
Francoise Gilbert Proposed EU Data Protection Regulation-20120214


Overview of Proposed EU Data Protection Regulation published for comments on January 25, 2012 by the European Commission


Page 1: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

EU Data Protection Reform
January 25, 2012 Draft

Francoise Gilbert
Managing Attorney - IT Law Group

[email protected] +1 650 804 1235

(C) 2012 IT Law Group - All rights reserved
This presentation is offered for information purposes only, and the content should not be construed as legal advice on any matter.

State Bar of California Business Law Section - Cyberspace Committee

February 14, 2012

1

Page 2: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

IT Law Group

• Niche law firm that focuses on information privacy and security, data governance and cloud computing

• Providing services to clients in the US and throughout the world through long-term relationships with carefully selected privacy / security lawyers established on all continents

Francoise Gilbert

• Founder & Managing Attorney, IT Law Group, Palo Alto

• Author & Editor, Global Privacy & Security Law (2 volumes, 2,900 pages) (Aspen Publishing / Wolters Kluwer)

• Founding Member & General Counsel, Cloud Security Alliance

• CIPP/US; admitted to practice law in CA, IL and France

2

Page 3: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Agenda

• Background and history

• Proposed new structure

• Implications for businesses

• Proposed expanded rights for individuals

• Proposed rules for cross-border transfers

3

Page 4: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Background

• The European Union has been built slowly since the mid-1950s

• Uniformity was ensured through directives

• In the data protection field:

  • Directive 95/46/EC

  • Directive 2002/58/EC (amended by Directive 2009/136/EC)

  • Directive 2006/24/EC

  • Framework Decision 2008/977/JHA (police and criminal matters)

4

Page 5: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Proposed framework

• General Data Protection Regulation

  • http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

  • Intended to replace Directive 95/46/EC

• Directive on the protection of individuals with respect to the processing of personal data for prevention, investigation, detection, prosecution of criminal offenses

  • http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_10_en.pdf

  • Intended to replace Framework Decision 2008/977/JHA

5

Page 6: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Key goals of the Regulation

• Creating a uniform framework throughout the European Union

• Putting citizens in control of their data

• Ensuring more transparency, better privacy

• More accountability, better security, immediate disclosure of security breaches

• Facilitating cross-border transfers

• Giving more funds, powers, authority to the DPAs

6

Page 7: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Uniformity? ... Not so clear

• Other laws

  • Not clear how the Regulation would interact with the other sectoral laws, and the extent to which it would supersede them

• Member States

  • Significant freedom given to Member States to create supplemental legislation and set up their own minefield, e.g.

    • health information, employee data

    • rules on penalties

• Uncertainty

  • Delegated acts and implementing acts to supplement the Regulation

7

Page 8: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Broad scope

• Regulation would apply to

  • processing of personal data in the context of the activities of an establishment of a processor or controller in the European Union

  • companies that are established in third countries when they:

    • offer goods or services to individuals located in the EU

    • monitor the behavior of individuals located in the EU

• Regulation would NOT apply to

  • natural persons without gainful interest, in the course of their own exclusively personal or household activity

  • activities outside the scope of EU law, e.g., national security, prevention, investigation, detection of crimes

8

Page 9: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Simplified regulatory environment

• Would reduce red tape and formalities

• No more “notification” requirement

• One-stop-shop for companies that operate in several countries

  • Company would designate a “main establishment”

  • Would interact only with the DPA of its main establishment

9

Page 10: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Increased power for DPAs

• Strengthen the independence and powers of the Data Protection Authorities:

  • better equipped to handle complaints

  • power to carry out investigations

  • power to take binding decisions

  • power to impose effective sanctions

• Provide means for more coordination between the DPAs so that there is more consistency in enforcement

10

Page 11: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Data Protection Officer

• Obligation to appoint a Data Protection Officer if

  • Company has more than 250 employees; or

  • Company is involved in processing that, by virtue of its nature, scope or purpose, presents specific privacy risks

• Would apply both to controllers and processors

• DPO would have to be independent, and not receive instructions on how to exercise functions

• DPO’s identity to be disclosed to individuals

11

Page 12: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Stronger rules for consent

• When consent is required, it must be “specific, informed and explicit” and freely given

• Individual must be aware that he is giving consent

• Requirement for consent must be presented separately from other matters

• Data subject must be able to withdraw consent at any time

• Consent would not be a legal basis for the processing if there is a significant imbalance between the position of the controller and that of the individual

• For a child under 13, consent would have to be given by a parent

• Companies would have to be able to prove that the data subject has consented to the collection and use of the data

12

Page 13: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

More obligations

• Companies would have extended obligations with respect to data processing, including:

  • establish detailed policies and procedures

  • implement security measures

  • disclose security breaches

  • perform a data protection impact assessment in special circumstances

  • implement verification / audit mechanisms

  • document compliance with the Regulation

13

Page 14: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

New concepts

• Privacy by Design

  • make sure that data protection safeguards are taken into account at the planning stages

  • must be able to demonstrate compliance with the privacy by design requirement

• Privacy by Default

  • use privacy-friendly default settings

14

Page 15: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Emphasis on security

• Increased emphasis on using appropriate security measures

• Security breach reporting for all companies

  • Definition of security breach much broader than in the US

  • Obligation to notify the DPA within 24 hours, if feasible

  • Obligation to notify individuals “without undue delay” if their data were adversely affected by the breach

15

Page 16: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

New rights for individuals

• Right to be forgotten: Individuals would have the right to have their data deleted if they withdraw their consent, and if there are no other legitimate grounds for retaining the data

• Right to data portability: Individuals would have the right to obtain a copy of their stored data from the data controller, in an electronic, commonly used, structured format, and the freedom to move it from one service to another without hindrance

16

Page 17: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Streamlined formalities

• Significant savings resulting from streamlined formalities for cross-border transfers

  • No more notification

  • But, the requirement for prior checking would remain for special kinds of processing

  • Interaction with one single DPA

  • Ability to use Binding Corporate Rules in the 27 Member States

17

Page 18: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Complaints; Enforcement

• Individuals would have the right to lodge a complaint with a DPA

• Individuals would have the right to seek judicial remedy against data controller or data processor

• Organizations and associations would have the right to lodge complaints and to seek judicial remedies on behalf of injured individuals

18

Page 19: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Significant penalties

• Minor violations (e.g., failure to provide a mechanism for access): up to 250 K Euros or 0.5% of annual worldwide G.I.

• Most violations: up to 500 K Euros or 1% of annual worldwide G.I.

• Serious violations (e.g., processing data without legal basis, without complying with the consent requirement; failure to adopt required policies): up to 1 M Euros or 0.5% of annual worldwide G.I.

19

Page 20: Francoise Gilbert Proposed EU Data Protection Regulation-20120214

Questions?

Francoise Gilbert +1 650 804 1235 [email protected]

ITLG: www.itlawgroup.com

Blog: www.francoisegilbert.com

Book: www.globalprivacybook.com

20