European Union

Proposed Overhaul of the 2006 Data Retention Directive

Francoise Gilbert

While the Data Protection regime of the European Union is going through a facelift and amendments are expected to be published by 2012, the European Commission has announced that it is embarking onto another major project that focuses on the protection of personal data and privacy rights. This time, the target is the 2006 Data Retention Directive, Directive 2006/24/EC1. In its Evaluation Report on the Data Retention Directive (Directive 2006/24/EC), COM (2011) 225 (Communication 225), published in April 2011, the European Communication has announced its plan intent to revise the 2006 Directive with a view to proposing an improved legal framework that balances the needs of governments, the rights of data subjects, and the financial constraints of the operators.
 
Communication 225 analyses how the 2006 Data Retention Directive has been implemented (or not) in the national laws of the Member States, with a view to determining whether the 2006 Directive should be amended, in particular with regard to its data coverage and retention periods. The report points to the lack of uniformity and discrepancies in these implementations, identifies deficiencies, and analyses the impact of the retention requirements on economic operators and consumers. It also evaluates the implications of the Directive on the protection of fundamental rights, in view of the criticisms that have been made with respect to the retention of personal data for national security reasons. The report concludes that the provisions set forth in the 2006 Data Retention Directive need improvement and indicates how the European Commission plans to drive the preparation of an amendment. 

(more…)

Read More

Privacy Laws may be a Barrier to the Taking of Evidence Abroad

Francoise Gilbert

Litigation and trials are handled in the United States in a manner that is significantly different from that which prevails in other countries. While broad discovery is available here, the gathering and use of evidence is much more limited abroad. For years, there have been disputes between US litigants and the foreign parties who were requested to produce information and documents for use in US courts.  While the 1970 Hague Convention on the Taking of Evidence in Civil and Commercial Matters has provided rules for the regulated taking of evidence, there are still many barriers to the gathering of evidence from foreign parties.  One of them is the data protection laws of many countries, especially those in the European Union and the European Economic Area.  (more…)

Read More

No Attorney Client Privilege for In-House Lawyers Under EU Law

Francoise Gilbert

On September 14, 2010 the European Court of Justice (ECJ) confirmed that there is no attorney-client privilege under EU law for communications with in-house counsel when a company is under investigation by the European Commission.

In its ruling in the case of Akzo Nobel Chemicals Ltd and Akcros Chemicals Ltd v European Commission, the European Court of Justice affirmed a prior decision of the European General Court that had rejected a claim for legal professional privilege over the company’s communications with its in-house lawyer. The court reasoned that in-house lawyers are economically dependent on their employers, and thus cannot be regarded as independent. (more…)

Read More

Coming Soon to the European Union: Security Breach Disclosure Requirements

Francoise Gilbert

Directive 2002/58/EC (or “e-Privacy Directive”), which defines the restrictions that apply to the protection of personal data in the context of wire or Internet communications, was amended in late 2009. This amendment establishes the first mandatory security breach disclosure regime for the European Union and will soon be reflected in the national laws of the EU and EEA Member States.

While this new security breach disclosure regime affects only providers of a publicly available electronic communication services, it is likely that it will be the foundation for defining a security breach disclosure framework that applies to other personal data holders.

For example, when amending their national laws, some of the EU Member States may opt to apply this security breach disclosure regime to the entire spectrum of data controllers and data processors, rather than limiting it to the smaller subset of electronic communication service providers that are subject to the ePrivacy Directive. Further, when the 1995 EU Data Protection Directive is revised, it should be expected, as well, that the security breach provisions of the ePrivacy Directive (as amended), at a minimum, will serve as a starting point.

The amendments must be implemented in each of the national laws of the Member States of the European Union and the European Economic Area by June 2011.

Read More