Draft EU Privacy Regulation Amendments Approved

Posted by fgilbert on October 22nd, 2013

The European Union Committee on Civil Liberties, Justice, and Home Affairs, also known as the “LIBE Committee,” approved amendments to the draft EU Data Protection Regulation on October 21, 2013.

The good news is that the “right to be forgotten” has been replaced with a “right of erasure” which is more narrowly phrased.

The bad news is … most of the other amendments. The revised draft would define a stronger and more stringent data protection regime, which is likely to create additional hurdles for US companies doing business in the European Union, or in need of transferring data out of the EU/EEA to the United States or to subsidiaries worldwide.

In particular, the revised draft significantly increases the maximum fine that might result from a violation of the new law. The 2012 draft Regulation adopted a tiered approach and set a maximum fine of 1,000,000 Euros or 2% of a company’s annual worldwide turnover. Under the revised draft, fines could reach 100,000,000 Euros or 5% of a company’s annual worldwide turnover, whichever is greater. This is a significant jump.

The next step is the review and approval of the amended text by the Council of the European Union and the European Commission. After that, the final text of the proposed Regulation would be submitted to the European Parliament for a final discussion and vote. This vote is not likely to take place before May 2014. If an agreement is not reached before the Parliament closes down for the election of new MEPs, the negotiation over the Regulation could continue in the next session of the Parliament. In that case, more delay would be likely if the composition of the Parliament changed.

The text of the approved amendments is available here.

Posted in Europe, International

Article 29 Working Party’s Opinion on Mobile App Privacy

Posted by fgilbert on March 15th, 2013

On March 14, 2013, the European Union’s Article 29 Working Party published its opinion on the unique privacy and data protection issues raised by applications used on mobile devices. The 30-page opinion provides an analysis of the technical and legal issues, and concludes with a series of recommendations to app developers, platform developers, equipment manufacturers and third parties.

In many respects, this new opinion of the Article 29 Working Party is very similar to the documents that the Federal Trade Commission has published recently on the same topic. It addresses many themes also found in the FTC documents regarding the use of mobile applications in general, or of mobile applications directed to children.

The Article 29 Opinion WP 202 provides two series of recommendations for application developers. The first set of recommendations is in fact a recitation of the general principles set forth in the proposed Data Protection Regulation, adapted to the specific context of the mobile world, with references to location data, unique device identifiers and SMS. There are also references to other modern concepts, such as privacy by design, which is also found in the proposed Data Protection Regulation but absent from Directive 95/46/EC, the directive currently in effect.

The second set of recommendations to application developers includes specific guidance on the actions to be taken.  These include:

  • Adopting appropriate measures that address the risks to the data;
  • Informing users about security breaches;
  • Telling users what types of data are collected or accessed on the device, how long the data are retained and what security measures are used to protect these data;
  • Developing tools to enable users to decide how long their data should be retained, based on their specific preferences and contexts, rather than offering pre-defined retention terms;
  • Including information in their privacy policy dedicated to European users;
  • Developing and implementing simple but secure online access tools for users, without collecting additional excessive personal data;
  • Developing, in cooperation with OS and device manufacturers and others, innovative solutions to adequately inform users on mobile devices, such as through layered information notices combined with meaningful icons.

The remainder of the recommendations is addressed to app stores, OS and device manufacturers, and third parties.

The protection of children reappears as a common theme in the recommendations to the different players in the mobile market. Each set of recommendations provided in WP 202 stresses that these players should limit their collection of information from children, and especially refrain from processing children’s data for behavioral advertising purposes, and refrain from using their access to a child’s account to collect data about the child’s relatives or friends.


Article 29 Working Party’s Opinion on Cloud Computing: A Threat for the Industry?

Posted by fgilbert on July 16th, 2012

In its Opinion 05/2012 on Cloud Computing, published as document WP 196 in early July 2012, the Article 29 Working Party identifies the data protection risks that are likely to result from the use of cloud computing services, such as the lack of control over personal data and the lack of information about how, where and by whom the data are being processed or sub-processed in the cloud. It expressly questions whether self-certification under the Safe Harbor regime is, by itself, sufficient to meet the requirements of the national data protection laws.

Even though opinions of the Article 29 Working Party do not have the force of law, they have a very significant influence over the way companies operate and the privacy choices they make. US businesses operating in the European Economic Area should keep in mind that the data protection authorities of the country or countries in which they operate are highly likely to follow the guidance set forth in a Working Party opinion. Thus, it is important that they operate within the guidelines and guidance provided in the opinions and other writings of the Article 29 Working Party.

Overview

One of the most significant concerns expressed in the Article 29 Opinion on Cloud Computing is the extent to which the Safe Harbor Principles fail to address the unique ways in which cloud computing services hold and process data. The Article 29 Working Party believes that the Safe Harbor Principles, which were conceived in a different technological environment, do not address the environment in which cloud services are now provided. In its view, sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment.

The Opinion points to the lack of control over the whereabouts of the data held in the cloud, the lack of transparency on the security measures being adopted or the identity of the subprocessors, as threats to the protection of personal data.  It also stresses the importance of informing the data subjects about who processes their data, for what purposes, and in which locations, and how they can exercise the rights afforded to them in this respect when their data are hosted or processed in the cloud.

Due Diligence & Contract Terms

The document recommends that the cloud client select a cloud provider that guarantees compliance with EU data protection legislation derived from Directives 95/46/EC and 2002/58/EC. It stresses that the cloud client should verify whether the cloud provider can guarantee the lawfulness of any crossborder data transfers.

Once the cloud service provider is identified, the relationship should be recorded in a contract that affords sufficient guarantees in terms of technical and organizational measures for the cloud service.  The Opinion identifies a number of contractual safeguards to be included in the contract for cloud services.

Crossborder Transfers & Safe Harbor

One of the most important components of the Opinion is its negative analysis of the ability of most cloud providers to meet the restrictions on crossborder data transfers that are part of the EEA Member States national data protection laws.  The Opinion expresses significant concerns about the Safe Harbor’s ability to meet the requirements that the recipient of the data provide “adequate protection” consistent with that which is provided in the EU and EEA.

Among other things, the Opinion warns that the Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that it has a Safe Harbor certification. The company exporting data should request evidence demonstrating that the Safe Harbor principles are complied with. The Opinion also states that it might be advisable to complement the commitment of the data importer to the Safe Harbor with additional safeguards taking into account the specific nature of the cloud.

It is not clear what effect the Working Party’s Opinion in WP 196 will have on US cloud providers.  If US cloud providers want to continue to attract EU based clients, they will have to address the recommendations of WP 196, at least in connection with their sales in the European Union.  Will US customers request the same level of transparency and control?

Further analysis of WP 196 is available in Francoise Gilbert’s article published by the BNA Privacy & Security Law Report, available here.


CNIL on Cloud Computing

Posted by fgilbert on June 28th, 2012

On June 25, CNIL – the French Data Protection Authority – published its recommendations on the use of cloud computing services. These recommendations are the result of a research project on cloud issues, which started in the fall of 2011 with a consultation with industry. The documents released by CNIL include a summary of the research, a compilation of the responses received to the consultation, and a set of recommendations.

The recommendations include:

  • Clearly identify the type of data and type of processing that will be in the cloud
  • Identify the security and legal requirements
  • Conduct a risk analysis to identify the needed security measures
  • Identify the type of cloud service that is adapted for the contemplated type of processing
  • Choose a provider that provides sufficient guarantees

The CNIL document also provides an outline of the contractual clauses that should be included in a cloud contract and contains “Model Clauses” that may be added to contracts for cloud services.  These model clauses are provided as a sample, are not mandatory, and can be changed or adapted to each specific contract.

Except for a high level summary in English, the documents described above are currently available only in French on the CNIL website.  According to CNIL representatives, English translations of these documents should be available shortly.

  • Overview of CNIL Recommendation – Summary in English:

http://www.cnil.fr/english/news-and-events/news/article/cloud-computing-cnils-recommandations-for-companies-using-these-new-services/

  • Overview of CNIL Recommendation – Summary in French

http://www.cnil.fr/la-cnil/actualite/article/article/cloud-computing-les-conseils-de-la-cnil-pour-les-entreprises-qui-utilisent-ces-nouveaux-services/

  • Compilation of the responses to the CNIL consultation on cloud computing (in French)

http://www.cnil.fr/fileadmin/images/la_cnil/actualite/Synthese_des_reponses_a_la_consultation_publique_sur_le_Cloud_et_analyse_de_la_CNIL.pdf

  • Recommendation for companies wishing to use cloud services (in French)

http://www.cnil.fr/fileadmin/images/la_cnil/actualite/Recommandations_pour_les_entreprises_qui_envisagent_de_souscrire_a_des_services_de_Cloud.pdf

Outline of BCR for Processors Published by Article 29 Working Party

Posted by fgilbert on June 20th, 2012

On June 19, 2012, the Article 29 Working Party adopted a Working Paper (WP 195) on Binding Corporate Rules (BCR) for processors, to allow companies acting as data processors to use BCR in the context of transborder transfers of personal data, such as in the case of cloud computing and outsourcing.

WP 195 includes a full checklist of the requirements for BCR for processors and is designed both for companies and for data protection authorities. The checklist outlines the conditions to be met in order to facilitate the use of BCR for processors, and the information to be included in the application for approval of the BCR filed with the data protection authorities.

Proposed EU Data Protection Regulation – Draft Calendar

Posted by fgilbert on May 31st, 2012

Jan Philipp Albrecht, rapporteur of the European Parliament for the proposed Data Protection Regulation, has published the following draft calendar of the events and action points associated with the finalization of the proposed Regulation. The final schedule will be agreed with the other committees involved and will be adapted as the legislation proceeds.

  • 31 May 2012, 11:00-12:00: LIBE Exchange of views (Regulation and Directive)
  • 19/20 June 2012: Presentation of general Working Document (Regulation and Directive)
  • 9/10 July 2012: Presentation of specific working document on the Regulation (WD 1)
  • September 2012: LIBE Exchange of views (Regulation)
  • October 2012: Presentation of specific working document on the Regulation (WD 2)
  • October/November 2012: LIBE Committee Hearing
  • November 2012: Presentation of the draft report
  • December 2012: Deadline for tabling amendments
  • End January/February 2013: Discussion of Amendments in LIBE Committee
  • February 2013: Discussion with Opinion Committees
  • March/April 2013: Orientation Vote LIBE committee
  • Summer 2013 (?): Trilogue with Council and Commission
  • Early 2014 (?): Vote in plenary session

Posted in Europe

Teleconference on Proposed EU Regulation

Posted by fgilbert on February 10th, 2012

On Tuesday, February 14, 2012, at 12:30pm PST, the State Bar of California will host a teleconference where I will analyze and comment on the Proposal to Overhaul Data Protection in the European Union (unveiled on January 25, 2012). Everyone is welcome to attend the conference call at no cost.

The phone number to use is:  1-866-548-4705  Participant code:  882704

If you cannot attend and wish to read about the proposed draft EU Data Protection Regulation (published on January 25, 2012), I have written extensively on the topic. Feel free to download my articles:

Short overview of the proposed legislative texts:

More on the draft EU Regulation on my blog:

Posted in Europe

Proposed EU Data Protection Regulation: A New Framework for 2015?

Posted by fgilbert on January 29th, 2012

Data protection may look and feel very different by 2015 if the European Parliament adopts the documents that the European Commission published on January 25, 2012. These documents outline a drastic change in the manner in which the collection, processing and sharing of personal data is handled in the European Union. The proposed EU data protection reform would create a single data protection law that applies directly to all entities and individuals in the Member States, except in the case of criminal investigations and related law enforcement matters. The proposed rules that would apply to companies would create more obligations for companies and more rights for individuals, while some of the current administrative burdens and complexities would be removed.

On January 25, 2012, the European Commission presented a series of legislative texts and documents that are intended to redefine the legal framework for the protection of personal data throughout the European Economic Area. The proposal is to have a Regulation address the general privacy issues, and a Directive address the special issues associated with criminal investigations.

The publication of these drafts signals a very important shift in the way data protection may be handled in the future throughout the European Union. This is consistent with the plan of action that was presented in late 2010 in Communication 609. What is new, and a paradigm shift, is that there would be one single data protection law throughout the European Union. This means that companies may no longer have to suffer from the fragmentation resulting from the fact that the 27 Member States interpreted and implemented differently the principles set forth in Directive 95/46/EC. It is not clear, however (and probably unlikely), that the Member States would have to repeal all of the other laws that they have adopted over the years and that apply to different sectors of activity. For example, there are often special laws that apply to personal information collected by telecom service providers.

US companies that do business in or with the European Economic Area must start preparing for this dramatic change in the data protection landscape. Some of the provisions will require the development of written policies and procedures, documentation, and applications as necessary to comply with the new rules. Security breaches will have to be disclosed, and incident response plans will have to be created accordingly. The development of these new structures will require significant investment and resources. IT and IS departments in companies will need to obtain greater, more significant budgets in order to finance the staff, training, policies, procedures and technologies that will be needed to implement the new provisions.

The Foundation Documents

The proposed data protection package contains two important legislative texts: a draft Regulation, which would govern the processing of personal data generally, and a draft Directive, which would govern processing in connection with criminal investigations and law enforcement.

The draft Regulation and draft Directive will now be discussed by the European Parliament and EU Member States meeting in the Council of Ministers. Thus, there will be more opportunities for discussion, changes, and modifications of the current provisions, and there is currently no certainty that the provisions as stated in the January 25, 2012 draft will remain.

However, given the energy, speed, and determination with which the reform of the EU data protection regime has been handled, it is likely that a final vote will take place sooner rather than later. Once in their final form and formally adopted by the European Parliament, the rules are expected to take effect two years later. Thus, it is likely that, by the end of 2014 or early 2015, the European Economic Area will be subject to a new, improved, but stricter data protection regime.

This article discusses only the Proposed Regulation.

A Regulation, Not a Directive

The European Union is over 50 years old. For a long time, the Union has functioned as a group of countries operating under a set of rules that attempted to be consistent with each other, in order to ease the flow of people and goods among the Member States. This was achieved by implementing, on a piecemeal basis, the principles of numerous directives, with each Member State, in fact, retaining a great deal of independence and autonomy. While this strategy allowed a sense of unity to develop slowly among countries with different cultures, histories and personalities, it ended up creating a patchwork of national laws that bore some resemblance to each other but also had their own personality. This is a difficult setting for companies operating in several Member States.

The ratification of the Treaty of Lisbon in late 2009 was a very important milestone in the transformation of the European Union into a united power. It marked a very important step in the evolution of the Union, creating deep changes in its rules of operation, removing the three-pillar system that fragmented its operations, and moving the Union into a closer, tighter structure. With the Treaty of Lisbon, the European Union moved towards more cohesion, more consistency, and more unity.

With this background in mind, it is logical that the European Commission found that a “Regulation,” as opposed to a “Directive,” was the most appropriate legal instrument to define the new framework for the protection of personal data in the European Union in connection with the processing of these data by companies and government agencies in their day-to-day operations. Due to the legal nature of a regulation under EU law, the proposed data protection Regulation will establish a single rule that applies directly and uniformly.

EU regulations are the most direct form of EU law. A regulation is directly binding upon the Member States and is directly applicable within the Member States. As soon as a regulation is passed, it automatically becomes part of the national legal system of each Member State. There is no need for a national legislative text to implement it.

EU directives, on the other hand, are used to bring different national laws in line with each other. They prescribe only an end result that must be achieved in every Member State. The form and methods of implementing the principles set forth in a directive are a matter for each Member State to decide for itself. Once a directive is passed at the European Union level, each Member State must implement or “transpose” the directive into its legal system, but can do so in its own words. A directive only takes effect through national legislation that implements the measures.

The current data protection regime, which is based on a series of directives – Directive 95/46/EC, Directive 2002/58/EC (as amended) and Directive 2006/24/EC – has proved to be very cumbersome due to the significant discrepancies between the interpretations or implementations of these directives in the various Member State data protection laws. There is currently a patchwork of 27 rules in 27 countries. This fragmentation creates a significant burden on businesses, which are forced to act as chameleons and adapt to the different privacy rules of the countries in which they operate.

Conversely, a regulation is directly applicable, as is, in the Member States. By adopting a Regulation for data protection matters, the EU will equip each of its Member States with the same legal instrument that applies uniformly to all companies, all organizations, and all individuals. The choice of a regulation for the new general regime for personal data protection should provide greater legal certainty by introducing a harmonized set of core rules that will be exactly the same in each Member State. Of course, each country’s government agencies and judicial system are still likely to have their own interpretation of the same text, but the discrepancies between these interpretations should be less significant than those that are currently found among the Member State data protection laws.

Overview of the Draft Regulation

The 119-page draft Regulation lays out the proposed new rules. Among the most significant changes, the Proposed Regulation would shift the consent requirement to that of an “explicit” consent. It would introduce some new concepts that were not in Directive 95/46/EC, such as the concept of a security breach, the protection of the information of children, the use of binding corporate rules, the special status of data regarding health, and the requirement for a data protection officer. It would require companies to conduct privacy impact assessments, to implement “Privacy by Design” rules, and to ensure “Privacy by Default” in their applications. Individuals would have greater rights, such as the “Right to be Forgotten” and the “Right to Data Portability.” Some of the key components of the Proposed Regulation are discussed below.

–  New, Expanded Data Protection Principles

Articles 5 through 10 would incorporate the general principles governing personal data processing that were laid out in Article 6 of Directive 95/46/EC and add new elements such as the transparency principle, the comprehensive responsibility and liability of the controller, and a clarification of the data minimization principle.

One of the significant differences with Directive 95/46/EC is that the notion of consent is strengthened. Currently, in most EU Member States, consent is implied in many circumstances. An individual who uses a website is assumed to have agreed to the privacy policy of that website. Under the new regime, when consent is the basis for the legitimacy of the processing, it will have to be “specific, informed, and explicit.” The controller would have to bear the burden of proving that the data subjects have given their consent to the processing of their personal data for specified purposes. For companies, this means that they may have to find ways to keep track of the consent received from their customers, users, visitors and other data subjects, or will be forced to ask again for this consent.

–  Special Categories of Processing

The rules that apply to special categories of processing would be found in Articles 80 through 85. The special categories would include processing of personal data for:

  • Journalistic purposes;
  • Health purposes;
  • Use in the employment context;
  • Historical, statistical or scientific purposes;
  • Use by individuals bound by a duty of professional secrecy;
  • Public interest.

There are also provisions to protect the rights of a child. Article 8 would require the consent of a parent or custodian for the processing of the personal data of a child under 13. In addition, the definition of “sensitive data” would be expanded to include genetic data and criminal convictions or related security measures (Article 9).

–  Transparency and Better Communications

Article 11 of the proposed Regulation would introduce the obligation to provide transparent, easily accessible and understandable information, while Article 12 would require the controller to provide procedures and a mechanism for exercising the data subject’s rights, including means for electronic requests, requiring that responses to the data subject’s requests be made within a defined deadline, and that any refusal be reasoned. Companies will welcome the fact that the rule for handling requests for access or deletion will be the same in all Member States. In the current regime, the time frames for responding to such requests differ, with some Member States requiring action within very short periods of time, and others allowing two months to respond.

–  Rights of the Data Subjects

Articles 14 through 20 would define the rights of the data subjects. In addition to the right of information, right of access, and right of rectification, which exist in the current regime, the Proposed Regulation introduces the “right to be forgotten” as part of the right to erasure. The right to be forgotten includes the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases.

Article 18 would introduce the data subject’s right to data portability, that is, to transfer data from one automated processing system to, and into, another, without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format. The right to object to the processing of personal data would be supplemented by a right not to be subject to measures based on profiling.

The “right to be forgotten” and the “right to portability” reflect the pressure of the current times, and respond to the needs of customers of social networks who have found, to their detriment, that the ease of use of a social network and the access to the service for no fee was tied to a price:  that their personal data could be used in forms or formats that they had not expected, and that the service provider would resist a user’s attempt to move to another service.

–  Obligations of Controllers and Processors

Articles 22 through 29 would define the obligations of the controllers and processors, as well as those of the joint controllers and the representatives of controllers that are established outside of the European Union. Article 22 addresses the accountability of the controllers. These would include for example, the obligation to keep documents, to implement data security measures, and to designate a data protection officer. Article 23 would set out the obligations of the controller to ensure data protection by design and by default.

Articles 24 and 25 address some of the issues raised by outsourcing, offshoring and cloud computing. While these provisions do not indicate whether outsourcers are joint data controllers, they acknowledge the fact that there may be more than one data controller. Under Article 24, joint data controllers would be required to determine their own responsibility for compliance with the Proposed Regulation. If they fail to do so, they would be held jointly responsible. Article 25 would require data controllers that are not established in the European Union and that direct data processing activities at EU residents, or monitor their behavior, to appoint a designated representative in the European Union.

–  Supervision of Data Controllers or Processors by Data Protection Authority

Article 28 would introduce the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the data protection supervisory authority, as is currently the case under Articles 18 and 19 of Directive 95/46/EC. This provision reflects one of the new guiding principles in the EU data protection reform: that of accountability. In exchange for removing the cumbersome requirement for notification of data controllers’ personal data handling practices, the new framework requires that data controllers be “accountable.” They must create their own structures and document them thoroughly, and must be prepared to respond to any inquiry from the data protection authority and to promptly produce the set of rules with which they have committed to comply.

Article 28 identifies a long list of documents that would have to be created and maintained by data controllers and data processors. This information is somewhat similar to the information that is currently provided in notifications to the data protection authorities―for example, the categories of data and data subjects affected, or the categories of recipients. There are also new requirements such as the obligation to keep track of the transfers to third countries, or to keep track of the time limits for the erasure of the different categories of data.

In the case of data controllers or data processors with operations in multiple countries, Article 51 would create the concept of the “main establishment.” The data protection supervisory authority of the country where the data processor or data controller has its “main establishment” would be competent for the supervision of the processing activities of that processor or controller in all Member States under the mutual assistance and cooperation provisions that are set forth in the Proposed Regulation.

–  Data Security

Articles 30 through 32 focus on the security of the personal data. In addition to the security requirements already found in Article 17 of Directive 95/46/EC, and extending these obligations to the data processors, the Proposed Regulation introduces an obligation to provide notification of personal data breaches. In case of a breach of security, a data controller would be required to inform the supervisory authority within 24 hours, if feasible. In addition, if the breach is “likely to adversely affect the protection of the personal data or the privacy of the data subject,” the data controller would be required to notify the data subjects, without undue delay, after it has notified the supervisory authority of the breach.

–  Data Protection Impact Assessment

Article 33 would require controllers and processors to carry out a data protection impact assessment if the proposed processing is likely to present specific risks to the rights and freedoms of the data subjects by virtue of its nature, scope, or purposes. Examples of these activities include: monitoring publicly accessible areas, use of the personal data of children, use of genetic data or biometric data, processing information on an individual’s sex life, the use of information regarding health or race, or an evaluation having the effect of profiling or predicting behaviors.

–  Data Protection Officer

Articles 35 through 37 would require the appointment of a data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring. Under the current data protection regime, several EU Member States, such as Germany, already require organizations to appoint a Data Protection Officer, who is responsible for the company’s compliance with the national data protection law. Article 36 identifies the roles and responsibilities of the data protection officer, and Article 37 defines the core tasks of the data protection officer.

–  Crossborder Data Transfers

Articles 40 through 45 would define the conditions of, and restrictions to, data transfers to third countries or international organizations, including onward transfers. For transfers to third countries that have not been deemed to provide “adequate protection,” Article 42 would require that the data controller or data processor adduce appropriate safeguards, such as through standard data protection clauses, binding corporate rules, or contractual clauses. It should be noted, in particular, that:

  • Standard data protection clauses may also be adopted by a supervisory authority and be declared generally valid by the Commission;
  • Binding corporate rules are specifically introduced (currently they are only accepted in about 17 Member States);
  • The use of contractual clauses is subject to prior authorization by supervisory authorities.

Binding corporate rules would take a prominent place in the Proposed Regulation. Their required content is outlined in Article 43. Article 44 spells out and clarifies the derogations for a data transfer, based on the existing provisions of Article 26 of Directive 95/46/EC. In addition, a data transfer may, under limited circumstances, be justified on a legitimate interest of the controller or processor, but only after having assessed and documented the circumstances of the proposed transfer.

–  European Data Protection Board

The “European Data Protection Board” would be the new name for the “Article 29 Working Party.” Like its predecessor, the new Board will consist of the European Data Protection Supervisor and the heads of the supervisory authority of each Member State. Articles 65 and 66 clarify the independence of the European Data Protection Board and describe its role and responsibilities.

–  Remedies and Sanctions

Articles 73 through 79 would address remedies, liability, and sanctions. Article 73 would grant data subjects the right to lodge a complaint with a supervisory authority (which is similar to the right under Article 28 of Directive 95/46/EC). It also would allow consumer organizations and similar associations to file complaints on behalf of a data subject or, in case of a personal data breach, on their own behalf.

Article 75 would grant individuals a private right of action. It would grant individuals the right to seek a judicial remedy against a controller or processor in a court of the Member State where the defendant is established or where the data subject is residing. Articles 78 and 79 would require Member States to lay down rules on penalties, to sanction infringements of the Proposed Regulation, and to ensure their implementation. In addition, each supervisory authority must sanction administrative offenses and impose fines.

The Proposed Regulation introduces significant sanctions for violation of the law. Organizations would be exposed to penalties of up to 1 million Euros or up to 2% of the global annual turnover of an enterprise. This is much more than the penalties currently in place throughout the European Union. Apart from a few cases, the level of fines that have been assessed against companies that violated a country’s data protection laws has been low. The Proposed Regulation signals an intent to pursue more aggressively the infringers and to equip the enforcement agencies with substantial tools to ensure compliance with the law.

Conclusion

For several months, the European Commission has been working on the reform of data protection in the European Union, and has given numerous descriptions of the general lines of the new regime, including through a draft of the documents published in December 2011, which differs slightly from the January 25, 2012 version. It is nevertheless exciting to see, at long last, the materialization of these descriptions, outlines, and wish lists.

If the current provisions survive in the final draft, the new Regulation will increase the rights of individuals and the powers of the supervisory authorities. While it would create additional obligations and accountability requirements for organizations, the adoption of a single rule throughout the European Union would help simplify the information governance, procedures, record keeping, and other requirements for companies.

Directive 95/46/EC has been a significant driving force in the adoption of data protection laws throughout the world. In addition to the 30 members of the European Economic Area, numerous other countries, such as Switzerland, Peru, Uruguay, Morocco, Tunisia, or the Dubai Emirate (in the Dubai International Financial District), have adopted data protection laws that follow closely the terms of Directive 95/46/EC. It remains to be seen what effect the adoption of the Regulation will have on the data protection laws of these other countries. How will they react? And will they give their laws a facelift as well?

Posted in Europe

Proposed EU Data Protection Regulation – January 25, 2012 Draft: What US Companies Need to Know

Posted by fgilbert on January 27th, 2012

If the vision of Ms. Reding, Vice-President of the European Commission, as expressed in the January 25, 2012 data protection package, is implemented in a form substantially similar to that which was presented in the package, by 2015 the European Union will be operating under a single data protection law that applies directly to all entities and individuals in the Member States, and will have removed much of the administrative burden that currently costs companies billions of Euros. The savings would allow companies to reinvest in more meaningful, efficient data protection practices that are better adapted to the uses of personal data, new technologies, and the 21st-century way of life.

The series of legislative texts and documents that were published on January 25, 2012 by the European Commission are intended to redefine the legal framework for the protection of personal data throughout the European Economic Area. Ms. Reding’s vision is to have a Regulation address the general privacy issues, and a Directive address the special issues associated with criminal investigations.

The publication of these drafts signals a very important shift in the way data protection will be handled in the future throughout the European Union. The proposed rules would create more obligations for companies and more rights for individuals, while some of the current administrative burdens and complexities would be removed. This is consistent with the plan of action that was presented in late 2010 in Communication 609. What is new, and a paradigm shift, is that there will be one single data protection law throughout the European Union, and companies will no longer have to suffer from the fragmentation resulting from the fact that the 27 Member States interpreted and implemented differently the principles set forth in Directive 95/46/EC.

A single set of rules on data protection, valid across the EU, would make it easier for companies to know the rules. Unnecessary administrative burdens, such as notification requirements for companies, would be removed. Instead, the proposed Regulation provides for increased responsibility and accountability for those processing personal data. In the new regime, organizations would only have to deal with a single national data protection authority, in the EU country where they have their main establishment. Likewise, people would be able to refer to the data protection authority in their own country, even when their data are processed by a company based outside the EU.

US companies that do business in or with the European Economic Area must start preparing for this dramatic change in the data protection landscape. Some of the provisions will require the development of written policies and procedures, documentation, and applications as necessary to comply with the new rules. Security breaches will have to be disclosed, and incident response plans will have to be created accordingly. The development of these new structures will require significant investment and resources. IT and IS departments will need to obtain larger budgets in order to finance the staff, training, policies, procedures, and technologies that will be needed to implement the new provisions.

The Foundation Documents

The proposed data protection package contains two important legislative texts:

The draft Regulation and draft Directive will now be discussed by the European Parliament and EU Member States meeting in the Council of Ministers. Thus, there will be more opportunities for discussion, changes, and modifications of the current provisions, and there is currently no certainty that the provisions as stated in the January 25, 2012 draft will remain.

However, given the energy, speed, and determination with which the reform of the EU data protection regime has been handled, it is likely that a final vote will take place sooner rather than later. Once in their final form and formally adopted by the European Parliament, the rules are expected to take effect two years later. Thus, it is likely that, by the end of 2014 or early 2015, the European Economic Area will be subject to a new, improved, but stricter data protection regime.

This article discusses only the Proposed Regulation.

A Regulation, Not a Directive

The European Union is over 50 years old. For a long time, the Union has functioned as a group of countries operating under a set of rules that attempted to be consistent with each other, in order to ease the flow of people and goods among the Member States. This was achieved by implementing, on a piecemeal basis, the principles of numerous directives, with each Member State in fact retaining a great deal of independence and autonomy. While this strategy allowed a sense of unity to develop slowly among countries with different cultures, histories, and personalities, it ended up creating a patchwork of national laws that bore some resemblance to one another but each had its own personality: a difficult setting for companies operating in several Member States.

The ratification of the Treaty of Lisbon in late 2009 was a very important milestone in the morphing of the European Union as a united power.  It marked a very important step in the evolution of the Union, creating deep changes in its rules of operation, removing the three-pillar system that fragmented the operations, and moving the federation into a closer, tighter structure. With the Treaty of Lisbon, the European Union moved towards more cohesion, more consistency, and more unity.

With this background in mind, it is logical that the European Commission found that a “Regulation,” as opposed to a “Directive,” was the most appropriate legal instrument to define the new framework for the protection of personal data in the European Union in connection with the processing of these data by companies and government agencies in their day-to-day operations. Due to the legal nature of a regulation under EU law, the proposed data protection Regulation will establish a single rule that applies directly and uniformly.

EU regulations are the most direct form of EU law. A regulation is directly binding upon the Member States and is directly applicable within the Member States. As soon as a regulation is passed, it automatically becomes part of the national legal system of each Member State. There is no need for the creation of a new legislative text.

EU directives, on the other hand, are used to bring different national laws in line with each other. They prescribe only an end result that must be achieved in every Member State. The form and methods of implementing the principles set forth in a directive are a matter for each Member State to decide for itself. Once a directive is passed at the European Union level, each Member State must implement or “transpose” the directive into its legal system, but can do so in its own words. A directive only takes effect through national legislation that implements its measures.

The current data protection regime, which is based on a series of directives – Directive 95/46/EC, Directive 2002/58/EC (as amended) and Directive 2006/24/EC – has proved to be very cumbersome due to the significant discrepancies between the interpretations or implementations of the directives in the various Member State data protection laws. There is currently a patchwork of 27 rules in 27 countries. This fragmentation creates a significant burden on businesses, which are forced to act as chameleons and adapt to the different privacy rules of the countries in which they operate.

Conversely, a regulation is directly applicable, as is, in the Member States. By adopting a Regulation for data protection matters, the EU will equip each of its Member States with the same legal instrument that applies uniformly to all companies, all organizations, and all individuals. The choice of a regulation for the new general regime for personal data protection should provide greater legal certainty by introducing a harmonized set of core rules that will be exactly the same in each Member State. Of course, each country’s government agencies and judicial system are still likely to have their own interpretation of the same text, but the discrepancies between these interpretations should be less significant than those that are currently found among the Member State data protection laws.

Overview of the Draft Regulation

The 119-page draft Regulation lays out the proposed new rules. Among the most significant changes, the Proposed Regulation would shift the consent requirement to one of “explicit” consent. It would introduce some new concepts that were not in Directive 95/46/EC, such as the concept of a breach of security, the protection of the information of children, the use of binding corporate rules, the special status of data regarding health, and the requirement for a data protection officer. It would require companies to conduct privacy impact assessments, to implement “Privacy by Design” rules, and to ensure “Privacy by Default” in their applications. Individuals would have greater rights, such as the “Right to be Forgotten” and the “Right to Data Portability.” Some of the key components of the Proposed Regulation are discussed below.

–  New, Expanded Data Protection Principles

Articles 5 through 10 would incorporate the general principles governing personal data processing that were laid out in Article 6 of Directive 95/46/EC and add new elements such as a transparency principle, comprehensive responsibility and liability of the controller, and a clarification of the data minimization principle.

One of the significant differences with Directive 95/46/EC is that the notion of consent is strengthened. Currently, in most EU Member States, consent is implied in many circumstances. An individual who uses a website is assumed to have agreed to the privacy policy of that website. Under the new regime, when consent is the basis for the legitimacy of the processing, it will have to be “specific, informed, and explicit.” The controller would have to bear the burden of proving that the data subjects have given their consent to the processing of their personal data for specified purposes. For companies, this means that they may have to find ways to keep track of the consent received from their customers, users, visitors and other data subjects, or will be forced to ask again for this consent.

–  Special Categories of Processing

The rules that apply to special categories of processing would be found in Articles 80 through 85. The special categories would include processing of personal data for:

  • Journalistic purposes;
  • Health purposes;
  • Use in the employment context;
  • Historical, statistical or scientific purposes;
  • Use by individuals bound by a duty of professional secrecy;
  • Public interest.

There are also provisions to protect the rights of a child. A “child” is currently defined as an individual under 13 (Article 8). In addition, the definition of “sensitive data” would be expanded to include genetic data and criminal convictions or related security measures. (Article 9).

–  Transparency and Better Communications

Article 11 of the proposed Regulation would introduce the obligation to provide transparent, easily accessible, and understandable information, while Article 12 would require the controller to provide procedures and a mechanism for exercising the data subject’s rights, including means for electronic requests, requiring that responses to a data subject’s request be made within a defined deadline, and that any refusal be reasoned. Companies will welcome the fact that the rule for handling requests for access or deletion will be the same in all Member States. In the current regime, the time frames for responding to such requests differ, with some Member States requiring action within very short periods of time and others allowing two months to respond.

–  Rights of the Data Subjects

Articles 14 through 20 would define the rights of the data subjects. In addition to the right of information, right of access, and right of rectification, which exist in the current regime, the Proposed Regulation introduces the “right to be forgotten” as part of the right to erasure. The right to be forgotten includes the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases.

Article 18 would introduce the data subject’s right to data portability, that is, to transfer data from one automated processing system to, and into, another, without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format. The right to object to the processing of personal data would be supplemented by a right not to be subject to measures based on profiling.

The “right to be forgotten” and the “right to portability” reflect the pressure of the current times, and respond to the needs of customers of social networks who have found, to their detriment, that the ease of use of a social network and the access to the service for no fee was tied to a price:  that their personal data could be used in forms or formats that they had not expected, and that the service provider would resist a user’s attempt to move to another service.

–  Obligations of Controllers and Processors

Articles 22 through 29 would define the obligations of the controllers and processors, as well as those of the joint controllers and the representatives of controllers that are established outside of the European Union. Article 22 addresses the accountability of the controllers. These would include for example, the obligation to keep documents, to implement data security measures, and to designate a data protection officer. Article 23 would set out the obligations of the controller to ensure data protection by design and by default.

Articles 24 and 25 address some of the issues raised by outsourcing, offshoring and cloud computing. While these provisions do not indicate whether outsourcers are joint data controllers, they acknowledge the fact that there may be more than one data controller. Under Article 24, joint data controllers would be required to determine their own responsibility for compliance with the Proposed Regulation. If they fail to do so, they would be held jointly responsible. Article 25 would require data controllers that are not established in the European Union and that direct data processing activities at EU residents, or monitor their behavior, to appoint a designated representative in the European Union.

–  Supervision of Data Controllers or Processors by Data Protection Authority

Article 28 would introduce an obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, replacing the general notification to the data protection supervisory authority that is currently required under Articles 18 and 19 of Directive 95/46/EC. This provision reflects one of the new guiding principles of the EU data protection reform: accountability. In exchange for removing the cumbersome requirement to notify the data controllers’ personal data handling practices, the new framework requires that data controllers be “accountable.” They must create their own compliance structures and document them thoroughly, must be prepared to respond to any inquiry from the Data Protection Authority, and must be able to promptly produce the set of rules with which they have committed to comply.

Article 28 identifies a long list of documents that would have to be created and maintained by data controllers and data processors. This information is somewhat similar to the information that is currently provided in notifications to the data protection authorities―for example, the categories of data and data subjects affected, or the categories of recipients. There are also new requirements such as the obligation to keep track of the transfers to third countries, or to keep track of the time limits for the erasure of the different categories of data.

In the case of data controllers or data processors with operations in multiple countries, Article 51 would create the concept of the “main establishment.” The data protection supervisory authority of the country where the data processor or data controller has its “main establishment” would be competent for the supervision of the processing activities of that processor or controller in all Member States under the mutual assistance and cooperation provisions that are set forth in the Proposed Regulation.

–  Data Security

Articles 30 through 32 focus on the security of the personal data. In addition to the security requirements already found in Article 17 of Directive 95/46/EC, which would be extended to data processors, the Proposed Regulation introduces an obligation to provide notification of personal data breaches. In case of a breach of security, a data controller would be required to inform the supervisory authority within 24 hours, if feasible. In addition, if the breach is “likely to adversely affect the protection of the personal data or the privacy of the data subject,” the data controller would be required to notify the data subjects, without undue delay, after it has notified the supervisory authority of the breach.

–  Data Protection Impact Assessment

Article 33 would require controllers and processors to carry out a data protection impact assessment if the proposed processing is likely to present specific risks to the rights and freedoms of the data subjects by virtue of its nature, scope, or purposes. Examples of these activities include: monitoring publicly accessible areas, use of the personal data of children, use of genetic data or biometric data, processing information on an individual’s sex life, the use of information regarding health or race, or an evaluation having the effect of profiling or predicting behaviors.

–  Data Protection Officer

Articles 35 through 37 would require the appointment of a data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring. Under the current data protection regime, several EU Member States, such as Germany, already require organizations to appoint a Data Protection Officer, who is responsible for the company’s compliance with the national data protection law. Article 36 identifies the roles and responsibilities of the data protection officer, and Article 37 defines the core tasks of the data protection officer.

–  Crossborder Data Transfers

Articles 40 through 45 would define the conditions of, and restrictions to, data transfers to third countries or international organizations, including onward transfers. For transfers to third countries that have not been deemed to provide “adequate protection,” Article 42 would require that the data controller or data processor adduce appropriate safeguards, such as through standard data protection clauses, binding corporate rules, or contractual clauses. It should be noted, in particular, that:

  • Standard data protection clauses may also be adopted by a supervisory authority and be declared generally valid by the Commission;
  • Binding corporate rules are specifically introduced (currently they are only accepted in about 17 Member States);
  • The use of contractual clauses is subject to prior authorization by supervisory authorities.

Binding corporate rules would take a prominent place in the Proposed Regulation. Their required content is outlined in Article 43. Article 44 spells out and clarifies the derogations for a data transfer, based on the existing provisions of Article 26 of Directive 95/46/EC. In addition, a data transfer may, under limited circumstances, be justified on a legitimate interest of the controller or processor, but only after having assessed and documented the circumstances of the proposed transfer.

–  European Data Protection Board

The “European Data Protection Board” would be the new name for the “Article 29 Working Party.” Like its predecessor, the new Board will consist of the European Data Protection Supervisor and the heads of the supervisory authority of each Member State. Articles 65 and 66 clarify the independence of the European Data Protection Board and describe its role and responsibilities.

–  Remedies and Sanctions

Articles 73 through 79 would address remedies, liability, and sanctions. Article 73 would grant data subjects the right to lodge a complaint with a supervisory authority (which is similar to the right under Article 28 of Directive 95/46/EC). It also would allow consumer organizations and similar associations to file complaints on behalf of a data subject or, in case of a personal data breach, on their own behalf.

Article 75 would grant individuals a private right of action. It would grant individuals the right to seek a judicial remedy against a controller or processor in a court of the Member State where the defendant is established or where the data subject is residing. Articles 78 and 79 would require Member States to lay down rules on penalties, to sanction infringements of the Proposed Regulation, and to ensure their implementation. In addition, each supervisory authority must sanction administrative offenses and impose fines.

The Proposed Regulation introduces significant sanctions for violation of the law. Organizations would be exposed to penalties of up to 1 million Euros or up to 2% of the global annual turnover of an enterprise. This is much more than the penalties currently in place throughout the European Union. Apart from a few cases, the level of fines that have been assessed against companies that violated a country’s data protection laws has been low. The Proposed Regulation signals an intent to pursue more aggressively the infringers and to equip the enforcement agencies with substantial tools to ensure compliance with the law.

Conclusion

The terms of the Proposed Regulation are not really a surprise. For several months, Viviane Reding, Vice-President of the European Commission, and other representatives of the European Union have provided numerous descriptions of their vision for the new regime, including through a draft of the documents published in December 2011, which differs slightly from the January 25, 2012 version. It is nevertheless exciting to see, at long last, the materialization of these descriptions, outlines, and wish lists.

Altogether, if the current provisions subsist in the final draft, the new Regulation will increase the rights of the individuals and the powers of the supervisory authorities. While the Regulation would create additional obligations and accountability requirements for organizations, the adoption of a single rule throughout the European Union would help simplify the information governance, procedures, record keeping, and other requirements for companies.

Finally, it should also be remembered that Directive 95/46/EC has been a significant driving force in the adoption of data protection laws throughout the world. In addition to the 30 members of the European Economic Area, numerous other countries, such as Switzerland, Peru, Uruguay, Morocco, Tunisia, or the Dubai Emirate (in the Dubai International Financial District) have adopted data protection laws that follow closely the terms of Directive 95/46/EC. It remains to be seen what effect the adoption of the Regulation will have on the data protection laws of these other countries.

Posted in Europe, International

New Version of Draft Data Protection Directive and Regulation Unveiled in Brussels

Posted by fgilbert on January 25th, 2012

This morning, Mrs. Viviane Reding, Vice-President of the European Commission, unveiled the long awaited documents that are intended to frame the new data protection regime in the European Economic Area, after final approval. There are two principal documents, and a series of background papers:

The next step is for these documents to be discussed by the European Parliament and the EU Member States meeting in the Council of Ministers. The rules will take effect two years after they have been adopted.

A cursory comparison with the most recent draft of the Regulation – Draft 56, which had been leaked in late November 2011 – shows mostly technical changes resulting from careful proofreading. However, there are also significant changes. For example, the maximum level of penalties has been lowered from 5% of annual turnover to 2%. The security breach must be disclosed within 24 hours if feasible, and to the individuals ‘without undue delay’ (the prior draft included a 24 hour notice requirement).

Key aspects of the Draft Regulation include:

Data Subjects would have more rights:

  • Wherever consent is required for data to be processed, it would have to be given explicitly, rather than assumed.
  • Individuals would have a “right to data portability,” which would allow them to transfer personal data from one service provider to another more easily.
  • Individuals would have a “right to be forgotten” which would allow them to obtain the deletion of the data that they furnished online if there are no legitimate grounds for retaining it (with exceptions).
  • Individuals would be able to refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.

Organizations would have more obligations and responsibilities:

  • Organizations would be required to conduct Privacy Impact Assessments, and to build privacy into their developments, products and services in order to fulfill their ‘Privacy by Design’ and ‘Privacy by Default’ obligations.
  • Organizations would be required to notify the national supervisory authority of data security breaches if feasible within 24 hours; and if the breach would adversely affect the protection of the personal data or privacy of individuals, the controller would be required to communicate the personal data breach to the data subjects without undue delay.
  • Organizations would only have to deal with a single national data protection authority in the EU country where they have their main establishment.
  • Organizations would no longer have to notify their data protection practices to national data protection authorities, but would still have to obtain permission for some categories of processing.
  • Instead of notification, there would be increased responsibility and accountability for those processing personal data; including significant disclosure and record keeping requirements.

EU rules would apply after crossborder transfer of personal data:

  • EU rules would apply if personal data were handled abroad by companies that are active in the EU market and offer their services to EU citizens.

Enforcement would be strengthened:

  • Organizations would be exposed to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • The role of national Data Protection Authorities would be strengthened so they can better enforce the EU rules at home.

These documents will now be discussed by the European Parliament and by the EU Member States meeting in the Council of Ministers. Thus, it is likely that there will be more opportunities for discussion, changes, and modifications of the current provisions. However, given the energy, speed, and determination with which the reform of the EU data protection regime has been handled, it is likely that the final documents will be substantially similar to what was published on January 25, 2012, and that a final vote will take place sooner rather than later. Once adopted, the rules would take effect two years later. Thus, we can expect that by the end of 2014, Europe will be subject to a new, improved, but stricter data protection regime.

Posted in Europe