The prospects for data breach laws in 22 European countries

Stewart Dresner, Chief Executive, Privacy Laws & Business

Wednesday, 4 November 2009, 16:30-17:45: PARALLEL SESSION A: Ooopsss!!!!! Where did I leave my computer? Prevention and reaction in light of security breaches

31st International Conference of Data Protection and Privacy Commissioners, Madrid




The prospects for data breach laws in 22 European countries: Contents

1. Privacy Laws & Business’s knowledge base and contacts
2. Rationale and scope for data breach research
3. The research method
4. Common themes
5. Current data breach laws and demand for new laws
6. Results: DPAs’ views and preferred policies
7. Advantages and disadvantages of a data breach law for DPAs, companies and individuals*
8. Recommendations by DPAs and companies*
9. Privacy Laws & Business’s conclusions
10. What next?

* Slides available on request


Privacy Laws & Business

23rd Annual International Conference

July 5th – 7th 2010

St John’s College

Cambridge

United Kingdom


EPON Data Protection Commissioner Roundtables

• Madrid, Spain (2003)
• Rome, Italy (2003)
• Czech Republic, Hungary and Poland in Prague (2004)
• Paris, France (2005)
• Berlin, Germany (2005)
• Dublin, Ireland (2006)
• Russia, Greece, Portugal in London (2006)
• Stockholm, Sweden (2007)
• Helsinki, Finland (2007)
• Brussels, Belgium (2007)
• Hague, Netherlands (2007)
• Madrid, Spain (2008)
• Luxembourg (2008)
• Warsaw, Poland (2008)
• Zurich, Switzerland (2009)
• Rome, Italy (2009)


IPON Roundtables

• Argentina’s DP Commissioner/Australia’s DP Commissioner in Montreux, Switzerland - 2005

• Binding Corporate Rules, Washington DC - 2006
• European HR issues in Washington DC - 2006
• Canadian HR issues in Toronto - 2007
• Asia-Pacific Briefing, London - 2007
• Asia-Pacific Conference, Strasbourg - 2008
• Madrid, November 3rd 2009: Employee surveillance in Europe: Balancing privacy rights and management control


EPON/IPON Participants include:

• Accenture
• Arnold & Porter
• Barclays Bank
• Boeing
• BP
• BT
• Citigroup
• CSC
• Deutsche Bank
• eBAY
• Eli Lilly
• ExxonMobil
• FIFA
• Fujitsu
• General Electric
• General Motors
• Google
• Halliburton
• HBOS
• IBM
• IMS Health
• Intel
• Johnson & Johnson
• Kodak
• Lloyds Register
• Manpower
• Nestle
• Novartis
• Oracle
• Pfizer
• PwC
• Procter & Gamble
• Schering-Plough
• Sony
• Total
• Walt Disney
• Western Union
• Wyeth


EPON/IPON Meeting Hosts


Other PL&B Services

• Consulting
• Data Protection Audits
• Recruitment
  – Advice on job descriptions
  – Interim managers
• Training


Rationale for data breach research

• USA: data breach laws in most states. Have these US laws set a trend for Europe or are current data protection laws enough?
• US laws’ role in helping raise awareness
• Lack of research linking data breaches to ID theft, credit card fraud etc. But a consensus that increased data losses should be tackled
• DP and privacy laws in the EU and US cover data security – Is there a need for specific provisions on action to be taken when data is lost or stolen?


Scope & Geographical Context

27 EU member states

All other countries within the European Economic Area:

• Norway, Iceland, Liechtenstein
• Switzerland
• Jersey, Guernsey, Isle of Man


Research Timeline 1: 2008

• January: Questionnaire by email to DPAs
• Follow-up telephone calls and emails
• Responses from: Czech Republic, Denmark, Finland, Guernsey, Hungary, Iceland, Ireland, Jersey, Slovak Republic, Sweden & United Kingdom
• European Privacy Officers Network members’ survey and results
• February: Report in PL&B’s International newsletter (available on request)
• March: Detailed report for DPAs and feedback


Research Timeline 2

• April: Target larger/more experienced countries’ DPAs
• May-June: Responses from Italy, Spain, Portugal, Poland, Luxembourg, France and Belgium
• July: Presentation of results at PL&B’s Annual Conference, Cambridge
• Aug-Nov: Drafting report
• Jan-Mar 2009: Responses from Austria, Germany, Netherlands
• Feb-April 2009: DPAs check reports. Updates
• April/May 2009: Conference and Report published


Research Methods

• Email responses from most countries.
• Face-to-face interviews (Italy, Portugal, Luxembourg)
• Telephone interviews (Jersey, Guernsey, Germany)

Other Methods

• National expert’s comments in Switzerland (David Rosenthal, Special Counsel, IT & Telecommunications, Homburger, Zurich)


Questions to DPAs

16 questions covering the following areas:

1. Current laws
2. Demand for data breach laws
3. Purpose and scope of legislation
4. Regulatory options and preferred policies


Common themes

1. Definitions – what is a data breach?
2. Breach notification: How, when and who should companies notify?
3. Lack of research particularly on impact of data breaches on individuals
4. Always a risk attached to the processing of personal data
5. Criminal liability for organisations?


Current data breach laws

• Data protection legislation in all European countries but only general application of this legislation to the unauthorised access, loss or theft of personal data
• Data breaches covered by DP laws, criminal & civil codes and additional e-communication legislation
• Some reporting requirements and guidance but no specific mention in law of action to be taken, except
• Specific data breach law in Germany (2009) where individuals suffer considerable damage and for specific data: professional secrecy, criminal or administrative offences and bank or credit card data


Demand for data breach laws

• Increase in reported data breach incidents

• Hot topic for the media and growing political interest. Differing pressures in different countries - more in the Netherlands, less in Portugal

• Trend for data controllers to contact the authorities where data has been inappropriately released

• No Europe-wide demand for a specific data breach law as current legislation is sometimes enough


DPAs’ views on purpose and scope of specific data breach rules

1. Harmonisation within the EU but national implementation to reflect national needs

2. Any new data breach provisions to include:
• data controllers and data processors
• the public and private sectors

3. Problems with breach notification in the US discourage Europe e.g. over-notification and inconsistency of reporting rules

4. Responsibilities and tasks must be stated clearly


Regulatory Options

Agreement that some form of a data breach regulation would be a good idea. Four options or a combination:

1. Insert data breach provisions into existing related legislation
2. EU Member States insert mandatory breach notification requirement as a specific national law
3. Amend EU e-comms or general DP Directive
4. Practical Guidelines by the EU Art. 29 Data Protection Working Party


Driving factors behind a separate data breach law

1. Increase the protection of personal data
2. Make organisations more accountable for data security
3. Force organisations to improve security standards
4. Restore individuals’ confidence in data controllers


DPAs’ views on possible data breach laws

• Some consistency is needed across Europe in this area
• EU should regulate first
• DPAs favouring amending their current data protection or other law to cover data breaches (UK, Jersey, Finland, Poland, Portugal, Luxembourg, Italy, Netherlands and Germany)


DPAs’ Preferred Policies 1

1. More human and financial resources
2. Notification of data breaches.
3. Orders from DPAs to data controllers and processors to act in a specific way in response to a data breach.
4. Discretion to impose sanctions and appropriate fines
5. Compensation to individuals (in conjunction with civil law provisions)
6. Power to conduct audits when necessary
7. Power to publicly ‘name and shame’ organisations


DPAs’ Preferred Policies 2

8. Support new provisions covering both the public and private sectors (All)
9. Favouring new provisions to cover both data processors and controllers (All DPAs apart from UK, Ireland, Guernsey, Germany and the Netherlands)
10. Want companies to notify them of data breaches (UK, Jersey, Czech Republic, Guernsey, Ireland, Finland, France, Portugal, Luxembourg, Italy, and Germany)
11. Favouring companies paying compensation to individuals where appropriate (Poland, UK, Finland, France, Italy, and Austria)
12. Offering data breach guidance (UK and Ireland)
13. Some form of redress for data subjects


PL&B’s Conclusions

The ‘ideal’ is a synthesis of DPAs’ and companies’ views which are also practical for data subjects. A data breach plan should be:

1. proportionate
2. an alert to a DPA when there is a substantive rather than a procedural problem
3. have more emphasis on a remedy to a problem, and
4. less emphasis on sanctions.


What next?

EU Level
1. Extension of EU e-communications directive to include data breach legislation for ISPs, other sectors?
2. Amend general EU Data Protection Directive?
3. Practical guidelines by the EU Art.29 Working Party?

National Level
1. Modest amendments to national laws e.g. Luxembourg amending DP code to include responsibilities of processors as well as controllers

Company Level
1. Broader breach management programmes
2. Continuing improvement of internal systems e.g. reporting mechanisms


Report from Privacy Laws & Business: Data Breach Dossier on request

Questions?

Research Director and Editor: Stewart Dresner
Researcher: Amy Norcup


Contact details

Stewart Dresner, Chief Executive
Adèle Kendler, Project Manager

Privacy Laws & Business
2nd floor, Monument House, 215, Marsh Road, Pinner, Middlesex, HA5 5NE, United Kingdom
Tel: +44 208 868 9200
Fax: +44 208 868 5215
www.privacylaws.com
