Archive for the ‘Audits’ Category

Belgian DPA overhauls enforcement strategy

Posted on October 21st, 2013 by

Belgium has long been one of the low risk EU Member States in terms of data protection enforcement. Aside from the fact that pragmatism can be considered part of a Belgian’s nature, this view was also due to the fact that the Belgian DPA, the Privacy Commission, could be termed as one of those so-called ‘toothless tigers’.

As De Standaard reports, it seems this is now about to change, with the Privacy Commission set to follow the example of the Dutch DPA by adopting a more severe enforcement strategy.

Until now, the Privacy Commission did not pro-actively investigate companies or sectors, despite the fact that the Belgian Privacy Act grants them such powers. However, the Privacy Commission has recently decided to establish a team of inspectors who will actively search for companies that process personal data in a non-compliant manner. It seems the Privacy Commission is finally adopting an approach which the CNIL has been applying for a number of years, with the idea being that each year a specific sector would be subject of increased scrutiny.

In addition, anticipating the adoption of the Regulation, the Privacy Commission has called upon the Belgian legislator to grant it more robust enforcement powers. Currently, if a company is found to be in breach of the Belgian data protection laws, the Privacy Commission has a duty to inform the public prosecutor. However, in practice criminal prosecution for data protection non-compliance is virtually non-existent and leads to de facto impunity.  This could drastically change if greater enforcement powers are granted to the Privacy Commission.

In the wake of the coming Regulation, this new enforcement strategy does not come as a surprise. In addition, earlier this year, Belgium faced a couple of high-profile mediatised data breach cases for the first time. Both the Ministry of Defense, the Belgian railroad company and recruting agency Jobat suffered a massive data leak. More recently, the massive hacking of Belgacom’s affiliate BICS gave rise to a lot of controversy. It would appear that these cases highlighted to the Privacy Commission the limits of its current powers .

However, if even a pragmatic DPA, such as the Privacy Commission, starts adopting a more repressive enforcement strategy, it is clear that the days of complacency are fading. Organisations processing personal data really cannot afford to wait until the Regulation becomes effective in the next few years. They will have to make sure they have done their homework immediately, as it seems the DPA’s won’t wait until the Regulation becomes effective to show their teeth.

ICO’s draft code on Privacy Impact Assessments

Posted on August 8th, 2013 by

This week the Information Commissioner’s Office (‘ICO’) announced a consultation on its draft Conducting Privacy Impact Assessments Code of Practice (the ‘draft code’). The draft code and the consultation document are available at  and the deadline for responding is 5 November 2013.

When it comes into force, the new code of practice will set out ICO’s expectations on the conduct of Privacy Impact Assessments (‘PIAs’) and will replace ICO’s current PIA Handbook. So why is the draft code important and how does it differ from the PIA Handbook?

  • PIAs are a valuable risk management instrument that can function as an early warning system while, at the same time, promoting better privacy and substantive accountability. Although there is at present no statutory requirement to carry out PIAs, ICO expects them.
  • For instance, in the context of carrying out audits, ICO has criticised controllers who had not rolled out a framework for carrying out PIAs. More importantly, the absence or presence of a risk assessment is a determinative factor in ICO’s decision making to take enforcement action or not. When ICO talks about the absence or presence of a risk assessment, it means the conduct of some form of PIA.
  • Impact assessments are likely to soon become a mandatory statutory requirement across the EU, as the current version of the draft EU Data Protection Regulation requires ‘Data Protection Impact Assessments’. Note, however, that the DPIAs mandated by article 33 of the Draft Regulation have a narrower scope than PIAs.  The former focus on ‘data protection risks’ as opposed to ‘privacy risks’, which is a broader concept that in addition to data protection encompasses broader notions of privacy such as privacy of personal behaviour or privacy of personal communications.
  • The fact that ICO’s guidance on PIAs will now take the form of a statutory Code of Practice (as opposed to a ‘Handbook’) means that it will have increased evidentiary significance in legal proceedings before courts and tribunals on questions relevant to the conduct of PIAs.

The PIA Handbook is generally too cumbersome and convoluted. The aim of the draft code is to simplify the current guidance and promote practical PIAs that are less time consuming and complex, and as flexible as possible in order to be adapted to an organisation’s existing project and risk management processes.  However, on an initial review of the draft code I am not convinced that it achieves the optimum results in this regard.  Consider for example the following expectations set out in the draft code which did not appear in the PIA Handbook:

  • In addition to internal stakeholders, organisations should work with partner organisations and with the public. In other words, ICO encourages controllers to test their PIA analysis with the individuals who will be affected by the project that is being assessed.
  • Conducting and publicising the PIA will help build trust with the individuals using the organisation’s services. In other words, ICO expects that PIAs will be published in certain circumstances.
  • PIAs should incorporate 7 distinct steps and the draft code provides templates for questionnaires and reports, as well as guidance on how to integrate the PIA with project and risk management processes.

Overall, although the draft code is certainly an improvement compared to the PIA Handbook, it remains cumbersome and prescriptive.  It also places a lot of emphasis on documentation, recording decisions and record keeping.  In addition, the guidance and some of the templates include privacy jargon that is unlikely to be understood by staff who are not privacy experts, such as project managers or work-stream leads who are most likely to be asked to populate the PIA documentation in practice.

Many organisations are likely to want a simpler, more streamlined and more efficient PIA process with fewer steps, simpler tools / documents and clearer guidance, and which incorporates legal requirements and ICO’s essential expectations without undully delaying the launch of new processing operations. Such orgaisations are also likely to want to make their voice heard in the context of ICO’s consultation on the draft code.

CNIL unveils 2012 annual activity report

Posted on April 29th, 2013 by

On April 23rd, 2013, the French data protection authority (the “CNIL”) unveiled its 2012 Annual Activity Report (the “Report”). The CNIL’s Report gives an overview of the actions and initiatives undertaken in the past year, and is also a good indicator for what to expect in the coming year.

The CNIL has adopted a three-year strategic orientation program for the period 2012-2015. This action plan sets out three priorities, namely:

- To adopt a policy of openness and consultation towards stakeholders ;
- To raise the level of awareness among data controllers (particularly companies) and to help them develop tools that allow them to implement the data protection principles; and
- To increase the level of compliance through a more targeted and efficient enforcement policy.

Focusing on the CNIL’s enforcement strategy, the summary below highlights some of the key points in the CNIL’s Report:

- Complaints: The number of complaints has risen to 6000 in 2012. 46% of complaints concerned the right to object to the data processing. The constant rise of complaints over the past years indicates that citizens are more and more aware of their data protection rights and are taking action more frequently. The telecoms/internet sector appears to have triggered most of the complaints (31%).

- Inspections: The CNIL conducted 458 on-site inspections in 2012, which represents a 19% increase compared to 2011. 285 of the inspections were carried out in the context of the Data Protection Act, while 173 inspections concerned the use of videosurveillance equipment. With regard to the Data Protection Act, 23% of the inspections were triggered by complaints and another 26% were initiated by events picked up in the news. This shows that the CNIL often takes action when a particular event or situation makes the headlines. 40% of the inspections are in line with the priorities set out by the CNIL in its annual inspection’s plan, which shows some consistency in how the CNIL operates within a particular sector or business activity.

- Sanctions: In 2012, the CNIL served 43 formal notices asking data controllers to comply. In most of the cases, the CNIL did not pronounce any sanction because the data controller had complied. In total, the CNIL pronounced 13 sanctions, eight of which were made public. The publicity of the sanction follows a recent amendment of the Data Protection Act, which authorizes the CNIL to publish the sanction it pronounces. In the majority of cases, the sanction pronounced was a simple warning (56%), while fines were pronounced in only 25% of the cases. The CNIL pronounced only one injunction to cease the processing. The low number of fines can be explained by the fact they do not have a very deterrent effect for companies in France (by law, the maximum fine for a first violation is EUR 150,000). On the contrary, a warning can cause serious reputational damage to the data controller, particularly when it is made public, which may explain why the CNIL has chosen to publish its sanctions in 60% of the cases.

- Videosurveillance: In 2012, the CNIL carried out over 170 inspections of videosurveillance systems. In this context, the CNIL received more than 300 complaints, 75% of which concerned the use of video cameras at the workplace. The CNIL notes a lack of clarity surrounding the current legal framework for videosurveillance measures, the insufficient or inexistent information of individuals, the inappropriate use of cameras, and insufficient security measures. In 2012, the CNIL published six practical guidebooks, explaining how to use video cameras in compliance with the law.

- Data breach notifications: Following the implementation of the revised ePrivacy directive into French law, the CNIL received the first notifications for data breaches in the telecoms sector. While the total number of notifications for 2012 remains fairly low, the CNIL expects to receive more notifications in the coming year.

It is also worth noting that the CNIL’s budget and manpower have also increased in 2012. As the years pass by, the CNIL continues to grow and to become more resourceful. It is also more experienced and better organized. Thus, data controllers should pay close attention to the actions of the CNIL as it becomes a most powerful authority in France and within the European Union.

The CNIL’s 2012 Annual Activity Report is available (in French) at

ICO audits of the NHS – new powers coming

Posted on March 27th, 2013 by

The UK Ministry of Justice opened a public consultation yesterday on the expansion of the Information Commissioner’s compulsory audit power to the NHS. The NHS, which is one of the UK’s biggest employers and controllers of sensitive personal data, has been firmly in ICO’s sights for over a year now, as back in January 2012 the Commissioner identified “health” as his number 1 priority for regulatory action (see the “Information Rights Strategy”), which led to a series of high profile fines being imposed on NHS bodies for various data breaches (after Local Authorities the NHS was the sector that received most fines in 2012). ICO has long been arguing for the extension of its compulsory audit power to the NHS and its clear from the consultation document that the Government is supportive.

These audits, or “Assessment Notices” as the statutory language prefers, were introduced into ICO’s regulatory tool kit by the Coroners and Justice Act 2009 but while the legislation envisaged the possibility of ICO being able to audit any part of the economy, at the moment the audit power is restricted to Government departments. Many commentators regard this as odd and out of kilter with both the Parliamentary intent and the overall trajectory of data protection law. For instance, under the E-Privacy Regulations ICO has a related compulsory audit power which they can use in the electronic communications sector (principally telecoms companies and ISPs). Likewise the draft Data Protection Regulation includes a proposed wide-ranging audit power for national regulators in the EU. Similarly, the draft Cybersecurity Directive published in 2013 proposes a regulatory audit power for “Market Operators” who underpin the Internet, Cloud Computing services, health, transport, financial services and energy. In other words, compulsory regulatory audit powers are considered to be a fundamental component of mature regulation, albeit, of course, these powers should be exercised sparingly, proportionately and in a non-discriminatory manner.

The current proposal is a welcome opportunity for Government, ICO and the NHS to sort out the mess that is data protection regulation in the NHS. Currently, the “assessment” regime leads to very unfair results, in the sense that a data controller who undergoes a compulsory audit or assessment of legal compliance receives much more favourable treatment through immunity from fines than one who voluntarily reports a data handling problem to ICO for investigation. The recent pattern of fining in the NHS has not been universally welcomed, but these developments may reduce their frequency in a sector that feels harshly treated.

However, NHS bodies should not think that compulsory audits or assessments leave them free of enforcement measures. While ICO cannot fine after exercising an Assessment Notice, they can still impose Enforcement Notices, which are backed up by criminal sanctions for those controllers who do not comply with their terms. Yet, at least Enforcement Notices keep the money in the NHS, which means that the NHS can dedicate what would have been fine money to data protection improvements.

It will be very interesting to see how the NHS responds, but many bodies will be thinking about how they can avail themselves of ICO audits in the meantime to remove the spectre of fines. This is because voluntary audits and assessments carry the same immunity from fines as compulsory ones. Indeed, one might think that it will be a very unfortunate NHS body who is fined, because there is a pathway here to fine neutrality. So, will we see a rush of requests for voluntary audits and assessments? Clever NHS bodies must be thinking about this.

The Consultation closes on 17 May. If you would like to know more about Assessment Notices and how they operate, or if you would like a copy of my firm’s research into ICO enforcement actions in 2012, please contact me.

The guessing game

Posted on August 26th, 2011 by

It has been a busy year for the European Commission’s Data Protection Unit so far.  Day after day, week after week, month after month, a multicultural team of officials based in an unassuming Brussels building have been brainstorming ideas, pouring over written submissions and listening patiently to the wishes, concerns and ideas of those who hope to have a say in the future European data protection framework.  Despite all this hard work, it seems that we may not see a formal proposal until the end of the year.  The reason for this – in addition to the massive pressure to get the first draft right – is that the Commission would like to feed into the proposal the outcomes of the current public consultations on cloud computing and data breach notification.  That is understandable but in the meantime and to temper our anxiety, we can make an informed guess of what we will be presented with.

Much of the debate surrounding this process so far has been around the form that the new legislative framework will take.  If, as it has been made patently clear, the primary objective of the legislative reform is to achieve the greatest possible degree of harmonisation, the Commission is likely to favour a Regulation over another Directive.  The effect of this would be a single piece of legislation immediately applicable across the European Union without the need for implementation at a national level.  If the extremely clumsy implementation process of the revised e-privacy directive is anything to go by, the prospect of a Regulation seems very possible indeed.  However, even a Regulation would be enforced at a national level by each data protection authority, so an element of local interpretation will always exist.

A crucial building block of the new regime will be the rules determining the applicability of the law.  For EU-based organisations, a Regulation would solve the problem of facing multiple national laws and the ‘country of origin’ principle seems the way forward in terms of determining the competent data protection authority.  The big change in this respect will be for overseas organisations, which will find themselves subject to EU law, not when they happen to serve a humble cookie on an EU-based machine, but when they target people in Europe, for example by employing them or marketing to them.

With regard to the substantial content of the new framework, much of our beloved law will stay with some tweaks.  An important objective of the new legal framework will be to give greater control to individuals.  The cornerstone of this, as trumpeted by Viviane Reding, is the so-called ‘right to be forgotten’ which is meant to allow individuals to get their personal information removed from publicly available platforms like networking sites and other websites.  However, the huge two-fold difficulty with extending this beyond the current right to object is how to reconcile it with the freedom of expression of others to disseminate information and the intermediary roles of those which only act as conduits for this information.

As for transparency and consent, expect clever attempts to make these two aspects truly meaningful.  Once again, the emphasis will be on putting people in control, but let’s hope that the Commission’s efforts to make legal obligations clear cut do not translate into unachievable targets like the Working Party’s unqualified interpretation of consent as prior, express opt-in and nothing else.  At the very least, it is reasonable to assume that the legal grounds for processing personal data will continue to include – and possibly expand – the legitimate interest condition to justify such processing.

However, for most organisations the key new ingredient will no doubt be the ‘accountability package’.  Not that it will be ever called that, but it is almost certain that a whole range of practical measures – from mandatory data protection officers to  privacy impact assessments, and possibly internal audit and training requirements – will make its way into the black letter of the law.  An outstanding question is to what extent this will be linked to the provisions affecting international data transfers.  With all probability, the Commission is likely to retain some restrictions but widen the mechanisms available to ensure that such transfers are lawful.  The greatest hope of all is that at the end of the day, the EU legislative bodies manage to come up with a regime that shows the benefits of data protection for all and encourages compliance not just for the sake of it, but for the good of the future generations.  Time will tell.

This article was first published in Data Protection Law & Policy in August 2011

FFW launches Cookie Assessment Tool to help businesses fulfil new cookie requirements

Posted on May 17th, 2011 by

To help online businesses prepare for the the new “consent” regime for cookies in the UK (and the rest of Europe), Field Fisher Waterhouse has developed a new Cookie Assessment Tool.

In its advice on how to comply with the incoming cookie consent regime, the Information Commissioner’s Office (the “ICO“) recommended that website operators:

(i) Identify what cookies they place through their site;

(ii) Assess the intrusiveness of those cookies; and

(iii) Consider appropriate strategies for obtaining consent.

Field Fisher Waterhouse’s new Cookie Assessment Tool helps online businesses fulfil points (i) and (ii) of the ICO’s recommentaions. It provides an assessment document that can be circulated amongst internal IT, marketing and other relevant stakeholders to raise questions and gather relevant information about website cookie use. The information it captures enables businesses to assess the intrusiveness of the cookies they use and facilitates consideration as to what transparency and consent requirements may be needed as a consequence.

FFW is providing this tool free of charge to its clients and contacts. If you would like to obtain a copy of the tool for your internal business purposes, please e-mail Phil Lee, Senior Associate within FFW’s Privacy and Information Law Group at