Archive for November, 2011

First Nordic-led BCR gets authorised

Posted on November 22nd, 2011

On 13 October 2011 the Danish DPA concluded the co-operation procedure for the first Binding Corporate Rules (BCR) application for which it had been appointed to act as lead authority. The applicant company was Novo Nordisk A/S, and the BCR covers all personal information of Novo Nordisk’s employees and third parties.

As the Danish DPA does not take part in the mutual recognition procedure, the authorisation had to be dealt with under the co-operation procedure. Because this was its first application as lead authority, the Danish DPA did, however, borrow from the mutual recognition procedure to the extent that it appointed two experienced DPAs to review the BCR before circulating it more widely.

This application demonstrates the willingness of DPAs to engage with BCR, and also the way in which the DPAs are working co-operatively to streamline the authorisation process.

The Novo Nordisk application is also notable because the BCR has additionally been authorised by the Swiss DPA under its own national procedure. This indicates that the Swiss DPA will approve a BCR provided that it meets standards equivalent to those required by the Article 29 Working Party.

More indications about the new EU data protection rules

Posted on November 17th, 2011

In an interview with the Washington Post, Viviane Reding, the EU Justice Commissioner, gave further indications of what we can expect from the tougher European data protection regime that is in the pipeline.

The key points are:

* “Our reforms are aimed at getting rid of the fragmentation and providing consistency and coherence for the whole of the continent”. This is the clearest sign yet that we can expect a Regulation directly applicable in all Member States, as opposed to a Directive, which is subject to national implementation.

* “Self-regulation can be little more than a fig leaf. It works only if there is strong, legally binding regulation in the first place”. Not only tougher substantive rules but also more heavy-handed enforcement are likely to be on their way. If so, we can expect more disputes and litigation.

* “We do have a set of rules today that is not always applied and controlled in the way it should be. That has led to fragmentation and different interpretations of the rules”. The proposals may also include a mechanism to ensure at least some degree of consistency in the application of data protection rules across Member States; perhaps a supra-national data protection regulator?

* “It is clear that every citizen has a right to their own data. Before a company can use your data they should ask for permission. This is a basic rule of the European Union”. As expected, the new instrument will attempt to further empower consumers, particularly by imposing a requirement for explicit consent before their data are used and by introducing a right to have their data deleted at any time.

* “Data breaches is one of the questions that is very high on the agenda […] We will extend the telecom rules to the Internet”. As expected, the mandatory breach notification obligations that currently apply only to telcos and ISPs will be extended to internet services, online traders and private-sector medical records, and possibly to the broader economy.

The interview can be found here:

Stronger EU data protection rules in the pipeline

Posted on November 8th, 2011

Here is the latest announcement from the European Commission concerning the reform of the Data Protection Directive, following a meeting yesterday between the EU Justice Commissioner, Viviane Reding, and Germany’s Federal Minister for Consumer Protection, Ilse Aigner:

In a nutshell:

* The proposal will be published by the end of January 2012.
* Consumers in Europe should see their data strongly protected.
* Companies that direct their services to European consumers will be subject to EU data protection laws.
* Social networks will be caught by EU law, even where they are based in a third country and where the data is stored in the cloud.
* Consumers must be more empowered than they are today, particularly by giving their explicit consent before their data is used and by having the right to delete their data at any time.

These are obviously very broad-brush political statements, but they suggest that a tougher regime is in the pipeline.

Information Commissioner publishes online data breach notification form

Posted on November 7th, 2011

The Information Commissioner’s Office has produced a new form for organisations to report a data breach.

While public electronic communications service providers are required to notify the ICO of personal data security breaches, there is currently no such obligation on other businesses. However, according to existing ICO guidance, serious breaches should be brought to the attention of the ICO.

The instructions in the new form indicate that, before completing it, data controllers should read the earlier guidance, Notification of Data Security Breaches to the Information Commissioner’s Office. That guidance sets out the factors to be taken into account in deciding whether a breach is serious enough to merit reporting to the ICO, and the types of information that should be provided when making a notification.

It is clear that the form is intended as an aid to compliance rather than as a limit on the information to be provided to the ICO. It states that, in addition to the completed form, the ICO welcomes other relevant information (e.g. incident reports). Although the form is available online, once completed it must be submitted by email to the address specified in the form or sent by post.

The questions in the new form largely correspond to the types of information sought by the ICO in its earlier guidance. It is interesting to note, however, that the form also asks whether there has been any media coverage of the incident. It is clear from the earlier ICO guidance that the existence of media coverage is likely to influence the extent to which the Information Commissioner feels the need to reassure the public through enforcement action.

The ICO has indicated that it will not usually take enforcement action unless a data controller fails to take the recommended steps, there are other reasons to doubt compliance, or there is a need to provide reassurance to the public. Consequently, where a particular incident has attracted a large amount of publicity, data controllers should brace themselves for some form of regulatory action.

The new form is available on the ICO website here.