European Union

What the January 25, 2012 Draft of the Proposed EU Data Protection Reform Means for Companies Doing Business with or in the EU

January 27, 2012 – Francoise Gilbert

The comprehensive proposed data protection package that the European Commission unveiled on January 25, 2012 provides a sneak preview of the European Commission's plans for the reform of the data protection rules in the European Union. If the draft legislative texts are adopted in a form substantially similar to that which was presented in the package, by 2015, the European Union will be operating under a single data protection law that applies directly to all entities and individuals in the Member States. In addition, much of the administrative burden that is currently costing companies billions of Euros will have been removed. The savings would allow companies to allocate their data protection budget to more meaningful, efficient data protection practices that are better adapted to the uses of personal data, the new technologies and the 21st century way of life.


EU Data Protection Overhaul – New Draft Regulation

Francoise Gilbert

Note: This post is superseded by the post above, due to the publication of a new draft of the proposed legislative texts.

The European Commission has just published drafts of the two documents that will form the new legal framework for the protection of personal data throughout the European Economic Area. The draft documents are intended to provide a last opportunity for comments. The final version is expected to be published during the first quarter of 2012, and will come into force two years after publication. Thus, the new rules are currently not expected to be effective before the middle of 2014.

The proposed new legal framework consists of two legislative proposals: a proposal for a General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which will supersede Directive 95/46/EC; and a proposal for a Police and Criminal Justice Data Protection Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. This article discusses only the Regulation.


Upcoming New, Streamlined BCR Regime to be Unveiled in Early 2012

Francoise Gilbert
 
Very exciting news was provided at the IAPP EU Conference in Paris, which I have the pleasure of attending.
 
While we had hoped that Viviane Reding, the EU Vice President, would give an overview of the upcoming new EU Data Privacy Regulation, in her keynote address, she focused on what is being planned for the overhaul of the BCR regime.
After noting that, as a result of the use of cloud computing services, data are being moved everywhere in the world, Ms. Reding encouraged companies to adopt global binding rules that govern the protection of personal information throughout the global enterprise, and to file applications for the approval of BCRs reflecting these global privacy rules.
 
When talking about the upcoming publication of the new Data Privacy Regulation in early 2012, Ms. Reding stated: "My reform will make binding corporate rules binding within companies, but also with respect to third parties. This implies that the rules provide for the necessary legal mechanisms to apply to all entities involved."

  
 


How to Submit a Complaint to the EDPS

Alain Bensoussan

On June 15, 2011, Peter Hustinx, European Data Protection Supervisor (EDPS), and Giovanni Buttarelli, Assistant Supervisor, presented their Annual Report of activities for 2010 (read full report here). This Report covers the sixth full year of activity of the EDPS as a new, independent supervisory body. Peter Hustinx, the EDPS, said it “is fully in line with the need to increase our efforts to ensure a more effective protection of privacy and personal data in a changing world which is increasingly global, Internet driven and dependent on the wide spread use of ICTs in all areas of life.”

This report is a good opportunity to get to know the European guardian of personal data protection. Do you know that you can lodge a complaint with the EDPS?


EU Commission Launches Consultation on DBN

Alain Bensoussan

The European Commission has launched a consultation (read EU press release here) on the practical rules needed for the entry into force of the obligation requiring ISPs to inform relevant national authorities of any personal data breaches, introduced by the ePrivacy Directive 2009/136/EC of November 25, 2009.
 
The purpose of the consultation is to seek the views of telecoms operators, Internet service providers, Member States, national data protection authorities and consumer organizations on data breach notification (“DBN”).
 
Stakeholders have until next September 9 to provide their feedback and input on the issues involved.
 
The consultation could result in the proposal by the Commission of “technical implementing measures” to be reviewed by the EU Parliament.

Large-Scale Police Databases: Creation of a European Agency

Alain Bensoussan

An independent regulatory Agency for EU Member States

The Proposal for a Regulation of the European Parliament and of the Council establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice was reviewed on April 11, 2011, by the Council of the European Union. A political agreement was reached in June 2011.


Israel Found to Provide Adequate Level for Data Transfers!

Alain Bensoussan

On April 4, 2011, the EU Article 29 Data Protection Working Party issued an Opinion on the level of protection of personal data in New Zealand. This is an occasion to recap the EU legal rules for transborder flows of personal data, with a focus on the latest country found to provide an adequate level: Israel.

Today, with globalization, it’s common practice for businesses to transfer personal data around the globe. This of course raises issues on the security of such data. The European Union does not allow businesses to send personal data outside its boundaries unless the recipient country provides an adequate level of protection. The last country to join the club of countries with an adequate level: Israel!


France: Proposed Legislation to Better Protect the Right to Privacy in the Digital Age

Alain Bensoussan

The European Union is planning to overhaul its data protection regime, notably because rapid technological developments (social networking sites, blogs, cloud computing, geo-location devices, biometric devices, RFID applications, video surveillance…) and globalization have brought new challenges for the protection of personal data. A French bill has decided to take up these challenges.

Know your rights & Be your own privacy watchdog!

The French data protection framework could be changed by a French bill to better protect the right to privacy in the digital age. The bill was proposed to the Senate on November 6, 2009, and filed for first reading in the National Assembly on March 24, 2010.

This proposed legislation is mainly based on an information report on “privacy in the age of digital memories” issued in May 2009, which recommended, among other things, enabling citizens to become actors in their own protection. To meet the new challenges of the digital era, the report calls for an increased involvement of individuals in the protection of their own privacy.

How is that to be achieved? The report suggested educating citizens and raising their awareness of their right to privacy and of privacy threats from an early age, and updating the Data Protection Act of January 6, 1978 to provide stronger guarantees.

The bill thus amends the Data Protection Act to reflect the recommendations made in the report, as explained at the time by the then-current Digital Economy Secretary of State Nathalie Kosciusko-Morizet during the “Right to be forgotten” workshop in November 2009.


More Changes in the EU Data Protection Regime – 2006 Data Retention Directive to be Amended

Francoise Gilbert

The European Commission has announced that it plans to amend the 2006 Data Retention Directive, Directive 2006/24/EC. This Directive states that the national laws of the EU Member States must require providers of publicly available electronic communications services and public communications networks to retain traffic and location data for a period between six months and two years, in order to allow for the investigation, detection and prosecution of serious crime.

According to the Report of the EU Commission, while it is clear that rules on data retention remain necessary as a tool for law enforcement, the protection of victims, and the criminal justice systems, the current regime has many flaws. The report, published in mid-April 2011, provides an initial analysis of the problems raised by the current draft of the 2006 Data Retention Directive and explains that the Commission intends to develop a better legal framework that balances the needs of governments, the rights of data subjects, and the financial constraints of the operators.
