Archive for the ‘Applicable law’ Category

How to solve BCR conflicts with local law

Posted on March 13th, 2013 by Phil Lee

A frequently asked question by many clients considering BCR is “How can we apply BCR on a global basis?  What if non-EU laws conflict with our BCR requirements?”  Normally, this question is raised during an early-stage stakeholder review – typically, by local in-house counsel or a country manager who points out, quite reasonably, that BCR are designed to meet EU data protection standards, not their own local laws.

It’s a very good, and perfectly valid, question to ask – but one that can very quickly be laid to rest.  BCR are a voluntary set of self-regulatory standards that can readily be designed to flex to non-EU local law requirements.  Global businesses necessarily have to comply with the myriad of different laws applicable to them, and the BCR policy can address this need in the following way:

(*)  where local law standards are lower than those in the BCR, then the BCR policy should specify that its standards will apply.  In this way, the local controller not only achieves, but exceeds, local law requirements and continues to meet its commitments under its BCR; and

(*)  where local law standards are higher than those in the BCR, then the BCR policy should specify that the local law standards will apply.  In this way, the local controller achieves local law compliance and exceeds its commitments under the BCR.

In both cases, the controller manages to fulfil its responsibilities under both applicable local law and the BCR, so a head-on collision between the two almost never arises.  But for those very exceptional circumstances where mandatory local laws do prohibit the controller from complying with the BCR, the group’s EU headquarters or privacy function is simply required to take a “responsible decision” on what action to take and to consult with EU data protection authorities if in doubt.

The net result?  Carefully designed BCR provide a globally consistent data management framework that sets an expected baseline level of compliance throughout the organisation – exceeded only if and when required by local law.

Positive ruling for US businesses adopting single EU controller model?

Posted on February 19th, 2013 by Stephan Zimprich

In two preliminary decisions, the Administrative Court of the German Federal State of Schleswig-Holstein ruled last week that two administrative acts which had been issued by the DPA of Schleswig-Holstein (ULD) against Facebook Inc. and Facebook Ireland Ltd. cannot be enforced until a decision in the main proceedings is made (ref. nos. 8 B 60/12 and 8 B 61/12). What at first sight seems to be only a side aspect of the ULD’s battle against the handling of personal data by the world’s largest social network has some fundamental implications, as the court denied the applicability of German data protection law to the company’s German activities altogether.

In its preliminary decisions, the court followed Facebook’s argument that only Facebook Ireland Ltd. is relevant for the determination of applicable law, as its German entity solely provides supporting services (marketing and acquisition) and is not involved in the processing of personal data. Facebook Ireland would be the only European entity with direct control over the user data of non-US users. Other European entities would not be involved in the processing of personal data. The court regarded it as irrelevant whether Facebook Inc. (USA) would be the sole controller of personal data, or whether it would be a joint controller together with Facebook Ltd. (Ireland), as Facebook Ltd. must be regarded as an establishment of Facebook Inc. which processes personal data in the course of its business operations. The court stated that Facebook Ltd., with its 400 employees and its infrastructure in Dublin, “implies the effective and real exercise of activity through stable arrangements” within the meaning of recital 19 of the Directive, and thus fulfils the requirements for an “establishment” under Art. 4 (1)(a) of Directive 95/46/EC.

Further, the court stated that it would not be relevant where the servers on which the data is stored and processed are located, as Art. 4 (1)(a) of Directive 95/46/EC only requires that the processing is carried out “in the context of the activities of an establishment of the controller”, so that Facebook Ltd. must be regarded as an establishment within the meaning of Art. 4 (1)(a) of Directive 95/46/EC even if the technical infrastructure is located in the US.

The background of the case is that the ULD had issued two identical administrative orders against Facebook Inc. and Facebook Ireland Ltd. in December 2012 to force the company to unlock pseudonymous user accounts that had been locked by Facebook. The ULD regards Facebook’s policy that users must use full and correct names for their profiles to be in violation of German data protection regulation and the German Telemedia Act, which stipulate that anonymous or pseudonymous use of internet services must be offered where possible. The ULD also made the order immediately enforceable, and only this additional element of the order was subject to the preliminary ruling of the court.

It must thus be borne in mind that the decision is only preliminary and based on a weighing of interests rather than a thorough legal assessment. The main criterion for the court was whether the DPA’s interest in immediate enforcement outweighs Facebook’s interest in the suspension of enforcement. The legal assessment, although part of that weighing, is not binding and will be further scrutinised in the main proceedings. Also, the DPA of Schleswig-Holstein has lodged a complaint against the decision.

Conclusions: In general, the decisions of the administrative court support the validity of a structure that various US internet businesses use in Europe to mitigate potential exposure to multiple EU data protection regimes, i.e. appointing a single European subsidiary to assume controllership of European users’ personal data, while other European subsidiaries provide supporting services in the areas of marketing and distribution. However, the decision also shows that the setup of a European structure must be carefully shaped as the court put specific emphasis on the “stable arrangements” and the personnel and infrastructural configuration of the establishment. This makes clear that “letterbox offices” will not be accepted, and that only a legal setup that reflects the reality of the business may qualify as an establishment under the Directive.

As a further important point to note, the court also held that EU data protection law does not require the IT infrastructure to be located on European soil. In this regard, it must be noted that Directive 95/46/EC potentially allows for an opposing interpretation; and it should be closely monitored whether the position of the Administrative Court of Schleswig-Holstein finds support in potential appellate proceedings.

European Parliament’s take on the Regulation: Stricter, thicker and tougher

Posted on January 9th, 2013 by Eduardo Ustaran


If anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available and what was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years to previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), reinforced slightly the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

All in all, the LIBE Committee’s draft proposal represents a significant toughening of the Commission’s draft (which was already significantly tougher than the existing data protection directive). Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders (including the Commission itself) will then follow and we have just over a year to get the balance right. Much work no doubt awaits.


Getting the ‘one stop shop’ principle to work

Posted on November 5th, 2012 by Eduardo Ustaran

Going all the way to the Rio de la Plata to discuss the content of the future European data protection framework seems a little over the top, but the recent International Privacy Commissioners’ Conference in Punta del Este, Uruguay provided a perfect forum as a neutral ground for a fierce policy debate.  Surrounded by equally fierce winds and rain for added dramatic effect, regulators and other influential stakeholders in the privacy world locked horns in the most constructive possible way for three days to make the most of this annual gathering.  One of the immediate outcomes was the realisation that much work remains to be done if we are to achieve the necessary balance between progress and protection.  No other issue symbolised the need for this balance better than the ‘one stop shop’ principle under the proposed EU data protection regulation – the sole competence of one single regulator over the same controller all over the European Union.

As a concept, this principle seems like a no-brainer that everyone would be happy with.  If anything, having a single regulator with responsibility for supervising the activities of a corporate group across the EU on the basis of the same law should be the most efficient way of managing the limited time and resources that data protection authorities have.  If the organisation to be supervised operates on a pan-European basis and the law is the same everywhere, surely this approach is the most logical in the absence of a central European regulator.  Why, then, is this concept proving so difficult to shape to everyone’s satisfaction?  There is even a precedent in the concept of a “lead authority” for BCR authorisations, which has been working quite effectively for years now.  Are national interests preventing this principle from working, or is there a more fundamental issue getting in the way?

In line with the overall harmonisation objective, the ‘one stop shop’ principle brings with it a significant change, as the law seeks to designate only one competent regulator per EU-based controller.  By definition, this approach relies on the trust that the authorities of all the other countries where a given controller operates must place in the competent authority.  This is certainly an ambitious expectation, but surely one that can be met if the collaborative mood of the Commissioners’ Conference is anything to go by.  So a lack of trust amongst regulators should not be a reason to question the ‘one stop shop’ principle.

A more damaging factor is the suspicion that astute organisations will seek to manipulate the system and aim to be supervised by the ‘easy’ regulators.  Frankly, there are no easy or difficult regulators.  They all take their jobs very seriously and have good days and bad days – like everyone else.  What is essential is a sufficient degree of pragmatism that brings compliance with the law to a viable level that meets the right standards.  For this to happen, dialogue is essential but, again, seeking that level of compliance should not be seen as a sign of defiance or an easy way of avoiding legal requirements.

Could the ‘one stop shop’ principle ever work then?  Of course it can.  As a starting point, it needs dialogue and collaboration amongst the data protection authorities and a realistic approach to data protection compliance.  Linked to this, what is also needed is trust.  Trust by the regulators in their counterparts and ultimately trust in the legal system.  However, trust should not be about ‘easy’ regulators behaving unreasonably to show how ‘tough’ they are, and trust should not be about triggering a dangerously bureaucratic “consistency mechanism” at the first sight of disagreement.  The ‘one stop shop’ principle is ultimately about effective compliance and should be given the chance to succeed.

The next two years of legislative reform are crucial.  We have a golden opportunity to establish a supervisory approach that is geared to deal with global organisations operating in Europe in a consistent and effective way.  Change should be accepted because it is inevitable.  The ‘one stop shop’ model is perfectly workable if it throws away old and unhelpful prejudices.  Efforts should be made to find the best criteria to determine which authority is the competent one in respect of every controller subject to EU law – irrespective of where they are based – and to support that authority in their role.  Diversity is a great thing but when it comes to regulatory enforcement, it creates uncertainty and unfairness.  Let’s not risk that outcome and let’s try to make the ‘one stop shop’ principle work instead.

This article was first published in Data Protection Law & Policy in October 2012.

The future of privacy

Posted on May 31st, 2012 by Eduardo Ustaran

Not that long ago, reading this article (let alone writing it) would have been regarded as nerdy.  Data protection used to be seen as arcane and irrelevant to businesses and ordinary people.  Introducing yourself as a data protection lawyer or a privacy professional was a recipe for embarrassment and a sure way of getting some funny looks.  However, at some point, something suddenly changed.  What was wacky is now cool, and what seemed like an obscure legal discipline with funny jargon and odd rules has become a critical consideration for business and government.  What happened?  What was the event that radically altered our perception of the importance of personal information for the world’s prosperity?  The crucial catalyst was in fact a combination of three factors that will also shape the future of privacy and data protection going forward.

The first one is the most obvious of all, because it has permeated our lives to such a degree that we can no longer live without it.  Remember life before e-mail, mobile phones, the Internet, search engines, CCTV cameras, biometric passports, chip & pin, apps and cookies?  The evolution of technology has been the primary contributor to the growing importance of data protection, as digitalisation has led to a never-ending, yet not always visible, churn of personal data.  The second one has been the realisation that personal data is a very valuable asset.  Some examples: last year, Google’s turnover was nearly $38bn, LinkedIn doubled the value of its shares on the day it floated on the stock exchange, and Facebook’s IPO reportedly created 1,000 millionaires overnight.  What these businesses have in common, in addition to being amazing success stories of the post-dotcom boom, is that their success is based on the power and value of personal information.  The third critical factor is none other than the reality of data globalisation: the fact that geographical distance and cultural barriers have become almost negligible for the exploitation of data.

These three factors have thrown into the air many existing preconceptions and turned legal conundrums into business critical issues.  Getting the right answer to which law applies or who is in control of the information generated by our daily use of global interconnecting technologies has massive practical implications.  Some will be purely financial and others political, but their significance has not gone unnoticed.  Even the very thing at the centre of the legal debate – ascertaining what is and what isn’t personal data – has become an issue of great economic impact for businesses across all industry sectors, from technology to financial services and from retail to life sciences.  As an overarching theme, the question of how to ensure global compliance with maximum effectiveness and minimum cost has suddenly focused the minds of business leaders and politicians.

But having got to this place, the question that we now need to address is this: what happens next?  Or in other words: what is the future of privacy and data protection?  For policy makers and data-reliant businesses alike, the answer to that question lies in addressing the three issues that have so radically changed things.  Regulating and managing the evolution of technology necessarily involves understanding technology.  That means that a likely component of tomorrow’s privacy regulation will be about explaining technology in a way that lets its users understand what is likely to happen to the personal information generated by their use of that technology.  This is transparency 2.0 and, from a compliance perspective, collecting and using data will entail making the impenetrable world of new technologies understandable to everyone.  But beyond pure transparency, something that no legal regime has addressed to date but that will form part of the legal obligations of the future is the provision of value.  When a government or a business asks a citizen or customer for their personal information, it will only be fair to give that person something back or to share with individuals part of the value extracted from their data.  That would certainly be a much better way of getting the control balance right than seeking an empty and meaningless consent.

One remaining challenge is the international nature of data flows and information exploitation.  Data protection will never be a local issue again.  Data is no longer transferred from A to B.  Geographically speaking, where data actually is in an interconnected world is completely irrelevant, because data is ever accessible from everywhere.  Law and practice will have to come to terms with that.  Overcoming the legal limitations affecting international data transfers has always been a difficult challenge because, even in the old days, data was pretty fluid.  Today’s and tomorrow’s data globalisation needs a completely different approach which focuses on mutual recognition of rules, regulatory collaboration and incentives to do the right thing.

This article was first published in issue number 100 of Data Protection Law & Policy in May 2012.

Mobile privacy – is there an app for that?

Posted on April 20th, 2012 by Phil Lee

Next week I’ll be chairing a session at the IAPP’s Data Protection Intensive in London on mobile privacy. In advance of my session (and without giving too much away – I highly recommend attending the event!), I thought I’d set out a few key thoughts on the issues mobile operators and developers need to consider when launching mobile apps:

  • Why does m-privacy matter? It’s simple: if you’re anything like me, your mobile device has become your closest, most trusted friend. No one knows more about you: your phone knows where you go, who you know, and the passwords to your banking, shopping and social networking accounts. It looks after your diary and has access to all your most treasured and personal photos. This is all very sensitive information – and your phone holds an awful lot of it.
  • Why is m-privacy hard (practically)? Because the actors, devices and consumer expectations are so many and so varied. In the course of downloading, installing and running an app, a consumer will share data with or through its device platform, the relevant app marketplace, the application developer, and various ad networks, analytics providers, payment processors and mobile carriers. Consumers can access apps through smartphones, tablets, netbooks or other mobile devices – each with different platforms having their own data access permissions, device unique data types, and screen sizes and resolutions, thereby making efforts to design a simple ‘one size fits all’ privacy notice a real challenge. Adopting a privacy by design approach is not a nice to have in the mobile environment – it’s a necessity.
  • Why is m-privacy hard (legally)? From a privacy perspective, data protection, e-privacy, communications interception and data retention laws – both in the EU and beyond – can all apply to data collected from mobile devices. Widen the picture out into general consumer law, and issues arise around applicable law, mandatory consumer terms, liability and enforceability of terms (to name but a few). As a few press reports have highlighted recently, just because you CAN access data doesn’t mean you should – the recent furore surrounding the Girls Around Me app being a very good case in point. And to make matters more complicated, the data protection laws we have can often apply in surprising and unexpected ways – remember, many of them date back to before any of us even had a mobile. Should device ID data really be considered ‘personal data’? Why do ‘cookie consent’ rules apply to mobile apps? Do SoLoMo applications REALLY need to get opt-in consent to location data use?

If you’re attending the IAPP Intensive next week, then do come along and join my session to answer all of these questions – and more!

The extra-territorial application of the new EU law

Posted on February 15th, 2012 by Eduardo Ustaran

One of the most anticipated changes likely to be introduced by the new EU Data Protection Regulation proposed by the European Commission is the criteria used to determine the applicability of EU law – quite an important issue.  To recap briefly, under the current Data Protection Directive, the rules are essentially as follows:

*   If the controller is based in an EU Member State (e.g. Acme (UK) Limited based in the UK), that controller will be subject to the law of that Member State (e.g. the UK Data Protection Act) and to the scrutiny of the regulator of that country (e.g. the UK Information Commissioner).

*   If the controller is based outside the EU (e.g. Acme Inc.) but uses equipment (e.g. servers or people’s computers) to collect information, that controller will be subject to the laws of every single Member State and to the scrutiny of each and every regulator. 

However, the rule that determines the applicability of the law to non-EU controllers produces bizarre situations like the potential application of EU law to organisations that have no presence, employees or customers in the EU but happen to engage an EU-based service provider (with equipment in Europe), or like the non-application of EU law to organisations who may be dealing with millions of Europeans over the Internet but have no real processing equipment in the EU.

Therefore, under the proposed Data Protection Regulation, the rules would be as follows: 

*   If the controller is based in an EU Member State and it has one main establishment (e.g. Acme (UK) Limited based in the UK), then it will still be subject to the Regulation but it will only be subject to the scrutiny of one regulator (e.g. the UK Information Commissioner).

*   If the controller is based outside the EU (e.g. Acme Inc.) and offers products or services to EU residents or monitors the behaviour of EU residents, it will be subject to the Regulation and to the scrutiny of each and every regulator.

For non-EU organisations, the million dollar question is what does the Regulation mean by “offering products or services” or, more intriguingly, “monitoring the behaviour”?  The answer to this question will undoubtedly become clear as the legislative process progresses, but in the meantime it is helpful to consider the explanations given in the recitals to the Regulation.

First of all, the whole point of the extra-territorial reach of the law (both under the Directive and even more under the Regulation) is to protect people who live in Europe where their data is used elsewhere.  The “offering products or services” side of the equation is also clearly aimed at capturing visible commercial relationships where, typically via the Internet, an organisation is making its goods or services available to EU residents.

The meaning of “monitoring the behaviour” is slightly trickier because the recitals only refer to one very specific form of monitoring: Internet tracking and profiling.  So the commonplace practice of building an Internet user’s picture through the use of cookies with a view to targeting that individual with tailored advertising will definitely be caught – not a very “technologically neutral” provision, it must be said.  The question that we will need to address over the coming months is what is the intended scope of the phrase “monitoring the behaviour” beyond Internet tracking and more precisely, how granular or detailed that monitoring must be to trigger the application of the law.  The debate is wide open.

The new EU framework: Uniform, prescriptive and ambitious

Posted on February 3rd, 2012 by Eduardo Ustaran

These are truly exhilarating times for the data protection world.  Viviane Reding’s recent announcement of the Commission’s proposal for a fully harmonised European data protection framework had the connotations of an Olympic opening ceremony – the years of hard work in preparation for this moment, the sense of achievement in the face of challenge and the triumphant belief that something memorable is going to come out of this.  Only the big drums and the flame were missing.  The jury is now out but this is without a doubt the most significant global legislative development affecting the collection, use and protection of personal information of the past 15 years.

As expected, the proposed new general framework for data protection is set out in a regulation, rather than another directive.  This means that once adopted, the regulation will be directly and universally applicable across all EU Member States without the need for national legislation.  Recent legislative history suggests that a single EU-wide regulation is likely to be the only way to achieve the desired uniformity across the European Union.  Member States’ struggle to implement the changes to the e-privacy directive in a coherent way reminds us daily of the limitations of a directive.  But a single pan-European law is a double-edged sword – one set of rules is meant to be beneficial to organisations operating internationally, but those who are used to dealing with the reasonably practical obligations of jurisdictions like the UK or Ireland face a cultural and legal shock.

The proposed regulation is also aimed at rejuvenating a law which has lost its effectiveness in tackling the data protection challenges of the 21st century.  The novelties are varied and creative, but they all have one thing in common: the principles, rights and obligations are far more prescriptive in nature than under the 1995 directive.  This is a natural consequence of having to draft a directly applicable regulation, but it is a fundamental change from the way European data protection has operated until now.

The bulk of the proposed regulation brings with it a whole new set of obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers.  Plus, of course, nearly immediate data breach notification.  These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.

Above all, the Commission’s proposal is an ambitious one.  Not least because it sets out a very clear basis for its extra-territorial application.  The regulation does away with the cumbersome references to equipment located in the European Union and introduces brand new EU residency grounds.  Any company that processes personal data in the context of an EU-based establishment will be subject to the new law in any event.  But in addition, the regulation will extend the applicability of European data protection rules to organisations established elsewhere that use personal information in relation to the offering of goods or services to, or the monitoring of the behaviour of, individuals who live in the EU.

This approach will affect Internet businesses from all over the world but the Commission’s ambition goes even further than that.  One of the greatest challenges ahead is not faced by organisations using personal information but by the regulators themselves.  They will need to learn a radical new law which demands constant dialogue and closer cooperation than ever before.  The legislative process is now wide open and 2012 will be a crucial year to influence the outcome of the new law.  We have a real opportunity to contribute to this process, so it is our responsibility to get the right result.

This article was first published in Data Protection Law & Policy in January 2012.

An ambitious new framework for a data reliant world

Posted on January 25th, 2012 by Eduardo Ustaran

The most radical global attempt ever to regulate the exploitation of personal information is now in the public domain.  Following several weeks of increasing expectation about the content of the proposals, the European Commission published this morning two legislative documents: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Looking at the Regulation, the immediate reaction is that after many years of a principles-based approach, the new law will go much further than that and establish a new system of powerful rights and very prescriptive and uniform obligations across the EU.

The draft Regulation sets out very clearly its extra-territorial reach, which as Viviane Reding put it, will apply to companies that are active in the EU market and offer their services to EU citizens – although it is really ‘EU residents’.  What is also obvious is that the new law is targeted at companies operating on the internet and aims to shake up the way they tackle privacy issues.

The bulk of the proposed Regulation brings with it a whole new set of practical obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers.  Plus, of course, nearly immediate data breach notification.  These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.

The prospect of substantial monetary fines based on the annual worldwide turnover of a company (up to 2%) may help to get the attention of some decision makers, but the real test for the proposed framework will be its viability in an ever-changing data reliant world.

This is by no means the end of the road.  My expectation is that 2012 will be a crucial year to influence the outcome of the new law and policy makers will be looking for input from all key stakeholders.


Deconstructing the privacy macaron

Posted on December 7th, 2011 by Eduardo Ustaran

Compact.  Self-contained.  Multi-layered.  Hard to penetrate and rich inside with a mix of flavours and tones.  Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law.  But if the indications of what we are about to see in the regulation being proposed by the European Commission are true, complying with the future European privacy regime is going to require fine confectionery skills.

So what are the likely ingredients of this extremely elaborate piece of legislation and how will they blend together?

*   A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best recipe for a harmonised regime that delivers a consistent level of protection across the EU.

*   Two-fold objective – Like the original directive, the new regulation will most certainly have a dual aim: protecting personal data and facilitating the intra-EU movement of that data.

*   Applicability based on establishment and targeting of European residents – The novelty being that the use of equipment in the EU will be replaced by data processing directed at those individuals who live in the EU.

*   Privacy principles – Transparency, finality, proportionality and data quality – they are all likely to be there but for added flavour, expect some new ones like data minimisation and accountability.

*   Consent – Individuals’ consent will remain a cornerstone of European data protection law, but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual’s freedom of choice.

*   Big rights – Some rather radical changes are likely to come in the shape of new or strengthened individuals’ rights.  Top of the list will be the much publicised right to be forgotten followed closely by data portability rights.  No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities.

*   Controller’s responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers.

*   Data breach notification – As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.

*   International data transfers – Greater flexibility is expected on this issue alongside an express recognition for binding corporate rules, which will be available to both controllers and processors.  An area of concern however is the potential conflict between data requests by non-EU authorities and the limitations on data disclosures, which will probably require the involvement of data protection authorities in determining how to resolve such conflict.

*   Role of data protection authorities – The main novelty on this front is bound to be in relation to their geographical competence.  In all likelihood, the data protection authority of the Member State where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU.  We can also assume that greater international coordination mechanisms will be in place.

*   Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and succulent monetary fines, which can only be more substantial than what most Member States have at the moment.

All in all, it is beyond doubt that the Commission has been working very hard to craft a framework that fits the regulatory requirements of today’s and tomorrow’s data protection.  Whether the result will suit everyone’s taste is a different matter.

This article was first published in Data Protection Law & Policy in November 2011.