Photo of Gail Crawford

Gail Crawford

Subscribe to Gail Crawford's Posts

Gail Crawford, Global Chair of Latham’s Data & Technology Transactions Practice, helps clients navigate complex data privacy and security matters, as well as to license, develop, and exploit disruptive technology. Ms. Crawford advises many of the world’s leading global technology companies on multifaceted and precedent-defining data privacy and security matters. Her work in the data privacy and security space encompasses advising on compliance programs, product counseling, responding to data breaches and regulatory inquiries, advising on optimal organizational structures, and supporting large, strategic alliances and M&A transactions. Highlighted in the market for combining an impressive technology practice with an in-depth understanding of data protection laws, Ms. Crawford is highly sought after by tech giants for her knowledge of compliance in technology sectors.

Contact:Read more about Gail Crawford

It seems fitting that on Data Privacy Day, a day designed to raise awareness of privacy issues (and not, as reported by Wikipedia, an international public holiday), we touch on the issue of “transparency” e.g. how to ensure individuals understand how their data is being processed. The EDPS, in its 14th January Opinion, describes transparency of processing as being of paramount importance for individuals, because only “if individuals know about data processing, can they exercise their rights”.

Within

It is perhaps no surprise that the European Data Protection Supervisor (EDPS) agrees with my view in my blog of 5th January that there is an urgent need for greater harmonisation of data protection laws in Europe. The EDPS describes the lack of harmonisation as “one of the essential shortcomings of the current framework” in its recent Opinion of 14th January 2011, particularly in an “information society where physical borders between Member States are less and less relevant” and

The processing of personal data in the context of evolving technology and globalisation of commerce has prompted the Article 29 Working Party to take a hard look at the applicable law provisions under the European Data Protection Directive and its implementation by the Member States in its most recent Opinion.

The Working Party believes that the increase in the number of multi-jurisdictional businesses and changes in technology, together with the current inconsistency in approach to the applicable law provisions seen across the Member States, make this a pressing area for review.

Whilst the guidance provides some helpful clarification on the current rules that apply national laws to controllers either (i) “established” in an European country or (ii) that use equipment located in a European country where the controller is not established in any EU territory; what is more interesting is some of the more fundamental changes which are being considered as part of the proposed overhaul of the Data Protection Directive (and how the approach has changed since the views of the Working Party issued in 2002).

There is a suggestion that Europe should return to a country of origin principle, where all establishments of a controller within Europe will apply the law of the territory of the controller’s head quarters or “main” establishment (as opposed to different national laws applying to each establishment that carries out processing depending on the territory in which it is situated). Given the marked differences in implementation of the Directive, enforcement activity and imposition of penalties throughout Europe, without a major harmonisation exercise such an approach could only result in forum shopping and confusion for individuals as to what rights apply.

One of the newest and most talked about developments outlined by the European Commission (as part of its plans to update the EU’s data privacy regime), is the introduction of a ‘right to be forgotten’ for individuals. The Commission intends for individuals to be given much more control over their personal data, including rights to tell those using and storing their personal data to permanently delete it from their records when no longer required. This follows the theme of the