Part 10 of Future-Proofing Privacy: Enforcement and the Risk of Non-Compliance. One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution.
Part 8 of Future-Proofing Privacy: Data Processors’ New Obligations. The Regulation will impose a number of compliance obligations and possible sanctions directly on service providers. This is a significant change, as service providers currently do not have any direct obligations to comply with EU data protection law (their obligations derive from their contracts with controllers). Future-proof deals being negotiated now: controllers and processors should carefully document the responsibilities of the parties and specifically take into account the forthcoming changes when deciding on providing consent for subprocessors, pricing, security standards and risk allocation.
The Spanish Data Protection Agency has published its annual report for 2012. The report contains a detailed description of the activities undertaken by the Spanish DPA in 2012 together with its view of the latest trends and challenges related to data protection, including an increase in the number of complaints lodged with and monetary sanctions issued by the Agency.
CNIL’s recently-released annual report gives insight from France’s authority into sanctions, the right to be forgotten, whistleblowing, and what it believes are several shortcomings in the proposed EU regulation.