Tsibouris & Associates Blog

Wednesday, January 25, 2012

European Commission Releases Proposed Revisions to the EU Data Protection Directive

by Mehmet Munur

The European Commission announced the proposed revisions to the EU Data Protection Directive today. The widely expected revisions will create uniformity by using a regulation instead of a directive, remove obligations to notify data protection authorities of data processing activities, require data breach notification, increase fines (up to 2% of a company’s global annual turnover), streamline access, introduce a right to be forgotten, expand Binding Corporate Rules to processors, and strengthen the Data Protection Authorities. The Article 29 Working Party also issued a press release supporting the new Regulation.

The proposed regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) makes a number of changes to the framework of the Data Protection Directive. While some of the provisions, such as the fines and the right to be forgotten, may prove controversial, other provisions, such as the removal of the obligation to notify DPAs, will likely be celebrated. The Regulation uses some of the same terms as those defined in Directive 95/46/EC; however, it also introduces new definitions for terms such as personal data breach, genetic data, biometric data, binding corporate rules, and others. The Regulation also clarifies the transparency principle, the data minimization principle, and the obligation to obtain consent for the processing of personal data. The Regulation also introduces more detailed access rights for individuals, adding new elements relating to storage periods of personal information, the right of rectification and erasure, data portability, and complaint resolution. While these protections are likely to bolster the individual’s control over the personal information held by data controllers and processors, they will likely create additional burdens on data controllers and processors to enable data subjects to exercise these rights.

The Regulation also introduces new obligations on data controllers and data processors. The Regulation will require privacy by design and by default, explicitly introduce the principle of accountability, and clarify the responsibilities of joint controllers. The Regulation states that a data processor may be considered a joint data controller in the event it goes beyond the scope of the data controller’s instructions. This particular provision appears to be a result of the concerns the Article 29 Working Party had over processors such as SWIFT. The Regulation will also explicitly require the cooperation of both the data controller and the data processor with the Data Protection Authorities. The security obligations of the data controller include the obligation to notify the data subject of a breach of personal data. Currently, that proposal includes a “where feasible, not later than 24 hours after having become aware” provision. This provision is likely to be revised to a more reasonable time frame before the Regulation becomes law.

The Regulation makes the Data Protection Officer mandatory for the public sector, where processing is carried out by more than 250 people, and where the core activities of the controller or the processor consist of operations that require systematic monitoring of data subjects. German Data Protection law already provided such detailed requirements for the Data Protection Officer. Previously, the creation of such a position decreased the administrative burden on data controllers and their obligation to notify the Data Protection Authorities of the processing of personal information. This approach is likely to continue under the new Regulation.

The Regulation also includes further details regarding international data transfers. It specifically mentions Binding Corporate Rules. These rules now specifically refer to a data processor’s, as well as a data controller’s, ability to obtain authorization for Binding Corporate Rules. This provision should allow service providers to obtain authorizations for BCRs and transfer personal information internationally without having to rely on Standard Contractual Clauses. However, the time and resources required to obtain authorizations for these BCRs may still be substantial. Considering that the Regulation may take some time, as long as a couple of years, to become law, we may not find out about this process for a while. Finally, the Regulation creates the European Data Protection Board, which replaces the Article 29 Working Party. This Board is to ensure the consistent application of the Regulation, review guidelines, recommendations and best practices, and issue opinions, among other responsibilities.

The Regulation comes with both advantages and disadvantages compared to the current regime in place in the EU. On the one hand, the Regulation will likely foster a more uniform approach to data protection in the EU. Once the Regulation becomes law, member states will not be required to transpose it into national law. This will reduce the local differences in the substance of the law. However, the Regulation still provides for independent Data Protection Authorities. These DPAs will ultimately have different interpretations of the Regulation as it interacts with local law and culture. However, the European Data Protection Board will hopefully have the effect of creating more uniformity. Many will likely celebrate the end of the notification of DPAs regarding the processing of personal information. These registers of personal information were mostly automated, reviewed by few, yet required the time and resources of many corporations. Their departure will allow the DPAs and the corporations to work on more substantive privacy and data protection issues. Assuming that the BCR process is further streamlined, we can expect to see more companies and service providers getting in line to obtain authorizations. On the other hand, the right to be forgotten, the increased fines, and the restrictions on the legal basis for processing of personal information will likely draw criticism. Hopefully, in the coming years, the Regulation will be revised to better balance some of the obligations on data controllers.



Monday, January 23, 2012

Proposed EU Privacy Rules Concern Businesses

A proposed change to EU privacy law is going to be released this week, proposing a single regulator and increased penalties. It would also include 24-hour data breach disclosure. We will discuss this more once the proposals are released.



Friday, December 23, 2011

Binding Corporate Rules and the Proposed EU Data Protection Regulation

by Mehmet Munur

The proposed replacement of the EU Data Protection Directive with a regulation sometime next year is likely to result in a multitude of changes for privacy regulation in the EU and around the world, and may make the use of Binding Corporate Rules more attractive for midsize companies and data processors. While 2011 was the year of Privacy by Design, 2012 may end up being the year of the BCRs if this proposed regulation becomes law. (You may find some examples of these rules at the end of this blog post.)

The revision to the EU Data Protection Directive is likely to be a regulation instead of a directive, which may result in more uniform data protection laws across the EU. Nevertheless, EU data protection law is based on local employment and labor law to a certain extent. Therefore, there is bound to be some variation in implementation, and the differences in culture and enforcement are likely to continue. While there will be many exciting and controversial changes to the Directive, from enormous fines to the right to oblivion, BCRs have already taken center stage. (You may read more about the proposed revisions to the EU Data Protection Directive, titled “Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”, here.)

The original BCR system was overly bureaucratic and costly. When the BCR system first started, the applicant would have to seek authorization from each Data Protection Authority in the EU. Considering all of the language and cultural barriers to reviewing a set of rules, this process was mired in reviews and re-reviews until every DPA’s requirements were met. In fact, Peter Fleischer called BCRs data protection for the rich. Then the system was streamlined to 5-7 DPA reviews with a single DPA acting as the lead. This shrank the time to obtain authorization from years to around 9 months. However, the process is still expensive and cumbersome. That may not be the case with the revisions to the Directive.

During her keynote address at the IAPP Europe Data Protection Congress, European Commissioner Viviane Reding shared her plans to make binding corporate rules even more effective through simplicity, consistent enforcement, and innovation. She pointed to the bureaucratic nature of the BCR approval process, stating:

I see this legal fragmentation as a costly administrative burden. It wastes time and money. It is detrimental to the credibility and efficiency of data protection authorities and data protection tools.

I intend to propose a consistent and streamlined approval process with a single point of contact for companies amongst the data protection authorities. And, once the binding corporate rules are approved by one data protection authority, I want them to be recognised by all European data protection authorities. And there should be no need for additional national authorisation in case of further transfers.

Though some DPAs have disagreed with this approach, others have already started pushing for companies to start preparing for these BCRs. Considering that the BCRs are likely to be broad enough to apply to processors as well as data controllers, using BCRs for inter-company as well as intra-company transfers may become a reality in the near future.

Therefore, if they are simplified and expanded to processors, 2012 may indeed be the year of the Binding Corporate Rules. Instead of relying solely on Standard Contractual Clauses, midsize companies can obtain authorization from one DPA for all of their intra-company data flows. Furthermore, they may also be able to obtain BCR authorization as safe processors. This should enable cloud service providers to provide cloud services to other companies using their BCRs. Under the older BCR system, companies were only able to obtain BCR authorization applying to data for which they were the data controllers. With this new system, BCRs for data processors should also be possible. As a result, BCRs should become a true option for midsize companies and processors of all kinds--and quite likely a favored option for cloud service providers.

You may read about some of the BCRs that have already been approved by the EU DPAs below. Note, however, that it is the underlying processes and policies that support the BCRs that are difficult to prove and implement. Nevertheless, these BCRs should prove useful in finding out what the DPAs are looking for in these policies.

Accenture with the UK ICO as the lead DPA.
BP with the UK ICO as the lead DPA.
eBay with the Luxembourg DPA as the lead.
First Data with the UK ICO as the lead DPA.
GE with the UK ICO as the lead DPA.
HP with the CNIL as the lead DPA.
Intel with the UK ICO as the lead DPA.
JPMorgan Chase with the UK ICO as the lead DPA.
Michelin with the CNIL as the lead DPA.
Philips (2) with the UK ICO as the lead DPA.
Sanofi Aventis with the CNIL as the lead DPA.
Spencer Stuart with the UK ICO as the lead DPA.

Aside from these companies, the following companies have obtained authorization for BCRs:

Atmel Corporation with the UK ICO as the lead DPA.
American Express with the UK ICO.
Bank Austria Creditanstalt.
Bristol Myers Squibb with the CNIL as the lead DPA.
CareFusion Incorporated with the UK ICO as the lead DPA.
Citigroup with the UK ICO.
D.E. Master Blenders 1753 ("DEMB"), formerly Sara Lee International B.V. (indirect subsidiary of Sara Lee Corporation), with the Dutch DPA.
Deutsche Post DHL with Germany's Federal Commissioner for Data Protection and Freedom of Information.
Hermès with the CNIL.
Hyatt Hotel Corporation with the UK ICO as the lead DPA.
International SOS with the CNIL as the lead DPA.
IMS Health Incorporated with the UK ICO as the lead DPA.
Linklaters with the UK ICO.
Novo Nordisk with the Danish DPA as the lead.
Novartis with the CNIL.
Safran with the CNIL as the lead DPA.
Schering with the Berlin Data Protection Commissioner.
Schlumberger Ltd. with the Dutch DPA.
Shell International B.V. with the Dutch DPA.

Their policies may also be available publicly. We hope to have this list updated with the appropriate links in the near future.
