Articles: EUROPEAN

-DATA PROTECTION AND PRIVACY-

New Direction Discussed for European Data Protection

“Saving jobseekers from themselves,” is the purpose of the German draft law which will regulate the use of information concerning job applicants collected on the internet by employers. Currently we work with very general criteria of transparency and accuracy, with the obligation to inform and with the evaluation of the principle of incompatibility and purpose, but these criteria are no longer sufficient. The European Commission’s Communication announced their commitment to insert privacy by design in the principles of the new discipline. This principle should help us to face problems from the beginning of every project in order to avoid the difficulty of developing data protection systems subsequently, when all the choices have already been made.

The main point is to do things in a more responsible way; data controllers should not consider these principles as something to comply with only when there is a problem, a complaint or an appeal. They should consider their duties as something to be put into practice on a day-to-day basis. They should take on the responsibility of transforming into internal procedure everything which is necessary to adhere to the principles of law. So, we will no longer have a situation in which data controllers choose not to fulfill their privacy obligations and run the risk of incurring fines, thinking that an inspection may never arrive. Instead we will have a new scenario in which the data custodian controller is conscious that protection of privacy is a daily obligation.

Article 29 Working Party Releases Opinion on the Applicability of European Data Protection Law

The Article 29 Working Party issued its Opinion on applicable law, providing guidance on the scope of EU data protection law and the practical implications of Article 4 of the EU Data Protection Directive (95/46/EC, the “Directive”). The purpose of the Working Party’s Opinion 8/2010 (the “Opinion”) is twofold. First, it intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area (the “EEA”). The clarifications by the Working Party are aimed at enhancing legal certainty for data controllers, providing a clearer framework for individuals and stakeholders and avoiding legal loopholes and potential conflicts between overlapping national data protection laws. Throughout the Opinion, practical examples are used to demonstrate the clarifications, such as in the context of centralized HR databases, geolocation services, cloud computing and online social networks.

The Working Party’s main suggestion for the improvement of Article 4(1)a is to shift back to the country of origin principle. This would mean that only the laws of the Member State in which the main establishment of the controller is located would apply. For Article 4(1)c, in situations where the controller is established outside the EEA, the Working Party suggests that additional criteria be developed to ensure that a sufficient connection with the EEA territory exists.

As a final recommendation, the Working Party calls for greater harmonization and clarification regarding the requirement that data controllers located outside the EEA appoint a representative within the EEA.

Read more

Google, Internet Companies Face Too Many Privacy Rules, U.S. Official Says

U.S. Internet companies may be hampered by a multiplicity of data protection rules in Europe and beyond that are “potential barriers to the free flow of information,” a U.S. official said. Daniel Weitzner, an Internet policy official in the U.S. Commerce Department, said regulators don’t always recognize companies’ efforts to set basic data protection standards that are adequate to stem abuses of privacy. “It’s awfully difficult to adapt privacy practices for a hundred or more different” jurisdictions, Weitzner told reporters in Brussels the day after a meeting with Viviane Reding, the European Union’s justice commissioner. “That is a substantial barrier today.” Planned changes to data protection rules in both regions “seem to be quite convergent,” she said. “Our cooperation has a good chance to be the first step towards the development and promotion of international legal standards,” Reding said.

Reding Outlines Data Privacy Plans For Companies In Europe

European commissioner for justice, fundamental rights and citizenship, Viviane Reding, who is currently preparing the new laws , warned that the EU would not hesitate to take action against non-EU companies that broke local laws on data collection and retention. “Stakeholders at a recent public consultation on data protection asked me to make clear that our data protection rules also apply to data retention. Storage of data is already included in the broad definition of ‘processing’ but the general public is unaware that processing includes storing/retention.” Reding explained that EU law would be based on four central principles.

Read more

Reding Outlines Costs To Business Of EU Privacy Legislation

Viviane Reding, European commissioner for justice, fundamental rights and citizenship, has been outlining the costs and legal strategy behind forthcoming EU data privacy legislation. Speaking at a public meeting hosted by the European People’s Party, Reding said that the new plans, expected this summer, would impose some extra costs on businesses. However, these would be more than mitigated by a reduction of red tape within the EU and the opening up of the market to innovation. “All fundamental rights have a cost. The right to the protection of data is not an exception,” she said. “Costs are carried by businesses, administrations and citizens – actually by society as a whole. But I believe that companies have specific responsibility because data is often their main economic asset. “Reding said that by initiating an EU-wide framework for data management, the variable costs to companies of complying with a plethora of different legal frameworks in member states would be eliminated. The rules of applicable law will also be simplified to reduce costs further.

Data Czar Says He Will Step Up Inspections

The European data protection supervisor (EDPS) has warned that he will step up inspections and monitoring to make sure EU institutions abide by EU data protection rules. Peter Hustinx, the European data protection supervisor, said in his office’s annual report for 2010 released yesterday (15 June) that more on-the-spot inspections would be carried out this year on cases it receives where it has grounds to believe EU institutions are failing to comply.

His report added that the EDPS would also give special attention to how member states and the European Commission are drafting and implementing new legislation on border security checks, such as the proposed entry-exit system and the registered traveller programme, as well as an EU-wide system to collect data on airline passengers.

Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups

On July 13, 2011, Europe’s Article 29 Working Party issued an opinion on consent and how it should be interpreted and used under European data protection laws. The guidelines are in large part a compilation of recommendations previously made by the Article 29 Working Party for particular forms of processing, such as collection of patient data for electronic health records, transfer of data to third parties, processing of passenger name records, etc. The guidelines also draw on case law of the European Court of Justice, including an important decision in the field of employment law interpreting what constitutes a valid consent of an employee.

What emerges from the guidelines is first that data controllers should be wary of relying too much on consent as a basis for processing, particularly when other justifications for the processing may suffice under the directive. Another important lesson that emerges from the consent guidelines is that consent must be sufficiently granular to show that the individual specifically gave his or her consent to each type of processing that is envisaged by the data controller. According to their Article 29 Working Party, a general consent to any and all transfers to unspecified third parties would not be sufficiently specific to constitute valid consent. And, Another conclusion that we can draw from the guidelines is that silence or the failure to act can never be considered valid consent. Consent has to be evidenced by an affirmative clicking of a box or any other relevant positive act.

Obtaining Consent in Europe: Mission Impossible?  

The Article 29 Working Party has adopted its opinion on the definition of consent this past July, clarifying the existing concept used in the Data Protection Directive and the e-Privacy Directive.   The opinion breaks down the definition of consent, which is currently used as the legal basis for processing personal data, into several conditions necessary for it to be valid. Consent includes “any indication of wishes…signifying the data subject’s agreement,” but needs to be expressed in a tangible form by way of an oral or written statement. It also should be freely given, specific, well informed, unambiguous, and in specific cases, explicit.   In addition, the opinion includes several proposals to be considered in the review of the Data Protection Directive.

European Privacy: Law and Practice for Data Protection Professionals

European Privacy: Law and Practice for Data Protection Professionals is the essential text for professionals working in privacy, data protection or a related field, either in Europe itself or in any location where responsibilities include data transfer to and from Europe.

Global data protection practitioners and CIPP/E certification candidates will all find this to be a valuable reference guide to pan-European and national data protection laws, the European model for privacy enforcement, key privacy terminology and practical concepts concerning the protection of personal data and trans-border data flows.

Pending Revision of EU Directive Prompts Questions About Safe Harbor

The pending proposal from the European Commission for revision of the EU Directive (expected in early 2012) raises questions about the efficacy under a revised Directive of the EU-US Safe Harbor framework, which permits the legal cross-border transfer of personal data from the EU to the US for companies enrolled in the Safe Harbor and committed to the requisite privacy protections. That’s the recent observation in Europolitics , the European Affairs daily:

It is not clear what impact a revamp of the EU and US data privacy legal frameworks would have on Safe Harbour. According to the Commerce Department official, “we have been assured by the European Commission that Safe Harbour will not be affected by changes in the Data Protection Directive”. The official adds, however, that they do have concerns about US firms lacking the clarity they need should new terms like ‘privacy by design’ and ‘right to be forgotten’ be introduced without their precise meaning being spelled out. A Commission proposal is due to be unveiled in early 2012.

The article goes on to speculate about and comment on pending US privacy legislation and its effect on cross-border transfers, concluding that passage of a new US law is not likely:

European Commission Wants All Non-European Business to Adhere to Data Protection Directive

The European Commission (EC) wants all companies that store data on European citizens, whether based in the EU or not, to be subject to an updated version of the Data Protection Directive due to be unveiled in January. EU justice commissioner Viviane Reding and EC vice president Ilse Aigner stated, “We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business in our internal market.” In addition, they expressed their desire for consumers to have more rights to protect their data, such as being able to provide explicit consent before any data is used by businesses and having the right to delete their data at any point.

European Data Protection Supervisor Releases “Inventory” of 2012 Priorities

Peter Hustinx, the European Data Protection Supervisor (EDPS), has released his annual “Inventory” of issues of strategic importance for 2012. The EDPS is an independent supervisory authority devoted to protecting personal data and privacy. His strategic proposals include: new legal framework for data protection; technological developments and the Digital Agenda, IP rights, and Internet; further developments in the Area of Freedom, Security, and Justice; and financial sector reform. Hustinx also identified trends of focus for 2012, which include: employment of effective information-gathering and investigative tools by administrative authorities; significant exchanges of information between national authorities; and developments in the field of technology.

Commission Proposes a Comprehensive Reform of Data Protection Rules

The European Commission has proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy. The Commission’s proposals update and modernize the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights in the future. They include a policy Communication setting out the Commission’s objectives and two legislative proposals: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year (roughly 3 billion U.S. dollars). The initiative will also help reinforce consumer confidence in online services, providing a much-needed boost to growth, jobs and innovation in Europe. The Commission’s proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion.

Proposed EU Data Protection Bad for Business, Says CBI

The proposed data protection framework for Europe will restrict and burden businesses and threaten innovation, says the Confederation of British Industry (CBI).Compliance will place a cost burden on businesses, which could deter investment and be passed on to consumers. The CBI is calling on the European Commission (EC) to revise its proposals, in favor of a proportionate, risk-based approach to the scope of data protection regulation that balances the benefits with the costs of changes, the data protection rights of individuals with the needs of customers and businesses, and their impact on innovative business models.”Since innovation is a key driver of economic growth, it’s vital that governments here and in Europe support cutting-edge businesses to continue to innovate, before they get left behind by the rest of the world,” said Matthew Fell, CBI director for competitive markets. Firms from across the commercial spectrum will also be affected by the proposed changes as better quality data increasingly drives improvements to business operations and services.

Increased Data Protection Risks

The ICO has stepped up its enforcement of data breaches by businesses and organizations as well as individual staff members, and have begun issuing monetary penalty notices. So far the fines have totaled over £1m ($1.6 million dollars) across 13 cases and they appear to be on the rise. The fines either relate to unencrypted laptops or paper records being lost or stolen, or unlawful disclosures of personal information to the wrong recipients. In the vast majority of cases, the incidents are due to human error and are avoidable. One of the most noticeable changes over the last year has been the increase in individual criminal prosecutions for unlawfully obtaining personal data. Undertakings from data controllers and ICO audits are other enforcement actions that have increased. Organizations receiving personal data from unauthorized sources need to exercise extreme caution: if there is no audit trail to justify lawful obtaining of the personal data, the business will be placed at risk if it receives it and uses it.

EU Sets Timeline for Consideration of Data Protection Reform

Jan Philipp Albrecht, the rapporteur to the European Parliament for the proposed EU Data Protection Regulation, has set forth a draft calendar that outlines the steps to be taken during the consideration of the Regulation. The proposed Regulation was published on January 25, 2012, and this calendar provides the first concrete timeline indicating how long debate over the Regulation may last, giving stakeholders a better sense of when a final Regulation may be in place. It is anticipated that by summer 2013 the Regulation should be ready for trilogue with the Council and Commission, and that the Regulation shall be put to a vote in the plenary session of the European Parliament in early 2014. The other committees involved must agree upon the calendar before it is finalized, and it will be modified as necessary as the proposed Regulation progresses towards finalization.

Europe Pressures U.S. Tech On Internet Privacy Laws

America’s big technology companies are negotiating the details of a new privacy system called “Do Not Track,” to let people shield their personal data on websites. There’s no deal yet, but American companies are feeling the pressure from Europe. “Enforcement actions against them will be taken,” said European Privacy Regulator, Jacob Kohnstamm. “Not only should people be allowed to block websites from collecting and keeping their data, but that should be the default setting – on European browsers, at least.” Europeans have sincere cultural reasons for tougher privacy rules and many view privacy as a potentially unequal relationship. However, according to privacy law expert Jane Winn, increased legislation is the last thing American companies want, especially in a global data-collection industry that they dominate – at least for now. If European rules become the global standard, then European companies may not be far behind.

Data Protection Officer Role Will Be Key If You Operate in the E.U.

According to Patrick Clawson, a veteran of the security industry, the European Union is considering sweeping new data protection laws that would mandate many organizations in Europe formally appoint a Data Protection Officer (DPO). To get ahead of the potential high demand for qualified candidates, organizations should consider defining their needs now.The new data protection laws have yet to take final shape, and most sources agree they won’t be implemented any sooner than 2014. But Clawson says that shouldn’t stop organizations from beginning their planning now. He suggests two steps organizations that do business in the E.U. can take right now to prepare.

“You’ve got to be watching what’s echoing through the chambers in the E.U. and what you’re hearing about possible changes in legislation,” he says. “And you should begin looking at the strongest examples of data protection laws that currently exist within the E.U., like Germany and France, and try to measure yourself against those. I can’t imagine it gets much worse than that.”

Joint Statement on the Negotiation of a EU-U.S. Data Privacy and Protection Agreement

At the EU-U.S. Justice and Home Affairs Ministerial Meeting, European Commission Vice-President Viviane Reding and U.S. Attorney General Eric Holder released a joint statement highlighting their “determination to finalize negotiations on a comprehensive EU-U.S. data privacy and protection agreement that provides a high level of privacy protection for all individuals and thereby facilitates the exchange of data needed to fight crime and terrorism.” They stated that such an agreement would allow for even closer transatlantic cooperation, which would assist in any subsequent agreements concerning the sharing of a specific set of personal data. Progress has already been made on important principles such as data security, transparency of data processing and data protection oversight and they plan to continue negotiations and revisit these items at the 2013 ministerial meeting.

Article 29 Working Party Issues BCR Guidelines for Data Processors
The Article 29 Working Party has adopted Working Paper WP 195 as a new “toolbox” with recommendations for Binding Corporate Rules (BCRs) for data processors. BCRs are becoming increasingly popular among corporate groups as a legal means for providing adequate protection to personal data, which is covered by Directive 95/46/EC and transferred out of the European Union to countries that are not considered to provide an adequate level of protection. WP195 tries to balance the interests of the parties to the Service Agreement, by enabling the processor to change sub-processors under existing BCRs, but at the same time requiring notice to the controller about such change to give the controller a chance to terminate the Service Agreement. Cloud service providers, outsourcing providers, and any other company offering global data processing services to customers in the EU will now have to consider current approaches and whether it is time to start the process to adopt BCRs.

New Data Protection Rules Propose for Change of Employee Consent

The European-Commission published in late January a proposal to amend the current data protection rules. The proposal aims to increase the level of protection for the individual and if adopted, employers will no longer be able to process sensitive personal information based on the employee’s consent. As it currently stands, sensitive information may only be processed if the employee has provided his/her explicit consent. However, the reason behind the proposal is rooted in the imbalance that occurs in the employee and employer relationship. As long as the employee is in a situation where he/she is dependent on the employer and thus feels pressured to consent, the consent will not be seen as given voluntarily and will not be valid. Therefore, if the employer does not process such information based on the required legal basis, the processing will have to be stopped. It remains unknown which legal basis the employer may use instead of the consent. So far the European Data Protection Supervisor, Peter Hustinx, and the Article 29 Working Party have expressed their concerns in terms of the proposal not leaving “enough discretion for national authorities.” Violation of the rules may imply huge fines for up to €1 million or up to 2% of the global annual turnover of the company.

Commission Decisions on the Adequacy of the Protection of Personal Data in Third Countries  

The Council and the European Parliament have given the Commission the power to determine whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. The adoption of a (comitology) Commission decision involves: a proposal from the Commission; an opinion of the group of the national data protection commissioners (Article 29 working party); an opinion of the Article 31 Management committee delivered by a qualified majority of Member States; a thirty-day right of scrutiny for the European Parliament, to check if the Commission has used its executing powers correctly; and the adoption of the decision by the College of Commissioners. This decision would allow personal data to flow from the 27 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.

Did You Know?

To date, the European Commission has recognized only a limited number of jurisdictions (Andorra, Argentina, Canada, Faeroe Islands, Guernsey, the Isle of Man, Israel, Jersey, Switzerland, Uruguay and the U.S. Department of Commerce Safe Harbor Privacy Principles) as providing an adequate level of data protection.

EU’s Revamped Privacy Rules May Save Companies $3 Billion a Year

Companies could save as much as 2.3 billion euros ($3 billion) in administrative costs thanks to an overhaul of the European Union’s data-protection rules. The proposed changes to the EU’s 17-year-old data protection rules will allow companies to do business in Europe based on just one law. Companies will save a further 130 million euros every year by not having to notify authorities each and every time data is processed. Under the European Commission’s January proposal, companies face fines as high as 2% of yearly global sales for mishandling or losing personal data. The plans would also reduce the number of regulators a company needs to contact for data-protection issues across the region as the regulator of its home base will become a one-stop shop. In practice, this will mean that Ireland’s agency will be in charge of regulating companies like Google Inc. (GOOG) and Facebook Inc. (FB), which run their European operations from the country. Ireland will take over the rotating EU presidency for six months in January 2013.  

Faster Growth of Specialist Data Risk Insurance Market Predicted if Proposed Data Protection Reforms are Introduced, Says Expert

The growth in the market for specialist data risk insurance will continue if proposed changes to rules governing the international transfer of personal information are implemented, an expert has said. There is ongoing debate over proposed reforms to the EU’s existing data protection law framework ever since the European Commission outlined formal proposals on the issue in January 2012. The Commission set out a draft General Data Protection Regulation which would establish a single data protection law that would apply across all 27 EU member states and to companies that wish to process the personal data of EU citizens. MEP Jan Philipp Albrecht’s recent report on the Commission’s draft regulation suggests companies seeking to process data in countries outside of the European Economic Area that have not been designated as meeting EU standards should have to provide “financial indemnification” to individuals for data breaches. The need for insurance products “to transfer risk for the data processor or controller has grown,” said Ian Birdsey, an insurance law and data risk specialist. “While a standard professional indemnity policy may have been considered adequate five years ago, both companies and insurers have appreciated the need for specialist insurance products dealing with the myriad data risks.”

Binding Corporate Rules For Processors Available To Use From 1 January 2013

Data processors will be able to make use of Binding Corporate Rules (BCRs) for processors effective 1 January 2013 in order to facilitate international data transfers. This way of ensuring privacy in international transfers will bring benefits to both processors and controllers. Once a BCR has been approved, there is no need to negotiate the safeguards every time a contract is entered into.

European Directives: Born and Bred

The largest economy in the world isn’t the United States or China, according to the Central Intelligence Agency World Factbook. It’s the European Union. This group of 27 member states has also been at the forefront of employment law trends, addressing topics ranging from conditions of employment and leave laws, to digital data privacy protections. For employers to conduct business in the world’s largest economy, HR professionals must know what the region’s employment laws are and how they are developed. Most EU employment laws are enacted as directives. Like regulations, directives are binding on the member states and have precedence over domestic laws. Don’t make the mistake of thinking they work like U.S. employment laws. Directives don’t tell companies how to treat employees, for example. Rather, directives set an objective or policy and then “direct” the governments of member states to take steps to meet that objective. A directive sets a minimum standard or base line, and each EU member state must pass legislation to give effect to that standard or base line. There is a call for deregulation in response to the global economic downturn and the need to increase competitiveness. Given the already comprehensive coverage of EU employment law, such a trend will be welcomed by employers.

Read more (SHRM Membership required to access)

-CRIMINAL RECORDS-

Animal Rights Extremism In Europe – Where Are We Now?

Animal rights extremism includes clearly biomedical research, fur, intensive farming, meat, greyhound and horse racing, hunting and in fact anything to do with animals can result in a protest campaign. The last two to three years have seen what can only be described as serious, organised criminality, where companies have not only been demonstrated against, but have suffered serious attacks involving the use of incendiary devices, other arson attacks and the personalisation of targeting against senior management. In total in 2009-2010 there have been 27 attacks in 7 Member States, 11 of which involved arson or incendiary devices being used. Small scale demonstrations continue against all the causes mentioned above. Other criminal activity continues and there may well be further infiltration and subsequent exposés of activity within research laboratories. In addition, leading activists in the UK are now being released from lengthy prison sentences, and whilst there is a relatively low level of animal rights activity this may now change. It would seem, therefore, prudent to mitigate this threat.

Companies and organisations need to be informed in respect of what they are doing that may make them a target for extremism, and what the activists are doing. This understanding of the threat allows the risk assessments to be considered and any contingency plans to be tested. If you are undertaking research, I would suggest an effective way of mitigating the threat of infiltration and exposé is to ensure the welfare of your research animals is first rate and that you publish on your website and in other corporate literature exactly what you are doing. Having a robust infiltration prevention plan including extensive pre-employment screening and interviewing and selection skills is also essential. This should ensure there can be no shocks or surprises. Finally, you should always liaise with your local police.