<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>datonomy, the data protection blog</title>
	<atom:link href="http://blogs.olswang.com/datonomy/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.olswang.com/datonomy</link>
	<description>this blog discusses data protection law, practice and problems</description>
	<lastBuildDate>Tue, 10 Apr 2012 07:02:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Singapore gives life to data rights for the dead</title>
		<link>http://blogs.olswang.com/datonomy/2012/04/10/singapore-gives-life-to-data-rights-for-the-dead/</link>
		<comments>http://blogs.olswang.com/datonomy/2012/04/10/singapore-gives-life-to-data-rights-for-the-dead/#comments</comments>
		<pubDate>Tue, 10 Apr 2012 07:02:57 +0000</pubDate>
		<dc:creator>Elle Todd</dc:creator>
				<category><![CDATA[Malaysia]]></category>
		<category><![CDATA[Singapore]]></category>

		<guid isPermaLink="false">http://blogs.olswang.com/datonomy/?p=2245</guid>
		<description><![CDATA[Whilst a lot of attention has been given to European data protection legislation, we should not forget some interesting developments which are happening in Asia at the moment. Indeed a spate of new data protection legislation has been prepared and in some cases already passed in the last year. For example, Malaysia will have its [...]]]></description>
			<content:encoded><![CDATA[<p>Whilst a lot of attention has been given to European data protection legislation, we should not forget some interesting developments which are happening in Asia at the moment.</p>
<p>Indeed a spate of new data protection legislation has been prepared and in some cases already passed in the last year. For example, Malaysia will have its new data protection regime come into force this summer and just last month the Philippine government passed its privacy legislation.</p>
<p>Particular interest has been generated by the Singaporean <a href="http://www.mica.gov.sg/DPbillconsultation/Annex%20D_Draft%20PDP%20Bill%20for%20Consultation.pdf">draft legislation</a>, the latest (and potentially last) draft of which was published a few weeks ago. Whilst the legislation does borrow some concepts from the current European regime, other provisions draw more comparison with US privacy laws (particularly with regard to information which is made publicly available).</p>
<p>Areas of difference to familiar European legislation which caught Datonomy&#8217;s eye include:</p>
<ul>
<li>The focus of the legislation is only on the private sector. Government agencies are not covered.</li>
<li>All organisations that are engaged in data collection, processing or disclosure within Singapore would be caught by the regime, even where the organisation is not physically located in Singapore. So, for example, an organisation which is based in the UK (such as a UK website) but which collects personal data from Singaporean customers would need to comply. This raises similar extra-territorial debates to those raised recently with the new draft European Regulation. In this case the Singaporean government has admitted that it recognises enforcement and investigation may be rather difficult in the case of overseas companies.</li>
<li>The Act draws no distinction between personal and sensitive personal data &#8211; all must be treated the same.</li>
<li>The law specifically incorporates a reasonableness test so organisations must  consider &#8220;what a reasonable person would consider appropriate in the circumstances&#8221; when complying with the Act.</li>
<li>There are no notification requirements so less bureaucracy.</li>
<li>Perhaps most interestingly, the government made a decision to extend rights to cover data of deceased individuals in terms of obligations around data disclosure and security up to 10 years from the date of death.</li>
</ul>
<p> So, what do readers think of the proposals?  To date the European legislation remains silent as to whether data subjects must be living but most national regimes (including that of the UK) have limited it in this way. Do you think that there may be merit in revisiting this like Singapore?</p>
<p>Datonomy will be keeping an eye on the developments in Asia and, in particular, will feed back when the final Singaporean draft is published.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.olswang.com/datonomy/2012/04/10/singapore-gives-life-to-data-rights-for-the-dead/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook&#8217;s terms and conditions violate German consumer laws, says court</title>
		<link>http://blogs.olswang.com/datonomy/2012/03/07/facebooks-terms-and-conditions-violate-german-consumer-laws-says-court/</link>
		<comments>http://blogs.olswang.com/datonomy/2012/03/07/facebooks-terms-and-conditions-violate-german-consumer-laws-says-court/#comments</comments>
		<pubDate>Wed, 07 Mar 2012 16:48:39 +0000</pubDate>
		<dc:creator>Christina Motejl</dc:creator>
				<category><![CDATA[consumer protection]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[transparency]]></category>

		<guid isPermaLink="false">http://blogs.olswang.com/datonomy/?p=2237</guid>
		<description><![CDATA[In a decision of 6 March 2012 that covers aspects of consumer rights related to data protection, the Berlin regional court ruled that several clauses of Facebook Ireland Ltd.&#8217;s terms and conditions violate German consumer laws and are therefore void (LG Berlin, Judgement of 6 March 2012, 16 O 551/109). Facebook Ireland Ltd. is [...]]]></description>
			<content:encoded><![CDATA[<p>In a decision of 6 March 2012 that covers aspects of consumer rights related to data protection, the Berlin regional court ruled that several clauses of Facebook Ireland Ltd.&#8217;s terms and conditions violate German consumer laws and are therefore void (LG Berlin, Judgement of 6 March 2012, 16 O 551/109). Facebook Ireland Ltd. is the contract partner of all Facebook users that are not residents of the USA or Canada.</p>
<p>Firstly, the court said that the users&#8217; consent in Facebook&#8217;s terms and conditions regarding the use of their personal data for advertising purposes is void. The reason for this assessment is not known yet &#8211; however, in a case against Google, the regional court of Hamburg had decided in 2009 that a consent provided in terms and conditions to a certain use of personal data unreasonably disadvantages a consumer if they are not specifically informed about the intended use of their personal data (LG Hamburg, judgement of 7 August 2009, 324 O 650/08). Facebook does not provide such information to their users either.</p>
<p>In addition, the court ruled that Facebook cannot use terms and conditions to obtain a comprehensive, world-wide and royalty-free license to use the users&#8217; content, as the users remain owners of the intellectual-property rights of pictures and music they compose. The court also provided that Facebook must ensure that the user will be informed about amendments of the terms and conditions and the privacy guidelines in good time before changes become effective.</p>
<p>Finally, the court said that Facebook&#8217;s friend finder service violates the law against unfair competition (UWG). Said service offers Facebook users the possibility to check their email address books to see if their friends are already on Facebook. If the friends are not Facebook members yet, the user can send an invitation to them. The court said that Facebook must not send friendship requests without the addressee&#8217;s prior consent. Here, it will be interesting to read the written verdict, as one could also regard invitations that were initiated by a user as sent by the users and not by Facebook.</p>
<p>However, the verdict has not been published in detail yet and all information about the case comes from the plaintiff and the regional court. While it is still disputed if German data protection law applies to Facebook&#8217;s activities in Germany, as the data controller is probably Facebook Ireland Ltd. whose activities are subject to Irish data protection law, this might not be the case for German consumer rights. Article 6 of the Regulation 593/2008 (Rome I) provides that a contract between a professional from one country and a consumer from another country must comply with the mandatory rules of the consumer&#8217;s country of residence, if the professional directs commercial activities to that country.</p>
<p>The case had been brought to court against Facebook Ireland Ltd. by the consumer-rights institution Verbraucherzentrale Bundesverband e. V. Consumer organisations are entitled under German law to take action against companies that use prohibited terms and conditions or illegal marketing practices. Sources say that it is likely that Facebook will appeal the decision.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.olswang.com/datonomy/2012/03/07/facebooks-terms-and-conditions-violate-german-consumer-laws-says-court/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The ICO&#8217;s reality check on the EU reform proposals</title>
		<link>http://blogs.olswang.com/datonomy/2012/03/01/the-icos-reality-check-on-the-eu-reform-proposals/</link>
		<comments>http://blogs.olswang.com/datonomy/2012/03/01/the-icos-reality-check-on-the-eu-reform-proposals/#comments</comments>
		<pubDate>Thu, 01 Mar 2012 14:30:51 +0000</pubDate>
		<dc:creator>Claire Walker</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.olswang.com/datonomy/?p=2226</guid>
		<description><![CDATA[Any readers aiming to get their organisation&#8217;s response to the MoJ consultation ready in time for the 6 March deadline will find much food for thought in the ICO&#8217;s initial analysis, published earlier this week. The Initial analysis of the European Commission&#8217;s proposals for a revised data protection legislative framework covers both the draft Regulation [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Any readers aiming to get their organisation&#8217;s response to the <a href="http://blogs.olswang.com/datonomy/2012/02/10/air-your-views-on-the-draft-dp-regulation-by-6-march/">MoJ consultation </a>ready in time for the 6 March deadline will find much food for thought in the ICO&#8217;s initial analysis, published earlier this week.</strong></p>
<p>The <a href="http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Research_and_reports/ico_initial_analysis_of_revised_eu_dp_legislative_proposals.ashx">Initial analysis of the European Commission&#8217;s proposals for a revised data protection legislative framework </a>covers both the draft Regulation and the proposed Directive on data protection in the context of criminal matters.   The ICO makes it clear that this is unlikely to be its last word on the proposals, with more detailed analysis to come as the legislative process kicks off. Nonetheless, the ICO&#8217;s observations are an invaluable source for businesses currently analysing the potential practical implications. The ICO has focussed on aspects of the proposal which it views as unduly onerous or unlikely to work well in practice.</p>
<p>Given the breadth and ambition of the European Commission&#8217;s proposal, it is not surprising that the ICO&#8217;s reactions to various dimensions of the proposal are mixed.  There are however some consistent themes in the ICO&#8217;s response: the need for proportionate, sensible and effective privacy protection, and less emphasis on red tape, form filling and common processes. <em>&#8220;Harmonisation on paper…will not necessarily deliver sensible and effective data protection in practice</em>&#8221;, states the ICO. As well as highlighting the potential burdens on the regulator itself, the response is in many respects a business-friendly one.</p>
<p>For those preparing a consultation response of their own, the ICO&#8217;s 29 page critique of the draft Regulation merits reading in full, but here are some key issues on which the UK regulator&#8217;s stance will be of particular interest.</p>
<ul>
<li><strong>Right to be forgotten: </strong>this new right, and its practical implications, &#8220;need thinking through carefully&#8221; and should be presented in &#8220;less ambitious terms&#8221; to avoid a mismatch between individuals&#8217; expectations and the various exceptions to the right already proposed. If the new right is &#8220;insufficiently qualified&#8221; it will have serious implications for freedom of expression in particular. – See pages 13-14</li>
<li><strong>Data portability:</strong> is welcomed in principle, but with acknowledgement of the practical burdens for data controllers and the need for businesses&#8217; IP rights to be safeguarded.</li>
<li><strong>Profiling: </strong>clarification is needed as to whether online behavioural advertising is intended to be caught or not; a more risk-based approach is needed to reflect that different types of profiling pose different levels of privacy risk – see page 15.</li>
<li><strong>Prior authorisation and prior consultation: </strong>the ICO has a number of concerns about the &#8220;unrealistic&#8221; proposals in Article 34 concerning pre vetting of certain processing activities, particularly overseas transfers. See page 19.</li>
<li><strong>Breach notification: </strong>while broadly welcoming the notification requirement, the ICO calls for more proportionate triggers and thresholds and more flexible deadlines – see page 17-18.</li>
<li><strong>DPOs: </strong>the ICO takes a measured and risk-based stance on the mandatory appointment of DPOs and rightly points out that the 250 employee threshold is too blunt an instrument for determining when an organisation should have a dedicated privacy officer – page 19.</li>
<li><strong>Sanctions: </strong>the ICO &#8220;has doubts&#8221; about a number of aspects of the proposals on turnover based fines.  Again, proportionality and &#8220;a link between administrative failure and practical [privacy] consequences&#8221; are missing – page 27.</li>
<li><strong>One stop regulation for multinationals:</strong> the ICO foresees various practical obstacles to the ideal of &#8220;one stop&#8221; regulation for EU multinationals. Identifying the &#8220;main establishment&#8221; of a business with multiple centres of processing and decision making may not be as easy in practice as the draft Regulation assumes. See pages 7 and 22-23.</li>
<li><strong>Enforcement against non EU businesses: </strong>the ICO also has doubts about the efficacy of the extra-EU reach of the Regulation (page 5) and need for the designation of an EU representative – page 17.</li>
<li><strong>Children: </strong>on the issue of verifiable parental consent from under 13s, the ICO argues for a less black and white requirement, proposing that the approach to parental consent be applied more flexibly, according to the privacy risks of the particular online service &#8211; page 8.</li>
<li><strong>Personal data, sensitive personal data and  data subject: </strong>the ICO broadly welcomes the proposed extension of the personal data definition – pages 5-6. However it has reservations about the continued &#8220;binary distinction&#8221; between sensitive and non sensitive personal data, and the lack of correlation which can sometimes result between the categories of sensitive data and privacy risk.</li>
</ul>
<p>It is helpful that the ICO has shared its views with other potential respondents before the MoJ deadline, and reassuring that the regulator is alive to the practical business impacts and costs of the proposed changes.  Businesses may be less pleased by the ICO&#8217;s assertion that the new rules – once agreed at EU level – should have a shorter lead in time than the two years currently proposed (see page 2). The ICO&#8217;s argument is that DP rules are not new, and that many aspects of the proposals simply represent current best practice.</p>
<p>As we&#8217;ve said before, the Regulation has a long way to go before adoption.  But let&#8217;s hope that &#8211; if the ICO&#8217;s wish for a tight compliance deadline is heeded by the EU institutions &#8211; its various suggestions for moderation of the rules are taken on board too.</p>
<p>For those wishing to add their views to the Ministry of Justice&#8217;s consultation by next Tuesday, the link is <a href="https://consult.justice.gov.uk/digital-communications/data-protection-proposals-cfe">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.olswang.com/datonomy/2012/03/01/the-icos-reality-check-on-the-eu-reform-proposals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Air your views on the draft DP Regulation &#8211; by 6 March!</title>
		<link>http://blogs.olswang.com/datonomy/2012/02/10/air-your-views-on-the-draft-dp-regulation-by-6-march/</link>
		<comments>http://blogs.olswang.com/datonomy/2012/02/10/air-your-views-on-the-draft-dp-regulation-by-6-march/#comments</comments>
		<pubDate>Fri, 10 Feb 2012 14:01:06 +0000</pubDate>
		<dc:creator>Claire Walker</dc:creator>
				<category><![CDATA[Reform of EU DP law]]></category>
		<category><![CDATA[reform proposals]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.olswang.com/datonomy/?p=2217</guid>
		<description><![CDATA[Datonomy readers who wish to influence the detail of the EU&#8217;s reform proposals via the UK Government have until 6 March to do so.  The Ministry of Justice has this week issued a Call For Evidence to help inform its negotiating stance on the proposed Regulation.  The link to the document and to an online [...]]]></description>
			<content:encoded><![CDATA[<p>Datonomy readers who wish to influence the detail of the EU&#8217;s reform proposals via the UK Government have until 6 March to do so.  The Ministry of Justice has this week issued a Call For Evidence to help inform its negotiating stance on <a href="http://blogs.olswang.com/datonomy/2012/01/25/its-official-some-initial-reactions-to-the-draft-dp-regulation/">the proposed Regulation</a>.  The link to the document and to an online questionnaire is <a href="http://www.justice.gov.uk/consultations/data-protection-proposals-cfe.htm">here</a>.</p>
<p>Datonomy readers could be forgiven for having a sense of deja vu &#8211; the MoJ conducted a similar exercise in 2010 as part of  the lengthy consultation process which preceded the Commission&#8217;s formulation of the current proposal.  Of course, a new consultation exercise is necessary now that the &#8220;phoney war&#8221; is over and we are dealing with actual draft legislation  rather than a series of policy objectives and statements. </p>
<p>What line is the UK Government likely to take? The Secretary of State For Justice, Ken Clarke expressed a conservative (in both senses of the word) approach in this <a href="http://www.justice.gov.uk/downloads/about/moj/our-ministers-board/speeches/clarke-speech-data-protection-260511.doc">May 2011 speech</a>. He suggested that the reform of the EU data protection regime called for &#8220;<em>a good service or test on a well loved old car, rather than writing off the vehicle altogether and trying to buy a flashy but impractical new one</em>&#8221;.  The need for pragmatism is also repeated in the introduction to the new Call for Evidence.</p>
<p>Well, there are plenty of well loved &#8211; or at least familiar &#8211; principles in the new draft, many of these amplifying existing requirements and advancing  soft law and best practice approaches  into black letter law.  One suspects however that the Secretary (and others) might view many aspects of the draft Regulation as &#8220;flashy&#8221; and/or impractical. </p>
<p>One of Datonomy&#8217;s more data-sceptic colleagues (I won&#8217;t name names) has promised to eat his (or her) hat if a fine of 0.5% of global turnover is ever imposed on a data controller for responding late to a data subject access request &#8211; as is theoretically possible, if the Regulation were to be adopted in its current form. </p>
<p>Could Olswang&#8217;s offices be witness to hat-eating in, say, four or five years&#8217; time?  For all kinds of reasons, Datonomy hopes not.  The black letter law detail of the Regulation has many hurdles to cross first, and then there will be the small matter of regulatory enforcement policy.  The immediate milestone on the horizon, for  data sceptics and for data enthusiasts alike, is to make your views and concerns known to the UK Government by 6 March. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.olswang.com/datonomy/2012/02/10/air-your-views-on-the-draft-dp-regulation-by-6-march/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s official: some initial reactions to the draft DP Regulation</title>
		<link>http://blogs.olswang.com/datonomy/2012/01/25/its-official-some-initial-reactions-to-the-draft-dp-regulation/</link>
		<comments>http://blogs.olswang.com/datonomy/2012/01/25/its-official-some-initial-reactions-to-the-draft-dp-regulation/#comments</comments>
		<pubDate>Wed, 25 Jan 2012 17:22:48 +0000</pubDate>
		<dc:creator>Claire Walker</dc:creator>
				<category><![CDATA[EU data protection reform]]></category>
		<category><![CDATA[EU Legislation]]></category>
		<category><![CDATA[eu proposals]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[ICO]]></category>

		<guid isPermaLink="false">http://blogs.olswang.com/datonomy/?p=2209</guid>
		<description><![CDATA[So, the reports that we would not see the detail of the reforms until March proved unfounded. The official publication of the Commission&#8217;s DP reform proposals earlier today, exactly on schedule,  cannot have escaped the notice of Datonomy readers. (But just in case, the link to the package of new measures is here .) The centre [...]]]></description>
			<content:encoded><![CDATA[<p>So, the reports that we would not see the detail of the reforms until March proved unfounded. The official publication of the Commission&#8217;s DP reform proposals earlier today, exactly on schedule,  cannot have escaped the notice of Datonomy readers. (But just in case, the link to the package of new measures is <a href="http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm">here </a>.)</p>
<p>The centre of attention is the comprehensive <a href="http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf">Regulation</a>, weighing in at 139 Recitals and 91 Articles and a total of 118 pages (if you include the memo at the front and the impact statement at the back).</p>
<p>The Datonomy correspondents at Olswang have been busy all afternoon analysing the practical implications of the proposal, and their <a href="http://www.olswang.com/newsarticle.asp?sid=121&amp;aid=3669&amp;de=&amp;mid=">initial analysis for in house counsel </a>is now available.</p>
<p>The new regime will obviously have a major impact on data protection regulators too – the  initial reactions of the UK&#8217;s  regulator are <a href="http://www.ico.gov.uk/news/latest_news/2012/statement-initial-response-new-data-protection-regulation-proposals-25012012.aspx">here</a> on the ICO&#8217;s website.</p>
<p>Anyone who missed Vice President Reding&#8217;s press conference at lunchtime can <a href="http://ec.europa.eu/avservices/video/videoplayer.cfm?ref=82657">watch it </a>at their leisure.  Datonomy was delighted to see that the Vice President echoed the views in the  recent post by Christina Motejl that the strong new rules draw <a href="http://blogs.olswang.com/datonomy/2011/12/14/commissions-draft-regulation-on-data-protection-%e2%80%93-inspiration-from-germany/">inspiration from Germany</a>.</p>
<p>There will be no shortage of law firm and business commentary in the media over the hours and days to come – Datonomy looks forward to hearing the views and comments of its correspondents and readers (both in house and in private practice) from around the globe, and to some lively debate as the details of the proposals are evaluated in more depth &#8211; and at greater leisure.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.olswang.com/datonomy/2012/01/25/its-official-some-initial-reactions-to-the-draft-dp-regulation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DP reform package still on for 25 Jan,  despite delay rumours?</title>
		<link>http://blogs.olswang.com/datonomy/2012/01/18/dp-reform-package-still-on-for-25-jan-despite-delay-rumours/</link>
		<comments>http://blogs.olswang.com/datonomy/2012/01/18/dp-reform-package-still-on-for-25-jan-despite-delay-rumours/#comments</comments>
		<pubDate>Wed, 18 Jan 2012 10:57:03 +0000</pubDate>
		<dc:creator>Claire Walker</dc:creator>
				<category><![CDATA[Directive 95/46/EC]]></category>
		<category><![CDATA[EU Legislation]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[Reform of EU DP law]]></category>
		<category><![CDATA[United States]]></category>

		<guid isPermaLink="false">http://blogs.olswang.com/datonomy/?p=2203</guid>
		<description><![CDATA[If, like this Datonomist, you have been trying to make sense of the conflicting reports about delays &#8211; or otherwise &#8211; to publication of the draft DP Regulation, then this report just posted by Euractiv.com confidently predicts the publication of a &#8220;package&#8221; comprising a communication, a regulation, a directive and a technical report on the 25 [...]]]></description>
			<content:encoded><![CDATA[<p>If, like this Datonomist, you have been trying to make sense of the conflicting reports about delays &#8211; or otherwise &#8211; to publication of the draft DP Regulation, then <a href="http://www.euractiv.com/infosociety/commission-strife-risks-delaying-data-protection-overhaul-news-510203">this report</a> just posted by Euractiv.com confidently predicts the publication of a &#8220;package&#8221; comprising a communication, a regulation, a directive and a technical report on the 25 January &#8211; the date expected for formal publication, following the unofficial debut of an interservice text last month.</p>
<p>Datonomy is sure that its readers have already seen the various reports since last week, rumouring the possible delay and detailing the numerous objections from various Directorates General at the Commission which prompted it.   If not,  the Euractiv article provides  a useful snapshot of these, as does recent coverage on MLex.</p>
<p>Which report is right?  Who knows.  Datonomy is saving its energies for analysing the official draft of the proposal &#8211; whenever it may emerge!</p>
<p>The <a href="http://www.statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf">leaked proposal</a> for the new Regulation has also attracted criticism from the other side of the Atlantic – an &#8220;<a href="http://www.statewatch.org/news/2012/jan/eu-dp-usa-note.pdf">informal note</a>&#8221; detailing 9 pages of concerns (but &#8220;not necessarily represent[ing] the views of the FTC nor any other US governmental agency&#8221;) appears on the Statewatch site. Those specific (and non exhaustive) concerns, relating to matters within the remit of the FTC, follow two broad themes: potential adverse effect on interoperability of privacy frameworks, and implications for enforcement activities.</p>
<p>And, as Datonomy&#8217;s Berlin correspondent Christina Motejl <a href="http://blogs.olswang.com/datonomy/2012/01/17/eu-draft-data-protection-regulation-political-discussions-have-started-in-germany/">reported yesterday</a>, the draft proposal has attracted criticism from Germany by virtue of its form – a directly applicable regulation – on constitutional and political grounds.</p>
<p>Last but not least, the business lobby is already weighing up the potential impact of the regulation on day to day operations.  If the reports are to be believed, we can expect to see some toning down of certain  aspects of the leaked draft.   Additional red tape is never going to be welcome, but will the next draft have been  watered down enough to make it  palatable?</p>
<p>Datonomy looks forward to some concrete developments in the week ahead.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.olswang.com/datonomy/2012/01/18/dp-reform-package-still-on-for-25-jan-despite-delay-rumours/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EU draft data protection regulation: political discussions have started in Germany</title>
		<link>http://blogs.olswang.com/datonomy/2012/01/17/eu-draft-data-protection-regulation-political-discussions-have-started-in-germany/</link>
		<comments>http://blogs.olswang.com/datonomy/2012/01/17/eu-draft-data-protection-regulation-political-discussions-have-started-in-germany/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 10:30:54 +0000</pubDate>
		<dc:creator>Christina Motejl</dc:creator>
				<category><![CDATA[Directive 95/46/EC]]></category>
		<category><![CDATA[EU data protection reform]]></category>
		<category><![CDATA[EU Legislation]]></category>
		<category><![CDATA[EU powers]]></category>
		<category><![CDATA[eu proposals]]></category>
		<category><![CDATA[Germany]]></category>

		<guid isPermaLink="false">http://blogs.olswang.com/datonomy/?p=2194</guid>
		<description><![CDATA[The draft data protection regulation of the European Commission that had leaked in early December has been widely criticised by the German Minister of the Interior and a Federal Constitutional Court judge. The points of concern were not the new and mainly stricter rules of the draft regulation, but that the European Commission chose a regulation [...]]]></description>
			<content:encoded><![CDATA[<p>The draft data protection regulation of the European Commission that had leaked in early December has been widely criticised by the German Minister of the Interior and a Federal Constitutional Court judge. The points of concern were not the new and mainly stricter rules of the draft regulation, but that the European Commission chose a regulation instead of a directive.</p>
<p>First, <a href="http://www.bundesverfassungsgericht.de/richter/masing.html" target="_blank">Johannes Masing</a>, one of the sixteen judges of the Federal Constitutional Court in Karlsruhe, unmistakably warned about the new regulation in a newspaper article last Monday titled &#8220;Goodbye to fundamental rights&#8221;. Mr. Masing said that as a regulation was in fact a directly applicable law in every member state, national rights would be pushed aside. This would also be the case with regard to the fundamental rights of the Grundgesetz, the German constitution.</p>
<p>In Germany, data protection laws do not originate from the European Directive 95/46/EC or a simple law, but were &#8220;invented&#8221; by the Constitutional Court in a fundamental decision in the year 1983, in which the court derived personal data protection rights directly from the constitution. Therefore, all German courts apply data protection regulations also with regard to the fundamental rights guaranteed by the constitution.</p>
<p>As a consequence of data protection law being regulated in a regulation, national German courts could no longer decide on the interpretation of data protection law, but would need to present critical cases to the European Court of Justice (ECJ) being the only decisive authority on European law. Mr. Masing fears that this would lead to a decline of legal protection, as the ECJ was not a special human rights court and in charge of 27 member states. Furthermore, only courts and not individuals could present cases to the ECJ. By contrast, in Germany, subject to further requirements, every citizen can appeal to the Federal Constitutional Court if they feel that their basic rights are violated.</p>
<p>Judge Masing&#8217;s opinion is mainly shared by the Federal Minister of the Interior, <a href="http://www.hans-peter-friedrich.de/" target="_blank">Hans-Peter Friedrich</a>, who criticised in an <a title="Interview" href="http://www.tagesspiegel.de/politik/bundesinnenminister-guttenberg-muss-ueberlegen-wann-der-zeitpunkt-fuer-ein-comeback-ist/6067864-3.html" target="_blank">interview</a> on 15 January that a regulation would relocate further legal competences to the European Union. Despite this material criticism, both stressed that an increasingly harmonised data protection law would strengthen the internal market.</p>
<p>Judge Masing&#8217;s reaction is especially interesting, as constitutional court judges are generally more reserved when it comes to direct criticism of laws, especially European laws. Rumours say that Commissioner Viviane Reding&#8217;s ambitious draft is subject to highly controversial debates between the other members of the commission and that this may have been a reason why its text leaked more than six weeks prior to its official announcement. Therefore, the draft may not even be the final version that will be presented on 25 January.</p>
<p>This shows, however, that the discussion on the new regulation on data protection has just started. The regulation will be adopted, if at all, according to the ordinary legislative procedure pursuant to article 294 of the Treaty on the Functioning of the European Union. This means that both the Council of the European Union and the European Parliament have to approve the regulation in two or three readings. Normally, this procedure can take up to two and a half years – enough time for national governments and lobby groups to look for like-minded governments and politicians to push for legislative changes in the new data protection law&#8217;s form and content.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.olswang.com/datonomy/2012/01/17/eu-draft-data-protection-regulation-political-discussions-have-started-in-germany/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Commission&#8217;s Draft Regulation on Data Protection – Inspiration from Germany?</title>
		<link>http://blogs.olswang.com/datonomy/2011/12/14/commissions-draft-regulation-on-data-protection-%e2%80%93-inspiration-from-germany/</link>
		<comments>http://blogs.olswang.com/datonomy/2011/12/14/commissions-draft-regulation-on-data-protection-%e2%80%93-inspiration-from-germany/#comments</comments>
		<pubDate>Wed, 14 Dec 2011 15:47:52 +0000</pubDate>
		<dc:creator>Christina Motejl</dc:creator>
				<category><![CDATA[EU data protection reform]]></category>
		<category><![CDATA[EU Legislation]]></category>
		<category><![CDATA[eu proposals]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[Germany; address lists]]></category>

		<guid isPermaLink="false">http://blogs.olswang.com/datonomy/?p=2191</guid>
		<description><![CDATA[After a first read through of the leaked Commission proposal for a new data protection regulation (Draft Regulation) that was published by statewatch.org (it is not meant to be officially published until the end of January), I remembered a speech by Viviane Reding&#8217;s Chief of Cabinet who said that the Commissioner for Justice was very [...]]]></description>
			<content:encoded><![CDATA[<p>After a first read through of the leaked Commission proposal for a new data protection regulation (Draft Regulation) that was published by statewatch.org (it is not meant to be officially published until the end of January), I remembered a speech by Viviane Reding&#8217;s Chief of Cabinet who said that the Commissioner for Justice was very impressed by German data protection rules. This might help in explaining several provisions of the Draft Regulation.</p>
<p>Take for example the rules on data processing. After some scandals on data leakages at data processors, Germany tightened the requirements for the contract on data processing to cover several specific details of data security. Article 27 of the Draft Regulation takes up this idea and requires controller and processor to stipulate several rules and precautionary measures in their agreement, such as that the processor may only act on instructions from the controller and that its staff must have committed themselves to confidentiality. However, contrary to German law, the contract must not cover specific details on data security measures.</p>
<p>Another principle deriving from German data protection is Article 4 of the Draft Regulation, which says that personal data must be limited to the minimum necessary in relation to the purposes for which they are processed. This is almost the same as the principle of data reduction in sec. 3 a of the German Federal Data Protection Act. In comparison, Article 6 of the current Directive only required data processing not to be &#8220;excessive in relation to the purposes for which they are collected and/or further processed&#8221;.</p>
<p>Also the stricter requirements to consent to data processing seem to derive from German data protection law. Article 7 of the Draft Regulation provides amongst others that consent to data processing in a written declaration on another matter must be made distinguishable in its appearance, which is almost the same provision as in sec. 4 a of the German Federal Data Protection Act (BDSG). Also the data subject&#8217;s right to withdraw such consent at any time is an unwritten principle of German law, as well as the assumption that a consent is not freely given where there is a significant imbalance between the data subject and the controller.</p>
<p>The Draft Regulation also covers the use of personal data for direct marketing for commercial purposes and makes it subject to the data subject&#8217;s consent to such marketing (Article 5 para 2 Draft Regulation). This is even stricter than German data protection law, which provided an important exception for the requirement of a consent in allowing the use of personal data for advertising if the data was listed and contained only categories as name, occupation, title, address and year of birth and was obtained through a contract or a similar relation with the data subject or from public sources.</p>
<p>Therefore, reading the Draft Regulation as a German is an interesting déjà vu. The fact that the European Commission proposes a regulation to create a harmonised level of data protection will &#8211; if it is eventually adopted &#8211; certainly make the life of many companies easier, as the legal requirements were sometimes very different in several member states. However, the regulation contains quite strict and detailed rules. It remains to be seen if other member states will agree that the principles of countries with a stricter approach to data protection should be applied to the whole European Union.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.olswang.com/datonomy/2011/12/14/commissions-draft-regulation-on-data-protection-%e2%80%93-inspiration-from-germany/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UK cookie compliance: updated guidance and a &#8220;must do better&#8221; report</title>
		<link>http://blogs.olswang.com/datonomy/2011/12/13/uk-cookie-compliance-updated-guidance-and-a-must-do-better-report/</link>
		<comments>http://blogs.olswang.com/datonomy/2011/12/13/uk-cookie-compliance-updated-guidance-and-a-must-do-better-report/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 16:02:17 +0000</pubDate>
		<dc:creator>Claire Walker</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.olswang.com/datonomy/?p=2185</guid>
		<description><![CDATA[The ICO has today  published its promised &#8220;half term report&#8221; on organisations&#8217; compliance with the new cookie consent rules, along with updated practical guidance.   On third party cookies, which the ICO acknowledges is &#8220;one of the most challenging areas&#8221; for compliance, the ICO states that it is still working with industry and other DP regulators to [...]]]></description>
			<content:encoded><![CDATA[<p>The ICO has today  published its promised &#8220;<a href="http://www.ico.gov.uk/news/blog/2011/half-term-report-on-cookies-compliance.aspx">half term report</a>&#8221; on organisations&#8217; compliance with the new cookie consent rules, along with updated practical guidance.   On third party cookies, which the ICO acknowledges is &#8220;one of the most challenging areas&#8221; for compliance, the ICO states that it is still working with industry and other DP regulators to find the right answers on this complex issue.</p>
<p><a href="http://www.ico.gov.uk/news/latest_news/2011/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx">The new version of the guidance</a> replaces and expands on the 10 page version published back in May. As well as providing more practical illustrations of the various possible consent options (pop ups, footer bars, terms and conditions, settings led and feature led consent), it sets out the ICO&#8217;s likely enforcement stance when the &#8220;amnesty&#8221; period ends in May 2012.</p>
<p>In line with the ICO&#8217;s Regulatory Action Strategy,  any formal action taken for cookie breaches would need to be proportionate &#8211; but the tone of the guidance and the half term report is very much that of a school master who is running out of patience:  there are pockets of good practice and transparency &#8211; but many businesses &#8220;must try harder&#8221; to get compliant in time for May 2012.</p>
<p>Datonomy confesses that it was somewhat distracted by last week&#8217;s  news about the unofficial publication of a draft of the <a href="http://blogs.olswang.com/datonomy/2011/12/08/consultation-draft-of-new-dp-regulation-leaked/">new General Data Protection Regulation</a>, but will now turn  its attention to matters of current, rather than future, law and will review the latest cookie guidance in more depth.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.olswang.com/datonomy/2011/12/13/uk-cookie-compliance-updated-guidance-and-a-must-do-better-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Consultation draft of new DP Regulation published?</title>
		<link>http://blogs.olswang.com/datonomy/2011/12/08/consultation-draft-of-new-dp-regulation-leaked/</link>
		<comments>http://blogs.olswang.com/datonomy/2011/12/08/consultation-draft-of-new-dp-regulation-leaked/#comments</comments>
		<pubDate>Thu, 08 Dec 2011 10:26:55 +0000</pubDate>
		<dc:creator>Claire Walker</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.olswang.com/datonomy/?p=2179</guid>
		<description><![CDATA[The Statewatch website has published what appears to be a draft of the Proposal for a Regulation to replace the current Data Protection Directive.  The   draft for the proposal is still at the inter-service consultation stage, i.e. doing the rounds of the different DGs with a potential interest in the proposal.  So, the final draft [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.statewatch.org/">Statewatch</a> website has published what appears to be a draft of the Proposal for a Regulation to replace the current Data Protection Directive.  The   draft for the proposal is still at the inter-service consultation stage, i.e. doing the rounds of the different DGs with a potential interest in the proposal.  So, the final draft of the proposal (not due to make its official appearance until January)  might differ from the version currently on the Statewatch site &#8211; and of course, assuming this version is authentic&#8230;.</p>
<p>However, with those caveats in mind, following the <a href="http://blogs.olswang.com/datonomy/2011/12/05/ft-gets-a-sneak-preview-of-the-new-draft-dp-directive/">FT&#8217;s teaser </a>at the weekend, those eager for a preview of the content may not be able to resist taking a look.  There are 116 pages to trawl through, but notably:</p>
<ul>
<li>the proposal is for a Regulation, not a Directive, therefore directly applicable in and binding on Member States</li>
<li>for proposals on sanctions, see Chapter 8 (and for fines in particular, Article 79 (4) on page 89)</li>
<li>the rules on the hot topic of data security and breach notification are contained in Section 2.</li>
</ul>
<p>Datonomy is grateful to one of its eagle-eyed correspondents for spotting the document  on Statewatch.  We will continue to track the progress of the new Regulation and  its potential implications, and we look forward to Datonomy readers&#8217; views too.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.olswang.com/datonomy/2011/12/08/consultation-draft-of-new-dp-regulation-leaked/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

