View
879
Download
0
Category
Preview:
DESCRIPTION
Overview of Proposed EU Data Protection Regulation published for comments on January 25, 2012 by the European Commission
Citation preview
EU Data Protection ReformJanuary 25, 2012 Draft
Francoise GilbertManaging Attorney - IT Law Group
fgilbert@itlawgroup.com +1 650 804 1235
(C) 2012 IT Law Group - All rights reservedThis presentation is offered for information purposes only, and the content should not be construed as legal advice on any matter.
State Bar of California Business Law Section - Cyberspace Committee
February 14, 2012
1
IT Law Group • Niche law firm that focuses on information
privacy and security, data governance and cloud computing
• Providing services to clients in the US and throughout the world through long term relationships with carefully selected privacy / security lawyers established on all continents
Francoise Gilbert• Founder & Managing Attorney, IT Law
Group, Palo Alto• Author & Editor, Global Privacy & Security
Law (2 volumes, 2,900 pages)(Aspen Publishing / Wolter Kluwer)
• Founding Member & General Counsel, Cloud Security Alliance
• CIPP/US; admitted to practice law in CA, IL and France
2
Agenda
• Background and history
• Proposed new structure
• Implications for businesses
• Proposed expanded rights for individuals
• Proposed rules for cross-border transfers
3
Background
• European Union has been slowly built since the mid 1950’s
• Uniformity was ensured through directives• In the data protection field:
• Directive 95/46/EC• Directive 2002/58/EC (amended by Directive
2009/136/EC)• Directive 2006/24/EC• Framework Decision 2008/997/JHA (police and
criminal matters)
4
Proposed framework
• General Data Protection Regulation• http://ec.europa.eu/justice/data-protection/
document/review2012/com_2012_11_en.pdf• Intended to replace Directive 95/46/EC
• Directive on the protection of individuals with respect to the processing of personal data for prevention, investigation, detection, prosecution of criminal offenses• http://ec.europa.eu/justice/data-protection/
document/review2012/com_2012_10_en.pdf• Intended to replace Framework Decision
2008/977/JHA
5
Key goals of the Regulation
• Creating a uniform framework throughout the European Union
• Putting citizens in control of their data
• Ensuring more transparency, better privacy
• More accountability, better security, immediate disclosure of security breaches
• Facilitating cross border transfers
• Giving more funds, powers, authority to the DPAs
6
Uniformity? ... Not so clear
• Other laws• Not clear how the Regulation would interact with the other
sectoral laws, and the extent to which it would supersede them.
• Member States• Significant freedom given to Member States to create
supplemental legislation and set up their own minefield, e.g.• health information, employee data• rules on penalties
• Uncertainty• Delegated acts and implementing acts to supplement the Reg
7
Broad scope
• Regulation would apply to• processing of personal data in the context of activities of
an establishment of a processor or controller in the European Union
• companies that are established in third countries when:• offer goods or services to individuals located in the EU• monitor behavior of individuals located in the EU
• Regulation would NOT apply to• natural person without gainful interest, in the course of
own exclusively personal or household activity• activities outside scope of EU law, e.g., national security,
prevention, investigation, detection of crimes
8
Simplified regulatory environment
• Would reduce red tape and formalities
• No more “notification” requirement
• One-stop-shop for companies that operate in several countries
• Company would designate a “main establishment”
• Would interact only with the DPA of their main establishment
9
Increased power for DPAs
• Strengthen the independence and powers of the Data Protection Authorities:• better equipped to handle complaints• power to carry out investigations• power to take binding decisions• power to impose effective sanctions
• Provide means for more coordination between the DPAs so that there is more consistency in enforcement
10
Data Protection Officer
• Obligation to appoint a Data Protection Officer if• Company has more than 250 employees; or• Company is involved in processing that, by virtue
of its nature, scope or purpose, presents specific privacy risks
• Would apply both to controllers and processors• DPO would have to be independent, and not
receive instructions on how to exercise functions• DPO’s identity to be disclosed to individuals
11
Stronger rules for consent
• When consent is required, it must be “specific, informed and explicit” and freely given
• Individual must be aware that he is giving consent • Requirement for consent must be presented separately from
other matters• Data subject must be able to withdraw consent at any time• Consent would not be legal basis for the processing if there
is a significant imbalance between position of the controller and that of the individual
• For child under 13, consent would have to be given by parent• Companies would have to be able to prove that the data
subject has consented to the collection and use of the data
12
More obligations
• Companies would have extended obligations with respect to data processing, including:• establish detailed policies and procedures• implement security measures• disclose security breaches• perform data protection impact assessment in
special circumstances• implement verification / audit mechanisms• document compliance with Regulation
13
New concepts
• Privacy by Design
• make sure that data protection safeguards are taken into account at the planning stages
• must be able to demonstrate compliance with privacy by design requirement
• Privacy by Default
• use privacy-friendly default settings
14
Emphasis on security
• Increased emphasis on using appropriate security measures
• Security breach reporting for all companies • Definition of security breach much broader than
in the US• Obligation to notify the DPA within 24 hours, if
feasible• Obligation to notify individuals “without undue
delay” if their data were adversely affected by the breach
15
New rights for individuals
• Right to be forgotten: Individuals would have the right to have their data deleted if they withdraw their consent, and if there are no other legitimate grounds for retaining the data
• Right to data portability: Individuals would have the right to obtain a copy of their stored data from the data controller, in an electronic, commonly used, structured format, and the freedom to move it from one service to another without hindrance
16
Streamlined formalities
• Significant savings resulting from streamlined formalities for cross border transfers
• No more notification
• But, requirement for prior checking would remain for special kind of processing
• Interaction with one single DPA
• Ability to use Binding Corp Rules in the 27 States
17
Complaints; Enforcement
• Individuals would have the right to lodge a complaint with a DPA
• Individuals would have the right to seek judicial remedy against data controller or data processor
• Organizations and associations would have the right to lodge complaints and to seek judicial remedies on behalf of injured individuals
18
Significant penalties
Up to 250 K Euros or .5% of annual worldwide G.I.
Minor violations, e.g., failure to provide mechanism for access
Up to 500 K Euros or1% of annual worldwide G.I.
Most violations
Up to 1 M Euros or.5% of annual worldwide G.I.
Serious violations, e.g., processing data without legal basis, without complying with consent requirement; failure to adopt required policies
19
Questions?
Francoise Gilbert + 1-650-804-1235 fgilbert@itlawgroup.com
ITLG: www.itlawgroup.com
Blog: www.francoisegilbert.com
Book: www.globalprivacybook.com
20
Recommended