Data & IT Law Monthly: October 2015

The overview of interesting Data & IT Law articles and news in October 2015!


Safe Harbor invalidated by the Court of Justice

The most important thing happening in the area of data protection law, at least in the EU-US world, was the decision of the Court of Justice of European union, invalidating the Safe Harbor agreement.

In the Maximillian Schrems v. Data Protection Commissioner, the Court held that due to the revelations of Edward Snowden, the PII transferred to US under Safe Harbor agreement, are not adequately protected. Both US and EU were given time to resolve the issue. There are organisations calling for new rules.


The current options for US companies

The EU’s Article 29 Working Party issued a statement on the Schrems decision. The Working Party gave a January 2016 deadline for companies to come into compliance with the ruling.

The options are: EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules. Several articles deals with these specific options (such as model clauses). The overview of new rules which are now applicable for US companies are in this article.

Similarly, German Data Protection Authority issued a Position Paper. Most importantly, it “will not currently issue any new authorizations for data transfers to the U.S. on the basis of BCRs or data transfer agreements.


New EU Payment Services Directive

The article describes a new directive, which should be implemented in 2 years. It deals with the issues of banking data and APIs.

“Unfortunately, until now account information services (AIS) and payment initiation services (PIS) in the vast majority of the EU countries had no official and approved “channel” (aka Application Programing Interface, or API), through which they could communicate with banking systems. They were forced to use some workarounds like “screen scraping”: this technology involves logging to clients’ accounts with their credentials and obtaining the necessary information by mimicking user activity in a web browser.

The Directive gives “green light to existing AIS/PIS solutions (…) (T)he most promising part of the PSD2 are the requirements that shall be met by the EU member states within the next two years: payment services providers will be authorized and regulated, and all the client’s financial information currently held close by banks will be available to these legitimate third parties – of course, only when the client agrees upon that.”


Another EU important decision

It seems that Schrems case received all the attention. However, this month, the Court of Justice of European union had issued another important decision in the data protection area (case C-230/14). It dealt with the authority Data Protection authorities.

Where a company is not deemed to be established in a Member State, the local data protection authority has only limited powers, according to the CJEU. It may hear a claim and analyse it, but any sanction can only be imposed by the Member State authority whose laws apply. This means that, where a company has no establishment in a Member State, nothing changes as regards the current situation, i.e. if an authority of such Member State wants to investigate a claim, it would have to contact the competent authority. The question is, however, which authority would be deemed the competent authority if a company is established in several Member States. This would likely depend on the facts of each specific case.


EU Data Protection Directive – 20th birthday

In the end, read an interesting article about an anniversary of EU Data Protection Directive.

Leave a Reply

Your email address will not be published. Required fields are marked *