Much as was anticipated, the European Commission (the Commission) announced its long-awaited proposals on Jan. 25, 2012, on what are likely to be viewed as drastic changes to data protection law in Europe. The aim of the proposals is to make EU privacy laws fit for the 21st century, and they seek to both change the system and increase penalties for breach, with fines of up to 2% of a corporation's annual global turnover. They also seek to introduce data breach laws similar to those that exist in most U.S. states, but possibly with a requirement to report a breach within 24 hours.
The European Union (EU) introduced the initial Data Privacy Directive (the Directive) in 1995, although a number of European countries had their own data protection laws that pre-dated the Directive. The Directive sought to give each country in the EU a template to follow for its own data protection laws. Theoretically, the law in each country must include the provisions mandated by the Directive, although additional measures are also permitted over and above its requirements. Implementation and enforcement is left to each country in the EU, which has led in some instances to conflicts, complexity and inconsistencies.
The European Commission proposed a comprehensive reform of the 1995 rules to try to bring in more uniformity. The Regulation does not appear to be written in the most helpful language. The Commission's undated draft stretches to 119 pages. In addition to greater penalties and the new security breach laws, the new proposals have a number of interesting elements.
A Single Set of Rules on Data Protection
It is also proposed that some activities that are thought to be a particular concern for privacy are more heavily regulated. This list includes:
Initial reaction has been mixed. Even national regulatory authorities have concerns. For example, the UK Information Commissioner has said:
“... in a number of areas the proposal is unnecessarily and unhelpfully over-prescriptive. This poses challenges for its practical application and risks developing a 'tick box' approach to data protection compliance. The proposal also fails to properly recogni[z]e the reality of international transfers of personal data in today's globali[z]ed world and misses the opportunity to adjust the European regulatory approach accordingly.”
France's data protection authority, CNIL, says that it is firmly against the proposals, although it is in favor of some parts of them, including the right to be forgotten. CNIL believes the proposals will weaken its powers. It also objects to the Regulation provision that would make the data protection authority in the country where a business is headquartered the one in charge of data protection oversight and enforcement, rather than the DPA in the country where the data subject is based.
Germany has seen fierce debate as to whether the proposals are constitutional, despite many of the proposed changes being inspired by the current German data regime. The offices of the German Justice Minister, a prominent judge and at least two of the German data protection authorities (Germany has a state level not Federal system for privacy law enforcement) have expressed reservations. According to reports in Germany, the judge, Johannes Masing, said that he felt that the Regulation would encroach upon the German Constitution and remove the German Constitutional Court's jurisdiction over privacy and data protection issues. Masing said that the Regulation would render three decades of jurisprudence on data protection and informational self-determination in Germany obsolete.
The head of the Italian data protection authority (Garante per la Protezione dei Dati Personali), Francesco Pizzetti, has also expressed concerns at possible economic consequences as a result of the changes. Additionally, Pizzetti told the Italian Parliament that he was concerned about the greater centralization of data protection powers in Brussels.
In the U.S., the proposals have also not been without their critics. Jeffrey Rosen, Professor of Law at The George Washington University, said of the proposed right to be forgotten that “it represents the biggest threat to free speech on the Internet in the coming decade.”
Extraterritorial Scope
The proposed new rules will have extraterritorial reach. EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens. How this works in practice remains to be seen. The UK Commissioner has also expressed doubts as to how the Regulation's requirements can be readily enforced outside the EU.
Who Will Enforce the New Rules?
The new rules will still be enforced by the independent data protection authorities in each country and by the national courts. This is likely to lead to inconsistencies as in the present system. Fines vary across Europe for relatively similar incidents. In addition, the regulators in each country generally rely on registration fees to pay for their offices. The Commission wants enforcement to be stepped up, but it remains to be seen who will pay for that, especially with the main regular source of income taken away. Fines are unlikely to be the answer, at least initially, as prosecutions are less likely with a prosecutor lacking resources. Given the current economic climate, it is unlikely most countries will prioritize strengthening data protection instead of other areas of spending like health and education. Already, the European Commission is threatening Hungary over its noncompliance with the existing data protection rules. Other countries have received less-well-publicized threats over underfunding of their regulatory authorities. Whether the Commission has the resources to pay for extra staff, or the ability to successfully force individual member states to prioritize spending in this area, is another question yet to be answered.
What About Security Breach?
Security breaches are the single most common source of data investigations. The EU has had proposals to implement EU-wide laws in the past. Last May, a second EU Directive (the e-Privacy Directive (2009/136/EC)) introduced a requirement to give notifications following some security breaches. Telecom companies and Internet Service Providers (ISPs) offering access to public networks are covered by the obligation. They have to notify regulators and, in some cases, those individuals whose personal data is affected. While the European Commission was anxious that this requirement to notify was extended across all sectors, this proposal was resisted. However, some countries, notably Germany and Austria, introduced a general data breach notification requirement. This proposal is also not without its critics. There is credible evidence of security breach fatigue in the United States with too many consumers being told too much about relatively trivial breaches. The UK Information Commissioner, in his response, recognizes this risk, saying he considers that the reporting requirement should be restricted to serious breaches only. Currently, the proposed threshold for reporting is lower. The proposal is that a breach would have to be reported to the regulator even if only one person's information is involved and/or all of the information is already in the public domain. In addition, and unlike most U.S. states where similar laws already exist, there is no exception if the data is protected. Even if the information is subject to strong encryption or other security measures with the effect that it could never reasonably be accessed, a notification would still need to be made. For U.S. corporations, this could impose a significant burden as even with very few customers in the EU, the breach notification requirements could be triggered in Europe and effectively also in the U.S., despite U.S. law not requiring notification.
Many people who have experience of working through a breach would prefer the first 24 hours to be spent limiting its effects, helping to ensure it is not repeated, and finding the people responsible. It would be unfortunate if companies were instead having to use that time to prepare reports to regulators and even more unfortunate if the perpetrators of crimes went unpunished, as the reporting obligation had prejudiced an investigation.
Article 30 of the proposed new Regulation imposes a general obligation to keep data secure. In many respects the language of Article 30 is little different from current data protection legislation in Europe; for example, Principle 7 of the UK's Data Protection Act 1998 has very similar language. What is different is the fact that the obligations to secure data are on the controller and the processor rather than just on the data controller alone. Article 30 also requires the controller and processor to evaluate the risks in their data handling and allows the Commission to “adopt delegated acts” to add to the detail that is required of controllers and processors, “including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default.” The Commission is also given the power to specify requirements for safeguarding personal data and preventing unauthorized access.
Article 31 contains the first new data breach notification requirement. The report should be made to the relevant data protection regulator “without undue delay and, where feasible, not later than 24 hours after having become aware of [the breach].” If a report is not made within 24 hours, then the report must be accompanied by a “reasoned justification” as to why the report is being delayed. The notification must:
Again, the Commission in the Regulation wants the power to “adopt delegated acts” to further specify the criteria and requirements for the data breach notification requirement. This would include prescribing a standard notification format.
Article 32 deals with the need to communicate details of a breach to data subjects, the second new reporting requirement. Communication should be made to a data subject “when the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject.” Again, it is envisaged that the notice to the data subject is in similar format to the notice sent to the regulator. Article 32(3) has a caveat, however. It says:
“The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures will apply to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.”
These measures could include encryption or software locking a stolen laptop, for example. Again, the Regulation seeks to reserve to the Commission the power to further specify the criteria under which a breach should be notified to data subjects and the format in which notice is given.
The Right to be Forgotten
In introducing the right to be forgotten, Commissioner Reding explained that the idea was to assist social media users who posted comments or photographs they later regretted. She said, “if an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from [his] system.” The right is contained in Article 17.
There are some limited exceptions to the right to be forgotten, for example where the accuracy of the data is contested or where the data controller still needs the data “for purposes of proof.” The “for the purposes of proof” exception only allows storage of the data; processing can only be undertaken on that data with the data subject's consent “or for the protection of the rights of another natural or legal person or for an objective of public interest.” If consent is not obtained, the data controller must tell the data subject before this processing starts. There must also be a regular review of the continued need to hold and process the data, which is explained in paragraphs 53 and 54 of the preamble in the Regulation.
Challenges
The right to be forgotten, however, poses a number of challenges, not just to social media operators. All data controllers face penalties of up to 2% of their global income if they fail to remove photographs that people have posted in a moment of madness. Some may argue that the Commission's efforts would be better directed at educating individuals in proper social media use. In the UK, for example, Duane Morris has supported Nominet's Knowthenet Campaign, which sought to do just that for social media users through a mixture of education, articles, outreach and an online self-assessment test (http://accidentaloutlaw.knowthenet.org.uk/). Instead, the Commission is proposing that any individual can exercise his or her right to be forgotten. This could have a chilling effect on law enforcement; for example, it is easy to envisage a criminal stalking somebody on Facebook and then asking Facebook to delete his postings. This wider right could play into the hands of those who wish to manage their reputation or distort an investigation into their past. More worryingly, criminals could also transfer their ill-gotten gains around the world and also exercise the right to be forgotten.
Since at the time that they exercised the right there would be “no legitimate reason for keeping it” (for example to assist law enforcement), the trail could legitimately be erased. If the data controller keeps the data “for the purposes of proof,” it can only store (and not process) the data once consent is withdrawn and if any of the limited reasons apply to justify processing it must notify the data subject before any processing commences.
It is important to remember that the Commission's proposals as they stand are not limited to personal data that people themselves put onto social media sites but instead they create a new right to delete personal data “relating to a data subject.” How the right to be forgotten will work in practice seems to be deliberately vague. Reding said that it needed to “stand for 30 years; it needs to be very clear, but is precise enough that changes in the markets or public opinion can be manoeuvered in the Regulation.”
How Long Will the New Rules Take to Implement?
Contrary to some ill-informed reports, the new Regulations are not law now. The Commission's proposals will now be passed on to the European Parliament and EU member states (meeting in the Council of Ministers) for discussion. The Commission itself feels that those negotiations should be complete this year. In our view, that is perhaps a little optimistic. The European Parliament has clashed before with the European Commission over data protection issues, including the well-publicized disagreement over the transfer of airline data to the United States. It is fair to say that the Council of Ministers has a fairly full agenda currently with the euro crisis, and whether they will divert attention to the Regulation instead of those issues remains to be seen.
Realistically, this process may take a year or more, especially given the fact that some of these proposals have previously been rejected and given the opposition already in some countries. The Commission has said it then intends for a two-year implementation process, making the earliest realistic date sometime in 2015. While that may seem far into the future, since the law will apply to employees being hired now and contracts with a term beyond 2015, companies may want to start preparing now.
Conclusion
There are many uncertainties with the new proposals. It is apparent that changes will be made and there is likely to be widespread confusion between now and then. Companies should think now about how best to plan for those changes. The text of the 1995 Directive is here: http://bit.ly/1995Dir. The text of the proposed new Regulation is here: http://bit.ly/2012Reg.
Jonathan P. Armstrong ([email protected]) is a partner in the London office of Duane Morris LLP. A member of this newsletter's Board of Editors, Armstrong practices in the area of corporate law with a concentration in technology and compliance, counselling multinational companies on matters involving risk, technology and compliance across Europe.