On 24 March, the French data protection authority, the CNIL, announced that it will soon make easier the practical implementation of intra-group transfers of data from French entities to entities located outside the European Union where groups of companies have adopted Binding Corporate Rules (BCRs). BCRs are becoming increasingly popular among multinationals as a legal means for providing adequate protection to personal data which are transferred from the European Union to countries that are not considered to provide an adequate level of protection by the European Commission. In the CNIL’s view, the implementation of BCRs shows a strong commitment from multinational organisations to protect personal data. Indeed, the CNIL has been a champion of the emerging “BCR for processors” initiative which is also prompting interest from sophisticated processors who operate globally.
Technology has transformed and disrupted long standing industries as well as created new industries along the way. The digital revolution in the healthcare industry appears to have been long promised but much delayed. There may be a number of understandable reasons why the wheels have not turned so quickly. For instance, unlike say the financial services industry which is private sector led, the healthcare industry has obvious public sector touch points which can make any sort of change slower. But just as information about an individual’s bank balance or salary is considered confidential, so a person’s health information is particularly sensitive, both in a legal sense (because health information is categorised as sensitive under EU data protection law) but also in an obviously everyday sense – people feel that their health information (in most but not all circumstances) is private.
On 7 November 2014 the Polish Parliament passed the Act on the Facilitation of Business Activity which substantially amends the existing Act on Personal Data Protection. As we previously reported, this new Act requires an administrator for information security to be given an independent position within the data controller’s organization. Additionally, the new Act introduces provisions facilitating the transfer of personal data to countries outside the European Economic Area (further implementing provisions from Directive 95/46/EC and the proposed draft General Data Protection Regulation). The new law will come into force on 1 January 2015.
At the heart of EU data protection law is the passionate belief in the right to privacy. Indeed, the Treaty of Lisbon has now recognised both privacy and data protection as fundamental rights under EU law. As fundamental rights, there is a sense in which the scope of privacy and data protection must be expanded to the furthest extent possible. Yet, like any other law, it must be clear when and where EU data protection rules apply and the applicable law provision in the current Data Protection Directive has caused some headaches along the way. Whether the proposed new EU regime will prove to be a calming tonic remains to be seen. Today’s technology pays no attention to geographic borders. What do Cloud Computing networks care about the Atlantic Ocean so long as the network is resilient and customers can access their data? Businesses typically structure their systems in order to provide the best commercial proposition which often (but not always) involves cross-border data transfers. Therefore, cross-border data transfers are a part of everyday business. But businesses need to understand which laws apply to their operations to ensure compliance and avoid being chased by regulators or disgruntled customers. Unfortunately, the Directive’s provision concerning when it applies has not always provided much clarity.
A recent article by Hogan Lovells provides key takeaways for businesses in light of last week’s landmark ruling by the European Court of Justice that in effect judicially sanctioned a “right to be forgotten” allowing data subjects to scrub their names from a public record while also extending jurisdiction under European data protection law to include non-EU companies that may have a branch or subsidiary in the European Union and that collect data in the context of business activities in the European Union.
The Article 29 Working Party’s new opinion on anonymization techniques provides a useful primer on randomization and generalization (i.e., data aggregation) techniques used to anonymize data sets. The opinion analyzes each technique based on three ways that data can be re-identified: the ability to single out individuals after the anonymization technique has been applied; the linkability of the anonymized data sets to other data sets; and finally the ability of the data sets to resist inference attacks after application of the anonymization technique. Organizations depending on anonymization for compliance with the Data Protection Directive would be well advised to review their anonymization processes to determine if they comport with the standards set out in the opinion.
On January 27, the European Agency for Fundamental Rights, an official agency of the European Union, released its report on Access to Data Protection Remedies in EU Member States. As detailed below, the FRA concluded that redress mechanisms for data protection violations in the EU need improvement. More specifically, the FRA found that data protection authorities do not have sufficient powers or resources, there are not enough judges and lawyers with adequate knowledge of data protection issues, civil society organizations (e.g., consumer interest and privacy advocacy groups) have difficulty bringing suits on behalf of victims of data protection breaches, the costs and burdens of proof associated with data protection suits are too high, and Europeans lack awareness of remedies for data protection violations.
On 16 October 2013, the Polish Ministry of Economy published draft amendments to Poland’s data protection law, the Polish Act of 29 August 1997 on the Protection of Personal Data (“PPD”), aimed at easing administrative obligations regarding the compulsory hiring of data protection officers and registration of data filing systems with the Polish Data Protection Authority (“DPA”). Under the proposed legislation, companies would have the flexibility to decide whether to appoint an administrator of information security (“AIS”), currently a legal requirement. A data controller regulated under the PPD would be able to strategically choose whether to appoint an AIS, a move that would increase its compliance obligations and the company’s visibility to regulators in return for reduced external filing obligations.
The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on Monday to adopt its report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and Commission (known as the “trialogue” stage). The Committee aims to have a plenary Parliamentary vote in March before the Parliamentary elections.
Earlier this week, The New York Times published “Europe Aims to Regulate the Cloud,” an article considering the impact on cloud computing of the proposed European Data Protection Regulation which quoted Hogan Lovells Partner Mark Taylor. Taylor commented that over-regulation in this area could impact the adoption and use of cloud services in the EU, and this in turn could have a broader economic impact given the level of penetration which cloud-related services are now achieving. This blog post contains a link to the article.
The European Court of Justice (ECJ) is considering a critical case regarding the “right to be forgotten” and the application of EU data protection law to Internet intermediaries. The case involves a Spanish individual who is seeking to require Google to delete references to newspaper articles mentioning his prior involvement in debt collection proceedings from its search results. The ECJ’s adviser, Advocate General Niilo Jääskinen, recently issued a non-binding opinion stating that although EU law should apply to Google, the company should not be deemed a “data controller” for its search engine activities. The opinion also warned that the “right to be forgotten” can adversely affect freedom of expression.
In February 2013 the European Union published the EU Cyber Security Strategy and accompanying proposed Directive. Now, in anticipation of the implementation of the Directive, the UK’s Department for Business, Innovation and Skills (BIS) has published a call for evidence to look at the impact of the Directive upon businesses in the UK.
On April 19, the European Union’s Article 29 Working Party adopted Explanatory Document WP204 on processor Binding Corporate Rules (BCRs). Processor BCRs provide a new avenue for data controllers to transfer EU personal data to processors (such as cloud service providers) located in third countries not considered to ensure an adequate level of protection under the 1995 EU Data Protection Directive. The Article 29 Working Party, noting the success of controller BCRs and citing the “growing interest of industry in such a tool,” provided initial guidance on processor BCRs in June 2012 through Working Document WP195 (which we previously covered here). WP195 presented a “toolbox” that laid out the criteria for approval of processor BCRs, as well as explanatory notes on the content expected in the processor BCRs. As of January 1, 2013, the EU began accepting applications for approval of processor BCRs.
The European Union’s Article 29 Data Protection Working Party (“WP29”), which consists of the 27 data protection authorities of the EU Member States, has published the “Opinion 03/2013 on purpose limitation” (Working Paper WP203), adopted on 2 April 2013 (the “Opinion”). The WP29 analyzes and interprets the elements of this principle, and gives numerous examples with […]
The European Union’s Article 29 Data Protection Working Party (“WP29“), which consists of the 27 data protection authorities of the European Union Member States, has published its “Opinion on Apps in Smart Devices“, adopted on 27 February 2013 (the “Opinion“). Applicability of EU laws According to WP29, the 1995 Data Protection Directive applies to all […]
In a decision with important implications not only for Facebook but potentially for many companies not primarily located in Europe but with European customers, on February 14 the Administrative Court (Verwaltungsgericht) for the German State Schleswig-Holstein decided that German data protection law is not applicable to U.S.-based Facebook Inc. as well as its European subsidiary, Facebook Ireland Ltd., […]
Noting that security incidents affecting information systems “are becoming bigger, more frequent, and more complex,” and that the majority of respondents to its consultation on the topic reported having experienced such an incident in the past year, today the European Commission released a proposal for a Directive “concerning measures to ensure a high common level […]
Last month, the Court of Justice of the European Union (ECJ) issued a ruling on the scope of EU member states’ jurisdiction over internet services. In Football Dataco Ltd v. Sportradar GmbH, the ECJ considered a jurisdictional issue related to the Database Directive, but its opinion could have broader implications for how the EU considers […]
This post was contributed by Mac Macmillan, an attorney in Hogan Lovells’ London office On November 22, 2012, the UK government published its Impact Assessment of the draft European data protection regulation. When the draft regulation was first published, the European Commission estimated that harmonizing the European data protection regime would bring a net administrative […]
The European Court of Justice held on October 16, 2012 that Austria’s data protection authority is not sufficiently independent, and therefore fails to comply with the requirements of the European data protection directive. The Court found that Austria’s DPA has too many links to the Austrian Federal Chancellery and that the EU Data Protection Directive’s requirement of “complete independence” is violated.
Philippine President Benigno Aquino III signed into law the Data Privacy Act of 2012, which is modeled after the EU Data Protection Directive and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework. The Act contains provisions that govern the processing of personal information, the rights of data subjects (e.g., notice, access, and data portability), and the security of personal information (which includes a breach notification requirement).
Jan Philipp Albrecht, the rapporteur to the European Parliament for the proposed EU Data Protection Regulation, has set forth a draft calendar that indicates how long debate over the Regulation may last. It is anticipated that by summer 2013 the Regulation should be ready for trilogue with the Council and Commission, and that the Regulation shall be put to a vote in the plenary session of the European Parliament in early 2014.
The Article 29 Working Party released on March 29, 2012 its opinion on the European Commission’s proposed new data protection Regulation and Directive (WP191 – Opinion 01/2012 on the data protection reform proposals). The Working Party expresses strong reservations about the proposed Directive on data processing for police and criminal justice matters, criticizing the Commission’s […]