Datonomy readers who wish to influence the detail of the EU’s reform proposals via the UK Government have until 6 March to do so.  The Ministry of Justice has this week issued a Call For Evidence to help inform its negotiating stance on the proposed Regulation.  The link to the document and to an online questionnaire is here.

Datonomy readers could be forgiven for having a sense of deja vu – the MoJ conducted a similar exercise in 2010 as part of  the lengthy consultation process which preceded the Commission’s formulation of the current proposal.  Of course, a new consultation exercise is necessary now that the “phoney war” is over and we are dealing with actual draft legislation  rather than a series of policy objectives and statements. 

What line is the UK Government likely to take? The Secretary of State For Justice, Ken Clarke expressed a conservative (in both senses of the word) approach in this May 2011 speech . He suggested that the reform of the EU data protection regime called for “a good service or test on a well loved old car, rather than writing off the vehicle altogether and trying to buy a flashy but impractical new one“.  The need for pragmatism is also repeated  in the introduction to the  new Call for Evidence.

Well, there are plenty of well loved – or at least familiar – principles in the new draft, many of these amplifying existing requirements and advancing  soft law and best practice approaches  into black letter law.  One suspects however that the Secretary (and others) might view many aspects of the draft Regulation as “flashy” and/or impractical. 

One of Datonomy’s more data-sceptic colleagues (I  won’t name names) has promised to eat his (or her)  hat if a a fine of 0.5% of global turnover is ever imposed on a data controller for responding late to a data subject access request – as is theoretically possible, if the Regulation were to be  adopted in its current form. 

Could Olswang’s offices be witness to hat-eating in, say, four or five years’ time?  For all kinds of reasons, Datonomy hopes not.  The black letter law detail of the Regulation has many hurdles to cross first, and then there will be the small matter of regulatory enforcement policy.  The immediate milestone on the horizon, for  data sceptics and for data enthusiasts alike, is to make your views and concerns known to the UK Government by 6 March. 

 

 

 


Posted in Reform of EU DP law, reform proposals, Uncategorized | Leave a comment

So, the reports that we would not see the detail of the reforms until March proved unfounded. The official publication of the Commission’s DP reform proposals earlier today, exactly on schedule,  cannot have escaped the notice of Datonomy readers. (But just in case, the link to the package of new measures is here .)

The centre of attention is the comprehensive Regulation, weighing in at 139 Recitals and 91 Articles and a total of 118 pages (if you include the memo at the front and the impact statement at the back).

The Datonomy correspondents at Olswang have been busy all afternoon analysing the practical implications of the proposal, and their initial analysis for in house counsel is now available.

The new regime will obviously have a major impact on data protection regulators too – the  initial reactions of the UK’s  regulator are here on the ICO’s website.

Anyone who missed Vice President Reding’s press conference at lunchtime can watch it at their leisure.  Datonomy was delighted to see that the Vice President echoed the views in the  recent post by Christina Motejl that the strong new rules draw inspiration from Germany.

There will be no shortage of law firm and business commentary in the media over the hours and days to come – Datonomy looks forward to hearing the views and comments of its correspondents and readers (both in house and in private practice) from around the globe, and to some lively debate as the details of the proposals are evaluated in more depth – and at greater leisure.


Posted in EU data protection reform, EU Legislation, eu proposals, Germany, ICO | Leave a comment

If , like this Datonomist, you have been trying to make sense of the conflicting reports about  delays – or otherwise – to publication of the draft DP Regulation, then this report  just posted byEuractiv.com confidently predicts the publication of a “package” comprising a communication, a regulation, a directive and a technical report on the 25 January – the date  expected for formal publication, following the unofficial debut of an interservice text last month.    

Datonomy is sure that its readers have already seen the various reports since last week, rumouring the possible delay and detailing the numerous objections from various Directorates General at the Commission which prompted it.   If not,  the Euractiv article provides  a useful snapshot of these, as does recent coverage on MLex.

Which report is right?  Who knows.  Datonomy is saving it energies for analysing the official draft of the proposal – whenever it may emerge!

The leaked proposal for the new Regulation has also attracted criticism from the other side of the Atlantic – an  ”informal note” detailing 9 pages of concerns (but “not necessarily represent[ing] the views of the FTC nor any other US governmental agency” appears on the on the Statewatch site . Those specific (and non exhaustive) concerns, relating to matters within the remit of the FTC, follow two broad themes: potential adverse effect on interoperability of privacy frameworks, and implications for enforcement activities.

And, as Datonomy’s Berlin  correspondent Christina Motejl reported yesterday, the draft proposal has attracted criticism from Germanyby virtue of its form – a directly applicable regulation – on constitutional and political grounds.

Last but not least, the business lobby is already weighing up the potential impact of the regulation on day to day operations.  If the reports are to be believed, we can expect to see some toning down of certain  aspects of the leaked draft.   Additional red tape is never going to be welcome, but will the next draft have been  watered down enough to make it  palatable?

Datonomy looks forward to some concrete developments in the week ahead.


Posted in Directive 95/46/EC, EU Legislation, Germany, Reform of EU DP law, United States | Leave a comment

The draft data protection regulation of the European Commission that had leaked in early December has been widely criticised by the German Minister of the Interior and aFederal Constitutional Court judge. The points of concern were not the new and mainly stricter rules of the draft regulation, but that the European Commission chose a regulation instead of a directive.

First, Johannes Masing, one of the sixteen judges of theFederal Constitutional CourtinKarlsruhe, unmistakably warned about the new regulation in a newspaper article last Monday titled “Goodbye to fundamental rights”. Mr. Masing said that as a regulation was in fact a directly applicable law in every member state, national rights would be pushed aside. This would also be the case with regard to the fundamental rights of the Grundgesetz, the German constitution.

In Germany, data protection laws do not originate from the European Directive 95/46/EC or a simple law, but were “invented” by the Constitutional Court in a fundamental decision in the year 1983, in which the court derived personal data protection rights directly from the constitution. Therefore, all German courts apply data protection regulations also with regard to the fundamental rights guaranteed by the constitution.

As a consequence of data protection law being regulated in a regulation, national German courts could no longer decide on the interpretation of data protection law, but would need to present critical cases to the European Court of Justice (ECJ) being the only decisive authority on European law. Mr. Masing fears that this would lead to a decline of legal protection, as the ECJ was not a special human rights court and in charge of 27 member states. Furthermore, only courts and not individuals could present cases to the ECJ. Contrary, inGermany, subject to further requirements every citizen can appeal to the Federal Constitutional Courtif they feel that their basic rights are violated. 

Judge Masing’s opinion is mainly shared by the Federal Minister of the Interior, Hans-Peter Friedrich, who criticised in an interview on 15 January that a regulation would relocate further legal competences to the European Union. Despite this material criticism, both stressed that an increasingly harmonised data protection law would strengthen the internal market.

Especially Judge Masing’s reaction is interesting, as constitutional court judges are generally more reserved when it comes to direct criticism of laws, especially European laws. Rumours say that Commissioner Viviane Reding’s ambitious draft is subject to highly controversial debates between the other members of the commission and that this may have been a reason why its text leaked more than six weeks prior to its official announcement. Therefore, the draft may not even be the final version that will be presented on 25 January.  

This shows, however, that the discussion on the new regulation on data protection has just started. The regulation will be adopted, if at all, according to the ordinary legislative procedure pursuant to article 294 of the Treaty on the Functioning of the European Union. This means that both the Council of the European Union and the European Parliament have to approve the regulation in two or three readings. Normally, this procedure can take up to two and a half years – enough time for national governments and lobby groups to look for like-minded governments and politicians to push for legislative changes in the new data protection law’s form and content.


Posted in Directive 95/46/EC, EU data protection reform, EU Legislation, EU powers, eu proposals, Germany | Leave a comment

After a first read through of the leaked Commission proposal for a new data protection regulation (Draft Regulation) that was published by statewatch.org (it is not meant to be officially published until the end of January), I remembered a speech by Viviane Reding’s Chief of Cabinet who said that the Commissioner for Justice was very impressed by German data protection rules. This might help in explaining several provisions of the Draft Regulation.

Take for example the rules on data processing. After some scandals on data leakages at data processors,Germanytightened the requirements for the contract on data processing to cover several specific details of data security. Article 27 of the  Draft Regulation takes up this idea and requires controller and processor to stipulate several rules and precautionary measures in their agreement, as that the controller may only act on instructions from the controller and that its staff must have committed themselves to confidentiality. However, contrary to German law, the contract must not cover specific details on data security measures.

Another principle deriving from German data protection is Article 4 of the Draft regulation, which says that personal data must be limited to the minimum necessary in relation to the purposes for which they are processed. This is almost the same as the principle of data reduction in sec. 3 a of the German Federal Data Protection Act. In comparison, Article 6 of the current Directive only required data processing not to be “excessive in relation to the purposes for which they are collected and/or further processed”.

Also the stricter requirements to consent to data processing seem to derive from German data protection law. Article 7 of the Draft Regulation provides amongst others that consent to data processing in a written declaration on another matter must be made distinguishable in its appearance, which is almost the same provision as in sec. 4 a of the German Federal Data Protection Act (BDSG). Also the data subject’s right to withdraw such consent at any time is an unwritten principle of German law, as well as the assumption that a consent is not freely given where there is a significant imbalance between the data subject and the controller.

The Draft Regulation also covers the use of personal data for direct marketing for commercial purposes and makes it subject to the data subject’s consent to such marketing (Article 5 para 2 Draft Regulation). This is even stricter than German data protection law, which provided an important exception for the requirement of a consent in allowing the use of personal data for advertising if the data was listed and contained only categories as name, occupation, title, address and year of birth and was obtained through a contract or a similar relation with the data subject or from public sources.

Therefore, reading the Draft regulation as a German is an interesting déja vu. The fact that the European Commission proposes a regulation to create a harmonised level of data protection will – if it is eventually adopted – certainly make the life of many companies easier, as the legal requirements were sometimes very different in several member states. However, the regulation contains quite strict and detailed rules. It remains to be seen if other member states will agree that the principles of countries with a stricter approach to data protection should be applied to the whole European Union.


Posted in EU data protection reform, EU Legislation, eu proposals, Germany, Germany; address lists | Leave a comment

The ICO has today  published its promised “half term report” on organisations’ compliance with the new cookie consent rules, along with updated practical guidance.   On third party cookies, which the ICO acknowledges is “one of the most challenging areas” for compliance, the ICO states that it is still working with industry and other DP regulators to find the right answers on this complex issue.

The new version of the guidance replaces  and expands on the 10 page version published back in May.   As well as providing more practical illustrations of the various possible consent options(pop ups, footer bars, terms and conditions, settings led and feature led consent) it  sets out the ICO’s likely enforcement stance when the “amnesty” period ends in May 2012. 

In line with the ICO’s Regulatory Action Strategy,  any formal action taken for cookie breaches would need to be proportionate – but the tone of the guidance and the half term report is very much that of a school master who is running out of patience:  there are pockets of good practice and transparency – but many businesses “must try harder” to get compliant in time for May 2012.

Datonomy confesses that it was somewhat distracted by last week’s  news about the unofficial publication of a draft of the new General Data Protection Regulation, but will now turn  its attention to matters of current, rather than future, law and will review the latest cookie guidance in more depth.


Posted in Uncategorized | Leave a comment

The Statewatch website has published what appears to be a draft of the Proposal for a Regulation to replace the current Data Protection Directive.  The   draft for the proposal is still at the inter-service consultation stage, i.e. doing the rounds of the different DGs with a potential interest in the proposal.  So, the final draft of the proposal (not due to make its official appearance until January)  might differ from the version currently on the Statewatch site – and of course, assuming this version is authentic….

However, with those caveats in mind, following the FT’s teaser at the weekend, those eager for a preview of the content may not be able to resist taking a look.  There are 116 pages to trawl through, but notably:

  • the proposal is for a Regulation, not a Directive, therefore directly applicable in and binding on Member States
  • for proposals on sanctions, see Chapter 8 (and for fines in particular, Article 79 (4) on page 89)
  • the hot topic of data security and breach notification rules are contained in Section 2.

Datonomy is grateful to one of its eagle-eyed correspondents for spotting the document  on Statewatch.  We will continue to track the progress of the new Regulation and  its potential implications, and we look forward to Datonomy readers’ views too.

 

 


Posted in Uncategorized | Leave a comment

FT readers will have already seen FT’s report (4/12/11) that it  has had a sneak preview of the eagerly awaited  draft Data Protection Directive.  The most headline grabbing issue is the possible introduction of fines of up to 5 % of global turnover for privacy breaches.   If that doesn’t make data protection exciting, nothing will!

Remember that the new Directive still has a long way to go.  When the proposal is published officially and in full – expected to be in January – there will be much for data protection practitioners (in every sector and every practice area)  to analyse.

The likely headline issues and broad areas for reform were well signposted in the Commission’s Communication of November 2010.  Just how these broad proposals translate into the detail of the first draft remains to be seen – but if “stronger sanctions” in the Communication translates into “fines of 5% of global turnover” in the first draft, then the detail of that first draft is going to make for interesting and possibly controversial reading!

The UK’s regulator the ICO last month published a “wish list” of issues it hoped to see addressed, and has also begun its own blog on the future of the EU DP regime.

Datonomy will be tracking the progress of the new Directive as it begins its official legislative journey shortly.  With the festive season approaching, Datonomy would love to hear what’s on the wish lists of its readers and correspondents around the globe – at least as far as the future of privacy legislation is concerned!


Posted in Uncategorized | Leave a comment

Datonomy attended the event “Datendialog” hosted by Google in Berlin on 24 November, where many interesting speakers discussed the current situation and future of privacy, but also openness.

Blogger and Science Fiction author Cory Doctorow described the current situation of many free internet offers as “privacy bargain”, in which users traded their personal data for services. The deal, however, would be one-sided and never negotiated. Therefore, Doctorow called for technical measures that would prevent companies from tracking users with cookies and compared the situation to pop up windows, the widespread use of which decreased after Mozilla, as first browser, started offering a tool to block these windows. In his words, cookie managers could be the new pop up blocker.

Federal data protection commissioner Peter Schaar said that German data protection law needed to be amended especially with regard to the question of applicable law. If companies systematically offered services in Europeand collected and used personal data of millions of European users, they should be forced to comply with basic values of European law. He criticised the government’s current preference of self-regulatory solutions as these had the inherent danger of staying below legal rules. Secretary of State Rogall Grothe of the Ministry of Interior, on the other hand, stressed that youth protection level had increased due to self-regulatory solutions in the industry.

Contrary, author Jeff Jarvis emphasised that the principles of publicness and ethical sharing should also be protected, as they allowed for a more open society. He would not want a society that was “private by default”. However, he also stressed that privacy and publicness are not self excluding principles.

Google, once tagged as “data kraken”, is at the moment in the rather comfortable situation that Facebook attracts almost all criticism regarding data protection problems with its approach that German data protection law does not apply to them. For example, Cory Doctorow described their business model as “making big changes and settle for a little less after public outcry”. However, the event showed that Google does not hesitate to invite critics as Cory Doctorow and data protection commissioner Peter Schaar and seems to be interested playing an active role in the discussion about the necessary extent of data protection.


Posted in data collection, Facebook, Germany, Google | Leave a comment

At a recent roundtable event hosted by theBrusselsoffice of Olswang LLP, Datonomy heard a range of perspectives on data protection issues in the context of social network sites (SNS).

Around 50 members of the Belgian Institute of In-House Counsel attended the event.

Iain Stansfield from Olwang’s Londonoffice set the scene and demonstrated through a number of practical examples what can go wrong for companies that are active on SNS – and further, what can go wrong when they are not active. Besides the risks, there are of course clear advantages of being social online and Iain discussed the need to find a balance between being social on the one hand and complying with the law on the other hand.

Christine De Keersmaeker from Olswang’sBrusselsoffice explained what social media do to your Intellectual Property, how they affect trade marks and copyrights and how trademark and copyright holders can deal with the threats of social media through prevention e.g. through creating awareness and policies, and how and why repression is not necessarily the right solution.

Patricia Cappuyns elaborated on the data protection and privacy issues related to SNS. She made in-house counsel aware of the obligations companies face when they are online on SNS. She explained how to apply the fundamental distinction between the data controller and the data processor to the different SNS scenarios, and concluded that companies will often be considered to be joint data controllers.

The ensuing discussion with in-house counsel revealed that most companies are not ready to meet their data protection obligations vis-à-vis virtual customers. Companies should have a policy in place with detailed guidelines, for example on how to comply with a request for access, rectification and deletion of data.

In order to prevent employees from misusing their company’s trade mark on SNS – or simply to prevent them from wasting their time – companies also feel the need to monitor their employees’ online activities. It is easy to see how the legitimate right of supervision, exercised through cyber-surveillance, may conflict with the fundamental right of privacy, which also applies in the workplace. Under Belgian law, a Collective Labour Agreement (N° 81) deals with this issue and sets the conditions in order for companies to legally monitor their employees. This agreement provides amongst others that employers are only allowed to monitor their employees’ electronic communication to the extent that this monitoring meets the principles of legitimacy, finality, proportionality and transparency.

For companies taking their chances on SNS it is therefore of key importance to put in place a legal step-by-step plan without hindering the main objective of the SNS effort, which is to present the company as a social online presence.


Posted in cyber-privacy, data controller, data processor, data protection compliance, privacy policy; privacy notice;, Social networking sites, surveillance | Leave a comment