Newsletters 14 March 2016

EU Issues Overview – 27 February – 4 March 2016

Data protection

EU/US: Commission publishes the text of the EU-US Privacy Shield

  • On 29 February, the European Commission published the legal texts and a draft adequacy decision which will establish the EU-US Privacy Shield. The new framework for transatlantic data transfers will replace the Safe Harbour which was struck down by the Court of Justice of the European Union in October 2015.
  • The Privacy Shield is based on a system of self-certification by which US organisations commit to a set of Privacy Principles issued by the US Department of Commerce. While an organisation’s decision to self-certify its adherence to the Privacy Shield is voluntary, effective compliance is compulsory and enforceable under the US Federal Trade Commission Act. 
  • The US Department of Commerce will be in charge of monitoring and verifying that companies’ privacy policies are presented in line with the relevant Privacy Shield principles and are readily available. A list of companies that have self-certified their adherence to the Privacy Principles will be regularly updated on the basis of annual re-certification submissions, and every time an organisation withdraws or is removed from the Privacy Shield. 
  • The Privacy Shield offers several redress possibilities for EU data subjects, who can lodge a complaint with the company itself; take the complaint to a national Data Protection Authority; use an Alternative Dispute Resolution solution; or use a last-resort arbitration mechanism – the Privacy Shield Panel.
  • The Privacy Shield includes written commitments and assurance by the US government that any access by public authorities to personal data transferred under the arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalised access. The newly created Ombudsperson mechanism will handle and solve complaints or enquiries raised by EU individuals. 
  • The European Commission and the US Department of Commerce will conduct an annual joint review of the arrangement.

Next steps

  • Before the European Commission adopts the adequacy decision which will bring the Privacy Shield to life, it will consult the Article 31 Committee composed of Member States’ representatives and receive an opinion of the Article 29 Working Party (WP29), an umbrella organisation of national DPAs.
  • WP29 announced that its review of the Privacy Shield will be conducted in light of the October 2015 decision, the European jurisprudence on fundamental rights, the letter of the Working Party to the European Commission on Safe Harbour of 10 April 2014 and the Party’s Working Document on transfers of personal data to third countries.
  • WP29’s opinion, which is persuasive but not legally binding, will be adopted at its next plenary meeting on 12 and 13 April 2016. 
  • The European Commission hopes to receive the green light before the end of June.

EU/US: Obligations of companies participating in the Privacy Shield

  • An organisation participating in the Privacy Shield must provide information about the types of personal data it collects, the purpose of data collection and data use. It also needs to provide information about the right of individuals to access their personal data, and the choices and means offered to them to limit the use and disclosure of the information. Dispute resolution mechanisms are also part of the obligations.
  • Companies are required to offer individuals the choice to decide whether their personal information is to be disclosed to a third party and used for a purpose materially different from the one it was collected for. In line with the data integrity and purpose limitation principle, an organisation cannot process personal information in a way that is incompatible with the purpose for which it was collected.
  • A Privacy Shield organisation has to provide a mechanism to ensure compliance and recourse for EU data subjects whose data have been processed in a non-compliant manner, and annually re-certify its participation in the Privacy Shield. Providers that merely transmit, route or switch information (e.g. ISPs) are not liable under the Privacy Principles.

Germany: Facebook probed over possible abusive use of data

  • The German antitrust authority (Bundeskartellamt) announced it has opened an investigation into Facebook over its contract terms for using consumer data. The Bundeskartellamt suspects that the company’s terms of service are breaching data protection rules. Given Facebook’s size, the authority will investigate the link between potential market dominance and the use of such clauses.
  • Bundeskartellamt is the first competition authority in the EU to launch an antitrust investigation on suspicions that contract terms for the use of data are being misused. The authority said that it was in close contact with data protection and antitrust watchdogs, including the European Commission.


UK: Home Office presents updated text of the proposed Investigatory Powers Bill

  • The UK Home Office presented an updated text of the proposed Investigatory Powers Bill. Despite criticisms made by different Parliamentary Committees and the wider public, many of the most controversial powers remain in the re-drafted proposal.
  • The new text expands the powers of police to look at users’ Internet Connection Records. Under the proposal, ISPs will be required to save the browsing histories of all of their users for a year, and hand them over to authorities if required.
  • The new draft also includes a clause that requires technology companies to weaken their security features when it is deemed practicable. 
  • Home Secretary Theresa May announced that the bill will require police to obtain ministerial and judicial approval for intercept warrants.
  • Gus Hosein, Executive Director of Privacy International, stated that no changes had been made to guarantee people’s security. Hosein added that the continued inclusion of powers for bulk interception and bulk equipment interference undermines the right to privacy and puts the security of infrastructure at risk.

Net neutrality

EU: Re-launch of an online platform to report net neutrality violations

  • A group of civil rights organisations including EDRi, La Quadrature du Net, Bits of Freedom, Access Now and Digitale Gesellschaft re-launched a joint initiative. The platform allows individuals to report abusive behaviour by Internet access providers such as blocking or restricting access to certain kinds of online services, content and applications.
  • The platform also provides an overview of tools that help monitor whether or not an Internet Service Provider is manipulating or restricting Internet traffic.

EU: BEREC distances itself from proposals to ban zero rating

  • In its recently published report on OTT services, the Body of European Regulators for Electronic Communications (BEREC) distanced itself from proposals to ban the practice of so-called zero rating. BEREC argued that it is currently too soon to conclude how OTTs affect competition and consumers in the electronic communications service markets and requested stronger information-gathering powers to correctly assess the situation.
  • BEREC is scheduled to publish its guidelines on how national regulators should approach zero rating after its plenary session on 2-3 June.

Cloud computing

EU: Leaked draft of the European Cloud Initiative

  • The leaked draft of the European Cloud Initiative stipulates that the Commission wants to position the EU in a global leading role in scientific infrastructures and data-environment and make sure that European scientists reap the benefits of data-driven science. 
  • According to the draft, the European Open Science Cloud should offer 1.7 million European researchers and 70 million professionals in science and technology a free and open access to services for storage, management, analysis and re-use of research data across borders.
  • Furthermore, the Commission plans a common European data infrastructure designed to boost the development of super-computing and make the EU one of the global leaders in super-computing.
  • The need to establish pan-European standards on data portability, security and interoperability is also underlined in the draft. The package of cloud initiatives is due for publication on 6 April, as part of the first DSM initiatives package.


EU: ENISA publishes a report on incident reporting

  • The European Network and Information Security Agency (ENISA) published a report analysing how mandatory incident reporting schemes have improved resilience and security in the EU telecoms sector. The report looked into the implementation of Article 13a of the 2009 Telecom Package, which addresses the incident reporting scheme within the EU.
  • The findings confirmed that in terms of incident reporting and security measures, a minimum set of services (fixed and mobile telephony, fixed and mobile Internet) is covered by all Member States. Some Member States cover an even broader range of services, including country code top level domains (CC TLDs).
  • The top root causes disrupting EU telecommunications infrastructures are system failures (66%) and human errors (20%).


EU: Stakeholders call for substantial improvements to connectivity

  • On 3 March, the European Commission published an overview of contributions and preliminary trends of the public consultation on the Needs for Internet Speed and Quality Beyond 2020 which ended on 7 December 2015. 
  • The consultation, which was designed to support the Commission in developing adequate policies helping investors to deploy connectivity networks, gathered 1551 replies; a majority of respondents were based in Germany and France.
  • The preliminary results showed that there is a clear need for a substantial improvement in connectivity features with download speed being perceived as the most important feature of fixed connectivity today. In the future, upload speeds, latency, reliability and uninterrupted access will become more important.

EU: Summary report on the public consultation on the evaluation and the review of the regulatory framework for electronic communications networks and services

  • The Commission also published a summary report focusing primarily on the quantitative analysis of the responses received to its consultation on the evaluation and the review of the regulatory framework for electronic communications networks and services.
  • The preliminary results revealed that stakeholders want competition laws to continue to underpin telecoms regulation in the EU; however, there is a need for policy adjustment to improve Internet connectivity.
  • The results also revealed that administrations of several Member States see the need for updating the telecoms rules. The need to promote investment in next generation infrastructures and the need to respond to technological and market changes are among the reasons mentioned.
  • The Commission is expected to present its reform proposal in the autumn.
