Archive for the ‘Breach Disclosure’ Category

Beware: Europe’s take on the notification of personal data breaches to individuals

Posted on April 10th, 2014 by



The Article 29 Working Party (“WP 29”) has recently issued an Opinion on Personal Data Breach Notification (the “Opinion”). The Opinion focuses on the interpretation of the criteria under which individuals should be notified about breaches that affect their personal data.

Before we analyse the takeaways from the Opinion, let’s take a step back: are controllers actually required to notify personal data breaches?

In Europe, controllers have, for a while now, been either legally required or otherwise advised to consider notifying personal data breaches to data protection regulators and/or subscribers or individuals.

Today, the only EU-wide personal data breach notification requirement derives from Directive 2002/58/EC, as amended by Directive 2009/136/EC (the “e-Privacy Directive”), and applies to providers of publicly available electronic communications services. In some EU member states (for example, in Germany), this requirement has been extended to controllers in other sectors or to all controllers. Similarly, some data protection regulators have issued guidance whereby controllers are advised to report data breaches under certain circumstances.

Last summer, the European Commission adopted Regulation 611/2013 (the “Regulation”) (see our blog regarding the Regulation here), which sets out the technical implementing measures concerning the circumstances, format and procedure for data breach notification required under Article 4 of the e-Privacy Directive.

In a nutshell, providers must notify individuals of breaches that are likely to adversely affect their personal data or privacy without undue delay, taking account of: (i) the nature and content of the personal data concerned; (ii) the likely consequences of the personal data breach for the individual concerned (e.g. identity theft, fraud, distress, etc.); and (iii) the circumstances of the personal data breach. Providers are exempt from notifying individuals (but not regulators) if they have demonstrated to the satisfaction of the data protection regulator that they have implemented appropriate technological protection measures to render that data unintelligible to any person who is not authorised to access it.

The Opinion provides guidance on how controllers may interpret this notification requirement by analysing seven practical scenarios of breaches that will meet the ‘adverse effect’ test. For each of them, the WP 29 identifies the potential consequences and adverse effects of the breach and the security safeguards which might have reduced the risk of the breach occurring in the first place or, indeed, might have exempted the controller from notifying the breach to individuals altogether.

From the Opinion, it is worth highlighting:

The test. The ‘adverse effect’ test is interpreted broadly to include ‘secondary effects’. The WP 29 clearly states that all the potential consequences and potential adverse effects are to be taken into account. This interpretation may be seen as a step too far, since not all ‘potential’ consequences are ‘likely’ to happen, and it will probably lead to a conservative interpretation of the notification requirement across Europe.

Security is key. Controllers should put in place security measures that are appropriate to the risk presented by the processing, with emphasis on the implementation of those controls rendering data unintelligible. Compliance with data security requirements should result in the mitigation of the risks of personal data breaches and even, potentially, in the application of the exception from notifying individuals about the breach. Examples of security measures that are identified as likely to reduce the risk of a breach occurring are: encryption (with a strong key); hashing (with a strong key); back-ups; physical and logical access controls; and regular monitoring of vulnerabilities.

Procedure. Controllers should have procedures in place to manage personal data breaches. This will involve a detailed analysis of the breach and its potential consequences. In the Opinion, data breaches fall under three categories, namely availability, integrity or confidentiality breaches. Applying this model may help controllers analyse the breach too.

How many individuals? The number of individuals affected by the breach should not have a bearing on the decision of whether or not to notify them.

Who must notify? It is explicitly stated in the Opinion that breach notification constitutes good practice for all controllers, even for those who are currently not required to notify by law.

There is a growing consensus in Europe that it is only a matter of time before an EU-wide personal data breach notification requirement that applies to all controllers (regardless of the sector they are in) is in place. Indeed, this will be the case if/when the proposed General Data Protection Regulation is approved. Under it, controllers would be subject to strict notification requirements both to data protection regulators and to individuals. This Opinion provides some insight into how the European regulators may interpret these requirements under the General Data Protection Regulation.

Therefore, controllers will be well advised to prepare for what is coming their way (see previous blog here). Focus should be on the application of security measures (in order to prevent a breach and to limit the adverse effects to individuals once a breach has occurred) and on putting procedures in place to effectively manage breaches. Start today; burying your head in the sand is no longer an option.

If I’m not mistaken, that’s a breach….

Posted on November 4th, 2013 by



Last year the UK Information Commissioner (ICO) issued 25 fines (22 of which were for data security breaches). This year the ICO has issued 16 fines so far. We’ll have to see what happens in the next two months, but my guess is we’ll be seeing a fair few more fines in the run up to Christmas.

In a recent blog post on the ICO’s website, we are told that the local government sector has received fines totalling more than £2 million since the ICO’s fining power began in 2010. That’s a staggering amount of money which ultimately is paid out of the public purse (presumably to the detriment of the public services it was there to support).

We are also told in the blog that “all these breaches” could have been prevented if the Data Protection Act had been correctly complied with. I’m not sure I entirely agree with that statement; can total compliance really eliminate all risk of incidents occurring?

While it is true that organisations should implement rigorous data protection and information governance frameworks to help safeguard the data they handle (think of the “technical and organisational measures” required by the DPA), surely no amount of policies, guidance or training is going to prevent an accidental slip-up from occurring. The unfortunate reality is that we humble human beings do make the occasional mistake. We all know – or can imagine – how easy it is to misdial a number or click on ‘send’ and inadvertently send something to the wrong person. Indeed, our 2012 ICO Enforcement Tracker (please get in touch for a copy) revealed that of all the fines issued by the ICO last year, the overwhelming majority were for breaches involving misdirected communications.

So, practically speaking, what is the answer?

Well, the best solution is surely to assess and manage the risks so that, in the event an incident occurs, no harm or damage is suffered. The best thing you and your organisation can do is: (i) sit up and pay attention to the types of data you handle; (ii) get fully up to speed with what your legal obligations are in relation to it; and (iii) implement a robust system to demonstrate not only that you are doing everything possible to avoid a breach occurring in the first place, but also that you have a proper action plan in place to manage an incident if and when it arises.

It also goes without saying that we can learn an awful lot from the mistakes that others have already made; we know that the “hot spots” for regulatory action include things like misdirected communications, lack of policies and training, and the failure to encrypt portable media that contains personal information. Organisations should exploit that knowledge and use it to build better and more effective breach management strategies.

European Commission Adopts Technical Implementing Measures for Data Breaches

Posted on September 3rd, 2013 by



On June 24th, 2013, the European Commission adopted a new Regulation No 611/2013 (the “Regulation”) on the measures applicable to the notification of personal data breaches under the Directive 2002/58/EC (the “ePrivacy Directive”). This Regulation came into force on August 25th, 2013.

Since the revision of the ePrivacy Directive in 2009, providers of electronic communications services to the public (mainly telecom providers and ISPs) must notify the competent national authority in Member States when a personal data breach occurs. The Regulation harmonizes the technical measures that apply to data breaches across EU Member States.

Timeline for notifying data breaches

Under Article 4(3) of the ePrivacy Directive, service providers are required to notify the regulator “without undue delay”. The Regulation introduces a new obligation for service providers to notify the competent national authority no more than 24 hours after the detection of a data breach, where feasible.

The Regulation specifies that a data breach is considered to be detected when the service provider has sufficient awareness that a security incident leading to personal data being compromised has taken place. At this point it is necessary for the service provider to make a meaningful notification to the competent national authority. This provision illustrates the need for organizations to adopt an internal action plan allowing them to assess and to respond to data breaches effectively.

Where the company handling the data has no direct relationship with the end user (for example, where the service provider uses another provider to perform part of the service, e.g. billing or management functions), that company is not required to issue notifications itself, but still has a duty to alert and notify its customer (i.e., the electronic communications service provider) when it becomes aware of a data breach. In this respect, providers of electronic communications services must ensure that this obligation is written into their service provider agreements.

Content of the notification to the regulator

The Regulation specifies under Annex 1 the information that must be mentioned in the notification to the national authority, including: the name of the service provider, the name and contact details of the data protection officer (or another contact person within the organization) and the details of the personal data breach (date and time of incident, circumstances surrounding the breach, nature and content of the data concerned).

Two-step notification process

Where the service provider is unable to gather all the required information within 24 hours because the data breach is still being investigated, the Regulation authorizes the company to make an initial notification within 24 hours of the breach being detected, followed by a second notification as soon as possible and no later than three days after the initial notification. This second notification should complete and, if needed, update the initial notification. If the service provider is unable to provide all the information within that subsequent three-day period, it must submit a reasoned justification to the national authority for the late provision of the remaining information.

Electronic procedure for notifying data breaches

The Regulation is particularly innovative in that it obliges the competent national authorities to provide a secure electronic means for the notification of personal data breaches. The Regulation mentions that this procedure should be available in a common format (such as XML) and should contain the information set out in Annex 1 in all the relevant languages. The purpose is to enable all service providers in the EU to follow a similar notification procedure, irrespective of their location or where the breach occurs. This provision is likely to pave the way towards a general data breach notification procedure for all data controllers once the proposed EU Data Protection Regulation comes into force.

Notification to individuals and subscribers

The Regulation clarifies the circumstances under which a data breach is likely to adversely affect the personal data or privacy of subscribers or individuals, for example, where the data concerns financial data (e.g., credit card data or bank account details), sensitive data, or certain data specifically relating to the provision of telephony or Internet services (e.g., emails, location data, Internet log files, web browsing history, and itemised call lists).

In principle, the service provider must notify the subscribers and other individuals concerned “without undue delay”. However, in exceptional circumstances the provider may delay this notification, with the national authority’s permission, where the notification may put the investigation of the data breach (e.g., a criminal investigation) at risk.

If the service provider does not possess the contact details of all the individuals who are adversely affected by the data breach, it may mitigate this by making a notification through advertisements in major national or regional media (such as newspapers) until it is able to identify all the individuals affected and send them an individual notification.

Cross-border data breaches

If a data breach affects the personal data of individuals located in several EU member states, the Regulation imposes on the competent national authorities a duty to inform one another and to cooperate. One can only regret, however, that the European Commission did not go one step further by enabling a “lead” authority to act as the single point of contact for organizations that are facing a cross-border data breach. The European legislator perhaps missed a chance here to streamline the notification procedure and to remove some of the administrative burden on companies.

Direct applicability in Member States

The Regulation is legally binding and is directly applicable in all Member States, which means that in the case of a conflict between the Regulation and a national law, the Regulation must prevail.

Finally, it should be noted that the Regulation was drafted to be consistent with the proposed Data Protection Regulation so as to avoid conflicting legal provisions in the future. It is also expected that technical adjustments will be made to the ePrivacy Directive once the Data Protection Regulation comes into force.


Data security breach notification: it’s coming your way!

Posted on July 2nd, 2013 by



Data breach notification laws have existed in the US for several years. California was the first state to introduce a data breach notification law in 2002, followed soon after by forty-five other US states. In 2012, the US Senate introduced a Data Security and Breach Notification Act which, if enacted, would establish a national data security and breach notification standard for the protection of consumers’ electronic personal information across the US.

In Europe, data breach notification has only drawn attention at a political and legislative level following recent press coverage of data breach scandals. Nevertheless, the numerous debates, initiatives and legislative proposals that have appeared in recent months are evidence of Europe’s growing interest in this topic, and recognition of the need to regulate. As an example, the EU Commission’s Directorate General for Communications Network, Content and Technology (DG CONNECT) recently proposed to “explore the extension of security breach notification provisions, as part of the modernisation of the EU personal data protection regulatory framework” in its Digital Agenda for Europe (action 34).

From a legislative perspective, things have been moving forward rather steadily for several years. In 2009, the European legislator adopted a pan-European data breach notification requirement for the first time, under the amended ePrivacy directive 2002/58/EC (“ePrivacy directive”). True, the directive only applies to “providers of publicly available electronic communications services” (mainly telecom operators and ISPs), but in a limited number of EU Member States the ePrivacy directive was implemented with a much broader scope (e.g., Germany). In June 2013, the European Commission released a new regulation explaining the technical implementing measures for data breach notification by telecom operators and ISPs.

Following this first legislative step, the European Commission has recently made two further legislative proposals. The first, which has drawn the most attention, was the European Commission’s proposal of a new regulation to replace the current Data Protection Directive 95/46/EC. If adopted, this Regulation would introduce a general obligation for all data controllers, across business sectors, to notify the regulator in case of a breach without undue delay, and not later than 24 hours after having become aware of it. Companies would also have to report data breaches that could adversely affect individuals without undue delay. This Regulation would apply not only to organizations that are established on the territory of the EU, but also to those that are not established within the EU, but target EU citizens either by offering them goods and services, or by monitoring their behaviour.

Needless to say, in Brussels, stakeholders and lobbyists have been actively campaigning against the proposed data breach provisions for months on the grounds that they are unfriendly to business, cumbersome and impractical. Following the debates at the European Parliament and the Council of Ministers on the proposed Regulation, a less prescriptive, more business-friendly version of the data breach provisions may end up being adopted. Currently, discussions are ongoing in an attempt to limit the scope of the data breach requirements to breaches that are “likely to severely affect the rights and freedoms of individuals”. The deadline for reporting breaches could also be extended to 72 hours. At this point, it is impossible to predict with certainty what will be the final wording of those provisions. However, there does seem to be a consensus among the EU institutions and member states that, one way or another, a data breach notification requirement must be introduced in the Regulation.

Secondly, the European Commission has proposed a directive that aims to impose new measures to ensure a high common level of network and information security across the EU. The Directive concerns public administrations and market operators, namely “providers of information society services” (i.e., e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, application stores) and “operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health.” The Directive would require them to report significant cyber incidents (e.g., an electricity outage, the unavailability of an online booking engine, or the compromise of air traffic control due to an outage or a cyber attack) to a national competent authority.

So what does this tell companies?

First, that data security in general and data breach notification in particular are drawing more and more attention, and thus cannot be ignored. As was the case a few years ago in the US, data breach notification is bound to become one of the hottest legal issues in Europe in the coming years. The legal framework for data breach notification may still be a work-in-progress, but nevertheless it is becoming a reality in Europe. Second, companies should not wait until data breach laws come into force in Europe to start implementing an action plan for handling data breaches. While data breach notification may not yet be a legal requirement for all companies in Europe, the reputational damage caused by a single data breach should motivate companies to implement robust data breach handling procedures. Finally, data breach notification can be viewed as a competitive advantage that enables companies to be more forthcoming and transparent vis-à-vis clients and customers who entrust them with their personal data.

For more information on data security breach notification rules in France, view my article in English: “Complying with Data Breach Requirements in France” (first published in BNA’s World Data Protection Report); and in French: “La notification des violations de données à caractère personnel: analyse et décryptage” (first published in Lamy Droit de l’Immatériel).

What will happen if there is no new EU privacy law next year

Posted on June 20th, 2013 by



The European Parliament has just announced another delay affecting the vote on its version of the EU Data Protection Regulation. That means that we will now not know where the Parliament truly stands on this issue until September or October at the earliest. Although this was sort of expected, optimistic people like me were still hoping that the LIBE Committee would get enough consensus to issue a draft this side of the Summer, but clearly the political will is not quite there. This is obviously disappointing for a number of reasons, so in case the MEPs need a bit of motivation to get their act together, here are a few things that are likely to happen if the new Regulation is not adopted before next year’s deadline:

* Inconsistent legal regimes throughout the EU – The current differences in both the letter of the law and the way it is interpreted are confusing at best, and are one of the biggest weaknesses in achieving the right level of compliance.

* Non-application of EU law to global Internet players – Thanks to its 1990s references to the ‘use of equipment’, the Directive’s framework is arguably not applicable to Internet businesses based outside the EU, even if they collect data from millions of EU residents. Is that a good idea?

* Death by paperwork – One of the most positive outcomes of the proposed Regulation will be the replacement of the paper-based compliance approach of the Directive with a more practical focus. Do we really want to carry on spending compliance resources filling in forms?

* Uncertainty about the meaning of personal data – Constantly evolving technology and the increasing value of data generated by our interaction with that technology have shaken the current concept of personal data. We badly need a 21st century definition of personal data and its different levels of complexity.

* Massive security exposures – The data security obligations under the existing Directive are rather modest compared to the well publicised wish list of regulators and, frankly, even some of those legal frameworks regarded as ‘inadequate’ by comparison to European data protection are considerably ahead of Europe in areas like data breach notification.

* Toothless regulators – Most EU data protection authorities still have very weak enforcement powers. Without going overboard, the Regulation is their chance to make their supervisory role truly effective.

The need to modernise EU data protection law is real and, above all, overdue. A bit of compromise has to be better than not doing anything at all.

Cybersecurity in the EU – massive change on its way

Posted on February 8th, 2013 by



Is anyone unsure about the EU agenda for cyber and data security? If you want some insight, you could easily check the UK Information Commissioner’s website, where you will see that in 2012 over 20 data controllers were hit with big fines for security breaches affecting personal data.

Or you could rewind to January 2012, when the EU published the Draft General Data Protection Regulation, which will impose mandatory breach disclosure on every data controller operating in the EU, backed up with potential fines of up to 2% of annual worldwide turnover for those organisations who fail badly.

Or you could go back a little further still, to October 2009, when the EU introduced the mandatory breach disclosure rule for telcos and ISPs, which has been operating since early 2011.

Actually, you don’t need to do any of that. Instead, just focus on the draft EU Cybersecurity Directive, which was published today. It’s a short document, easy to get to grips with, and within a few minutes the implications will be obvious to you.

The new Directive makes it compulsory for all “market operators”, including utilities, transport and financial services businesses, as well as public authorities who use “network and information systems” within their businesses, to implement technical and organisational measures to manage cyber risks. These organisations will be subject to independent regulation: they will have to disclose security breaches to the regulators, they will have to submit to compulsory regulatory audits, and they will be sanctioned if they fail to comply with the law.

The scope and magnitude of this new Directive is huge. Obviously, the regulation of cyber risks in utilities, transport, financial services and public authorities is massive in its own right, but it’s the wider concept of “market operator” that really needs to be looked at.

A market operator includes a provider of information society services “that enable the provision of other information society services”.

Information society services are colloquially called ecommerce services in the EU, but this is about much more than online shopping, because in the EU an information society service is essentially any service that is provided over the internet, whether or not a fee is charged. In other words, an information society service can be a shopping site, a social network, a search engine, an “over the top” communication system (like Skype) and so on, whether web or app based.

Looking again at the definition of market operator, what really counts is whether the information society service is supporting another information society service. This website, privacylawblog.ffw.com, is an information society service, but it’s not supporting another, so it’s not caught by the Cybersecurity Directive. What the Directive is looking for is the platform of support – if you are a platform for an ISS, then you are regulated.

If all of this sounds too complicated, don’t worry, the Directive provides some indicative examples. These are: ecommerce platforms, internet payment gateways, social networks, search engines, cloud computing services and application stores.

This is an incredible list and the magnitude of the Directive becomes obvious when you start adding names to the list:

* ecommerce platform = Amazon and eBay provide market platforms for traders and iTunes has to be captured too

* internet payment gateways = PayPal is the most obvious one, but there are loads of others, like Worldpay

* social networks = Facebook, LinkedIn, Twitter and so on

* search engines = Google (are there any others?)

* cloud = basically every tech co in the World!!!

* application stores = I think Apple has one (!), Google too, Amazon again and what about the telcos … isn’t Blackberry launching one now too?

This seems quite incredible at first, but it’s real. And it’s obvious really, isn’t it, because it is the Cybersecurity Directive after all! It wouldn’t deserve this name if it didn’t regulate these household names.

There is a lot to like in the Directive, but businesses will have concerns about the nature of regulation and the competence of the regulators. There are also some worrying grey areas in the Directive, such as the delegation of many powers to quangos, which is never good for legal certainty. I would expect many big tech companies to be looking hard at how to engage with the EU on this, because there is much to be shaped up.

But wrapping this all together and tying up the various strands, what we see within the EU is radical lawmaking for security. Any organisation that misses this point will come unstuck. That’s why the law is being reformed: specifically, to cause behavioural change. Whether you look at security from a data protection angle or a cyber angle does not matter; you just have to be more secure.

I’ve posted a diagram below which shows the core legal pillars for data and cybersecurity in the EU, now and coming. What you are seeing here is a coalescence of approach and obligation. The end game is a single legal test – take appropriate technical and organisational measures to secure your networks and data. That’s the European approach.

Privacy in the global village

Posted on September 4th, 2012 by



There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world. Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed. In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet. At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time. So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world to spot trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15-year-old Personal Data (Privacy) Ordinance. Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner. So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years’ imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia. With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly. The local regulator is unlikely to be a quiet one, and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which, if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either, as countries like Malaysia, Singapore and the Philippines are also making progress in this area. Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice, but its pedigree looks rather European. Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity. As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time. The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, here is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best to protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

 
This article was first published in Data Protection Law & Policy in August 2012.

The new EU framework: Uniform, prescriptive and ambitious

Posted on February 3rd, 2012 by



These are truly exhilarating times for the data protection world.  Viviane Reding’s recent announcement of the Commission’s proposal for a fully harmonised European data protection framework had the connotations of an Olympic opening ceremony – the years of hard work in preparation for this moment, the sense of achievement in the face of challenge and the triumphant belief that something memorable is going to come out of this.  Only the big drums and the flame were missing.  The jury is now out but this is without a doubt the most significant global legislative development affecting the collection, use and protection of personal information of the past 15 years.

As expected, the proposed new general framework for data protection is set out in a regulation, rather than another directive.  This means that once adopted, the regulation will be directly and universally applicable across all EU Member States without the need for national legislation.  Recent legislative history suggests that a single EU-wide regulation is likely to be the only way to achieve the desired uniformity across the European Union.  Member States’ struggle to implement the changes to the e-privacy directive in a coherent way reminds us daily of the limitations of a directive.  But a single pan-European law is a double-edged sword – one set of rules is meant to be beneficial to organisations operating internationally, but those who are used to dealing with the reasonably practical obligations of jurisdictions like the UK or Ireland face a cultural and legal shock.

The proposed regulation is also aimed at rejuvenating a law which has lost its effectiveness in tackling the data protection challenges of the 21st century.  The novelties are varied and creative, but they all have one thing in common: the principles, rights and obligations are far more prescriptive in nature than under the 95 directive.  This is a natural consequence of having to draft a directly applicable regulation, but it is a fundamental change from the way European data protection has operated until now.

The bulk of the proposed regulation brings with it a whole new set of obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers.  Plus, of course, nearly immediate data breach notification.  These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.

Above all, the Commission’s proposal is an ambitious one.  Not least because it sets out a very clear basis for its extra-territorial application.  The regulation does away with the cumbersome references to equipment located in the European Union and introduces brand new EU residency grounds.  Any company that processes personal data in the context of an EU-based establishment will be subject to the new law in any event.  But in addition, the regulation will extend the applicability of European data protection rules to organisations established elsewhere that use personal information in relation to the offering of goods or services to, or the monitoring of the behaviour of, individuals who live in the EU.

This approach will affect Internet businesses from all over the world but the Commission’s ambition goes even further than that.  One of the greatest challenges ahead is not faced by organisations using personal information but by the regulators themselves.  They will need to learn a radical new law which demands constant dialogue and closer cooperation than ever before.  The legislative process is now wide open and 2012 will be a crucial year to influence the outcome of the new law.  We have a real opportunity to contribute to this process, so it is our responsibility to get the right result.

This article was first published in Data Protection Law & Policy in January 2012.

Deconstructing the privacy macaron

Posted on December 7th, 2011 by



Compact.  Self-contained.  Multi-layered.  Hard to penetrate and rich inside with a mix of flavours and tones.  Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law.  But if the indications of what we are about to see in the regulation being proposed by the European Commission are true, complying with the future European privacy regime is going to require fine confectionery skills.

So what are the likely ingredients of this extremely elaborate piece of legislation and how will they blend together?

*   A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best recipe for a harmonised regime that delivers a consistent level of protection across the EU.

*   Two-fold objective – Like the original directive, the new regulation will most certainly have a dual aim: protecting personal data and facilitating the intra-EU movement of that data.

*   Applicability based on establishment and targeting of European residents – The novelty being that the use of equipment in the EU will be replaced by data processing directed at those individuals who live in the EU.

*   Privacy principles – Transparency, finality, proportionality and data quality – they are all likely to be there but for added flavour, expect some new ones like data minimisation and accountability.

*   Consent – Individuals’ consent will remain a cornerstone of European data protection law but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual’s freedom of choice.

*   Big rights – Some rather radical changes are likely to come in the shape of new or strengthened individuals’ rights.  Top of the list will be the much publicised right to be forgotten followed closely by data portability rights.  No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities.

*   Controller’s responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers.

*   Data breach notification – As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.

*   International data transfers – Greater flexibility is expected on this issue alongside an express recognition for binding corporate rules, which will be available to both controllers and processors.  An area of concern however is the potential conflict between data requests by non-EU authorities and the limitations on data disclosures, which will probably require the involvement of data protection authorities in determining how to resolve such conflict.

*   Role of data protection authorities – The main novelty on this front is bound to be in relation to their geographical competence.  In all likelihood, the data protection authority of the Member State where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU.  We can also assume that greater international coordination mechanisms will be in place.

*   Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and succulent monetary fines, which can only be more substantial than what most Member States have at the moment.

All in all, it is beyond doubt that the Commission has been working very hard to craft a framework that fits the regulatory requirements of today’s and tomorrow’s data protection.  Whether the result will suit everyone’s taste is a different matter.

This article was first published in Data Protection Law & Policy in November 2011.

More indications about the new EU data protection rules

Posted on November 17th, 2011 by



In an interview with the Washington Post, Viviane Reding, the EU Justice Commissioner, gave more indications about what we can expect from the tougher European regime that is in the pipeline.

The key points are:

* “Our reforms are aimed at getting rid of the fragmentation and providing consistency and coherence for the whole of the continent”. This is the clearest sign yet that we can expect a Regulation directly applicable in all Member States, as opposed to a Directive, which is subject to national implementation.

* “Self-regulation can be little more than a fig leaf. It works only if there is strong, legally binding regulation in the first place”. Not only tougher substantive rules, but also more heavy-handed regulation are likely to be on their way. If so, we can expect more disputes and litigation.

* “We do have a set of rules today that is not always applied and controlled in the way it should be. That has led to fragmentation and different interpretations of the rules”. The proposals may also include a mechanism to ensure at least some degree of consistency in the application of data protection rules across Member States; a supra-national data protection regulator perhaps?

* “It is clear that every citizen has a right to their own data. Before a company can use your data they should ask for permission. This is a basic rule of the European Union”. As expected, the new instrument will attempt to further empower consumers, particularly by imposing a requirement for explicit consent before their data are used and by introducing a right to have their data deleted at any time.

* “Data breaches is one of the questions that is very high on the agenda [...] We will extend the telecom rules to the Internet”. As expected, the mandatory breach notification obligations currently applying to Telcos and ISPs will be extended to internet services, online traders and private-sector medical records, and possibly to the broader economy.

The interview can be found here: http://www.washingtonpost.com/blogs/post-tech/post/qanda-eu-chief-privacy-regulator-on-new-internet-rules/2011/11/15/gIQAOeZzRN_blog.htm