Archive for the ‘Sanctions’ Category

UK e-privacy enforcement ramps up

Posted on April 29th, 2013 by Brian Davidson

The days when one could call the UK ICO a fluffy, toothless regulator are over. The ICO has recently been going through its most prolific period of enforcement activity: by the end of 2012 it had imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings, and 2013 looks set to bring similar activity. In March, for example, the ICO issued its first monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) relating to live marketing calls: a £90,000 fine for Glasgow-based DM Design for unwanted marketing calls.

To coincide with such activities, the ICO has recently updated the enforcement section of its website. This tells us that whilst data security breaches will continue to be a significant area of focus for the ICO, PECR breaches will also figure highly on the ICO’s enforcement agenda. In this regard, the ICO tells us that it has already been active in the areas of ‘spam texts’, sales calls and cookies.

Spam texts are identified as ‘one of the biggest concerns to consumers’ (the ICO refers in particular to texts about accident and ‘PPI’ claims), and the ICO refers to the work it has carried out with members of the mobile phone industry to identify an organisation which is now the subject of enforcement action. The ICO also identifies ‘live’ sales calls and ‘automated calls’ as other priority areas, and has explicitly identified (and published) the names of a number of companies with which it has either met to discuss compliance issues, or whose compliance it is actively monitoring in response to ‘concerns’, with a view to considering enforcement action. This covers not only UK-based companies but also those based overseas which target UK-based consumers. The ICO tells us that it is actively working with the FTC in the US and with other regulators based in Ireland, Belgium and Spain through Consumer Protection Co-operation arrangements.

Finally, the ICO tells us that between January and March 2013 it received a further 87 reported concerns via its website from individuals about cookies (far fewer, it has to be said, than the number of concerns from individuals about unwanted marketing communications). The ICO will continue to focus on those websites that are doing nothing to raise awareness of cookies or obtain users’ consent, and also on those sites it receives complaints about or that are ‘visited most by consumers’. However, the ICO also says that it has ‘maintained a consumer threat level of ‘low’ in this area due to the low level of concerns reported’.

It is obvious that as consumer technologies such as tablets and smart-phones continue to develop, so too will the ICO’s enforcement strategy in this area. Compliance with PECR should therefore also figure highly on any business’s data protection compliance strategy.

CNIL unveils 2012 annual activity report

Posted on April 29th, 2013 by Olivier Proust

On April 23rd, 2013, the French data protection authority (the “CNIL”) unveiled its 2012 Annual Activity Report (the “Report”). The CNIL’s Report gives an overview of the actions and initiatives undertaken in the past year, and is also a good indicator for what to expect in the coming year.

The CNIL has adopted a three-year strategic orientation program for the period 2012-2015. This action plan sets out three priorities, namely:

- To adopt a policy of openness and consultation towards stakeholders;
- To raise the level of awareness among data controllers (particularly companies) and to help them develop tools that allow them to implement the data protection principles; and
- To increase the level of compliance through a more targeted and efficient enforcement policy.

Focusing on the CNIL’s enforcement strategy, the summary below highlights some of the key points in the CNIL’s Report:

- Complaints: The number of complaints rose to 6,000 in 2012. 46% of complaints concerned the right to object to the data processing. The constant rise in complaints over the past years indicates that citizens are more and more aware of their data protection rights and are taking action more frequently. The telecoms/internet sector appears to have triggered most of the complaints (31%).

- Inspections: The CNIL conducted 458 on-site inspections in 2012, which represents a 19% increase compared to 2011. 285 of the inspections were carried out in the context of the Data Protection Act, while 173 inspections concerned the use of videosurveillance equipment. With regard to the Data Protection Act, 23% of the inspections were triggered by complaints and another 26% were initiated by events picked up in the news. This shows that the CNIL often takes action when a particular event or situation makes the headlines. 40% of the inspections were in line with the priorities set out by the CNIL in its annual inspection plan, which shows some consistency in how the CNIL operates within a particular sector or business activity.

- Sanctions: In 2012, the CNIL served 43 formal notices asking data controllers to comply. In most of the cases, the CNIL did not pronounce any sanction because the data controller had complied. In total, the CNIL pronounced 13 sanctions, eight of which were made public. The publicity of the sanction follows a recent amendment of the Data Protection Act, which authorises the CNIL to publish the sanctions it pronounces. In the majority of cases, the sanction pronounced was a simple warning (56%), while fines were pronounced in only 25% of the cases. The CNIL pronounced only one injunction to cease the processing. The low number of fines can be explained by the fact that they do not have much of a deterrent effect for companies in France (by law, the maximum fine for a first violation is EUR 150,000). By contrast, a warning can cause serious reputational damage to the data controller, particularly when it is made public, which may explain why the CNIL has chosen to publish its sanctions in 60% of the cases.

- Videosurveillance: In 2012, the CNIL carried out over 170 inspections of videosurveillance systems. In this context, the CNIL received more than 300 complaints, 75% of which concerned the use of video cameras at the workplace. The CNIL notes a lack of clarity surrounding the current legal framework for videosurveillance measures, insufficient or non-existent information given to individuals, inappropriate use of cameras, and insufficient security measures. In 2012, the CNIL published six practical guidebooks explaining how to use video cameras in compliance with the law.

- Data breach notifications: Following the implementation of the revised ePrivacy directive into French law, the CNIL received the first notifications for data breaches in the telecoms sector. While the total number of notifications for 2012 remains fairly low, the CNIL expects to receive more notifications in the coming year.

It is also worth noting that the CNIL’s budget and manpower also increased in 2012. As the years pass, the CNIL continues to grow and to become better resourced, more experienced and better organised. Data controllers should therefore pay close attention to the actions of the CNIL as it becomes one of the most powerful authorities in France and within the European Union.

The CNIL’s 2012 Annual Activity Report is available (in French) at www.cnil.fr

Poland and cookies – what’s the story?

Posted on April 22nd, 2013 by Dominika Kupczyk

Last month Poland joined the club of EU Member States to implement Europe’s consent requirement for cookies set on users’ devices. Poland had been rumoured to be one of the Member States contemplating strict opt-in, so all eyes were on how exactly it would implement the cookie consent rule.

Cookie rules

Poland’s cookie consent law entered into force only on 25 March 2013 and seemingly introduced an opt-in requirement before setting cookies - with potential fines of up to 3% of revenue for website operators in breach.

Specifically, the new law imposes an obligation to inform users in advance, in a clear, unambiguous and easily understandable manner about:

1) The fact that cookies are being placed on their devices;

2) The purposes for which cookies are used;

3) The user’s right to access information about them; and

4) The ability to accept or refuse the cookie.

As in most Member States, consent is not needed for strictly necessary cookies.

So does Poland really require opt-in?

During the legislative work on the amendment, various forms of valid consent were proposed: implied, written and even consent signified through a simple “I accept” button. In the end, Article 173 (2) of the amended Telecommunication Law says that:

The subscriber or end user can express consent (…) by means of settings of a software installed on the telecommunication device they are using or through settings of the service

The websites of Poland’s two main regulators have both adopted an implied-consent cookie banner approach, and even the Polish Ministry of Administration and Digitization (Ministerstwo Administracji i Cyfryzacji) has indicated that it supports consent obtained through browser settings. It is unclear whether this would extend to default browser settings.

What does this mean?

For businesses still building out their cookie consent strategy for the EU, this is good news: Poland was one of a couple of  ‘outlier’ states threatening to adopt strict opt-in consent for cookies.  Had it adopted strict opt-in as the standard for consent, businesses operating on a pan-EU basis would have had to implement a different consent solution for Poland than for other, more relaxed EU territories where they could instead rely on implied consent.

In the end, this hasn’t happened and the other key outlier territory, the Netherlands, also looks set to acknowledge the validity of implied consent in the very near future.  When the cookie consent rule first came into effect in Europe back in 2011, nobody knew what a robust but pragmatic cookie consent solution would look like; now, two years on, both business and regulators alike are increasingly settling on implied consent as the answer.

Position of Spain on the General Data Protection Regulation: flexibility, common sense and self-regulation

Posted on March 7th, 2013 by Nuria Pastor

As expectations and concerns rise whilst we wait for the final position of the LIBE Committee and the European Parliament on the General Data Protection Regulation (the “Regulation”), the report issued by the Spanish Ministry of Justice on the Regulation (the “Report”) and the recent statements of the Spanish Minister of Justice are music to our ears.

A few weeks ago the Spanish Minister of Justice expressed concern that SMEs could be ‘suffocated’ by the new data protection framework. This concern seems to have inspired some of the amendments suggested in the Report which are designed to make the Regulation more flexible. These include substantive changes to reduce the administrative burdens for organisations with a DPO or for those that have adhered to a certification scheme, and the calculation of fines on profits rather than turnover.

Spain favours a Regulation that relies on self-regulation and accountability, clearly steering away from a restrictive ‘one size fits all’ approach which establishes an onerous (and expensive to comply with) framework. The underlying objective of these proposals seems to be the protection of the SMEs at the core of the Spanish economy. A summary of the Spanish position is provided below:

- Regulation v Directive: there is agreement that a Regulation is the best instrument to standardise data protection within the EU. This is despite the fact that this will cause complications under Spanish Constitutional law.

- Data protection principles: the Report favours the language of the Data Protection Directive (which uses the expression “adequate, relevant and not excessive”) as it allows more flexibility than the language of the Regulation which refers to personal data being “limited to the minimum necessary”. In updating personal data, the Report suggests that this should only be required “whenever necessary” and depending upon its expected use as opposed to the general obligation currently set out by the Regulation.

- Information: the requirement to inform individuals about the period during which personal data will be kept is considered excessive and very difficult to comply with. The Report suggests that this should only be required “whenever it is possible”.

- Consent: the requirement of express consent is seen as too onerous in practice and “properly informed consent” is favoured, the focus being on whether individuals understand the meaning of their actions. The adoption of sector by sector solutions in this context is not ruled out.

- Right to be forgotten: this right is considered paramount but the point is made that a balance has to be found between “theoretical technological possibilities” and “real limitations”. Making an organisation solely responsible for the erasure of personal data which has been disseminated to third parties is regarded as excessive.

- Security incidents: various amendments to the articles that regulate breach notifications are suggested to introduce less stringent requirements to the proposed regime. The suggested amendments remove the duty to notify the controller within 24 hours and also limit the obligation to notify for serious breaches only. Notifications to data subjects are also limited to those that would not have a negative impact on the investigations.

- DPOs: it is proposed that the appointment of DPOs should not be compulsory but should be encouraged by incentives such as the suppression of certain administrative burdens (as referred to below). Organisations without the resources to appoint a DPO may also be encouraged to adopt a “flexible and rigorous” certification policy or scheme. Such certifications would be by sector, revocable and renewable.

- Documentation, impact assessments and prior authorisation: the suggested amendments propose a solution whereby organisations which hold a valid certificate or which have appointed a DPO would not have to maintain documentation, carry out PIAs or request authorisation from data protection authorities as provided for by Articles 28.2, 33 and 34 of the Regulation respectively.

- International transfers: Spain favours the current system but suggests that this could be made more flexible by only requiring the authorisation of the data protection authority for contractual clauses (which have not been adopted by the Commission or an authority) when the organisation does not have a DPO or a certificate.

- One-stop-shop: this concept is endorsed in general but the Report proposes that where a corporation is established in more than one Member State, the DPA established in the country of residence of an individual complainant should have jurisdiction to deal with the matter. The consistency mechanism would be used to ensure a coherent decision where there were several similar complaints in different countries.

- Sanctions and alternatives: Spain considers that the current system could be improved by providing less stringent alternatives to the imposition of fines. Furthermore, it is proposed that the way in which sanctions are calculated is reviewed, on the basis that annual turnover is not the same as the profit actually obtained. This is to avoid the imposition of disproportionate sanctions.

- Technological neutrality: technological neutrality is supported although the Report expresses concerns that such neutrality does not provide for adequate solutions for particular challenges, such as those presented by cloud computing or the transfer of personal data over the Internet.

- Cloud computing: the Report suggests that the Regulation should take this “new reality” into account and proposes the adoption of some measures, for example those aimed at (1) finding a balance between the roles of controllers and processors in order to avoid cloud service providers becoming solely responsible for the processing of personal data; and (2) simplifying the rules on international transfers of personal data, for example by extending binding corporate rules to the network of sub-processors.

ICO’s enforcement action: what do the cases tell us?

Posted on March 1st, 2013 by Antonis Patrikios

We recently completed our comprehensive analysis of the UK Information Commissioner’s Office (ICO) enforcement actions in 2012. You may find this analysis, along with statistics, pie charts and summaries of the key facts of each case, in our ICO Enforcement Action Tracker 2012.

The analysis highlights some very interesting facts and trends, and provides valuable insights into ICO’s enforcement strategy and how it translates into action. Here are a few examples:

- 2012 was the most prolific year yet for ICO enforcement action: ICO imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings.
- Whilst the public sector has been the main focus of enforcement action, the focus is now shifting to the private sector (which has been confirmed by the enforcement activity in early 2013).
- Data security breaches remain the most regulated type of failure (no surprises here). For instance, out of the 25 fines, 22 were for security breaches, 1 was for breach of the data accuracy rule of the Data Protection Act 1998, and 2 were for breach of the direct marketing rules of the Privacy and Electronic Communications Regulations 2003.
- Data controllers who voluntarily self-report an incident to ICO are not given immunity from enforcement; for instance, 21 of the 25 fines were for self-reported breaches.


It is obvious from the cases that ICO does not hesitate to take serious enforcement action and is becoming a real force to be reckoned with and a driver for change. Looking at the year ahead, we can expect ICO’s enforcement activity to continue at this pace or even intensify, focusing on the areas that ICO has prioritised as posing a higher data protection risk, namely health; internet and mobile; financial services; security; and criminal justice. Although the public sector will remain firmly on ICO’s radar, we expect the regulator to turn more of its attention to the private sector. This is likely to mean more serious enforcement action, but also, we believe, a greater appetite among organisations to challenge enforcement actions.

In Session 1 of our Privacy and Security Breakfast Briefings for 2013 (scheduled for April 2013) we will present and expand on the findings of our analysis as set out in the Tracker. We will dissect ICO’s strategy and enforcement action in order to identify the highest risk areas, understand the trajectory of enforcement action and what our organisations should be doing to manage the risk of failure and enforcement action.

To receive a copy of our ICO Enforcement Action Tracker 2012 or to secure an invitation to Session 1 of our Privacy and Security Breakfast Briefings for 2013 please email antonis.patrikios@ffw.com.

Cybersecurity in the EU – massive change on its way

Posted on February 8th, 2013 by Stewart Room

Is anyone unsure about the EU agenda for cyber and data security? If you want some insight you could easily check the UK Information Commissioner’s website, where you will see that in 2012 over 20 data controllers were hit with big fines for security breaches affecting personal data.

Or you could rewind to January 2012, when the EU published the Draft General Data Protection Regulation, which will impose mandatory breach disclosure on every data controller operating in the EU, backed up with potential fines of up to 2% of annual worldwide turnover for those organisations who fail badly.

Or you could go back a little further still, to October 2009, when the EU introduced the mandatory breach disclosure rule for telcos and ISPs, which has been operating since early 2011.

Actually, you don’t need to do any of that. Instead, just focus on the draft EU Cybersecurity Directive, which was published today. It’s a short document, easy to get to grips with, and within a few minutes the implications will be obvious to you.

The new Directive makes it compulsory for all “market operators”, including utilities, transport and financial services businesses, as well as public authorities who use “network and information systems” within their businesses, to implement technical and organisational measures to manage cyber risks. These organisations will be subject to independent regulation, they will have to disclose security breaches to the regulators, they will have to submit to compulsory regulatory audits and they will be sanctioned if they fail to comply with the law.

The scope and magnitude of this new Directive is huge. Obviously, the regulation of cyber risks in utilities, transport, financial services and public authorities is massive in its own right, but it’s the wider concept of “market operator” that really needs to be looked at.

A market operator includes a provider of information society services “that enable the provision of other information society services”.

Information society services are colloquially called ecommerce services in the EU, but this is about much more than online shopping, because in the EU an information society service is essentially a service that is provided over the internet, whether or not a fee is charged. In other words, an information society service can be a shopping site, a social network, a search engine, an “over the top” communications system (like Skype) and so on, whether web or app based.

Looking again at the definition of market operator, what really counts is whether the information society service is supporting another information society service. This website, privacylawblog.ffw.com, is an information society service, but it’s not supporting another, so it’s not caught by the Cybersecurity Directive. What the Directive is looking for is the platform of support: if you are a platform for an ISS, then you are regulated.

If all of this sounds too complicated, don’t worry, the Directive provides some indicative examples. These are: ecommerce platforms, internet payment gateways, social networks, search engines, cloud computing services and application stores.

This is an incredible list and the magnitude of the Directive becomes obvious when you start adding names to the list:

* ecommerce platform = Amazon and eBay provide market platforms for traders and iTunes has to be captured too

* internet payment gateways = Paypal is the most obvious one, but there are loads of others, like Worldpay

* social networks = Facebook, LinkedIn, Twitter and so on

* search engines = Google (are there any others?)

* cloud = basically every tech co in the World!!!

* application stores = I think Apple has one (!), Google too, Amazon again and what about the telcos … isn’t Blackberry launching one now too?

This seems quite incredible at first, but it’s real. And it’s obvious really, isn’t it, because it is the Cybersecurity Directive after all! It wouldn’t deserve this name if it didn’t regulate these household names.

There is a lot to like in the Directive, but businesses will have concerns about the nature of regulation and the competence of the regulators. There are also some worrying grey areas in the Directive, such as the delegation of many powers to quangos, which is never good for legal certainty. I would expect many big tech companies to be looking hard at how to engage with the EU on this, because there is much to be shaped-up.

But wrapping this all together and tying up the various strands, what we see within the EU is radical lawmaking for security. Any organisation that misses this point will come unstuck. That’s why the law is being reformed: specifically to cause behavioural change. Whether you look at security from a data protection angle or a cyber angle does not matter; you just have to be more secure.

I’ve posted a diagram below which shows the core legal pillars for data and cybersecurity in the EU, now and coming. What you are seeing here is a coalescence of approach and obligation. The end game is a single legal test – take appropriate technical and organisational measures to secure your networks and data. That’s the European approach.

European Parliament’s take on the Regulation: Stricter, thicker and tougher

Posted on January 9th, 2013 by Eduardo Ustaran


If anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available and what was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years to previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), reinforced slightly the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

All in all, the LIBE Committee’s draft proposal represents a significant toughening of the Commission’s draft (which was already significantly tougher than the existing data protection directive). Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders (including the Commission itself) will then follow and we have just over a year to get the balance right. Much work no doubt awaits.


Cookie consent enforcement – ICO’s latest

Posted on December 19th, 2012 by Eduardo Ustaran

The UK Information Commissioner’s Office has quietly published today a report detailing the concerns reported to them, the current picture and the action they are taking as of December 2012 in relation to the cookie consent requirement.

The highlights of the report are as follows:

*   Consumers are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site.

*   Consumers often complain about the fact that they have not been given enough information generally, and specifically not enough information about how to decline cookies or manage them later.

*   The ICO is continuing to write to websites they receive concerns about – This means that nobody is off the hook.

*   The ICO has also looked at the types of cookie in use – This means that the regulator has the means to investigate and find out about cookie practices on a per-site basis. If a site operator does not have this information itself, how is that going to look?

*   The provider must ensure that users can see clear and relevant information explaining what is likely to happen while they are accessing the site, and their choices as regards controlling what happens.

*   Failure to comply will result in formal action to ensure compliance, and the ICO may decide to name the site in order to make consumers aware of its use of cookies – In other words, the ICO is not going to sit still.  The prospect of facing enforcement action is there.

*   If an organisation refuses to take steps to comply, or has been involved in a particularly privacy-intrusive use of cookies without telling individuals or obtaining consent, the ICO will consider using formal regulatory powers in line with its criteria set out in the Data Protection Regulatory Action Policy and Guidance on the issue of monetary penalties – This is the clearest threat of enforcement action to date!
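The ICO’s points above, and the Polish rules described earlier on this page (which, like most Member States, exempt only strictly necessary cookies), come down to one checkable question: which cookies does the site set on a first visit, before any consent has been given? What follows is an added example, not code from the original post or from the ICO. It is a small Python audit that parses the Set-Cookie headers captured from the first response a fresh browser profile receives, compares them against an operator-supplied list of strictly necessary cookie names, and reports every other cookie, noting whether it is third-party or persistent. The sample headers, the allow-list and the hostname are all constructed for the example.

```python
"""Audit the cookies a site sets on a first, consent-less visit.

Added example (not from the original post). Input is the list of Set-Cookie
header values from the first response; the strictly-necessary list is the
site operator's own classification. Everything below is constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]  # None = host-only cookie (no Domain attribute)
    persistent: bool       # has Expires or a positive Max-Age
    deletion: bool         # Max-Age <= 0: the server is clearing the cookie
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value: name=value, then ';'-separated attributes."""
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    attrs: Dict[str, str] = {}
    for part in attr_parts:
        key, _, val = part.partition("=")        # flags like Secure have no '='
        attrs[key.strip().lower()] = val.strip()
    max_age = attrs.get("max-age")
    max_age_int = (int(max_age) if max_age is not None
                   and max_age.lstrip("-").isdigit() else None)
    persistent = "expires" in attrs or (max_age_int is not None and max_age_int > 0)
    deletion = max_age_int is not None and max_age_int <= 0
    domain = attrs.get("domain", "").lower().lstrip(".") or None
    return Cookie(name.strip(), value, domain, persistent, deletion, attrs)


def is_first_party(cookie: Cookie, site_host: str) -> bool:
    """Host-only cookies are first-party; a Domain cookie is first-party only
    if its domain is the site host or a parent of it."""
    if cookie.domain is None:
        return True
    host = site_host.lower()
    return host == cookie.domain or host.endswith("." + cookie.domain)


def audit_first_visit(set_cookie_headers: Sequence[str], site_host: str,
                      strictly_necessary: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, reasons) for every cookie set before consent that
    is not on the strictly-necessary list. Cookies being deleted are ignored."""
    findings: List[Tuple[str, List[str]]] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.deletion or cookie.name in strictly_necessary:
            continue
        reasons = ["set before consent"]
        if not is_first_party(cookie, site_host):
            reasons.append("third-party domain " + str(cookie.domain))
        if cookie.persistent:
            reasons.append("persistent (survives the browser session)")
        findings.append((cookie.name, reasons))
    return findings


# Constructed sample: Set-Cookie values as captured from a first response.
SAMPLE_FIRST_RESPONSE = [
    "JSESSIONID=5f1c3a7e; Path=/; Secure; HttpOnly",
    "csrftoken=d41d8cd9; Path=/; SameSite=Lax",
    "_analytics=GA1.2.1234.5678; Expires=Sat, 18 Apr 2015 10:00:00 GMT; Path=/; Domain=.example.com",
    "ad_id=7b2e; Max-Age=31536000; Path=/; Domain=.ads.example.net",
    "stale=; Max-Age=0; Path=/",
]
# Constructed allow-list: the operator's own strictly-necessary classification.
STRICTLY_NECESSARY = {"JSESSIONID", "csrftoken"}

if __name__ == "__main__":
    for name, reasons in audit_first_visit(SAMPLE_FIRST_RESPONSE,
                                           "www.example.com", STRICTLY_NECESSARY):
        print(f"{name}: {', '.join(reasons)}")
```

Run against the sample, the session and CSRF cookies pass, the `Max-Age=0` deletion is ignored, and the two remaining cookies are flagged: the analytics cookie as persistent, the advertising cookie as both persistent and third-party. The same function can be fed the headers of a real first response (captured with a fresh profile and the developer tools or a proxy) to produce the per-site cookie inventory the ICO expects an operator to already have.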


A week in Brussels

Posted on November 16th, 2012 by Eduardo Ustaran

Life is always busy in Brussels.  Policy making and legislative activities never stop but this particular week has been rather eventful for the current European data protection reform process.  The Data Protection Congress organised by the IAPP has served as an open and constructive forum for some of the key players to get together and debate their views in front of a very sophisticated audience.  The most visible message of the week has been that all parties involved – European Parliament, Commission, Council of the EU, EDPS and of course the data protection authorities – are now working at full pace to consider the issues, listen to other stakeholders and inject their thinking into the end result.

Here are some of the key takeaways about the data protection legislative reform we heard at the IAPP Data Protection Congress:

*    Françoise Le Bail, Director General for Justice at the European Commission, kicked off a prestigious roster of keynote speakers by acknowledging the need to simplify the current proposal, particularly for the benefit of SMEs. However, she fiercely defended two commonly criticised aspects of the draft Regulation: the Commission’s delegated acts, which she believes are needed to maintain the Regulation’s flexibility; and monetary fines, which are meant to give the new framework much needed teeth.

*    For Jan Philipp Albrecht, Rapporteur of the LIBE Committee with primary responsibility for leading the European Parliament’s position, the main challenge is to convince everyone (individuals and businesses) that a harmonised approach is needed.  Reiterating his aim to approve the final text before the next European Parliament elections in June 2014, he emphasised the need for a regulation (rather than a directive) for the sake of certainty going forward, making clear LIBE’s stance on this issue.  Mr Albrecht also said that whilst we are on the right track in terms of principles, we also need to achieve foreseeability, which suggests that some of the more technology-specific provisions will be revised.

*    Jacob Kohnstamm, Chairman of the Article 29 Working Party, showed his concern about some essential elements being under attack, namely: personal data, consent and purpose limitation.  With regard to personal data, he would favour a slight extension of the definition to cover any data that may be used to single out individuals.  He believes that it is crucial to leave the concept of consent untouched because if data protection is a fundamental right, the individual’s consent must override everything else.  With regard to purpose limitation, as well as profiling, Mr Kohnstamm announced that the Article 29 Working Party is working on alternative proposals.  Not surprisingly, Mr Kohnstamm is wary of the ‘one stop shop’ principle and emphasised the role of the proposed European Data Protection Board in getting the balance right.

*    The ‘one stop shop’ principle became one of the most heatedly debated topics.  Isabelle Falque-Pierrotin, President of the CNIL, indicated that the current proposal was simply not realistic and that local data protection authorities should not be prevented from enforcing the law.  Jan Philipp Albrecht responded by saying that it is very important to have one competent regulator to ensure consistency of interpretation and actions.  The debate on this issue is clearly wide open with Peter Hustinx, the European Data Protection Supervisor, taking a position somewhere in between where there is one regulator as a single point of contact for the same organisation across the EU but all regulators are still competent.

Clearly, the pressure to get the balance right is on and whilst there is no sense of urgency yet, Sophie in ‘t Veld, MEP, summarised the situation perfectly when she referred to the fact that after months of familiarisation with the Commission’s proposals, it was now time to put our heads down and get on with the business of building the future data protection framework for Europe.


The UK’s Justice Committee is not impressed with the EU Data Protection Framework Proposals

Posted on November 2nd, 2012 by Victoria Hordern

In the week that the UK Parliament voted for a real-terms cut in the EU’s future budget, it’s no particular surprise to hear criticism from UK Parliamentarians levelled at EU institutions. On Thursday this week, the House of Commons Justice Committee produced its opinion on the European Commission’s legislative proposals for reform of EU data protection law. Whilst accepting that reform of data protection law is necessary, the opinion urges the Commission to ‘go back to the drawing board and devise a regime which is much less prescriptive’. The opinion strongly calls upon the Commission to re-think a number of issues including the division of the proposals into a Regulation and Directive, the drive towards harmonisation at the expense of flexibility, the need for a proper impact assessment, the right to be forgotten and the power of data protection authorities to issue sanctions. The Justice Committee heard evidence from the Ministry of Justice (in charge of negotiating the UK’s position on the proposals), the Information Commissioner’s Office, the EU Commission as well as representatives of UK small businesses, the police, privacy and consumer lobbyists and global businesses.   

Regulation and Directive

While the MoJ and ICO remained resistant to splitting the proposals for reform between a Regulation (for most data processing) and a Directive (for data processing for law enforcement and judicial co-operation), the Commission argued that this split was deliberate to give Member States flexibility to take their particular culture and type of legislation into consideration. So, in the case of the UK, the Commission considered this accommodated the UK’s reliance on common law.  However, a number of witnesses considered that the protection afforded by the draft Directive was less than the protection provided by the draft Regulation so potentially not protecting the rights of individuals. 

Principles rather than prescription?

There was considerable opposition to the prescriptive elements in the Regulation and the ICO, amongst others, encouraged an outcome focused approach based on principles. On the other hand, privacy and consumer lobbyists welcomed the administrative requirements on controllers which they considered helped to secure the rights of individuals.

Good for business?

It was accepted that simple, harmonised rules would greatly help small businesses seeking to expand across the EU as well as global businesses. However, the more prescriptive the rules the harder it would be for businesses to comply (particularly small businesses). The MoJ saw a real threat to business if the Regulation placed extra burdens on businesses and stated that it would influence negotiations to ensure a proportionate, flexible approach that does not impede entrepreneurship. The recent announcement from the EU Justice Commissioner Viviane Reding that she does not wish to see small businesses overburdened by the Regulation should provide some relief for businesses overawed by the compliance requirements of the Regulation.

Good for the ICO?  

Representatives from the ICO stated bluntly that they would not be able to resource their new role under the Regulation. Additionally, the MoJ made it clear that the ‘wish list of extra responsibilities and tasks’ for the ICO under the Regulation was ‘genuinely wishful thinking’. Likewise, the ICO objected to having its hands tied by the Regulation when it came to identifying and dealing with compliance failures and wanted regulators to have more discretion to apply their own judgement and experience.

The European Commission

In the Commission’s view, enhanced harmonisation would make global processing of personal data simpler and cheaper and thus lead to increased business for the EU. However, this picture of harmonisation downplays the effort organisations will have to make to achieve it.  The MoJ and others sharply criticised the impact assessment that the Commission provided as inadequate, and the Justice Committee called for a full assessment of the impact of the proposals.

The Commission also argued that they had sought to technology-proof the Regulation by leaving flexibility in the form of delegated Acts for the Commission to implement later. However, there was significant criticism from witnesses on the extent and scope of provisions for delegated Acts which potentially gave power to the Commission to prescribe technical formats, standards and solutions. There appears to be some scope for movement on this point given Viviane Reding’s recent announcement that she was willing to review the delegated Acts individually and to limit them to only what is truly necessary for future technological developments.

The right to be forgotten

Comments from the ICO provided insight into this controversial concept as Christopher Graham indicated (to his surprise) that Viviane Reding had told him that the right to be forgotten was ‘more of a political slogan’ which actually represented something that already existed. So amidst all the excitement and debate that the trumpeting of the right to be forgotten had stirred up, there was now a suggestion that it wasn’t really a big deal after all. The MoJ strongly emphasised that it would resist the implementation of the right to be forgotten since it would raise unrealistic expectations that will prove impossible to fulfil. More cautiously, the Justice Committee recognised the importance of an individual’s right to delete their data but recommended that the phrase ‘right to be forgotten’ should be avoided since it was misleading. Since the right to be forgotten is inextricably linked in most people’s minds with social media, it was significant that the MoJ considered that parts of the Regulation appeared to be overly-concerned with social media (an anxiety that has perhaps infected the tenor of the drafting).

Subject access rights

Although there were objections from the Federation of Small Businesses to the abolition of the £10 fee for access to personal data and the MoJ was clearly sympathetic to these concerns, the Justice Committee (along with privacy and consumer lobbyists) supported the Commission’s position that the right of access should be free. The MoJ was urged to change its negotiating position on this point.

Justice Committee’s conclusions

In the Committee’s view, the draft Regulation does not produce a proportionate, practicable, affordable or effective system of data protection. The Committee therefore lays out a stark choice for the Commission: either pursue harmonisation under a Regulation by focusing on the elements essential to harmonise and deploy the consistency mechanism and the European Data Protection Board to achieve this, or use a Directive to set out the outcomes to be achieved and leave implementation to Member States, thus forgoing an element of harmonisation and consistency. With respect to the new draft Directive on processing personal data for law enforcement and judicial co-operation purposes, the Committee queried whether there is a pressing need to amend EU law in this area.

What next?

The Justice Committee was asked by the European Scrutiny Committee to provide an opinion on the new data protection framework proposals. Although it has delivered its opinion, the opinion contains a number of outstanding actions on the MoJ to clarify its view or provide responses to the Committee on certain aspects of the new data protection framework. This may well inform the MoJ’s position as it continues to negotiate at European level on the shape of the data protection framework proposals.