June 2019 Legislative Updates

June 11, 2019

EU-US Privacy Shield

Federal Trade Commission (FTC) Director of Consumer Protection Andrew Smith said in an interview that it is a goal of the FTC to bring more actions for substantial violations of the EU-U.S. Privacy Shield framework. The FTC has already taken action against companies for “technical” violations of the Privacy Shield Program (e.g., false claim to participation, misrepresentation in one’s privacy policy about participation) (here and here). According to Director Smith, the FTC will take Privacy Shield enforcement cases as the FTC finds them. The Privacy Shield program provides European and American companies a framework to move data freely between Europe and the U.S. in compliance with privacy protection laws, generally referred to as “cross-border transfers of data.” Read more here.

On May 28th, TechCrunch reported that the General Court of the European Union agreed to hear a complaint brought by the French digital rights group La Quadrature du Net against the European Commission challenging the EU-U.S. Privacy Shield. La Quadrature du Net argued in the complaint that U.S. privacy laws and government surveillance practices fail to meet the data protection standards required by EU law and do not provide adequate protection for EU citizens’ data.

General Data Protection Regulation

On March 16th, the European Data Protection Board (EDPB) reported that in the one year since the General Data Protection Regulation (GDPR) took effect, European data protection authorities have received 65,000 data breach notifications and 94,000 total complaints. According to the article, the EDPB estimates that the frequency of data breaches has remained constant, but the rate at which organisations report data breaches has increased significantly.

On May 24th, Irish Commissioner for Data Protection Helen Dixon published a press release on the anniversary of the implementation of the General Data Protection Regulation (GDPR). According to Commissioner Dixon, in the first year of the GDPR:

  • 6,624 complaints were received;
  • 5,818 valid data security breaches were notified;
  • 54 investigations were opened, 19 of which were cross-border investigations; and
  • 1,206 Data Protection Officer notifications were received.

Irish Data Protection Commission

On May 22nd, the Irish Data Protection Commission (DPC) initiated a statutory inquiry into Google Ireland Limited for its processing of personal data on its Google Ad Exchange. The DPC investigation will consider whether the Google Ad Exchange data processing and data retention practices are compliant with the General Data Protection Regulation.

International Data Flow

On May 27th, the Information Technology and Innovation Foundation (ITIF), a technology policy think tank, released a report recommending that G20 countries adopt trans-border data flow principles that include strong data protection standards. ITIF proposed four core principles for the G20 countries to consider at the G20 Ministerial Meeting on Trade and Digital Economy, which would promote trans-border data exchange while protecting the privacy of individuals’ data. ITIF recommends that countries:

  • Hold organisations accountable for managing data that they collect, regardless of whether a third party stores or processes that data;
  • Amend the processes for law enforcement requests for access to data stored in another country’s jurisdiction;
  • Develop legal and administrative policies to allow Internet service providers to block data flows that involve illegal distribution of unlicensed content; and
  • Support encryption in securing data flows and digital technologies.