
CNIL: a regulator to watch in 2014

Posted on March 18th, 2014 by



Over the years, the number of on-site inspections by the French DPA (CNIL) has been on a constant rise. Based on the CNIL’s latest statistics (see CNIL’s 2013 Annual Activity Report), 458 on-site inspections were carried out in 2012, which represents a 19 percent increase compared with 2011. The number of complaints has also risen to 6,000 in 2012, most of which were in relation to telecom/Internet services, at 31 percent. In 2012, the CNIL served 43 formal notices asking data controllers to comply. In total, the CNIL pronounced 13 sanctions, eight of which were made public. In the majority of cases, the sanction pronounced was a simple warning (56 percent), while fines were pronounced in only 25 percent of the cases.

The beginning of 2014 was marked by a landmark decision of the CNIL. On January 3, 2014, the CNIL pronounced a record fine against Google of €150,000 ($204,000) on the grounds that the terms of use available on its website since March 1, 2012, allegedly did not comply with the French Data Protection Act. Google was also required to publish this sanction on the homepage of Google.fr within eight days of it being pronounced. Google appealed this decision; however, on February 7, 2014, the State Council (“Conseil d’Etat”) rejected Google’s claim to suspend the publication order.

Several lessons can be learnt from the CNIL’s decision. First, that the CNIL is politically motivated to hit hard on the Internet giants, especially those who claim that their activities do not fall within the remit of the French law. No, says the CNIL. Your activities target French consumers, and thus, you must comply with the French Data Protection Act even if you are based outside the EU. This debate has been going on for years and was recently discussed in Brussels within the EU Council of Ministers’ meeting in the context of the proposal for a Data Protection Regulation. As a result, Article 4 of the Directive 95/46/EC could soon be amended to allow for a broader application of European data protection laws to data controllers located outside the EU.

Second, despite it being the highest sanction ever pronounced by the CNIL, this is hardly a dissuasive financial sanction against a global business with large revenues. Currently, the CNIL cannot pronounce sanctions above €150,000, or €300,000 ($410,000) in the case of a second breach within five years of the first sanction pronounced, whereas some of its counterparts in other EU countries can pronounce much heavier sanctions; e.g., last December, the Spanish DPA pronounced a €900,000 ($1,230,000) fine against Google. This could soon change, however, in light of an announcement made by the French government that it intends to introduce this year a bill on “the protection of digital rights and freedoms,” which could significantly increase the CNIL’s enforcement powers.

Furthermore, it seems that the CNIL’s lobbying efforts within the French Parliament are finally beginning to pay off. A new law on consumer rights came into force on 17 March 2014, which amends the Data Protection Act and grants the CNIL new powers to conduct online inspections in addition to the existing on-site inspections. This provision gives the CNIL the right, via an electronic communication service to the public, “to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party’s action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations.” This new provision opens up the CNIL’s enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the activities of major Internet companies. The CNIL says that this law will allow it to verify online security breaches, privacy policies and consent mechanisms in the field of direct marketing.

Finally, the Google case is a good example of the EU DPAs’ recent efforts to conduct coordinated cross-border enforcement actions against multinational organizations. At the beginning of 2013, a working group was set up in Paris, led by the CNIL, for a simultaneous and coordinated enforcement action against Google in several EU countries. As a result, Google was inspected and sanctioned in multiple jurisdictions, including Spain and the Netherlands. Google is appealing these sanctions.

As the years pass by, the CNIL continues to grow and to become more resourceful. It is also more experienced and better organized. The CNIL is already very influential within the Article 29 Working Party, as recently illustrated by the Google case, and Isabelle Falque-Pierrotin, the chairwoman of the CNIL, was recently elected chair of the Article 29 Working Party. Thus, companies should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.

This article was first published in the IAPP’s Privacy Tracker on 27 February 2014 and was updated on 18th March 2014.

Belgian DPA overhauls enforcement strategy

Posted on October 21st, 2013 by



Belgium has long been one of the low-risk EU Member States in terms of data protection enforcement. Aside from the fact that pragmatism can be considered part of a Belgian’s nature, this view was also due to the fact that the Belgian DPA, the Privacy Commission, could be termed one of those so-called ‘toothless tigers’.

As De Standaard reports, it seems this is now about to change, with the Privacy Commission set to follow the example of the Dutch DPA by adopting a more severe enforcement strategy.

Until now, the Privacy Commission did not pro-actively investigate companies or sectors, despite the fact that the Belgian Privacy Act grants it such powers. However, the Privacy Commission has recently decided to establish a team of inspectors who will actively search for companies that process personal data in a non-compliant manner. It seems the Privacy Commission is finally adopting an approach which the CNIL has been applying for a number of years, the idea being that each year a specific sector would be the subject of increased scrutiny.

In addition, anticipating the adoption of the Regulation, the Privacy Commission has called upon the Belgian legislator to grant it more robust enforcement powers. Currently, if a company is found to be in breach of the Belgian data protection laws, the Privacy Commission has a duty to inform the public prosecutor. However, in practice criminal prosecution for data protection non-compliance is virtually non-existent and leads to de facto impunity. This could drastically change if greater enforcement powers are granted to the Privacy Commission.

In the wake of the coming Regulation, this new enforcement strategy does not come as a surprise. In addition, earlier this year, Belgium faced a couple of high-profile mediatised data breach cases for the first time. The Ministry of Defense, the Belgian railroad company and the recruiting agency Jobat all suffered massive data leaks. More recently, the massive hacking of Belgacom’s affiliate BICS gave rise to a lot of controversy. It would appear that these cases highlighted to the Privacy Commission the limits of its current powers.

However, if even a pragmatic DPA, such as the Privacy Commission, starts adopting a more repressive enforcement strategy, it is clear that the days of complacency are fading. Organisations processing personal data really cannot afford to wait until the Regulation becomes effective in the next few years. They will have to make sure they have done their homework immediately, as it seems the DPAs won’t wait until the Regulation becomes effective to show their teeth.

One-stop-shop – In search of legal and political effectiveness

Posted on October 7th, 2013 by



The proposed EU Data Protection Regulation is an ambitious piece of legislation by any measure. Perhaps the most ambitious element of all is the introduction of the one-stop-shop principle: one single data protection authority being exclusively competent over an organisation collecting and using data throughout the EU. The reason why this is such a big deal is that even if the law ends up being exactly the same across all Member States (in itself a massive achievement), regulators are human and often show different interpretations of the same issues and rules. So if one-stop-shop becomes a reality, all EU data protection regulators will simply have to accept the position adopted by the one deemed to be competent and keep their own interpretation to themselves. But will they???

Today the Council of the EU is debating how to structure and shape this principle in a way that provides the benefits that the European Commission and global organisations are seeking, whilst meeting the national expectations of each Member State at the same time. It is a matter of legal and political effectiveness. So far and not surprisingly, the Council’s scale seems to be tilting towards greater national intervention than what the Commission originally aimed for. Whilst most Member States appear to be in favour of the philosophy underlying the one-stop-shop mechanism, only a few accept that one single authority should have exclusive jurisdiction to supervise all of the processing activities of a pan-European data user and decide exclusively upon all measures (including penalties). They cite the likely detriment to the protection of the data protection rights of individuals as their main stumbling block.

Therefore, there are a number of possible changes to this principle that will be discussed today, including:

* Limiting the powers of the ‘competent’ authority to authorisation and consultation functions only. So basically, leaving the paperwork for one regulator whilst any other EU authorities would continue to have enforcement powers.

* Replacing the one-stop-shop with a co-decision model (at least for the most important cases) where all relevant regulators need to agree.

* Adopting a consultation model where the competent authority is legally required to consult the other supervisory authorities concerned with a view to reaching consensus.

* Allowing appeals by unhappy authorities to the European Data Protection Board, which would then collectively be empowered to make the final decision.

How realistic these potential changes are is no doubt something that will come up in the discussions. What is clear is that any weakening of the one-stop-shop principle will affect the effectiveness of the core ‘one law/one regulator’ thinking of the Commission.

What will be the impact of the revised OECD Guidelines?

Posted on September 24th, 2013 by



This month, the Organisation for Economic Cooperation and Development (OECD) published its first ever revision to the original 1980 guidelines on the protection of privacy and transborder flows of personal data. It has been over 20 years since the OECD published the first internationally agreed set of privacy principles, and now they seem armed and ready to tackle the modern challenges of the international privacy world. But what is the real impact of these provisions?

The primary aim of the Revised Guidelines is to increase organisations’ accountability for data security practices through a number of new mechanisms including an obligation on data controllers to implement a robust privacy management programme. There is also a shift to a more risk-based approach, with the guidelines focusing on ‘risk’ and ‘proportionality’.

The guidelines also introduce a number of other new provisions including: the implementation of national privacy strategies that are effectively coordinated at the highest levels of government; an obligation for member countries to support international arrangements promoting global interoperability and an obligation to notify authorities and individuals of data security breaches. 

The revisions are a clear indication of the OECD’s attempt to modernise their approach to international data flows and to strengthen privacy enforcement. They have also attempted to tighten their link with the EU regime by including ‘good practice’ references to different collaborative approaches taken by EU data protection authorities as a way of emphasising to its members the need for increased interoperability. 

But perhaps the most significant revision is the obligation to implement a robust privacy management programme. This is the first time that members of the OECD around the world will be uniformly required to implement a comprehensive programme. In addition, they will be required to ensure the privacy programme: 

  • gives effect to the Revised Guidelines for all personal data under its control;
  • is tailored to the structure, scale, volume and sensitivity of its operations;
  • provides for appropriate safeguards based on privacy risk assessment;
  • is integrated into its governance structure and establishes internal oversight mechanisms;
  • includes plans for responding to inquiries and incidents; and
  • is updated in light of ongoing monitoring and periodic assessment. 

The OECD’s proposal attempts to align with the EU’s approach of ensuring privacy mechanisms are properly documented and are supported by effective procedures. Will this be the catalyst that motivates organisations and data protection authorities around the world to adopt a uniform approach to data privacy? We shall see.     

What will happen if there is no new EU privacy law next year

Posted on June 20th, 2013 by



The European Parliament has just announced another delay affecting the vote on its version of the EU Data Protection Regulation. That means that we will now not know where the Parliament truly stands on this issue until September or October at the earliest. Although this was sort of expected, optimistic people like me were still hoping that the LIBE Committee would get enough consensus to issue a draft this side of the summer, but clearly the political will is not quite there. This is obviously disappointing for a number of reasons, so in case the MEPs need a bit of motivation to get their act together, here are a few things that are likely to happen if the new Regulation is not adopted before next year’s deadline:

* Inconsistent legal regimes throughout the EU – The current differences in both the letter of the law and the way it is interpreted are confusing at best and one of the biggest weaknesses in achieving the right level of compliance.

* Non-application of EU law to global Internet players – Thanks to its 1990s references to the ‘use of equipment’, the Directive’s framework is arguably not applicable to Internet businesses based outside the EU even if they collect data from millions of EU residents. Is that a good idea?

* Death by paperwork – One of the most positive outcomes of the proposed Regulation will be the replacement of the paper-based compliance approach of the Directive with a more practical focus. Do we really want to carry on spending compliance resources filling in forms?

* Uncertainty about the meaning of personal data – Constantly evolving technology and the increasing value of data generated by our interaction with that technology have shaken the current concept of personal data. We badly need a 21st century definition of personal data and its different levels of complexity.

* Massive security exposures – The data security obligations under the existing Directive are rather modest compared to the well publicised wish list of regulators and, frankly, even some of those legal frameworks regarded as ‘inadequate’ by comparison to European data protection are considerably ahead of Europe in areas like data breach notification.

* Toothless regulators – Most EU data protection authorities still have very weak enforcement powers. Without going overboard, the Regulation is their chance to make their supervisory role truly effective.

The need to modernise EU data protection law is real and, above all, overdue. A bit of compromise has to be better than not doing anything at all.

UK e-privacy enforcement ramps up

Posted on April 29th, 2013 by



The times when one could say that the UK ICO was a fluffy, toothless regulator are over. Recently, the ICO has been going through its most prolific period of enforcement activity – by the end of 2012 it had imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings – and 2013 looks set to bring similar activity (in March, for example, the ICO issued its first monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) relating to live marketing calls: a £90,000 fine against Glasgow-based DM Design for unwanted marketing calls).

To coincide with such activities, the ICO has recently updated the enforcement section of its website. What this tells us is that whilst data security breaches will continue to be a significant area of focus for the ICO, PECR breaches will also figure highly in the ICO’s enforcement agenda. In this regard, the ICO tells us that it has already been active in the areas of ‘spam texts’, sales calls and cookies.

Spam texts are identified as ‘one of the biggest concerns to consumers’ (the ICO refers to texts about accident and ‘PPI’ claims, in particular), and the ICO refers to the work it has carried out with members of the mobile phone industry in order to identify an organisation which is now the subject of enforcement action. The ICO also identifies ‘Live’ Sales Calls and ‘Automated Calls’ as other areas of priority, and has explicitly identified (and published) the names of a number of companies with which it has either met to discuss compliance issues, or whose compliance it is actively monitoring on the basis of ‘concerns’ with a view to considering enforcement action. This relates not only to UK-based companies, but also to those based overseas which are targeting UK-based consumers. The ICO tells us that it is actively working with the FTC in the US and with other regulators based in Ireland, Belgium and Spain through Consumer Protection Co-operation arrangements.

Finally, the ICO tells us that between January and March 2013 it received a further 87 reported concerns via its website from individuals about cookies (far fewer than the number of concerns about unwanted marketing communications, it has to be said). The ICO will continue to focus on those websites that are doing nothing to raise awareness of cookies or obtain users’ consent, and also on those sites it receives complaints about or which are ‘visited most by consumers’. However, the ICO also says that it has ‘maintained a consumer threat level of ‘low’ in this area due to the low level of concerns reported’.

It is obvious that as consumer technologies such as tablets and smartphones continue to develop, so too will the ICO’s enforcement strategy in this area. Compliance with PECR should therefore also figure highly on any business’s data protection compliance strategy.

The Leveson Report and UK Data Protection

Posted on November 29th, 2012 by



So, the Leveson Report has been published. Whilst I have not yet read all 2,000+ pages, the key recommendations that Lord Justice Leveson has made to the Ministry of Justice about the Data Protection Act are:

* Amend s. 32 (journalism, literature and art exemption), including making it narrower

* Amend the right to compensation under s. 13 so that it includes compensation for pure distress

* Repeal certain procedural provisions around journalism in the DPA

* Consider requiring the ICO to give special regard to the balance of the public interest in freedom of expression alongside the public interest in upholding the DPA

* Bring into force amendments made to s. 55 around increasing sentencing and an enhanced defence for the public interest with respect to journalism

* Extend the prosecuting powers of the ICO to include any offence which also constitutes a breach of the Data Protection Principles

* Impose a new duty on the ICO to consult with the Crown Prosecution Service regarding the exercise of any power to undertake criminal proceedings

* Amend the DPA to reconstitute the ICO as an Information Commission led by a Board of Commissioners

The Report also has a whole part examining the relationship between the Press and Data Protection including comments on the structure and workings of the ICO.

A week in Brussels

Posted on November 16th, 2012 by



Life is always busy in Brussels.  Policy making and legislative activities never stop but this particular week has been rather eventful for the current European data protection reform process.  The Data Protection Congress organised by the IAPP has served as an open and constructive forum for some of the key players to get together and debate their views in front of a very sophisticated audience.  The most visible message of the week has been that all parties involved – European Parliament, Commission, Council of the EU, EDPS and of course the data protection authorities – are now working at full pace to consider the issues, listen to other stakeholders and inject their thinking into the end result.

Here are some of the key takeaways about the data protection legislative reform we heard at the IAPP Data Protection Congress:

* Francoise Le Bail, Director General for Justice at the European Commission, kicked off a prestigious roster of keynote speakers by acknowledging the need to simplify the current proposal, particularly for the benefit of SMEs. However, she fiercely defended two commonly criticised aspects of the draft Regulation: the Commission’s delegated acts, which she believes are needed to maintain the Regulation’s flexibility; and monetary fines, which are meant to give the new framework much needed teeth.

* For Jan Philipp Albrecht, Rapporteur of the LIBE Committee with primary responsibility for leading the European Parliament’s position, the main challenge is to convince everyone (individuals and businesses) that a harmonised approach is needed. Reiterating his aim to approve the final text before the next European Parliament elections in June 2014, he emphasised the need for a regulation (rather than a directive) for the sake of certainty going forward, making clear LIBE’s stance on this issue. Mr Albrecht also said that whilst we are on the right track in terms of principles, we also need to achieve foreseeability, which suggests that some of the more technology-specific provisions will be revised.

* Jacob Kohnstamm, Chairman of the Article 29 Working Party, showed his concern about some essential elements being under attack, namely: personal data, consent and purpose limitation. With regard to personal data, he would favour a slight extension of the definition to cover any data that may be used to single out individuals. He believes that it is crucial to leave the concept of consent untouched because if data protection is a fundamental right, the individual’s consent must override everything else. With regard to purpose limitation, as well as profiling, Mr Kohnstamm announced that the Article 29 Working Party is working on alternative proposals. Not surprisingly, Mr Kohnstamm is wary of the ‘one stop shop’ principle and emphasised the role of the proposed European Data Protection Board in getting the balance right.

* The ‘one stop shop’ principle became one of the most heatedly debated topics. Isabelle Falque-Pierrotin, President of the CNIL, indicated that the current proposal was simply not realistic and that local data protection authorities should not be prevented from enforcing the law. Jan Philipp Albrecht responded by saying that it is very important to have one competent regulator to ensure consistency of interpretation and actions. The debate on this issue is clearly wide open, with Peter Hustinx, the European Data Protection Supervisor, taking a position somewhere in between, where there is one regulator as a single point of contact for the same organisation across the EU but all regulators are still competent.

Clearly, the pressure to get the balance right is on and whilst there is no sense of urgency yet, Sophie in ‘t Veld, MEP, summarised the situation perfectly when she referred to the fact that after months of familiarisation with the Commission’s proposals, it was now time to put our heads down and get on with the business of building the future data protection framework for Europe.


Getting the ‘one stop shop’ principle to work

Posted on November 5th, 2012 by



Going all the way to the Rio de la Plata to discuss the content of the future European data protection framework seems a little over the top, but the recent International Privacy Commissioners’ Conference in Punta del Este, Uruguay provided a perfect forum as a neutral ground for a fierce policy debate.  Surrounded by equally fierce winds and rain for added dramatic effect, regulators and other influential stakeholders in the privacy world locked horns in the most constructive possible way for three days to make the most of this annual gathering.  One of the immediate outcomes was the realisation that much work remains to be done if we are to achieve the necessary balance between progress and protection.  No other issue symbolised the need for this balance better than the ‘one stop shop’ principle under the proposed EU data protection regulation – the sole competence of one single regulator over the same controller all over the European Union.

As a concept, this principle seems like a no brainer that everyone would be happy with.  If anything, having a single regulator with responsibility for supervising the activities of a corporate group across the EU on the basis of the same law should be the most efficient way of managing the limited time and resources that data protection authorities have.  If the organisation to be supervised operates on a pan-European basis and the law is the same everywhere, surely this approach is the most logical in the absence of a central European regulator.  However, why is it that this concept is proving so difficult to shape to everyone’s satisfaction?  There is even a precedent with the concept of a “lead authority” for BCR authorisations which has been working quite effectively for years now.  Are national interests preventing this principle from working or is there a more fundamental issue getting in the way?

In line with the overall harmonisation objective, the ‘one stop shop’ principle brings with it a significant change, as the law is seeking to designate only one competent regulator per EU-based controller. By definition, this approach relies on the trust that needs to be placed on the competent authority by the authorities of all of the other countries where a given controller operates. This is certainly an ambitious expectation but surely one that can be met if the collaborative mood of the Commissioners’ Conference is anything to go by. So a lack of trust amongst regulators should not be a reason to question the ‘one stop shop’ principle.

A more damaging factor is the suspicion that astute organisations will seek to manipulate the system and aim to be supervised by the ‘easy’ regulators.  Frankly, there are no easy or difficult regulators.  They all take their jobs very seriously and have good days and bad days – like everyone else.  What is essential is a sufficient degree of pragmatism that brings compliance with the law to a viable level that meets the right standards.  For this to happen, dialogue is essential but, again, seeking that level of compliance should not be seen as a sign of defiance or an easy way of avoiding legal requirements.

Could the ‘one stop shop’ principle ever work then?  Of course it can.  As a starting point, it needs dialogue and collaboration amongst the data protection authorities and a realistic approach to data protection compliance.  Linked to this, what is also needed is trust.  Trust by the regulators in their counterparts and ultimately trust in the legal system.  However, trust should not be about ‘easy’ regulators behaving unreasonably to show how ‘tough’ they are, and trust should not be about triggering a dangerously bureaucratic “consistency mechanism” at the first sight of disagreement.  The ‘one stop shop’ principle is ultimately about effective compliance and should be given the chance to succeed.

The next two years of legislative reform are crucial.  We have a golden opportunity to establish a supervisory approach that is geared to deal with global organisations operating in Europe in a consistent and effective way.  Change should be accepted because it is inevitable.  The ‘one stop shop’ model is perfectly workable if it throws away old and unhelpful prejudices.  Efforts should be made to find the best criteria to determine which authority is the competent one in respect of every controller subject to EU law – irrespective of where they are based – and to support that authority in their role.  Diversity is a great thing but when it comes to regulatory enforcement, it creates uncertainty and unfairness.  Let’s not risk that outcome and let’s try to make the ‘one stop shop’ principle work instead.

This article was first published in Data Protection Law & Policy in October 2012.