profile data in order to serve personalised advertisements, is fundamentally contrary to GDPR on several points.
This is a first report, not a final decision, but it can have very far-reaching consequences for the entire online marketing world and the way personalized ads are displayed to website visitors.
A potential bomb under the online marketing world in other words …
What is the IAB TCF?
The Transparency & Consent Framework of IAB Europe, or TCF for short, is a standard used within the online advertising sector to obtain consent for the placing of cookies and other trackers. These trackers allow advertisers to show website visitors targeted, personalised advertisements across different websites, based on their browsing behaviour, their online preferences and their profile information.
TCF is also the engine behind Real Time Bidding (RTB), in which automated auction platforms bid within milliseconds on a particular ad slot on a particular website that is being visited at that moment by someone within the advertiser’s target audience.
Why is this a problem?
Personalized advertising in itself is a good thing without a doubt. After all, relevance is king in online marketing. As an advertiser, you want to be able to deliver the right message to the right person at the right time. Only then can you be sure that your message will get through. People are inundated with advertising messages and only record what really concerns them personally. That is better for the advertiser, who spends less money with unnecessary advertisements, and for the website visitor, who is not disturbed with irrelevant content.
However, there is a serious legal sting to that relevance. After all, creating relevance requires knowledge of your audience and you build that knowledge with as detailed profile information as possible.
That profile information does not fall out of the blue, of course. This is where GDPR and the cookie rules (ePrivacy) come into play. Both require full transparency and an appropriate legal basis for collecting data and sharing it with third parties. For cookies that are not strictly necessary for the service the visitor requested, that legal basis is always prior consent. Under GDPR, processing can in theory also be based on legitimate interest instead of consent. However, at the beginning of this year the Belgian Data Protection Authority took a very strict line in its analysis of legitimate interest in the context of direct marketing (which, according to its analysis, also includes online marketing). As a result, under GDPR too, free, prior and informed consent is de facto required to collect personal data for online marketing purposes such as RTB.
The problem, according to a whole range of privacy activists (no fewer than 22 organisations from 16 countries joined the complaint to the GBA), is that this consent is not obtained correctly within the TCF framework. They have therefore collectively filed a complaint with the Belgian Data Protection Authority. The reason for filing the complaint in Belgium, even though it concerns a European platform, is simple: IAB Europe has its offices in Brussels.
What does the GBA say?
The GBA follows the complainants in a first, admittedly interim, report. It confirms that it too believes that the current way data are processed within the TCF framework is not in accordance with GDPR.
Perhaps the biggest objection of the GBA is that, in its view, IAB Europe itself is responsible for the processing of the data that are collected and processed through its TCF framework by advertising agencies and advertisers. According to the GBA, IAB Europe (co-)determines the purposes and means of the processing, which makes it a controller under GDPR. That in turn means that IAB Europe carries the whole series of obligations that GDPR imposes on controllers: transparency, obtaining consent, privacy by design, and so on.
We personally have questions about this approach of the GBA. After all, IAB only makes a tool available. It does not itself determine which data are collected, nor does it itself determine the purposes for which these data are processed by the recipients concerned. This seems at least open to criticism …
It is more difficult to refute the conclusion that, when profile data of website visitors are collected via the TCF framework, “sensitive data” (or “special categories of personal data”, as GDPR actually calls them) may also be collected: for example medical data, data on sexual orientation, political opinions, etc. Under GDPR such data may only be processed with the separate, explicit consent of the data subject, which is usually not obtained in online collection via cookies or trackers. If IAB Europe cannot refute the DPA’s first conclusions, this is a fundamental fault line between TCF and GDPR, and one that is very difficult to reconcile given the countless agencies and advertisers that now hold such sensitive data obtained through TCF and use it daily in RTB campaigns.
Equally worrying for the future of TCF is that TCF actively encourages the use of legitimate interest as the legal basis for processing personal data for online profiling and personalisation. The Belgian Data Protection Authority already indicated last January in its Direct Marketing Recommendation that legitimate interest can only serve as a legal basis for (direct) marketing purposes in very exceptional cases. Consistently requesting separate consent for each collection and transfer of personal data, however, is virtually impossible: the number of parties involved in the Real Time Bidding process in particular is so large that this seems unachievable in practice.
In addition, the Belgian DPA has serious reservations about the security of the TCF system as a whole, in the sense that too few safeguards are built into the framework itself to guarantee the rights of the data subject. This too touches on one of the cornerstones of GDPR, making it a serious setback for TCF.
Broader context: the end of third party cookies
This landslide received widespread attention last year when first the European Court of Justice and then the Belgian Data Protection Authority took a hard look at websites that place cookies on visitors’ devices without the prior, free and informed consent of those same visitors. But underneath, things had been bubbling for a long time. Apple had previously announced that it would block all third-party cookies (which mainly collect personal data for marketing purposes) through its Intelligent Tracking Prevention (ITP 2.1). Mozilla Firefox soon followed and went a step further by also blocking fingerprinting by third parties, and when Google subsequently announced that third-party cookies would also be blocked in Chrome from 2022, it was clear that the online marketing world faced one of the greatest technical, practical and legal challenges of its existence, and that it would have to learn to survive in a context of cookieless advertising …
We have discussed this more than once in the past year, including in Obsessed by Marc Bresseel and Renout Van Hove and in an extensive Cookie Cahier that will soon be published by Politeia Publishers. This week it is also exactly the subject of our legal webinar at BAM, the Belgian Association for Marketing.
What does this mean in practice?
In the longer term, the entire sector will have to shift to a different way of advertising, to more contextual campaigns, to using more of its own profile data (whereby the same questions about GDPR compliance and the use of analytics cookies in particular will continue to surface again and again).
Not much will change in the short term. The leaked report is only an interim report. IAB Europe will still be able to defend itself (by 7 December 2020 at the latest), and there are certainly a whole series of useful arguments conceivable to water down the final position of the GBA. The final decision is not expected until the course of 2021.
However, all this is a sign on the wall for anyone who collects and processes personal data online, both within and outside TCF. More than 80% of websites in Belgium are still not cookie compliant and over 66% of Belgian companies are not yet GDPR compliant. In our practice, we see daily examples of marketing departments at large national and international companies in banking and insurance, industry, automotive, … that do not master the basics of a GDPR compliant marketing policy. The risks that this entails are magnified by the exponential growth of marketing automation tools, customer data platforms and other adtech toys that flood the market with promises of endless possibilities, but which very often do not comply with the basic rules of our privacy legislation.
So be careful. Have a GDPR compliance audit of your marketing department carried out in good time, carry out Data Protection Impact Assessments before you start using new tools and software, and also consider an extensive cookie scan of your website(s).
Questions about GDPR compliance for marketing departments?
Feel free to contact Bart Van den Brande without obligation. You can call or email us on 0486 901 931 or at email@example.com or you can also book a no-obligation introductory meeting via Google Meet directly.
Schrems-II, what now? Data export to the US in 7 steps
Schrems-II is not a look-alike of the Austrian privacy activist Max Schrems, and it is not the name of his child either. It is the name of his second victory, early this summer, at the European Court of Justice. We already wrote an article about it, because the consequences of this judgment for data exports abroad are enormous. No grace period was granted, so every company that exports data to a third country immediately had to put its affairs in order. Schrems did not allow himself a rest either, but immediately filed 101 complaints with various data protection authorities in the EU. Belgian companies have not been spared: complaints have already been lodged against bpost.be, neckermann.be, logic-immo.be and flair.be. So do not assume this does not concern you; you are exporting data to the US before you know it. Numerous frequently used tools such as Google Analytics, Hubspot, Sharpspring, Facebook and Twitter export data to the US, so almost every Belgian company is affected.
Recently a German data protection authority (from Baden-Württemberg) was the first to issue more concrete guidelines on how life continues after the Schrems-II judgment. We have studied these guidelines thoroughly and summarised the main findings in a number of concrete steps.
Step 1: Make an inventory of all data that you export to third countries
If you already have a data register, this is an easy step for you and you can immediately go to the next step. If you are not familiar with the word ‘data register’, we will gladly provide some further explanation.
The General Data Protection Regulation (GDPR) imposes an obligation on every controller to record all processing activities that take place under its responsibility. In concrete terms you map out a number of things in a data register for all the data you collect: the purposes, the means, the legal bases, the risks to the privacy of those involved, the access to that data, the transfer to third parties,… This provides an overview of all data flows within the company. It considerably simplifies possible inspections and audits.
You can use a number of qualitative questionnaires or evaluation tools for this, but of course Sirius Legal can offer you specialized assistance.
Step 2: Contact your service provider / contracting parties in the third country
We recommend you to inform all your contracting parties, service providers, etc about the Schrems-II judgment and its consequences. Sirius Legal has created a standard letter template for this with a Data Export Impact Assessment. You can download this template for free at the bottom of this blog post.
The term ‘third country’ doesn’t mean every country other than your own, but rather every country outside the European Economic Area, which is the EU expanded with Norway, Iceland and Liechtenstein.
Step 3: Check whether there is a decision on an adequate level of protection in the third country
For some third countries, the European Commission has decided that this country offers an adequate level of protection (‘an adequacy decision’), so you can export data to those countries based on that decision. The full list of those countries can be found on the website of the European Commission. Currently negotiations are ongoing with South Korea. We will of course follow this closely and keep you continuously informed about any changes through our blog and social media.
Step 4: Assess the legal situation of the third country
In the case of data export to a third country for which there is no adequacy decision, we arrive at the next step. Here the data protection authority of Baden-Württemberg recommends a thorough investigation of the legal situation in that third country. It is particularly important to check whether national security or law enforcement authorities can gain access to the exported data, and under which conditions.
You can consult your national data protection authority for this (in Belgium the GBA, in the Netherlands the AP, in France the CNIL and in the UK the ICO), the European Commission, the EDPB, your national ministry of foreign affairs, …
We understand that this is a complicated and time consuming job. Sirius Legal has an extensive network of foreign lawyers specialized in these matters. This allows us to make our own ‘adequacy assessment’ for almost every third country.
Step 5: Assess whether SCCs are sufficient
Now that you are aware of the legal situation in the third country, it is time to assess whether the Standard Contractual Clauses (SCCs) are sufficient. The SCCs have been created by the European Commission for data export to third countries. These are contracts that you can conclude with the controller or processor in that third country. If no problems were found in the step discussed above, you can use these SCCs without any problem. Keep in mind that the European Commission is reviewing the SCCs. If the SCCs do not suffice, go to the next step.
Step 6: Create additional guarantees and use customised SCCs
The Baden-Württemberg data protection authority proposes a number of additional safeguards. First, the encryption of the data on your end, before export. In that case, make sure that you as the exporter are the only party holding the key needed to decrypt the data, that the key itself never leaves your control, and that the encryption used is strong enough that it cannot simply be broken. If the importer (or its cloud provider) can decrypt the data, the safeguard adds nothing. We invite you to read the article ‘Is encryption mandatory under GDPR’ (only available in Dutch for the moment) if you want to know more about encryption.
Second, the anonymisation or pseudonymisation of the data on your end. This ensures that the recipient of the data cannot simply find out who the data subject really is. Keep in mind that this must happen before the data are entered into or uploaded to the foreign tool: pseudonymisation applied by the importer after receipt offers no protection against the importer itself.
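To make the pseudonymisation point concrete, here is an added example (our own illustration, not part of the Baden-Württemberg guidance or the original post) in Python. It assumes a small constructed customer export in which the e-mail address is the direct identifier. It shows why an unkeyed hash of the e-mail is not adequate pseudonymisation, since anyone with a list of likely e-mail addresses can recompute it, and how a keyed HMAC under a key that stays with the exporter, together with a re-identification table that is never exported, fixes that. The class and function names are ours.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample export: records that would leave the EEA (not real data).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "BE", "orders": 3},
    {"email": "bob@example.com", "country": "NL", "orders": 1},
]

# Constructed candidate list an importer or other recipient might guess from.
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256: looks anonymous, but is reversible by guessing inputs."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that only the exporter holds."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def reverse_by_guessing(token: str, candidates: Iterable[str],
                        transform: Callable[[str], str]) -> Optional[str]:
    """Simulate a recipient recomputing `transform` over a candidate list.

    Returns the matching identifier if the token can be reversed, else None.
    """
    for candidate in candidates:
        if hmac.compare_digest(transform(candidate), token):
            return candidate
    return None


class Exporter:
    """Exporter-side pseudonymisation.

    The HMAC key and the pseudonym -> identifier table stay on this side and
    are never part of the export. Without them the importer cannot re-identify.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def pseudonymise(self, records: Iterable[Dict], identifier: str = "email") -> List[Dict]:
        """Replace the direct identifier by a keyed pseudonym before export."""
        exported: List[Dict] = []
        for record in records:
            token = keyed_pseudonym(record[identifier], self.key)
            self.lookup[token] = record[identifier]          # stays with exporter
            out = {k: v for k, v in record.items() if k != identifier}
            out["subject_id"] = token
            exported.append(out)
        return exported

    def reidentify(self, token: str) -> Optional[str]:
        """Only the exporter can map a pseudonym back to the data subject."""
        return self.lookup.get(token)


if __name__ == "__main__":
    exporter = Exporter()
    shipped = exporter.pseudonymise(SAMPLE_RECORDS)
    print("exported:", shipped)
    # An unkeyed hash is trivially reversed from a candidate list ...
    print("naive hash reversed to:",
          reverse_by_guessing(naive_hash("alice@example.com"), CANDIDATE_EMAILS, naive_hash))
    # ... the keyed pseudonym is not, because the recipient lacks the key.
    print("keyed pseudonym reversed to:",
          reverse_by_guessing(shipped[0]["subject_id"], CANDIDATE_EMAILS, naive_hash))
```

Two practical caveats: the pseudonymised export is still personal data under GDPR as long as you hold the key and the lookup table, so the transfer rules in this article continue to apply, only with a lower risk; and the HMAC key must be stored in the EEA under your control (an HSM or a key management service in an EEA region), not in the same foreign tool that receives the export.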
Subsequently, the Baden-Württemberg data protection authority proposes a number of concrete adjustments and additions to the SCCs:
- An obligation for the data exporter to inform the data subject that his or her data is exported to a third country that does not provide an adequate level of protection;
- An obligation for the data importer to inform both the exporter and the data subject of any request for access to the data. If this is not possible, the obligation to notify the exporter’s national data protection authority;
- An obligation for the data importer to take legal action against any request for access and exhaust these legal measures;
- The granting of more rights to the data subject in a dispute with the data importer and the addition of a compensation clause.
Step 7: And if none of that helps …
It is possible that the above measures are either not feasible or still do not provide sufficient guarantees. In that case, the Baden-Württemberg data protection authority points out that the derogations of Article 49 GDPR remain, but it stresses that these are interpreted very strictly and are therefore rarely accepted as a basis for exporting data to a third country. One of them is the possibility of asking the data subject for consent to the data export. This consent must meet all the requirements of GDPR: it must be free, specific, informed and unambiguous, and for a transfer under Article 49 it must also be explicit and given after the data subject has been informed of the possible risks of the transfer.
If all of the above did not help, it is probably safer to stop the cooperation with the partner.
Forewarned is forearmed
Our previous blog post about the Schrems-II judgment and this blog post should provide you with a running start. A number of recommendations and guidelines will surely be provided by other data protection authorities in the near future which will hopefully provide more clarity. We will of course continue our investigations and inform you about it on our blog and social media. For now you can already start with the following steps:
Step 1: consult your data register / set up a data register
Step 2: inform your service providers / contracting parties
Step 3: check whether a decision has been made about the appropriate level of protection
Step 4: assess the legal situation
Step 5: check whether SCCs are sufficient
Step 6: if not, create additional guarantees and conclude customised SCCs
Step 7: stop the data export / find an alternative
Do you have questions about data export under GDPR or need help with an audit of your current contracts?
Request a template letter and Data Export Impact Assessment
Here you can download the template of a letter with a Data Export Impact Assessment which you can use in your communication to third parties in countries outside the EEA.
Transferring personal data to the US after the Schrems-II judgment? Everything you need to know to avoid legal risks
The Austrian Max Schrems has once again been successful in one of the many privacy lawsuits that he has regularly conducted over the past years. The consequences are significant this time. After the “Safe Harbor” system had already been brought down, the “Privacy Shield” has now also been brought to an end by Schrems (on perfectly logical grounds, by the way).
The “Privacy Shield” between the EU and the US ensured that personal data could be exported securely and in compliance with GDPR to the United States by European companies. Many US cloud services, apps and software tools have relied on the Privacy Shield to offer their services to European customers in a legally compliant manner.
But as it now turns out, the Privacy Shield itself is not compliant with European data protection law, and the ECJ has now invalidated the whole system.
What does this mean for your company? Read all about it in this article.
Transfer of personal data outside the EU?
Transferring personal data to persons or companies outside the European Union is in principle not allowed under GDPR. The European legislator assumes that countries outside the EU (or rather the EEA, which is the EU, expanded with Norway, Iceland and Liechtenstein) cannot necessarily offer the same level of data protection as the level that exists in Europe under GDPR. Therefore, personal data may only be transferred outside the EEA under very specific conditions.
First, there is a (very short) list of “safe” countries, which are expected to provide a similar level of protection based on their own legislation. This list includes a number of British Commonwealth countries, as well as Japan, Canada, Argentina and Israel.
Data can be transferred to a recipient in a country that is not on this list on the basis of one of two systems.
When it comes to transfers within a group of companies, so-called “Binding Corporate Rules” can be drawn up internally. BCRs are internal regulations that must be approved by the competent Data Protection Authority and that have to guarantee the safety of data exchanges within the group.
If one wants to transfer data to a company that does not belong to the same group (a cloud provider, an external software developer, an offshore call center, etc.), on the other hand, one must ensure that an agreement is signed with the recipient in which a whole series of guarantees is explicitly provided. The European Commission has created Standard Contractual Clauses for this purpose that can be copied one-to-one into such an agreement.
Anyone who transfers personal data and cannot fall back on one of these legal constructions is at risk of incurring very high fines.
Many technology companies are located in the United States and there is therefore a lot of personal data export from the EU to the US. However, since data protection laws in the US do not offer the same “adequate” level of protection as the stringent requirements set by GDPR in the EU, the US has never been shortlisted by the EU as a “safe country”.
In order to ensure that American companies could continue to trade with partners in the EU, a different and specific system for data exchange between Europe and the United States was set up many years ago. That system was successively called the Safe Harbor system and later the Privacy Shield and prevented US companies from having to enter into Standard Contractual Clauses with their customers in the EU whenever data had to be passed on to them, for example because they were stored or processed on their servers. Safe Harbor and Privacy Shield ensured that US companies provided an adequate level of security for personal data if they met a number of strict conditions and were certified in the US. It was in other words not the American legislation itself, but the safety level offered by American companies that was considered “adequate”.
The first version of this system, Safe Harbor, was successfully attacked in 2015 by Max Schrems, who believed that US companies could never guarantee an “adequate” level of security for personal data because US law grants far-reaching rights to US intelligence services that allow them to monitor and analyze personal data. This complaint ultimately resulted in the Safe Harbor system being declared invalid and replaced by a similar system called the Privacy Shield.
With regard to the validity of that Privacy Shield, the European Court now quite rightly says that this regulation in its turn still cannot provide a level of protection equivalent to the level of protection that exists within the EU. Again, this is due to the extensive interference of US intelligence services, which systematically and widely monitor data from emails and cloud storage services based on, amongst others, the Foreign Intelligence Surveillance Act, Executive Order 12333 or the Presidential Policy Directive. The Court of Justice therefore now declares the Privacy Shield to be invalid.
What does this mean for you?
This decision has far-reaching consequences. After all, a lot of online service providers from the US rely on the Privacy Shield to legally process personal data of their European customers. The whole system is now shattered with one stroke of a pen and thousands of American companies no longer meet the minimum conditions to store or process personal data of European citizens. This concerns, for example, cloud storage services, hosting services, all kinds of online tools for online marketing, CRM, accounting packages, ERP, but also, for example, local software developers, consultants, call centers, etc …
Strictly speaking, all of a sudden and overnight, European companies are no longer allowed to exchange personal data with their American partners. If they do so anyway, they will expose themselves to immense fines and if any data breach should occur at such a non-compliant partner in the US, the European companies involved may also be held liable for all damages following from such a data breach, in addition to the aforementioned fines.
An additional problem: Brexit
Not only data export to the US under the Privacy Shield is problematic, by the way. By the end of 2020, an equally serious legal problem will arise for European companies that export data to the United Kingdom. After all, if there is no Brexit deal by the end of 2020, the UK will from then on become a “third” country, which for the time being does not have an adequacy decision by the European Commission and to which personal data can therefore no longer be automatically exported.
In other words, British companies will be in the same situation as American companies by the end of this year: they will have to conclude data export agreements with their European customers on the basis of the Standard Contractual Clauses of the European Commission, failing which European companies will no longer be allowed to cooperate with them.
Fortunately, the Court ruled that the system of Standard Contractual Clauses is not invalid. The solution is therefore clear: European companies must ensure that all cooperation with US partners that was based on the Privacy Shield is replaced as soon as possible by an agreement based on the Standard Contractual Clauses of the European Commission.
The Commission has worked on modernizing those standard clauses, which go back to 2010 and are no longer GDPR-compliant. It has been waiting for the Schrems-II case to be resolved before releasing them officially, but we can now expect the updated clauses to be made public soon. Anyone who relied on the old clauses in the past may also have to update their agreements in the near future …
What exactly should you do?
- Look out for new guidelines from your local Data Protection Authority, the EDPB and the European Commission.
- In the meantime, do an internal audit of your pending agreements and watch out for:
  - Data transfer to US partners previously covered by the Privacy Shield
  - Data transfer to UK partners previously located within the EU
  - Data transfer to any other country based on the old Standard Contractual Clauses
  - Data transfer that is subject to Binding Corporate Rules and that involves data transfer to the US. The ECJ does not mention Binding Corporate Rules, but they are a form of “appropriate protection” under Article 46, so the general comments on the need to review the law of the importing country may also apply here. Guidance from supervisory authorities on this point would be particularly welcome.
- Assess for each partner whether the existing framework is still sufficient.
- Provide a new data export agreement where necessary, based on the soon to be announced Standard Contractual Clauses.
- Keep in mind that transfer of data outside the EU is only possible if necessary, and give preference to European partners.
- Take into account the obligation that the European Court of Justice also imposes to assess the “appropriate” nature of local legislation, even if Standard Contractual Clauses (or Binding Corporate Rules within a group of companies) are used.
- So, ideally based on a Vendor Assessment List, check the following points:
  - To which country is personal data transferred?
  - Could government authorities in that country be entitled to access the data?
  - Is the data encrypted or tokenized during transport?
  - Has the recipient, as GDPR requires, taken sufficient safeguards in addition to Standard Contractual Clauses or Binding Corporate Rules to make up for the lack of data protection in his or her country? The data exporter has a duty to ensure “appropriate safeguards”, especially as regards access by public authorities to data. If the (European) data importer may be required to submit data for inspection to his or her government, he cannot meet the requirement of an “adequate level of protection” and must notify the data exporter in advance. This is a huge problem for the US in particular because of the previously cited intelligence legislation. In that case, the data exporter must immediately stop any transfer.
- If necessary, stop working with partners who are unable or unwilling to meet the required conditions. The potential impact on your business is far too great to take risks.
Are all data transfers to the US illegal from now on?
This judgment places a time bomb under just about every data transfer to the US, by the way. After all, almost all European data is transferred to the US via submarine fiber optic cables on the ocean floor. The ECJ notes that the American NSA has systematic access to these cables and can collect and analyze data even before it arrives in the U.S.
The ECJ rightly says that this de facto means that personal data is never “secure” in the US and can never be “processed with the minimum safeguards … and as a result, the surveillance programs based on these provisions cannot be considered as limited to what is strictly necessary”. The ECJ further notes that: “In those circumstances, the restrictions on the protection of personal data that arise from United States national law regarding the access to and use by the United States government of such data transferred from the European Union to the United States, which the Commission has assessed in the Privacy Shield Decision, are not defined to meet requirements that are substantially equivalent to those required by EU law …”.
In other words, this means that US law itself is incompatible with the EU’s minimum data protection requirements. Since all data sent to the US via a submarine cable appears to be susceptible to access by the NSA, it is difficult to see how a data exporter could conclude that his data is sufficiently protected by the recipient in the US. It remains to be seen how the various Data Protection Authorities and the EDPB will react to this.
Questions about data export under GDPR or need help with an audit of your current contracts?
Feel free to call or email us. Our team is happy to assist you. You can reach Bart Van den Brande at +32 486 901 931 or at firstname.lastname@example.org