Ten relevant practical consequences of the upcoming General Data Protection Regulation

22. January 2016

After several negotiations, the European Parliament, the European Council and the European Commission finally reached a consensus in December 2015 on the final version of the General Data Protection Regulation (GDPR), which is expected to be approved by the European Parliament in April 2016. The consolidated text of the GDPR involves the following practical consequences:

1) Age of data subject's consent: although a specific, freely-given, informed and unambiguous consent was also required under the Data Protection Directive (95/46/EC), the GDPR determines that the minimum age for giving legally valid consent to the processing of personal data is 16 years. Nevertheless, each EU Member State can set a different age for consenting to the processing of personal data, which must not be below 13 years (Arts. 7 and 8 GDPR).

2) Appointment of a Data Protection Officer (DPO): the appointment of a DPO will be mandatory for public authorities and for data controllers whose main activity involves regular monitoring of data subjects on a large scale or the processing of sensitive personal data (religion, health matters, origin, race, etc.). The DPO should have expert knowledge of data protection in order to ensure compliance, to be able to give advice and to cooperate with the Data Protection Authority (DPA). Within a group of subsidiaries, it will be possible to appoint a single DPO, provided he/she is accessible from each establishment (Art. 35 ff. GDPR).

3) Cross-border data transfers: personal data transfers outside the EU may only take place if a Commission decision is in place, if the third country ensures an adequate level of protection and guarantees regarding the protection of personal data (for example by signing Standard Contractual Clauses) or if binding corporate rules have been approved by the respective Data Protection Authority (Art. 41 ff. GDPR).

4) Data security: the data controller should recognize any existing risks regarding the processing of personal data and implement adequate technical and organizational security measures accordingly (Art. 23 GDPR). The GDPR imposes strict standards related to data security and the responsibility of both data controller and data processor. Security measures should be implemented according to the state of the art and the costs involved (Art. 30 GDPR). Some examples of security measures are pseudonymization and encryption, confidentiality, data access and data availability, data integrity, etc.

5) Notification of personal data breaches: data breaches are defined and regulated for the first time in the GDPR (Arts. 31 and 32). If a data breach occurs, data controllers are obliged to notify the breach to the corresponding Data Protection Authority within 72 hours of becoming aware of it. In some cases, an additional notification to the affected data subjects may be mandatory, for example if sensitive data is involved.

6) One-stop-shop: if a company has several establishments across the EU, the competent Data Protection Authority will be the one where the controller's or processor's main establishment is located. If an issue affects only a certain establishment, the competent DPA is the one where that establishment is located.

7) Risk-based approach: several compliance obligations are only applicable to data processing activities that involve a risk for data subjects.

8) The role of the Data Protection Authorities (DPA): the role of the DPAs will be strengthened. They will be empowered to impose fines for non-compliance. Also, the cooperation between the DPAs of the different Member States will be reinforced.

9) Right to be forgotten: following the judgment of the ECJ from May 2014, the right to be forgotten has been consolidated in Art. 17 of the GDPR. The data subject has the right to request from the data controller the erasure of his/her personal data if certain requirements are fulfilled.

10) Data Protection Impact Assessment (PIA): this assessment should be conducted by the organization with the support of the DPO. Such an assessment should be part of every organization's strategy. A PIA should be carried out before starting any data processing operations (Art. 33 GDPR).

 

UK’s Information Commissioner demands prison penalties for serious data offences

22. July 2013

Information Commissioner Christopher Graham said that people who misuse personal information should face tougher penalties, including the threat of prison in the most serious cases.

The Information Commissioner referred to a case in which a former manager of a health service based at a council-run leisure centre was prosecuted by the Information Commissioner’s Office for unlawfully obtaining sensitive medical information belonging to more than 2,000 people. The manager used the information, which he had sent to his personal email account, to approach patients to advertise a similar service he had set up.

The manager was prosecuted under section 55 of the Data Protection Act and fined £3,000. He was also ordered to pay a £15 victim surcharge and £1,376.50 prosecution costs.

Mr. Graham issued the following statement:

“Nobody expects that their health records will be taken and used in this way. The manager [name removed] had been told about the need to keep patients’ details confidential, but he decided to break the law to benefit his new business. At the very least, behaviour of this kind should be recognised as a ‘recordable offence’, which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statute book but needs to be activated. The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”

Category: UK

UK Ministry of Justice clarifies Negotiating Position on proposed EU Data Protection Regulation

4. July 2012

According to a report by huntonprivacyblog.com, the UK Ministry of Justice has outlined its negotiating position on the basis of a previously launched Call for Evidence. The Call for Evidence gathered perspectives and feedback on the impact of the proposed EU Data Protection Regulation on business and individuals.

The results led the Ministry of Justice to a position that reassured organizations: it will negotiate against regulations that would overburden business and for a legislative framework that supports economic growth and innovation. The Ministry also stressed that people’s personal data must be protected at the same time.

From the Ministry's perspective, the following issues need to be negotiated:

  • Right to be forgotten: It should be overhauled to clarify its scope and cost implications;
  • Bureaucratic and costly burdens on organizations: The Ministry will resist them if no greater protection for individuals is foreseeable; in particular, mandatory data protection impact assessments, prior authorization from supervisory authorities and mandatory data protection officers were mentioned as such burdens without benefit for individuals;
  • Data Breach Notification: These provisions will be supported, depending on timescales that reflect the time needed to properly investigate the breach and on sensible and proportionate thresholds;
  • Penalties for Data Breaches: These administrative penalties will be supported, with the objective of a more proportionate level of maximum fines;
  • Powers for the European Commission: The Ministry will push for the removal of many of the powers, especially where there is scope for the European Commission to substantially alter fundamental requirements.

American Bar Association urges U.S. courts to regard foreign privacy laws

23. May 2012

One step further in resolving the dilemma of pre-trial discovery in the U.S. conflicting with non-U.S. data protection laws: the American Bar Association adopted a resolution with the stated purpose of urging courts to respect foreign data protection and privacy laws when deciding on discovery issues.

Currently, courts privilege the interests of U.S. litigants in discovery, while the requirements of foreign privacy laws are disregarded. The other parties are then left facing inconsistent legal requirements and possible sanctions under foreign legal systems.

The resolution reads as follows:

“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”

The American Bar Association says that permitting unlimited discovery could impede global commerce or harm the interests of U.S. parties in foreign courts. In particular, the laws of European jurisdictions and the EU Data Protection Directive limit the lawful processing of personal data and the transfer of personal data outside of the EEA. Some jurisdictions have also enacted blocking statutes that prohibit seeking the disclosure of information to be used as evidence in foreign proceedings. For example, a French lawyer had to pay a 10,000 euro fine for obtaining discovery in France for litigation in the U.S.

The resolution of the American Bar Association is not binding but could encourage U.S. courts to take a critical look at foreign privacy law and the consequences of discovery for affected litigants or third parties. At the moment, data controllers who are forced to transfer data from the EU to the U.S. for the purpose of discovery would be well advised to follow at least the guidance of the Article 29 Working Party in order to comply with EU data protection obligations, and to check in detail which approach is best.

Category: USA