Choosing an out-of-court procedure to recover domain names : a fast and cost effective process

 Cybersquatting consists in the practice of registering domain names using unauthorized third-party trademarks. The cybersquatter may then try to resell the domain names to their rights owners. Some cybersquatters use these “fraudulent” domain names to redirect online traffic to websites distributing similar competing products or services, while other cybersquatters use these domain names to operate websites selling infringing products or services.

The businesses most affected by cybersquatting are primarily fashion brands, followed by banking and finance services, and internet and IT services.

The rights owners can either enter into legal proceedings or opt for an out-of-court procedure to recover or remove the domain names that include their trademarks. Out-of-court procedures such as the ICANN Uniform Domain-Name Dispute Resolution Policy (UDRP) are now widely used as a fast and cost-effective process to recover domain names.


1. Using the UDRP to recover a domain name

The UDRP can be used by rights owners for disputes involving domain names registered abusively using their trademark, and only for domain names with the following generic extensions (gTLDs): .com, .net, .org, but also .aero, .asia, .biz, .cat, .coop, .info, .jobs, .mobi, .museum, .name, .pro, .tel, .travel and new gTLDs. (1)

UDRP cases are handled by ICANN-accredited dispute resolution organizations, including the WIPO Arbitration and Mediation Center (based in Geneva, with an office in Singapore), the National Arbitration Forum (United States) and the Asian Domain Name Dispute Resolution Center (ADNDRC) (based in Hong Kong, with offices in China, Korea and Malaysia). (2)

To be admitted, the rights owner’s complaint must meet three cumulative conditions:
    i) Identical or confusingly similar: the allegedly fraudulent domain name must be identical or similar to a trademark owned by the rights owner and create confusion in the mind of the public/consumers ;
    ii) Rights or legitimate interests: the registrant of the allegedly fraudulent domain name must have no rights on the domain name and no legitimate interest related to that domain name; and
    iii) Registered and used in bad faith: the allegedly fraudulent domain name must have been registered and used in bad faith.

The proceedings are quite simple and include the following steps: a complaint is filed by the complainant, a response is sent by the respondent, the case is reviewed by an expert panel, the expert panel renders a decision and the decision is executed.

The case is usually handled over a period of 60 days. The administrative charges are reasonable and are usually between USD1,500 and USD5,000. The administrative charges are paid by the complainant unless the respondent requests a panel of several experts, in which case the cost is split between complainant and respondent. However, under this process, the complainant cannot request damages. A UDRP decision will either order the disputed domain names to be removed, transferred to the complainant (rights owner), or the complaint may be rejected if it doesn’t meet the three cumulative conditions mentioned above.

In its 2016 annual report, the WIPO claims a 10.5% increase in the number of UDRP cybersquatting cases handled concerning 4,364 domain names, compared to the previous year. (3)


2. The Moncler case: an example of a cybersquatting case handled through UDRP (4)

The Moncler case, held in early 2016, is a good example of cybersquatting and how a rights owner can claim back disputed domain names under the UDRP process.

Moncler, an Italian high end fashion sportswear company owns several trademarks, including the Moncler trademark and several domain names including moncler.com.

Three Chinese individuals had registered fifty domain names including the Moncler trademark (<monclersaleie.com>, <monclersaleireland.com>, <ukmoncleroutlet.com>, <outletmoncleruk2015.com>, <moncleroutletbest.com>, etc.). Most of these domain names led to websites using the same format, wording and pictures from the Moncler official website and selling counterfeit goods. Other domain names led to parking pages offering pay-per-click links, some of which leading to competitors’ websites.

Moncler filed a UDRP complaint with the WIPO Arbitration and Mediation Center to claim back the infringing domain names.

The case was reviewed by the WIPO panel according to the three conditions of the UDRP :

- After confirming Moncler’s rights in the Moncler trademark, the panel found that each disputed domain name contained the full Moncler trademark. The panel held, citing a previous case, that “The fact that a domain name wholly incorporates a complainant’s registered mark is sufficient to establish identity or confusing similarity for purposes of the Policy.”

Most of the disputed domain names also included the word “outlet” which, used with the trademark, was confusingly similar to that trademark.

- Moncler argued that the respondents had no rights or legitimate interests in respect of the Moncler domain names. The respondents had not been authorized to include the Moncler trademark in the domain names or to make any other use of the trademark, and they were using the domain names to sell counterfeit goods online and to refer to activities in competition with Moncler’s activities.

The panel found that the complainant had established its prima facie case. Without any evidence from the respondent to the contrary, the panel held that the complainant had satisfied the second element of the policy.

- The third element of the Policy is whether the domain name was registered and used in bad faith.

Moncler argued that the domain names were used in connection with websites offering counterfeit goods for sale, that the domain names were used in connection with PPC websites (parking pages) containing links to Moncler’s competitors and that by registering 50 domain names using the Moncler trademark, the respondents had engaged in a pattern of conduct that also constituted bad faith.

The panel held that the complainant had satisfied the third element of the policy.

Therefore, the Panel decided that the complainant had met the three conditions of the policy and ordered that the disputed domain names be transferred to Moncler.

The decision was issued on 18 January 2016, less than six weeks after the complaint was filed with the WIPO Arbitration and Mediation Center.


      In conclusion, the UDRP process allows to resolve trademarks vs. domain names disputes within a few weeks and for a lesser cost than a full legal procedure. This process is also often used for international cases, when complainant and respondent are located in different jurisdictions. With a UDRP decision, the complainant may get the disputed domain names removed or transferred, without an exequatur process, which would usually be necessary to get a court decision recognized and enforced in another jurisdiction.

However, as mentioned above, a UDRP complaint cannot include a claim for damages and the administrative costs are usually borne by the complainant. UDRP decisions are final, with no appeal process. This is the reason why complainants often choose to file legal proceedings in addition to a UDRP process, and claim damages especially if several domain names are involved and if they also have an intellectual property claim (such a the sale of counterfeit goods), an e-reputation claim or a fraud claim.


                                                                    * * * * * * * * * * *


(1) See www.icann.org, Domain Name Dispute Resolution Policies.

(2) Country domain names (ccTLDs) disputes can also be filed with the WIPO Arbitration and Mediation Center under their Domain Name Dispute Resolution Service. Not all ccTLDs are concerned though (see http://www.wipo.int/amc/en/domains/cctld/). Also, for .fr domain names, Afnic, the French registrar and country code manager has launched a domain names dispute resolution policy in 2011 called Syreli (https://www.syreli.fr/)

(3) Report of the Director General to the 2016 WIPO Assemblies

(4) WIPO Arbitration and Mediation Center, Administrative Panel Decision, Moncler S.p.A. v. Yao Tom, Lee Fei & Geriy Wang, Case n°D2015-2244


Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

December 2016

ICANN - The end of the US administration oversight on the internet

The Internet Corporation for Assigned Names and Numbers (ICANN) is a US-based not-for-profit public-benefit corporation which includes participants from all over the world. ICANN’s role has been to manage internet governance and to coordinate the global internet's systems of unique identifiers (allocation and assignment of domain names, internet protocol (IP) addresses and autonomous system numbers) and to facilitate the coordination of the operation and evolution of the Domain Name System (DNS) root name server system. (1)

Despite last minute blocking attempts by several US Congressmen, including Texas Senator Ted Cruz, the NTIA contract (National telecommunications and information administration) for the stewardship of ICANN expired on 30 September 2016.

From now on, ICANN will be supervised by the private sector represented by the “Global Internet Community”. The new ICANN governance model is based on the integration of stakeholders from a variety of horizons: corporations, professors, technical experts, members of the civil society, government representatives, etc.

According to Ed Black, President and CEO of the Computer and Communications Industry, the transition process to ensure long term internet stability and perpetuate an open internet - which has direct repercussions on the US economy and national security, should be carried out to completion. However, for those against such transfer, the end of the NTIA supervision creates a risk to see ICANN be a victim of undue influence or any appropriation by governments, multilateral or intergovernmental organizations, or commercial or non-commercial stakeholders jeopardizing freedom on the internet.

ICANN assures that the users will experience no change in their internet use after the transition.

                                                                 * * * * * * * * * * * *

(1) See the Icann website at www.icann.org and the Digital watch website at digitalwatch.giplatform.org, and the page on IANA transition and ICANN accountability


Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

December 2016

New double tax convention between Singapore and France: when does the withholding tax apply to French companies for services performed in Singapore?

A foreign company providing services - including consulting services, software or web development services, cloud services, etc. to a company based in Singapore (i.e. a Singapore company or a foreign company with a permanent establishment in Singapore) is in principle subject to a withholding tax of 15% in Singapore. (1)

This withholding tax applies if the service is performed by the foreign company in Singapore. If the service is performed outside of Singapore, and the resulting work product is then sent to Singapore or made available to a Singapore company, then no withholding tax applies.

The withholding tax may be reduced, or even avoided if there is a tax treaty between Singapore and the country of the company providing services.

Singapore has signed several such double taxation avoidance conventions with foreign countries, including France.

A new convention for the avoidance of double taxation between Singapore and France entered into force on 1st June 2016, replacing the previous convention dated 9 September 1974. (2)

For example, for French IT companies providing services to Singapore companies, the application of the double taxation avoidance convention means that, provided that the French service company does not have a permanent establishment in Singapore (as defined in article 5 of the Convention), then the full revenue earned and invoiced by the French service company will be taxed in France and Singapore shall not tax this revenue. The Singapore company paying fees to the French company will not have to apply withholding tax, provided these conditions are met. (3)

Singapore is an important trading partner for France and a growing number of French companies choose Singapore, often as a hub and a gateway to the ASEAN market, to develop their activity into Asia. The renewal of this double tax convention between the two countries should be an incentive for bilateral business relationships to further develop and thrive.

For any specific questions about tax, withholding tax, VAT or GST, we recommend to consult a tax lawyer.


                                                                       * * * * * * * * * * *

Note: in this short article, we focus on service companies and withholding tax. However, the Convention encompasses many more tax issues, not addressed here.

(1) The applicable rate depends on the service provided and nature of payment. For more details, check the Inland Revenue Authority of Singapore at www.iras.gov.sg

(2) Convention between the Government of the Republic of Singapore and the Government of the French Republic for the avoidance of double taxation and the prevention of fiscal evasion with respect to taxes on income, concluded on 15 January 2015 and entered into force on 1st June 2016. The previous convention was concluded on 9 September 1974 and entered into force on 1st August 1975.

(3) See article 7 §1 of the Convention (“Business Profits”)


Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

June 2016

New European General Data Protection Regulation (GDPR): the compliance clock is ticking

After over four years of debates at the European level, the General data protection regulation (GDPR) was finally passed on 27 April 2016. The new regulation will apply in all the European member states in two years, as from 25 May 2018. (1) The compliance countdown is now running for all organisations processing personal data.

The GDPR is part on a more global reform of European data protection law - the “data protection package”, which also includes a directive on data transfers for policing and judicial purposes, i.e. personal data processed by the European police and judiciary authorities.

The GDPR will repeal Directive 95/46/EC of 24 October 1995 on the protection of personal data. The new text will be the base of our regulation of personal data protection in Europe, with a single set of rules (with a few exceptions).

The regulation is based on existing data protection law. The main principles regarding the processing of personal data, such as the principles of lawfulness, fairness and transparency of the data process, the principles of specified and legitimate purpose, of adequacy of the process, of data conservation for a limited duration and of data security are preserved. (art. 5) But because of the technical and behavioural evolutions that have occurred in our society since the 1995 Directive, it was important to adapt and complement the existing principles and implement more homogenous rules within the European Union. This is however a complex text comprised of 173 recitals and 99 articles, when the directive included only 34 articles.

We summarise below the main provisions of the GDPR regarding the rights of natural persons, followed by the rights of corporations (as data controllers or processors).


1. The rights of natural persons under the GDPR

Several provisions of the GDPR reinforce the existing rights on the data of natural persons (“data subjects”). We identified the major evolutions as follows:

    - The conditions to obtain consent from the data subjects are reinforced (Art. 7): the terms regarding consent must be drafted in clear and explicit language. The data subject must be able to withdraw his consent at any time. The burden of proof of obtaining the data subject’s consent rests on the data controller who must be able to show that the data subject did give his consent to the process.

    - The right to be informed is modified toward more transparency and simplification (art. 12, 13 and 14): the information must be concise, clear, intelligible and easily accessible. It must be drafted in clear and legible terms, especially when targeting children.

    - The GDPR confirms the “digital right to be forgotten” (or right to erasure) as defined by the European court of justice (ECJ) in the Google Spain decision of 13 May 2014. (art. 17) The data subject can request the controller to erase his personal data without undue delay. Data erasure is however subject to certain conditions -including regarding the right to information, and is not automatic. These conditions and limitations to the right to be forgotten have been further defined since 2014 by subsequent case law.

    - Data portability is a new right for the data subjects. (art. 20) Except in certain situations, data subjects can request the controller to recover or to transfer their collected data to a new data controller (e.g. transfer to a similar service proposed by a competitor). To prevent blocking or circumventing this obligation, the controller must transfer the data in a structured, commonly used, machine-readable format.

    - Finally, the GDPR includes the principle of specific data protection rules for children below 16 years of age. (art 8) Children are intensive users of internet services (social networks, chat, SMS, MMS) but are not necessarily aware of the concept of personal data and of how their data can be used by third parties. The GDPR identifies children as a distinct category of data subjects and recognises the need to provide specific protection to their data. The 38th recital provides that children must receive specific protection from organisations using their personal data for marketing purposes or user profile set ups. For online services targeting children (i.e. children below 16, or 13 in certain member states), the processing of children data will be subject to the consent or authorisation of the person having parental authority. The controller must implement “reasonable” means, taking into account available technology, to ensure the effectiveness of such parental consent.


2. The rights of data controllers and processors under the GDPR

Regarding the rights of the controllers and processors (corporations and any organisation processing personal data), we note a tendency toward simplification of formalities, but also toward more stringent obligations. Also, the level of the financial penalties was raised substantially. The major evolutions are as follows:

    - Automated process and profiling techniques - which are used increasingly with big data projects for example, will be regulated. (art. 22) Such process will be authorised under certain conditions and provided the data subject has given his consent.

    - According to the accountability principle, the controller must implement clear and accessible internal rules to guarantee and demonstrate compliance with the regulation on process inventory, security, and if applicable, compliance with the preliminary formalities and with the appointment of a data protection officer. (art. 5 and 24)

    - During the development of new products or services, the controller must include personal data protection by default in the definition of the processing means and within the data process  (“privacy by design” principle). (art. 5 and 25)

    - The GDPR creates a new “joint controllers” concept (art. 26), to take into account the technical evolutions, especially with cloud computing services under which the entity collecting the data no longer controls the technical data process. Two data controllers may then co-exist, i.e. the entity collecting and using the data, and the entity which determines the technical means of the data process (often the hosting service provider or the cloud service provider, as a subcontractor of the data collector/controller). In case of joint liability, the joint controllers must define the respective scopes of their liability in performing their obligations, especially concerning the data subjects. The liability of the subcontractor is now acknowledged at the same level as its client’s.

    - The GDPR withdrew the preliminary filing obligation for new data processing (art. 30) except for data transfers outside of the European Union which are subject to a specific regime. In return, the controller must (i) either keep an internal record of processing activities listing the data process implemented, (ii) or consult the supervisory authority prior to launching a new data process if such process requires an impact assessment and includes specific risks.

    - The GDRP imposes stronger data protection security rules. Security breaches must be notified by all controllers, regardless of their main activity. (art. 5 and 32 to 34) For example in France, this notification duty is currently limited to communications operators and to “vitally important operators” (OIV) i.e. operators of critical infrastructures or services.

    - A data protection officer (DPO) must be appointed in all companies where the core activities of the controller or processor consist of processing data which require monitoring of data subjects on a “large scale” or processing of specific categories of data on a “large scale”. (art. 37, 38 and 39) The data protection officer (which in France will replace the current “correspondant informatique et libertés” - CIL) must be a competent law and personal data protection professional. This person may be employed by that organisation or be a third party consultant.

    - The rules regarding data transfers outside of the European Union won’t change substantially. (art. 44 to 50) As a principle, all data transfers outside of the EU remain prohibited. This prohibition may be waived for transfers to a third country offering an adequate level of protection, as defined by the European Commission and for transfers to companies in third countries, provided one of the available contractual tools has been implemented between the exporting controller and the importing processor (EU model contractual clauses, Binding corporate rules (BCRs) or code of conduct). It is still unclear whether existing adequacy decisions will be upheld for all third countries currently listed. Since the GDPR includes new and more stringent provisions, the Commission may decide to reassess whether these countries are still providing an adequate level of protection under the new Regulation.

    - Companies that operate in several member states will designate a supervisory authority as the lead competent authority, for cross-border processing and to handle complaints. (art. 56) This lead supervisory authority shall be the authority of the seat of the main establishment, construed as the place where the main decisions regarding the data process purpose, conditions and means are made.

    - The GDPR includes the possibility for the supervisory authorities to impose more stringent sanctions. (art. 83) Depending on the type of infringement, the supervisory authorities can impose administrative fines up to 10 million euros or 2% of the total worldwide turnover of the company during the preceding financial year, whichever is higher, or up to 20 million euros or 4% of the total worldwide turnover of the company during the preceding financial year.

Finally, the GDPR will apply not only within the European Union, but will also produce extra-territorial effects. (art. 3 and 27) The GDPR will apply:
    - to controllers located within the European Union, whether or not the data process is performed in the EU, and
    - to the data of EU citizens and residents processed by a controller or a processor (subcontractor) located outside the EU, if the products or services target the European market. Certain non-European companies may then have to comply with the GDPR.


Businesses should use this two-year transition period to work on their legal and operational compliance with the GDPR. This compliance exercise should include a legal review of their existing commercial terms and conditions and privacy policies applicable to their products and services, and a review of their internal corporate privacy policies. Certain types of data process will also require technical and/or operational review and upgrade (such as collecting the proof of consent by the data subject, especially for the processing of children’s data).


                                                                    * * * * * * * * * * * *


(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General data protection regulation)

Bénédicte DELEPORTE – Avocat

Deleporte Wentz Avocat
www.dwavocat.com

June 2016

Legal requirements applicable to importing or exporting encryption software and equipment in/from France

Cryptography is part of our daily digital life: from online communication, through e-commerce, to online banking. Encryption ensures secure data transfers and storage, with data confidentiality, authentication requirements and data integrity. However, data encryption is used in very diverse situations, whether for civil or for military purposes, for legal but also for illegal purposes.

In France, although the Digital Economy Act (“Loi pour la confiance dans l’économie numérique”, aka “LCEN”) of 21 June 2004 introduced more flexibility for the use and supply of means of cryptography, importing or exporting encryption software or services in or from France remains regulated. (1)

The law distinguishes between the use and provision (including transfer, import and export) of means of cryptography and the provision of cryptography services. Means of cryptography are usually classified a dual use encryption products, i.e. technologies which can be used for both civil and military purposes. The provision of means of cryptography and of cryptography services remains regulated, even if certain areas are now exempted from any form of declaration or authorisation.


1. The provision of means of cryptography

The law defines “means of cryptography” as follows: “a means of cryptography (moyen de cryptologie) includes any hardware or software designed or modified to alter data, whether information or signals, through secret conventions (keys or encryption algorithms) or to proceed to the reverse operation with or without a secret convention. The main purpose of such means of cryptography is to safeguard the security of data storage or of data transmission to ensure its confidentiality, authentication or integrity check.” (art 29 of the Digital Economy Act)

The law states the general principle of freedom to use means of cryptography.

The law distinguishes between:
    - the provision of means of cryptography ensuring exclusively functions of authentication and integrity checks. Such means may be provided without restriction, including if the means of cryptography are exported to or imported from an EU member state or to/from third countries; and
    - the provision of means of cryptography not ensuring exclusively functions of authentication and integrity checks (including means ensuring data confidentiality). The provision of such means and their import is subject to a prior declaration to, or authorisation from ANSSI (Agence nationale de la sécurité des systèmes d’information - the government agency in charge of cybersecurity).

Declarations are acknowledged within one month from submission to ANSSI, and within four months for requests for authorisation. These timeframes may be extended if the submitted file is incomplete or if ANSSI has additional questions on the filing.

Declarations of means of cryptography are also valid for the intermediaries of the supplier (party having filed the declaration), i.e. the distributors of the means of cryptography. A single declaration is therefore sufficient and can be used by the supplier’s distributors.

The provision and export of means of cryptography not ensuring exclusively functions of authentication and integrity checks is subject to an authorisation from ANSSI filed by the supplier of the means of cryptography and to an export license from SBDU (Service des Biens Double Usage) filed by the party exporting the means of cryptography. (2)

Authorisations are granted for a maximum term of five years, at the end of which, a new request must be filed.

Certain categories of means of cryptography may be exempted from prior declaration if their technical characteristics or conditions of use are such that their provision, transfer from a member state or import doesn’t challenge the interests of national defense or of the internal and external security of the State. These categories are identified by decree. They include the provision of equipment to the public, the provision of broadcasting or television equipment, mobile radio communication, mobile telephone equipment which cryptographic coding or encryption is not accessible by the user. The provision of cryptography services not consisting in delivering electronic certificates is also unrestricted. (3)

The Prime Minister can prohibit the release and distribution of a supplier which does not comply with the requirements listed under article 30 of the Digital Economy Act (i.e. prior declaration or request for authorisation). Such prohibition would also include the distributors of the means of cryptography and the equipment used with the means of cryptography.

Suppliers not complying with the prior declaration or request for authorisation requirements may incur criminal penalties, including a maximum fine of €15,000 and one year imprisonment.

Exporting a means of cryptography without the required authorisation is subject to a maximum fine of €30,000 and two years imprisonment.


2. The provision of cryptography services

The law defines “cryptography services” as follows: “a cryptography service (prestation de cryptologie) includes any process used to implement a means of cryptography, on behalf of a third party.” (art 29 of the Digital Economy Act)

The provision of cryptography services must be declared to ANSSI. The exemptions to such declaration are similar to the exemptions for means of cryptography (see above).

The entities providing cryptography services are subject to a duty of professional secrecy (“secret professionnel”). Professional secrecy is defined in article 226-13 of the French criminal code, which provides that “the disclosure of secret information by a person who is entrusted either because of his status or his profession, because of a function or a temporary mission, is subject to one year imprisonment and a maximum fine of €15,000.”

These entities are fully liable for damages caused to the entity or person on behalf of whom they manage the secret conventions in case of breach of the integrity, confidentiality or availability of the encrypted data.

The entities providing electronic certificates are liable for the damages caused to the persons who relied on the certificates presented as “qualified” (art. 33 of the Digital Economy Act). These entities must contract an insurance policy sufficient to cover the risks related to their activity.

Pursuant to article 31 of the French Digital Economy Act, the provision of cryptography services for confidentiality purposes without the required prior declaration is subject to two years imprisonment and a maximum fine of €30,000.


Importing or exporting encryption software or services in/from France remains a complex matter. The supplier must first check whether the means or service is exempted or subject to a regulatory prior declaration or authorisation from ANSSI, then take into account the delays in obtaining a declaration certificate or an authorisation to distribute the software or application, or to provide a cryptography service. Suppliers or importers who breach these legal requirements may incur severe criminal charges.

                                                          * * * * * * * * * * * *

(1) Loi n°2004-575 pour la confiance dans l’économie numérique, 21 June 2004 - LCEN (French Digital Economy Act). The provisions regarding cryptography are enacted under articles 29 et seq.

(2) The supplier filing a declaration or requesting an authorisation must submit a file to ANSSI. The format and content of the file are listed in an administrative ruling (Arrêté) dated 29 January 2015

(3) Decree No 2007-663 dated 2 May 2007

Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

April 2016

Personal data transfers from the EU to the US: a new Privacy Shield to replace the Safe Harbor principles

The 1995 European directive on personal data protection allows companies to transfer personal data between Member States without restrictions. (1) However personal data transfers outside of the European Union are prohibited, except to a limited number of countries providing an adequate level of protection (such as EEA Member States and countries ensuring an adequate level of protection subject to a decision from the European Commission). The Safe Harbor principles provided the legal framework for data transfers to the US.

In its ruling dated 6 October 2015, the Court of Justice of the European Union (CJEU) decided to cancel the Safe Harbor privacy principles. (2) Since July 2000, European companies working with US companies adhering to Safe Harbor could transfer personal data legally to the United States. Such data transfers occur between companies belonging to a multinational group located on both sides of the Atlantic, or between a European client company and a service company located in the US (e.g. a US hosting company, a cloud service company or a company providing any types of data management services). With the cancellation of Safe Harbor, personal data can no longer be transferred legally from the EU to the US under these privacy principles.

The European Commission and the United States have been negotiating to set up a new privacy framework to better protect personal data transfers of the European citizens to the United States. The goal of the Commission was to reach an agreement on a “2.0 Safe Harbor” before the end of January 2016. (3) An agreement was reached at the beginning of February 2016 and on 29 February, the text of the EU-US Privacy Shield was released.

We describe below the main principles applicable to the new Privacy Shield framework and recall the other legal “tools” available for European companies which have to transfer personal data to the United States.


1. The main principles of the EU-US Privacy Shield framework

The text of the new EU-US Privacy Shield framework regarding personal data transfers between the European Member States and the United States was published on 29 February 2016. (4)

The purpose of the Privacy Shield framework is to provide protection principles for the personal data of the European citizens transferred to the United States, equivalent to the principles applicable within the European Union. More specifically, with the Privacy Shield, the authorities wanted to fix the issues identified with the Safe Harbor principles and put an end to the mass surveillance practice developed by the US National Security Authority (NSA), disclosed by Edward Snowden in 2013.

The Privacy Shield principles include the following rights which are similar to the rights issued form the EU privacy regulation:
   - a) notice to the data subject regarding the data processed by the organization, details about the data processed and how to contact the company with enquiries and complaints;
   - b) choice to opt out if the data is to be disclosed to a third party or used for a purpose which is different from the original purpose when the data was collected. Sensitive data process is subject to an opt in consent from the data subject;
   - c) accountability for onward transfers to a third party;
   - d) security of the data process against loss, misuse, unauthorized access, disclosure, alteration and destruction;
   - e) data integrity and purpose limitation. As in the EU, personal data collected must be limited to data relevant for the purpose of the processing being carried out;
   - f) access by the data subjects to their personal data to ensure that they can correct, amend or delete their data;
  - g) recourse, enforcement and liability mechanisms for individuals affected by non-compliance with the Privacy Shield.

The main provisions of the Privacy Shield framework, which differ from the Safe Harbor principles, can be summarized as follows:

- Companies will adhere to the Privacy Shield through self-certification. These organizations will be subject to strict compliance obligations. The US Department of Commerce will monitor and verify compliance by the companies which have registered. Companies adhering to the Privacy Shield principles must publicly declare their commitment to comply with the Privacy Shield, disclose their privacy policies (which must be in line with the Privacy Shield principles), and implement the Privacy Shield.

- Access to personal data by the US authorities will be regulated and only allowed for specific purposes, including law enforcement and national security. General access to data is prohibited.

- Several legal redress mechanisms are included in the new arrangement. Such legal recourse rights will be available to European as well as US citizens. One of the issues raised with Safe Harbor was that the European citizens had not legal recourse in the US if a US company using their data and adhering to Safe Harbor did not comply with its legal obligations. From now on, European citizens will have the option among several legal recourse mechanisms in case of personal data misuse:
    (i) Mediation: a mediation service through an Ombudsperson mechanism, independent from the US security services, will be set up within the US Department of State;
    (ii) Complaints to the US data processor: individuals will be able to send a claim to the US companies adhering to the Privacy Shield for problems regarding their personal data. Companies will have to respond to such claims within 45 days;
    (iii) Claims to the national supervisory authority: individuals will be able to send a claim to their national supervisory authority (such as the ICO in the UK or CNIL in France). Each national data supervisory authority will communicate with the Department of Commerce and the Federal Trade Commission (FTC) so that the claims are actually processed and settled;
    (iv) Alternative dispute resolution: an out-of-court settlement mechanism will be available, free of charge;
    (v) Arbitration: an arbitration mechanism will be available as a last resort by a Privacy Shield panel.

US companies may also choose to comply with the advice and guidelines issued by the national supervisory authorities. Companies processing human resources data will however have to comply with such guidelines.

The Department of Commerce will maintain an updated list of current companies adhering to the Privacy Shield and a list of companies which have left the Privacy Shield arrangement.

- Finally, the Privacy Shield framework includes an annual joint review mechanism between the European Commission and the US Department of Commerce, and national surveillance experts working with the US and European data protection authorities. The purpose of this annual reassessment exercise will be to check the effectiveness of the Privacy Shield and the actual compliance regarding access to personal data for law and order and national security purposes.

The main differences between Safe Harbor and the new Privacy Shield principles are the rights of recourse by the European citizens who feel that their personal data has been misused, a strong commitment by the US authorities regarding supervision and enforcement, and a joint annual review process between the EU and US authorities.

However, this new privacy framework is not yet in effect. The European Commission must issue its adequacy decision on the new EU-U.S. the new Privacy Shield, pursuant to article 31 of the 1995 directive on the protection of personal data. The adequacy decision means that the safeguards provided when personal data are transferred under the Privacy Shield are equivalent to data protection standards in the EU. Indeed, absent such adequacy decision, European companies cannot yet transfer personal data to US companies unless an alternative contract is in place. The legal adequacy assessment of the EU-US Privacy Shield will be conducted by the article 29 working party (art. 29 WP - representatives of the national data protection authorities of the Member States).

Meanwhile, European companies that must transfer personal data to the United States may still use the other existing legal tools available for transborder data transfers.


2. The other legal “tools” available to transfer personal data to the US

Until the Privacy Shield adequacy decision of the European Commission is released, the European companies which must transfer data to the United States must implement alternative legal tools. (5)

As experienced with the October 2015 CJEU ruling cancelling Safe Harbor, and with the new annual joint review mechanism of the Privacy Shield, companies adhering to such privacy frameworks are no longer assured of a stable long-term privacy protection environment for their transborder data transfers. The existing legal options are strong and stable alternatives to the Privacy Shield.

Three options are available : the EU Standard contractual clauses (SCC), private ad hoc contracts, and Binding corporate rules (BCRs).

The EU Standard contractual clauses (SCC) are relatively easy to implement subject to identifying the types of Standard clauses that are relevant to the data processes, and have them executed “as is” by each party. Should any of the clauses be amended by the parties, the document will have to be approved by a national data protection authority.

The ad hoc contractual option, is a contract drafted by the parties and adapted to the data process under consideration. This may be the best option. An ad hoc contract is indeed more flexible and adapted than the Standard contractual clauses. It is however necessary to take into account the cost, process and delays to receive an authorization from a national data protection authority. This contractual option may be used between two commercial entities or between affiliates (in lieu of BCRs).

Lastly, the Binding Corporate Rules (BCRs) option can only be used within a multinational group of companies. BCRs are not an alternative to govern the relationship with third party commercial partners or service providers. BCRs also usually require several months to be drafted and approved by a national authority prior to being rolled out within the group of affiliated companies. However, once the BCRs are approved and rolled out, this system is then a stable option.


As a reminder, penalties for illegal cross-border data transfers can reach up to €300,000 and 5 years in prison. This includes data transferred to the United States under the Safe Harbor principles, which are no longer valid.

                                                             * * * * * * * * * * * *

(1) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

(2) CJEU, Gd Chamb., 6 October 2015, Maximillian Schrems / Data Protection Commissioner

(3) European Commission - Press release dated 6 November 2015 “Commission issues guidance on transatlantic data transfers and urges the swift establishment of a new framework following the ruling in the Schrems case” : and see our article “Personal data transfers from the EU to the US after the cancellation of Safe Harbor by the CJEU”, published on this blog in December 2015

(4) European Commission - Press release dated 29 February 2016 “Restoring trust in transatlantic data flows through strong safeguards: European Commission presents the EU-U.S. Privacy Shield”

(5) The decision concluding the Umbrella agreement including the Privacy Shield should be adopted by the European Council after obtaining the consent of the European Parliament.


Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

March 2016