Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

EU privacy law is under scrutiny and proposals for change are coming.  The European Commission (EC) last year announced an upcoming reform of the EU Data Protection Directive (95/46/EC), which was a hot topic of last week’s IAPP Europe Data Protection Congress in Paris (in which Hogan Lovells privacy lawyers from around the world participated).  Changes are anticipated near the end of January. Some of the details of those changes, however, have emerged earlier than expected, as this week the EC circulated for comment two proposed legal instruments that likely will form the baseline of the EU’s data protection framework for years to come.

The first legal instrument is a draft General Data Protection Regulation, which sets forth a general framework for EU data protection and is intended to replace the 16-year-old Data Protection Directive with a region-wide regulation.  The fact that the instrument is fashioned as a regulation is significant. Under EU law, regulations have binding legal force as soon as they are passed, whereas directives must be enacted into law by each individual EU Member State.   A frequent criticism of the Data Protection Directive was that the EU Member States enacted and applied it differently, leading to uneven implementation and forum shopping. By changing the format to a regulation, there is less room for variation between the Member States, which in theory should lead to greater certainty for EU citizens and organizations. 

The draft Regulation contains a number of significant changes to the Data Protection Directive, particularly in the areas of (1) jurisdiction, governance, and cross-border transfers, (2) data subject rights, (3) data controller/processor obligations, and (4) remedies, liability, and sanctions. These changes include:

Jurisdiction / Governance / Cross-Border Transfers

  • The declaration that EU data protection law applies to data controllers outside of the EU when processing activities are “directed to” or “serve to monitor the behaviour of” EU data subjects, including for commercial or professional services such as offering products or services. Factors to be considered when determining whether processing activities are “directed to” EU data subjects include (a) the international nature of the activities; (b) the use of a language or a currency other than the language or currency generally used in the country in which the controller is established; and (c) the use of a top-level domain (e.g., “.co.uk” or “.com”) other than that of the country in which the controller is established.
  • The use of Binding Corporate Rules (BCRs) to legitimize intra-company cross-border data transfers to countries without data protection laws deemed “adequate” by the EC would be streamlined and extended, including the use of BCRs to cover data processors and groups of companies, and with an eye to covering cloud computing. Unlike the current process, in which BCRs must be reviewed by at least three DPAs (one “lead” and two “reviewers”) and some Member States require additional authorization, BCRs would be validated only by one lead DPA. Once a BCR is validated by the lead DPA, it would be valid for the whole EU without needing authorization from any other Member State.
  • Each data controller or processor would be subject to the enforcement jurisdiction of only one data protection authority (DPA): that of the Member State in which the organization has its “main establishment,” which is where the organization’s “central administration” in the EU is located. This usually will be where the organization makes its management decisions regarding the purposes, conditions, and means of processing personal data.
  • DPAs would be obligated to carry out investigations and inspections upon request from other DPAs and to mutually recognize each other’s decisions. Rules are provided for joint operations and operations by one Member State within another Member State’s territory.
  • To ensure consistent application of the directive, the Article 29 Working Party would be updated to an independent “European Data Protection Board” that, in addition to its current duties, would have the authority to issue official opinions regarding the interpretation of the Regulation. These opinions would be subject to the review of the EC.

Data Subject Rights

  • To process personal data for any commercial direct marketing purpose, organizations would need to obtain the explicit, opt-in consent of the data subject.
  • Where consent is used to legitimize data processing (even outside the marketing context), it would need to be explicit, opt-in consent. Moreover, consent would not be valid where there is a “significant imbalance” in power between the data subject and data controller. The prime example of this is in the employment relationship. These rules essentially would be a codification of parts of this past summer’s Article 29 Working Party opinion on consent.
  • The creation of a “right to be forgotten” that would permit data subjects to request that data controllers erase all personal data relating to them and abstain from further disseminating that information, unless there are legitimate grounds to retain the data. In a particularly controversial portion of this proposal, data controllers would be required to “ensure the erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service which allows or facilitates the search of or access to this personal data.” This proposal is in line with recent statements made by EU authorities regarding the retention of data on social networking sites. Some have doubted the ability to “ensure” such complete erasure, especially when much of the content on the public Internet is shared and backed up.
  • The creation of a right to portability, through which data subjects would be able to request a copy of their stored data and move it from one service provider to another, without hindrance.

Data Controller/Processor Obligations

  • Data controllers would be required to notify data breaches to both the individuals concerned and data protection authorities within 24 hours of the breach being discovered (although notification to individuals would be required only when the breach "is likely to adversely affect the protection of the personal data or privacy" of the individual, a limitation not present in the obligation to notify the data protection authority). Currently, EU law only requires Member States to enact laws creating a breach notification obligation for telecommunications operators (which some Member States have yet to enact), although some Member States (such as Austria and Germany) do have security breach notification requirements for data controllers other than telecom operators.
  • Data controllers would be required to minimize the volume of personal data that they collect and process, and to set default settings so that user personal data will not be made public by default.
  • Data controllers and data processors would be required to appoint a data protection officer if (a) they employ over 250 employees or (b) their “core activities” require “regular and systematic” monitoring of data subjects.
  • Prior to processing personal data in a way that is “likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes,” organizations would be required to conduct a data protection impact assessment. The draft Regulation does not define exactly what processing would fall into this definition, though it does list a few examples that “likely” would, including (a) running automated models to analyze or predict a person’s performance at work, creditworthiness, economic situation, location, health, personal preferences, reliability, or behavior, where the result will affect the data subject; (b) the processing of certain types of sensitive data; (c) conducting video surveillance; and (d) utilizing large-scale filing systems containing genetic, biometric, or children’s data.
  • The elimination of the obligation of organizations to generally notify data protection authorities of any automatic processing of personal data, replacing it with an obligation to maintain documentation on processing operations under their responsibility.

Remedies, Liability, and Sanctions

  • Data subjects, and qualified public interest groups on behalf of data subjects or themselves, would have the right to lodge complaints either with DPAs or courts for violations of the Regulation. Currently, some Member States’ DPAs do not have such authority.
  • The creation of three levels of fines for intentional or negligent violations of the Regulation, with the maximum penalty for certain offenses being 5% of an organization’s annual worldwide turnover.

Besides the Regulation, the second legal instrument released is a draft Police and Criminal Justice Data Protection Directive. This directive sets forth rules relating to cross-border transfer and other processing of personal data for law enforcement purposes, with an eye toward facilitating the sharing of this information between law enforcement agencies while still complying with data protection law. Though this Directive is directed toward law enforcement and not the private sector, it does apply where personal data may be required and used by law enforcement authorities (e.g., data related to bank transfers, data collected when buying an airline ticket, traffic and telecommunications data), so it will have at least a tangential effect on the private sector.

Notably, these instruments are just preliminary drafts, and may differ when the EC releases the official drafts, which is still slated to happen in January. Even then, the drafts still will need to be debated and passed before coming into law, a process which is likely to take at least a couple of years. Therefore, there is still time for these legal instruments to be significantly modified before they are ultimately adopted.

German DPAs Issue Rules for Cloud Computing Use

The German data protection authorities on September 26, 2011 adopted an "Orientation guide – cloud computing."  The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services (“customers”) and cloud computing service providers. It highlights the customer's responsibility for full compliance with German data protection requirements for the cloud. Based on this orientation guide, customers and providers will have to review existing agreements in the German market.

Privacy and data protection compliance has been a challenging and unclear issue for cloud computing customers and service providers. The new German "orientation guide", adopted by the Munich conference of the German data protection authorities, gives clear guidance to cloud computing service providers and their customers in the German market. Privacy practitioners can expect that German DPAs will refer to this guide when addressing situations that raise close questions about the application of data protection laws to cloud computing.

Full control by the customer

The guide emphasizes that German cloud computing customers are data controllers and therefore are responsible for the "cloud's" compliance with all data protection requirements under German law. This means the customer needs to know the identity not only of its immediate cloud computing service provider, but of all sub-processors involved in the cloud computing services. The agreement with the immediate cloud computing service provider must contain duties to disclose these sub-processors, and certain core elements of compliance, such as technical and organizational security measures, audit and control rights vis-à-vis such sub-processors, and all locations of data processing. The customer is required to safeguard data subjects’ rights. Examples of how this is achieved include having liquidated damages and penalties in the cloud agreement, and ensuring that data subjects' rights (for instance the right to access, to correct or to have the data deleted) are observed by all cloud service providers. To the extent that the service also includes locations outside the European Economic Area (EEA), the customer may not rely solely on the EU Model Clauses, but must enter into an additional data processing agreement with control and audit provisions, which are mandatory under German data protection law.

Sensitive data in the cloud

The guide gives specific attention to sensitive data. Under German data protection law, the transfer of sensitive data like health data, trade union affiliation, or religious beliefs cannot be justified by a balancing-of-interests test (see, e.g., Art. 7(f) of the EU Data Protection Directive, which provides a legal basis for processing non-sensitive data as necessary for a controller’s legitimate interests unless those interests are outweighed by the fundamental rights and freedoms of the data subject; see also § 28 of the German Federal Data Protection Act). Instead, the transfer of sensitive data can only be justified by the data subject's consent or other very specific exceptions. For any intra-EEA cloud, this is not an issue, since an EEA-located data processor following the data controller's instructions is not considered a third party to which data are transferred. The case is different for any provider located outside the EEA: such a provider is a "third party" to whom the personal data are "transferred", and thus any use of such a cloud for sensitive data cannot be justified by a balancing of interests.

Safe Harbor and the cloud

The German DPAs are repeating their careful approach to Safe Harbor certifications. A customer may not rely solely on the service provider's assurance with regard to any Safe Harbor certification. Instead, the customer needs to verify the validity and the applicability (for the relevant type of data) of the provider's Safe Harbor certification, at least on the Safe Harbor website. If the customer wants to transfer employee data to the U.S. in the cloud computing environment, the customer also has to verify that the service provider has agreed to cooperate in investigations by, and to comply with the advice of, competent EU authorities. This requirement is reflected in the Safe Harbor FAQs (question 9, section 4).

Relevance of technical safeguards

The guide deals in detail with technical issues, security measures, and the specific threats that cloud computing services pose to data protection principles. The guide frequently addresses transparency for customers and data subjects regarding the location of the data processing and the identity of the service providers involved (even as subcontractors). The guide highlights the problem of reliably deleting data in view of the vast storage resources of cloud computing service providers, regular back-up services, and the easy copying and global transfer of data over broadband networks. The guide emphasizes that personal data of different clients need to be securely separated. The guide also raises the concern of potential access to personal data by state authorities beyond what is accepted in the EEA, and views this as a relevant consideration for a customer when deciding on a service provider. Customers need to address security against illegal access to the data, but also the portability of the data in case of their service provider's insolvency or in case of a termination of the contract.

Conclusion

The guide does not contain revolutionary approaches to the difficult question of how to reconcile the benefits of cloud computing with the legitimate objective of ensuring compliance with German data protection requirements. However, it is a clear statement that German DPAs do not compromise on sometimes very strict requirements, even for globally standardized services. The guide supports the role of intra-EU/EEA cloud computing service providers and those services that are reliable and highly transparent regarding the location of the data processing and the identity of any subcontractors used in these services.

Both customers and providers of cloud computing services with an interest in the German market should now review their standard agreements for compliance with the requirements published by the German DPAs.

The paper, published in German, can be found here.

French Court of Appeals Rejects Company's Whistleblower System Despite CNIL Approval

A French Court of Appeals in Caen recently confirmed a lower court's order for the suspension of a whistleblowing system implemented by French company Benoist Girard, a subsidiary of the American group Stryker. The decision comes as a surprise, as it rejects the approval of the whistleblower system by the French data protection authority (the "CNIL").

Under French law, the implementation of whistleblowing systems is subject to prior authorization by the CNIL. To reduce the burden of such formalities, the CNIL issued, in 2005, a general authorization for whistleblowing systems limited to the reporting of accounting, financial, banking and corruption misconduct (the "General Authorization"). Benoist Girard decided to implement its whistleblowing system in 2008 by relying on the General Authorization, despite three negative opinions on the system issued by the company's Works Council (the "CE").

In 2009, Benoist Girard's CE and Hygiene and Security committee (the "CHSCT") contested the validity of the whistleblowing system before the Caen Tribunal of First Instance, arguing that it allowed the reporting of alleged misconduct beyond the scope of that covered by the General Authorization. The CE and CHSCT therefore argued that the system required a prior specific authorization from the CNIL. The Tribunal ruled in favour of the CE and CHSCT, considering that the system, as implemented, was in breach of French data protection legislation and posed an immediate and substantial threat to the rights and freedoms of the employees. Benoist Girard appealed this decision.

In its analysis of the matter, the Caen Appeal Court first held that the CE and the CHSCT had to be consulted prior to the implementation or modification of the whistleblowing system, and then moved on to analyse the system in detail to evaluate its compliance with French law.

First, the Court analysed the scope of the system. It noted that, while the system was presented as limited to the reporting of misconduct in the fields of accounting, finance, banking and corruption, it still allowed for reporting other matters. Indeed, even though the menus of the online interface did not contain references to the reporting of "matters of vital interest to the company" or "concerns," the homepage of the Ethics Point platform still indicated that it was designed to "report anonymously to the company any suspected bad behaviour or other problems" or "report matters on issues relating to compliance with our code of conduct and the online ethics policies". In addition, and more importantly, the Court noted that the system as conceived still allowed any whistleblower to submit an alert with facts relating to any type of misconduct.

Consequently, the Court found that the system did not demonstrate the scope limitations applicable for French employees using the online interface but actually favoured "denunciations" of all sorts. Indeed, according to the Court, reports of concerns outside the scope of admissible concerns still have to be processed for filtering and then generate replies which "far from being limited to restating the categories of admissible concerns, incite the whistleblower to pursue the process through hierarchy".

In addition, the appellate judges considered that regardless of the fact that the company's internal rules expressly stated that "Stryker strongly recommends that users of the whistleblowing helpline identify themselves" the online interface did not discourage employees from remaining anonymous, "on the contrary, various recommendations are even made to preserve [such anonymity]".

Finally, the Court found that the documents provided to the employees did not provide them with sufficient information on their rights in the event that they were the subject of an investigation in this context.

In light of these elements, the Caen Appeal Court ruled that the system could damage the rights and collective and individual liberties of the employees of the company and therefore confirmed the suspension of the system.

The Court's approach appears to be extremely stringent and could require a number of international companies to further review the implementation of their whistleblowing helplines. In this respect, it is worth noting that the Court's decision seems to go against the CNIL's position on the Benoist Girard case. Indeed, Benoist Girard had put forward, during the procedure, a letter from the CNIL which confirmed that its whistleblowing system had been inspected and appeared to be compliant with the requirements imposed by the CNIL.

Thus, it appears the CNIL's position on whistleblower programs, in some instances, may not be sufficient to ensure full compliance with French data protection legislation.  A further appeal by Benoist Girard may be possible.

EU Article 29 Working Party Report on ISP and Telecom Carrier Data Retention for Law Enforcement Purposes

Winston Maxwell, a partner in Hogan Lovells’ Paris Office prepared this entry.

On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party’s report, harmonization is seriously flawed in a number of respects.

The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. The retention period differs from country to country, and the kind of data to be retained is in many cases different as well. For a pan-European communications provider, this creates a real headache, because specific procedures and systems have to be created for each Member State where the communications provider does business.

The Article 29 working party comes at this from the angle of protecting European citizens, and complains that the lack of harmonization creates different levels of protection of personal data between different Member States, defeating the Data Retention Directive’s objective of harmonization. In this particular case, however, the interests of communications providers and EU citizens converge, because different rules on data retention create additional costs for communications providers, as well as different risks for citizens. The directive currently allows Member States to apply data retention periods of between 6 and 24 months. Several of the large EU Member States have chosen a period of 12 months, and the Article 29 working party recommends that the directive be amended to impose a single harmonized period instead of giving Member States a choice. 

The legislation of Member States is fairly consistent regarding the kind of data to be retained for traditional voice communications, but for IP-based communications the practices vary. On this point, the Article 29 working party emphasizes that the only data that Member States can require service providers to retain are those listed in Article 5 of the Directive. In particular, the destination IP address and the URLs of web sites cannot be retained, because those data provide information on the content of the communication, which is prohibited. The working party deplores that many operators do not apply automatic erasure procedures at the end of the legally mandated retention period, and that many operators do not conduct security audits. Finally, the report complains that Member States have different definitions of what a “serious crime” is that would justify the communication of data to law enforcement personnel. The report recommends harmonization on this point too.

Although not specifically mentioned by the working party, the question of whether illegal downloading of copyrighted material is a “serious crime” is obviously a key issue, because several European countries are putting into place graduated response mechanisms that rely on the ISP communicating traffic data to a court or administrative body for the purpose of identifying the alleged infringer. On that front, BT and Talk Talk have lodged a complaint in the UK claiming that the Digital Economy Act, which allows OFCOM to send warning letters to individual infringers, violates fundamental privacy laws (http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act).

Some courts are also questioning the constitutionality of national data retention laws enacted to transpose the Data Retention Directive. Last March, the German Supreme Court held that the implementation of a German law on data retention violated fundamental privacy rights, and ordered that the application of the law be suspended until such time as the government narrows its scope (http://news.cnet.com/8301-13578_3-10462117-38.html).

EU Article 29 Working Party Decrees Strict Opt-In Standards for Behavioral Advertising Data Collection

On June 22, the Article 29 Working Party established by the 1995 European Directive on Data Protection published an opinion declaring that online advertisers who want to target ads by tracking consumers' surfing habits must obtain the consumers' affirmative opt-in consent to such data collection. At the same time, the Working Party lauded certain privacy-enhancing practices incorporated into behavioral advertising today and it encouraged industry to develop technologies to comply with the framework and “to exchange views” with the Working Party on the use of such technologies.

Behavioral Advertising is Regulated in the EU by Two Primary Sources

The Working Party explained that the behavioral advertising ecosystem is regulated in the EU by two primary sources. The first is Article 5(3) of EU Directive 2002/58 (the ePrivacy Directive), which requires organizations wishing to store or access information on an individual’s computer to obtain the consent of the individual before doing so. The ePrivacy Directive is to be implemented in the national laws of EU member states by June 2011.

The Opinion explained that since behavioral advertising relies on the placement of cookies (small data files) on individuals’ computers to aid in the tracking of their web browsing habits, the ePrivacy Directive applies. In addition, the Opinion went on to specify that if the behavioral advertising involves the collection of any personally identifiable information (PII), including an individual’s IP address (which is recognized as PII in the EU), then the EU Directive 95/46/EC (the Data Protection Directive) also applies.

Opt-In Consent Requirement and Opt-Out Deficiencies Explained

The major theme of the opinion is that under the ePrivacy Directive, meaningful, informed consent must be obtained from an individual before any information is collected and used for behavioral advertising purposes. The opinion went a long way in discussing what the Working Party considers to be meaningful consent in the behavioral advertising context.

Currently, consumers can "opt out" of behavior tracking through control panels offered by certain online advertising services or by relying on default web browser settings through which Internet users automatically accept all cookies that websites request to place on their computers. Users are therefore automatically “enrolled” in behavioral advertising, and can only stop the practice (if they know it is occurring) by blocking or deleting cookies.

The Working Party rejected this “opt-out” approach, concluding that it does not sufficiently allow individuals the ability to exercise choice on whether to share their information with behavioral advertisers. Instead, it stated that notice to individuals should explicitly reference the ad network that will place the cookie and describe how the information will be used once it is collected. Then, the individual should be given the opportunity to “opt in” to the sharing of their information for behavioral advertising purposes. 

Once a user opts in, separate consent would not need to be obtained every time the user visited a website participating in the ad network, but separate consent would need to be periodically obtained (the opinion did not specify a time period) and the user would need to be afforded the opportunity to easily revoke consent.

Room for Innovation

While the Working Party charted a path for behavioral advertisers to follow in the EU, it also left room for behavioral advertisers to deviate from that path, so long as they utilize methods to ensure that users understand and sufficiently consent to behavioral tracking. Specifically, the Working Party cited the Future of Privacy Forum’s efforts in developing icons to place on targeted ads with links to additional information, and called these efforts an example “which the Working Party finds both positive and necessary.” It also recognized tools that enable users to access the preference profiles maintained about them by ad networks, and to modify them and erase them if desired. A final area that the Working Party cited for improvement was the provision of privacy-protective default settings for web browsers, a development it called “paramount.”

Other Obligations

The Working Party drew on other legal sources, most prominently the Data Protection Directive, to list some other obligations for those engaging in behavioral advertising. Specifically, it stated that:

  • Ad networks should not create or use "interest categories" intended to track the Internet habits of children.
  • Ad networks should not offer or use interest categories that could reveal “sensitive data” about an individual (as defined in the EU) without explicit opt-in consent.
  • Information must be deleted if no longer needed for the purpose for which it was collected, meaning that ad networks must implement policies to ensure that information collected each time a cookie is read is immediately deleted or anonymized once the necessity for retaining it expires.
  • Individuals must be allowed to exercise their rights of access, rectification, erasure, and to object under the Data Protection Directive.
  • Data controllers and processors must also keep in mind data security, data transfer, and database registration obligations.

Who is Responsible?

Though it laid out specific obligations, the Working Party was not prescriptive when it came to determining what participants in the behavioral advertising ecosystem would be responsible for complying with the obligations. For example, it stated that while ad networks, as ultimate controllers of the targeting data, are obligated to obtain informed consent, in some instances publishers of targeted advertisements have “some responsibility” in obtaining consent as well because they transfer user IP addresses to ad networks to facilitate advertising transactions. And the Working Party noted that advertisers too can be considered independent data controllers if they capture certain information when their ads are clicked (for example, demographic profiles such as “young mothers” or interest categories such as “extreme sports fans” for whom specific ads are selected) and combine it with an individual’s web browsing behavior or registration data.

Conclusion

The guidelines released by the Working Party represent a major change to the current behavioral advertising regulatory landscape. Nevertheless, the Working Party held out a lifeline for proponents of industry self-regulation and innovation, conceding that industry progress in the provision of notice to Internet users about behavioral advertising could lead the Working Party to accept innovations that may be less restrictive than the opt-in regime it announced. In that way, the opinion may serve a similar purpose to the Federal Trade Commission’s 2009 report on behavioral advertising that set forth its expectations for industry along with the not-so-subtle undertone that if industry did not comply with its “suggestions,” the Commission would formally regulate in the area. While companies have made progress on this front in the U.S., and consequently have succeeded in staving off formal FTC regulation or enforcement so far, those engaging in behavioral advertising in the EU should implement the guidelines set forth in the Working Party opinion immediately and stay tuned for developments regarding the EU's enforcement strategy.

BNA Webinar: Legal Landmines in Europe for Internet-Based Businesses

Readers of the Hogan Lovells Chronicle of Data Protection may be interested in this upcoming webinar featuring Hogan Lovells attorneys from Europe and the United States, as well as Google's European Privacy Counsel, Peter Fleischer. This event is being produced by Pike & Fischer, a Bureau of National Affairs (BNA) Company. Here is the Pike & Fischer/BNA announcement with a link to registration information:

BNA Webinar
Legal Landmines in Europe for Internet-Based Businesses
June 30, 12:30 p.m. to 2:00 p.m. ET

So you think your business practices are EU-compliant? You could be blindsided by European laws and regulations that are foreign, in every sense of the word, to your accustomed way of doing business. The recent conviction of three Google executives by an Italian judge is one notable example. Don't be caught off guard. Join Pike & Fischer's panel of legal experts as they expose European laws (both enacted and proposed) that potentially render U.S.-based Internet businesses liable for intellectual property, privacy, e-commerce, speech, and other violations.

Peter Fleischer, Global Privacy Counsel, Google, and Winston Maxwell and David Taylor, both partners with Hogan Lovells in Paris, will cover a wide range of topics, including data retention obligations, collection of personal data, and liability for user-generated content. The session will be moderated by Christopher Wolf, Partner, Hogan Lovells in Washington, DC.  

For further information: http://www.pf.com/eventDetail.asp?id=105&type=1.
European DP authorities issue "Future of Privacy" roadmap

The Article 29 Working Party of European data protection authorities (the “WP29”) published in early January a roadmap charting the future of privacy legislation in the EU. Entitled “The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data,” the WP29 roadmap offers insight into the areas of European privacy law likely to be reformed in the coming years. After an introduction describing the history and constitutional underpinnings of privacy legislation in the EU, the Future of Privacy roadmap outlines nine areas of needed reform:

1. Extend EU privacy legislation to law enforcement, former “third pillar” areas, which were heretofore excluded from the EU Data Protection Directive.

2. Consider modifying the criteria for determining when EU privacy law applies to controllers located outside the EU, particularly where non-EU established controllers target their activities at EU residents, through advertising and local language sites.  WP29 says it is currently preparing a detailed opinion on the applicability of EU law.

3. Support global standards, in furtherance of the so-called Madrid Resolution adopted on November 6, 2009, and increase international cooperation between data protection authorities.

4. Include “Privacy by Design” as an obligation applicable to all actors in the ICT (information and communications technology) sector.  Privacy by design should focus on principles such as data minimization, controllability, transparency, user friendly systems, data confidentiality, data quality and use limitations.

5. Empower citizens by increasing their ability to enforce privacy rules, including via class actions and alternative dispute resolution (ADR) mechanisms. Increase transparency obligations for the benefit of users and clarify the concept of user “consent.”

6. Increase accountability obligations for data controllers by imposing across-the-board data breach notification obligations (currently data breach obligations apply only in the electronic communications sector), and by encouraging self-audits, privacy impact assessments, and external certification procedures.  

7. In exchange for increased self-enforcement and accountability measures, WP29 suggests lifting many administrative filing obligations with data protection authorities, reserving filing only for cases where there is a serious risk to privacy.  Even in those cases, filing could be streamlined where organizations have conducted privacy audits or privacy impact assessments.

8. Impose minimum requirements to ensure that national data protection authorities are sufficiently independent and effective, including that they have sufficient funding.

9. Require the implementation of privacy impact assessments and related accountability measures for law enforcement organizations.

Adopted on December 1, 2009, but made available on the WP29 website only recently, the WP29 Future of Privacy roadmap is a contribution to the European Commission’s consultation on reform of EU privacy legislation, a consultation which closed on December 31, 2009. Other contributions can be viewed here.