European Union

Subscribe to European Union via RSS

The European Commission is considering modifying the standard contractual clauses (hereafter “SCCs”) established on December 27, 2001 and used by data controllers to transfer personal data to data processors located outside the EU. The new SCCs may introduce more flexibility in processing services and better reflect new business practices.

On May 12, 2009, the UK Information Commissioner’s Office (ICO) released a much anticipated report authored by the RAND Corporation assessing the strengths and weaknesses of the 1995 EU Data Protection Directive (95/46/EC) (the "Directive), the main source of privacy legislation in Europe. While the report highlighted a number of the Directive’s positive attributes, it nonetheless concluded that as society becomes more globally networked, "the Directive as it stands will not suffice in the long term."

The European Commission announced this week that it might sue the United Kingdom if that country fails to limit the tracking and collection of users’ Internet browsing habits and personal information without prior consent. The United Kingdom until now has adopted a self-regulatory approach similar to that followed by the

In a landmark ruling, the European Court of Human Rights (ECHR)—Europe’s highest court to take up cases affecting the privacy rights of EU citizens—ruled that some aspects of the UK’s DNA database violated EU law.  Specifically, on December 4, the ECHR issued its decision, S. and Marper v. The United Kingdom (Applications 30562/04, 30566/04), holding that the UK DNA database violated the EU’s Convention for the Human Rights and Fundamental Freedoms (the “Convention”) in retaining the DNA samples of individuals who had been acquitted of (or arrested and not charged with) any crime.

When a company is considering using cloud computing in its IT infrastructure, there are some privacy issues that need to be addressed.

While the value of cloud computing certainly holds much promise, companies wishing to make the leap into the cloud would be well advised to consider the potential privacy issues.  Cloud computing, in its essence, is the migration or outsourcing of computing, hardware and storage functions to a third-party service provider, which hosts applications on the Internet through linked servers located worldwide.  Cloud computing has captured the attention of IT professionals because it offers the appealing option of reducing a company’s computer infrastructure and placing it in the hands of a vendor who can perform a company’s computing needs more cheaply and efficiently than the company can itself.

A German court (Case No. 133 C 5677/08) recently issued a decision that Internet Protocol (IP) addresses stored on a company’s server do not constitute “personal data” under the German data protection law. An IP address is a unique number that every computer connected to the internet is assigned. Under German data protection law (and EU law generally), “personal data” is any data that identifies a natural person. Usually, whether or not a particular category of data constitutes “personal data” is fairly noncontroversial. However, the issue of whether IP addresses constitute personal data is a particularly thorny issue, as an IP address usually consists of a string of numbers, making it difficult to identify a natural person behind a given numerical combination. In fact, last year the EU article 29 Working Party (the EU Committee charged with clarifying the EU Data Protection Directive) has previously opined in 2007, and again in 2008 in more detail as reported here that there is “no doubt” IP addresses do in fact constitute “data relating to an identifiable person” under the EU Data Protection Directive.

Binding corporate rules (“BCRs”) may now be easier to implement due to much needed guidance issued last month by the European Union’s Article 29 Working Party, the group responsible for the oversight of the EU’s data protection regime. The guidance consists of three documents, which clarify the requirements for establishing BCRs. These documents are: (1) a checklist outlining the required elements of the BCRs; (2) a framework for the structure of BCRs; and (3) a list of frequently asked questions regarding BCRs.