Website providers that collect dynamic Internet Protocol addresses (“IP address”) from website visitors may soon be subject to even more scrutiny from data protection authorities in the EU.
Last week, Europe’s Advocate General Manuel Campos Sánchez-Bordona (one of the advisors to the European Court of Justice, “ECJ”) released an opinion which, if followed by the ECJ would end a long debated question whether IP addresses are personal data subject to EU data privacy law. The Advocate General takes the view that dynamic IP addresses are personal data when being in the hands of a website provider when a third party (e.g. the internet access provider) has access to additional information that would enable identification of the Internet user.
On 29 February 2016 the European Commission issued the legal texts of the EU-U.S Privacy Shield which aims to replace the defunct EU-U.S Safe Harbor Framework as a legitimate mechanism for transferring personal data from the EU to the U.S.
In contrast to its predecessor, the Privacy Shield contains commitments from US government in relation to controls on access to personal data by public authorities. This is an aspect of the new scheme which aims to address the jurisprudence of the Court of Justice of the European Union and criticisms of the previous Safe Harbor Framework.
Last Friday (6 November 2015) the EU Commission issued a communication on the transfer of personal data from the EU to the US under the Data Protection Directive following the judgment by the Court of Justice in the Schrems case.
In addition to providing some welcome support for the use of data transfer mechanisms such as Model Clauses and BCRs, the communication also contains an important statement from the Commission that it intends to update the decisions it has previously made authorising personal data transfers to certain countries outside of the EU.
The European Court of Justice’s (CJEU) recent decision striking down the EU-US Safe Harbor framework has created significant marketplace uncertainty and left companies scrambling for alternative cross-Atlantic data transfer mechanisms.