European Data Protection Reform Focus of 2nd European Data Protection Day

A day-long conference on European data protection will be held in Berlin on May 7. Representatives of the European Commission and the Parliament, as well as EU member countries and legal practitioners will be taking part in the 2nd European Data Protection Day, organized by Euroforum. Privacy partner Ulrich Wuermeling, based in Latham's Frankfurt office, is chairing the conference that will focus specifically on the planned reform of Europe's data protection law.

The European Commission will present the draft Data Protection Regulation at the conference. The presentation will include a video message from Vice-President Viviane Reding as well as a detailed review of the reform package by Thomas Zerdick, Member of the European Commission's Justice Directorate, who will take part in a discussion with practitioners.

At present, the proposed reform is with the European Parliament and the Council. The first opinion from the Parliament is expected by the end of the year, with the opinion of the Council to follow soon after. If both the Council and the Parliament reach agreement at the first or second reading, the reform could pass as early as 2013 and take effect in 2015 or 2016, retiring most of the national privacy laws in Europe.

Comments on the draft will be offered in a conference keynote address from European Data Protection Supervisor Peter Hustinx. The international and national implications of the planned reform will be presented by the UK Data Protection Commissioner, Christopher Graham, and the Data Protection Officer of Daimler AG, Hans-Joachim Rieß. Shadow rapporteur Axel Voss of the European Parliament will then take part in a discussion on the implications of the planned reform for businesses. This discussion will offer participants the opportunity to raise questions and issues of concern about the draft regulation. The remainder of the conference will be dedicated to data protection issues worldwide.

DIFC to Seek Adequacy Approval

By Justin Cornish, Alice Marsden, Brian Meenagh

On February 26, 2012 the Office of the Commissioner of Data Protection (OCDP) for the Dubai International Financial Centre (DIFC) published its Strategic Plan for 2012-14. One of the key statements in the Strategic Plan is the OCDP's intention to apply to the European Commission for acceptance of the DIFC as a jurisdiction with an adequate data protection regime. If the DIFC is officially declared 'adequate' by the European Commission, this will offer EEA data exporters a simple and reliable route to complying with European export rules for data exports to the DIFC.

The main alternatives (entering into the European Commission approved Standard Contractual Clauses or establishing intra-group Binding Corporate Rules) require considerable administrative effort, time and costs. An adequacy declaration would also be good news for DIFC-based service providers or group companies, who should find their administrative and compliance costs reduced, and it would open up the DIFC's potential as a base for outsourcing and information services industries. It is worthy of note however that an adequacy declaration may be revised or revoked once the new European regime (set out in the draft General Data Protection Regulation issued on January 25, 2012) comes into force, meaning a declaration prior to the implementation of the new regime may only provide temporary respite.


Obama Administration Unveils Blueprint for Consumer Data Privacy

By Jennifer Archie and Rebekah Lewis

The Obama Administration has unveiled a 50-page blueprint for consumer data privacy, including a recommendation for a federally legislated and FTC-enforced Consumer Privacy Bill of Rights. While it would not alter existing laws, the legislation would extend privacy protections to unregulated sectors and preempt conflicting state law. The Administration's framework also recommends a national standard for security breach notifications.

The report proposes an immediate "multistakeholder process" to develop enforceable codes of conduct, and embraces the FTC's Do Not Track proposal.

Consumer Privacy Bill of Rights. The Bill of Rights applies to personal data, defined as any data, including aggregated data, which is linkable to a specific individual. Though not a rigid set of requirements, it establishes individual rights based on seven Fair Information Practice Principles:

  • Individual Control: Consumer choice mechanisms must be proportionate to the amount and sensitivity of data an entity collects. Consumers have an affirmative right to withdraw or limit their prior consent via methods equally accessible as those by which they initially granted consent.
  • Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
  • Respect for Context: Consumers have a right to expect that data use will be consistent with the context in which they provided the data. Companies should consider the age and technological sophistication of users, particularly children and teenagers. This principle contemplates agreements not to create individual profiles about children regardless of consent.
  • Security: Consumers have a right to secure and responsible handling of personal data, though companies are given discretion to implement through reasonable means.
  • Access and Accuracy: Properly-authenticated consumers have a right to access and correct data collected about them.
  • Focused Collection: Consumers have a right to reasonable limits on data collection and retention.
  • Accountability: Consumers have a right to data handlers made accountable by mechanisms such as enforceable privacy commitments, internal controls and contract requirements. Companies transferring data remain accountable for using and disclosing the data consistent with the Bill of Rights and thus should hold transferees contractually accountable.

Stakeholder Developed Codes of Conduct. With Congress unlikely to act this year, the report endorses a more immediate multistakeholder process of voluntary industry codes of conduct, to be backed up by FTC enforcement. These codes of conduct would be developed through voluntary open stakeholder discussions convened by the Department of Commerce’s National Telecommunications and Information Administration. In addition to stakeholder input, the codes would take into account globally accepted accountability mechanisms so that they may be recognized across boundaries. As proposed, Federal and state government officials can advise, but the process will ultimately be controlled by private sector stakeholders. Entities can choose to adopt multiple codes to cover different lines of business, but they will only be bound by codes they affirmatively adopt. The Administration further plans to include international stakeholders in this process, in the hope that such "multistakeholder-developed codes of conduct, combined with existing [international] mutual recognition frameworks, hold the promise of greatly simplifying companies' [international] compliance burdens." The Safe Harbor Framework is praised, but its limited reach has made it an imperfect solution to the challenges of transatlantic data transfers.

FTC Enforcement. Like privacy policies, the adopted codes of conduct will be enforceable by the FTC through its authority to prohibit unfair or deceptive acts or practices. The codes can be updated and Congress could prescribe renewal periods for periodic FTC reviews. As an incentive to adopt the codes, it is proposed that the FTC consider a company's adherence to codes favorably in any related enforcement action. In addition, the report recommends congressional authorization for the FTC to review and approve codes and grant companies that commit and adhere to approved codes forbearance from enforcement of provisions of the legislation. Companies that decline to adopt a code or do not seek FTC review would be subject to the general obligations of the Bill of Rights.

The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade is expected to hold a hearing on the report in March.

European Commission Adopts Privacy Reform Package

The European Commission adopted a proposal to reform European privacy law on 25 January 2012. According to the Commission the reform will "strengthen online privacy rights and boost Europe's digital economy." Time will tell whether the former is compatible with the latter.

The proposal now moves to the European Parliament and to the Council representing the member state Governments for discussion. Since the first draft leaked in November, a number of amendments have been made to make the proposal less onerous, but it still imposes severe new restrictions and introduces many new bureaucratic obligations.

The draft European General Data Protection Regulation still contains a provision which leads to a wide-reaching extra-territorial effect (Article 3). Any business outside the European Union that offers goods or services to individuals in the European Union or monitors their behavior has to comply with the Regulation if it processes and uses personal data about European Union residents. This also applies to B2B contact details, if they refer to individual employees of the company.

Non-EU companies caught by the Regulation will have to appoint a representative in the European Union (Article 25). This will enable data subjects, data protection authorities and courts to serve notices and enforce the Regulation. In response to criticism from the US, the European Commission added several exemptions to the rule (for example for small- and medium-sized companies or companies that offer goods and services only occasionally to European customers), but it will still apply in many situations.

The proposed Regulation requires breach notification to data protection authorities "without undue delay and, where feasible, within 24 hours" with an explanation for any delay beyond 24 hours and notice to data subjects "without undue delay". The potential fines for a breach of the Regulation can be up to 2% of the total annual worldwide turnover of an enterprise.

The proposal will surely be the subject of much debate as it proceeds through the European legislative process. Watch this space for details of interest to your global business.

Compromise on Draft European Data Protection Regulation in Reach

The Directorate General for Justice of the European Commission has in recent weeks worked to overcome criticism from other Directorates on its draft proposal to reform Europe’s privacy law. It now appears possible that the proposal for the reform is back on track for adoption at the Commissioner’s Meeting scheduled for 25 January 2012. From there, the proposal would move into the legislative process, requiring approval by the European Parliament and the national Governments via their representatives in the Council of Ministers.

On 22 January 2012, Viviane Reding, the European Commissioner in charge of the reform of the European privacy law, claimed in the keynote speech at a DLD-Conference held in Munich that the reform will help businesses. Reding argued that the reform will bring more certainty, simplify rules, and will provide better protection for third country data transfers. She also made clear that businesses must respect privacy in a stricter way. She did not reveal whether she expects the revised proposal to pass next week, a possible indication that the timeline still is up in the air.

An unofficial draft of the European General Data Protection Regulation dated 16 January 2012 reveals that the Directorate General for Justice has implemented several changes to ease the concerns voiced by the other Directorates. The revisions include:

  • The Regulation will be based not only on Article 16 (2) of the Treaty on the Functioning of the European Union but also on Article 114 (1). The change underlines that the purpose of the Regulation is not only to provide strict privacy protection but also to help the functioning of the internal market. Critics questioned whether Article 16 (2) is a suitable legal basis to regulate privacy in the private sector at all. The change, however, does not necessarily result in the Regulation being more business friendly.
  • The recitals and provisions relating to the application of the Regulation to non-EU businesses have been modified, but the extra-territorial approach still applies if goods or services are offered to European individuals or contracts are entered into with them. In addition, the Regulation still applies if non-EU businesses monitor behavior of European individuals.
  • Small or medium sized enterprises or businesses which only occasionally offer goods or services to European individuals are now exempt from the obligation to appoint a European representative. They do, however, still have to comply with the Regulation.
  • The definition of “main establishment” (important as it determines which country’s regulator a company has to deal with) has been altered to cover situations in which the main establishment of a company is outside the European Union. The rule, however, only covers situations in which a company is one single legal entity within the European Union and does not provide a framework for a one-stop-shop for groups of legal entities. The provision, therefore, will have limited application in practice.
  • The ban of commercial direct marketing without consent now has one exemption with respect to existing customers of goods and services. This, however, will not allow businesses to market to potential new customers. Business may also ask for consent without breaching the rules, but the potential success of such requests is questionable.
  • The so-called “balance of interest clause”, which allows the processing of data if no overriding legitimate interest of the individual is concerned, still does not allow a company to take into account legitimate interests of third parties. This would appear to make it impossible for the data industry to collect and provide data in the interest of their customers, for example credit information bureaus. The modified draft only mentions that third party interests can be considered for security related processing.
  • The limitation to process data only for purposes “compatible” with the purposes for which they have been collected has been modified, but the balance of interest clause still cannot be used to justify a change of purposes not compatible with the original purpose.
  • The requirements for a valid consent have been adjusted, but certain limitations, for example with respect to employment relationships, still apply. Only “explicit” consent is stated to be valid. The unlimited right to withdraw a given consent remains as well.
  • The limitation to gain consent from individuals below the age of 18 has been cut back and now applies mainly to individuals below the age of 13. The balance of interest clause, however, still does not apply to children under 18.
  • The revised draft now confirms that not all identification numbers, location data, or online identifiers need to be considered as personal data. A provision on “processing not allowing identification” has been added, but probably only as a clarification.
  • The provision on the “right to be forgotten” has been modified and softened especially in relation to the obligation to delete data that have been published, but the provision would still be difficult to follow in practice. In addition, the broad right to object to data processing has not been limited. Finally, the provisions on the “right of data portability” and on “profiling” remain as well.
  • Several exemptions to data subjects rights, like transparency, rectification or erasure rights, have been modified. These exemptions, however, mainly apply for public authorities and have to be implemented by the member states. In this regard, the Regulation departs from its original aim to harmonize privacy laws in the European Union, because each member state will have the right to implement different restrictions on data subject rights.
  • The obligations of controllers and processors have been modified to take some of the additional administrative burdens out of the draft Regulation. However, most of the obligations (for example to maintain policies, to implement data protection by design and by default, to maintain extensive documentation, to carry out data protection impact assessments, and to request prior authorization from data protection authorities) remain essentially unchanged. The same holds true for the new obligations of data processors.
  • The requirement to inform authorities and data subjects about data breaches within 24 hours has been modified slightly to give some flexibility with respect to the timing of notifications. It still, however, imposes obligations which are unrealistic to follow in practice.
  • The third country data transfer provisions have been modified. Decisions made under the existing Directive shall remain in force until amended. This will help businesses that rely on such decisions, for example with respect to the Safe Harbor Privacy Principles or standard contractual clauses. In the long run, however, the instruments might be amended. The same applies to individual authorization, for example authorizations of binding corporate rules.
  • Significantly, the provisions on fines have not been changed much. The maximum fine of 5% of the global turnover has been reduced to 4%.
  • The extensive powers of the European Commission to pass delegated acts or to specify the implementation of the Regulation remain.

The next few days will be critical to establish whether the European Commission will formally issue the proposal of the reform or will need more time to come to a compromise between the different Directorates and Commissioners.

European Commission Reconsiders Approach to European Privacy Reform

Viviane Reding, the European Commission Vice President in charge of the reform of the European privacy law, has received negative opinions from a handful of Directorates-General in the European Commission on an internal draft of the General Data Protection Regulation. As a consequence, the draft will not be ready for the official publication that was originally scheduled for the end of January 2012. Instead, Commissioner Reding is said to be working on a communication outlining reconsidered objectives for the reform process. Publication of the draft Regulation is now expected sometime in February or March.

In December, the Directorate-General Justice circulated an internal draft of the Regulation (that recently was leaked to the public) to the other Directorates-General for the so-called "inter-service consultation." The consultation process allows the Directorates-General not in charge of a legislative initiative to comment on a draft prior to its official publication. In this process, a handful of Directorates-General raised serious concerns, because the proposed draft Regulation is stricter than the strictest privacy laws in existence in the European member states or elsewhere in the world.

The negative opinions issued during the consultation process criticize the draft for its potential impact on businesses as well as public authorities in the European Union and abroad. The opinions refer to additional administrative burdens as well as overly restrictive requirements for data processing like consent requirements, limitations on profiling, documentation obligations and third country data transfer restrictions. On the whole, none of the opinions are surprising given the far-reaching restrictions proposed in the draft. So, while it seems fair to predict that things will not go as originally suggested, the scope and means of the future European privacy regime remains up in the air.

First Draft of European Privacy Reform Leaked to the Public

A recent draft of the new European Data Protection Framework has leaked from the European Commission. It is still subject to internal discussions between the different Commissioners and Directorates-General, but is likely to be reasonably close to the official Commission draft expected to be published by the end of January 2012. According to the draft framework, the European Data Protection Directive (95/46/EC) will be superseded by a new General Data Protection Regulation. In addition, the framework includes a Police and Criminal Justice Data Protection Directive.

The European Commission aims to set global standards for privacy protection. As such the new Regulation is drafted to apply far beyond the borders of the European Union. For example, whenever a US internet service targets individuals resident in the European Union, the draft would require that use and analysis of the personal data of such individuals comply with the Regulation. If the internet service has no establishment in the European Union, it would have to appoint a representative in one of the member states. The representative would be responsible for the compliance with the Regulation including the obligation to pay fines for breaches of up to 5% of the total worldwide turnover.

The draft Regulation is packed with new concepts and stricter rules in comparison to the current Directive. Many changes originate from existing laws in member states with privacy rules that exceed what is now required:

  • Stronger protection for children below the age of 18
  • Introduction of extraterritorial effect
  • Additional requirements for a valid consent
  • Prohibition of any direct marketing without consent
  • Extended transparency obligations and access rights
  • Introduction of the "right to be forgotten" and the "right to data portability"
  • Limitations on profiling
  • Obligation to implement privacy "by design" and "by default"
  • Strict requirements for the engagement of commissioned data processors
  • General breach notification obligation to both the authority and the data subject
  • Extended duty to carry out data protection impact assessments
  • Obligation to designate a privacy officer
  • Revised third country data transfer rules
  • Ban of data transfers based on third country court decisions or administrative orders
  • Comprehensive powers of data protection authorities
  • Enforcement action to be taken by regulator where the main establishment is located
  • Rigorous sanctions for breaches
  • A new European body to ensure consistent interpretation within the European Union
  • Introduction of rules for specific data processing situations (for example health, employment or public interest)

After its official submission by the European Commission, the draft Regulation will have to go through a legislative process involving the European Parliament and the European Council, and, given its terms, extensive lobbying by industry. In the course of this process, the Commission's proposal is likely to change substantially. If the Regulation is finally passed, it will have direct effect. In contrast, the old Directive from 1995 had to be implemented into national law, enabling the member states to take a liberal view of its provisions on implementation. This approach caused a fragmented regulatory framework in the European Union. That is why the European Commission now proposes a Regulation instead of a Directive, to enforce a stricter harmonization between the member states. It also means that the Regulation might become effective earlier than a Directive would, because it would not need the years it usually takes to implement a Directive into national law.

Viviane Reding, Vice President of the European Commission, reiterated today in a speech to the 2nd Annual European Data Protection and Privacy Conference her goal of a "free flow of data" between the European Union and the US. The proposed European reform, however, contradicts this goal. Rather than make things easier for companies trying to operate globally, it is likely to make it more difficult. The debate to come should be interesting.

European Court of Justice Enforces Strict Harmonization

The European Court of Justice (ECJ) is challenging national legislators in the European Union who introduced privacy laws stricter than those provided for by the European Data Protection Directive (95/46/EC). In a decision issued on November 24, 2011, the ECJ declared a provision in the Spanish Organic Law 15/1999 invalid because it imposes additional requirements for data processing not contained in the Directive.

The decision supports the plans of the European Commission to enhance harmonization of privacy laws in the European Union. In a speech held on November 28, 2011, Viviane Reding, Vice President of the European Commission, confirmed that the planned reform of the Directive will lead to consistent rules across the European Union. The plans are in line with the direction taken by the ECJ. The proposal of the European Commission will be published by the end of January 2012, Reding said.

According to the ECJ, however, the existing legal framework addressed by Reding might not be as fragmented as suggested. A strict interpretation of the decision suggests that any data processing permitted under the Directive cannot be limited under national law. Consequently, the decision calls into question the validity of many provisions set out in the existing national privacy laws in the European Union. If all national laws that are stricter than the Directive are disregarded in accordance with the recent ECJ decision, privacy laws in Europe could already be more harmonized than previously thought.

Many member states of the European Union view the Directive as providing a pan-European "floor" of data protections, rather than ruling out more restrictive national laws or requirements. They have relied on a provision stating that national legislators shall "determine more precisely the conditions under which the processing of data is lawful" (Article 5 of the Directive). The ECJ confirmed in an earlier decision (Lindqvist) that the Directive allows member states "a margin for manoeuvre in certain areas", but the court already stressed that this margin is limited due to the overall objective of the Directive to allow free movement of data (Paragraph 97).

Over the past 15 years, many member states have taken the liberty of introducing stricter requirements for data processing than contemplated in the Directive. The ECJ evaluated the validity of a condition included in the Spanish Organic Law 15/1999 that allows the use of data for marketing purposes under the so-called balance of interest clause (Article 7 (f) of the Directive) only if the data are included in public sources (Article 6 (2) of Organic Law 15/1999). As the balance of interest clause in the Directive does not contain a limitation requiring data to be from public sources, the ECJ ruled that the provision in the Spanish law is in breach of the Directive.

If a member state is in breach of a European Directive, the European Commission can instigate proceedings, but it could take years before such proceedings have any practical effect. It is therefore important that the ECJ has not only confirmed the breach by the Spanish legislature as such but also has stated that Article 7 (f) of the Directive has "direct effect". As a result, the Spanish court which put the questions before the ECJ may now disregard the wording of the existing Spanish provision and rule in favour of the two associations who initiated the case.

From a practical perspective, data controllers regulated by European privacy laws are left with a tricky issue. One could take the view that any data processing should be undertaken solely under the rules of the Directive and that stricter provisions under any national law could be ignored. On the other hand, it is unlikely that national authorities will give up that easily on the additional limitations imposed by national law. Therefore, it will take some gumption to oppose the authorities based on the new ECJ decision. Finally, it should be noted that additional restrictions imposed by other European Directives (for example the cookie consent rules under the ePrivacy Directive) remain valid.

SEC Guidance on Cybersecurity Disclosures

By Kevin Boyle and Kee-Min Ngiam

The SEC's Staff of the Division of Corporation Finance recently issued guidance to help clarify public reporting companies' disclosure obligations in the area of cybersecurity risks and cyber incidents. The guidance, which does not change existing disclosure obligations for public companies, should help company officers responsible for security, privacy, or securities compliance, as well as securities law practitioners, better understand the Staff's expectations on disclosure in this area. Our recent Client Alert reviews the guidance in greater detail. Here, we highlight a few points worth noting:

  • Cyber incidents that may need to be disclosed include not just targeted attacks or security breaches, but may include security lapses or systems failures;
  • Cybersecurity can implicate disclosure obligations not only in a company's risk factors, but also its MD&A, description of business, legal proceedings, financial statements, and disclosure controls and procedures; and
  • Compliance with its disclosure obligations does not require a public company to provide detailed information that might compromise its cybersecurity, only such information that would help investors appreciate the risks involved.

The ever-increasing importance of technology for most companies brings with it increased cybersecurity risks and the potential for a material cyber incident. Public awareness of cybersecurity issues is also growing: politicians and regulators have held hearings or commenced investigations into recent cyber incidents involving some large companies, and the plaintiffs' bar has not been idle either. Public reporting companies can expect the scrutiny to increase. Close cooperation between the technology and legal functions in identifying and responding to reportable events is required.

New EU Privacy Rules Will Apply to All Online Businesses with EU Customers

European Union Justice Commissioner Viviane Reding has confirmed that we can expect to see a draft of the eagerly awaited new Data Privacy Directive in January.

The new rules are likely to significantly strengthen the rights of individuals. According to a press release issued jointly last week by Reding and Germany's Federal Minister for Consumer Protection, Ilse Aigner, "consumers in Europe should see their data strongly protected, regardless of the EU country they live in and regardless of the country in which companies, which process their personal data, are established."

The press release sets out three key changes to the current rules. The first is that the new laws will apply to any online business that directs its services at EU consumers, irrespective of where the business or data is located. While that is fine in theory, and is aligned to the approach at least some other consumer protection laws take, it will only be effective if the laws can be enforced against overseas entities.

The second is that EU law should require the explicit consent of consumers before their data is processed. Does this mean the end of the legitimate interests exception, which enables non-sensitive personal data to be processed if it is in the legitimate interests of the data controller... provided that those interests are not overridden by the rights and interests of the data subject? A move to explicit consent for all processing is not likely to be welcomed by industry nor improve a consumer's online experience, with frequent requests for consent interrupting browsing activity.

Finally, it looks like the widely discussed "right to be forgotten" will be enacted in some form, as the press release states that consumers should generally have the right to delete any personal data at any time, especially data they post on the internet themselves. Whether this is technically achievable will depend on the scope of the actual provisions; this has been discussed in this earlier blog post and by others.

The ball is still very much in play, but based on this glimpse of the new regime, we can expect a significant response by industry as they grapple with the real impact on online business if they have to address these three issues.

The purpose of this communication is to foster an open dialogue and not to establish firm policies or best practices. Needless to say, this is not a substitute for legal advice or reading the rules and regulations we have summarized. In any particular case, you should consult with lawyers at the firm with the most experience on the topic. Depending on your specific situation, answers other than those outlined in this blog may be appropriate. Your use of this blog site alone creates no attorney client relationship between you and Latham & Watkins. Do not include confidential information in comments or other feedback or messages left on the Global Privacy & Security Compliance Law Blog, as these are neither confidential nor secure methods of communicating with attorneys.