New legislation out of Hartford means that Connecticut joins Massachusetts in imposing strict state requirements for data protection. S.B. 949. Additionally, the new law amends Connecticut’s data breach notification law, making Connecticut the first in the nation to affirmatively require entities that experience a reportable data breach to offer free credit monitoring to residents affected by the breach. The legislation further imposes significant new requirements on health insurers, as well as contractors that receive confidential information from state agencies, to maintain minimum data security protections. While health insurers have until 2017 to come into full compliance, the requirements for state contractors are effective as of July 1, 2015.
Following the adoption of the EU Data Protection Regulation by the Council of Ministers last week, today saw the first meeting of the European Commission, European Parliament and Council of Ministers under what is known as the trilogue process, with the aim of negotiating the final wording of the Regulation.
More than three years after the initial proposal for the EU Data Protection Regulation was published by the European Commission, it has been agreed by Europe’s Council of Ministers. The negotiations will now start between the commission, the European Parliament and the Council, in what is known as the “Trilogue” process, to agree the final text of the regulation, which is widely expected to be adopted by the end of 2015 or early 2016. The regulation, once adopted, will have a significant impact not only on EU companies but also on U.S. and other international companies that conduct business in the EU.
Cyberthreat Sharing Bills Gain Momentum. On March 12, the Senate Intelligence Committee approved the Cybersecurity Information Sharing Act of 2015 (“CISA”) to increase sharing of cybersecurity threat information by U.S. companies on a vote of 14-1. The legislation grants liability protections for companies that voluntarily share cybersecurity threat information with the government or industry partners. The measure should be scheduled for a vote on the Senate floor shortly.
During the opening session of any new Congress, the House of Representatives sets the rules that will govern hearings, floor proceedings and debate. Typically, rule changes are minor. This year, the House quietly made one important change that could significantly affect institutions that are subject to government inquiries.
The European Parliament has voted in a plenary session on March 12, 2014 to fully endorse the draft EU Data Protection Regulation (the Regulation) and the draft EU resolution calling for the immediate suspension of Safe Harbor (the Resolution), both of which were adopted previously by the European Parliament’s Civil Liberties Committee (the LIBE Committee).
According to the European Commission’s press release “today’s plenary vote means the position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May.”
On December 26, 2013, Singapore’s Personal Data Protection Commission (the “Commission”) issued advisory guidelines on the “Do Not Call” Provisions (“DNC Guidelines”) of the Personal Data Protection Act 2012 (Act 26 of 2012) (“the Act”). The DNC Guidelines supplement the Commission’s earlier issued Advisory Guidelines1 on the Act. The DNC Provisions came fully into effect on January 2, 2014, and the DNC Guidelines serve to illustrate particular aspects of the DNC Provisions, though “they are not meant to exhaustively address every obligation in the Act.”2
The European Parliament’s Civil Liberties Committee (the “LIBE Committee”) has after several delays finally voted on the European Commission’s proposed EU Data Protection Regulation and adopted all amendments. The LIBE Committee also approved a mandate to start negotiations with the Council of Ministers (which represents EU Member States) and the Commission – the so called trilogue process. The Regulation was published by the European Commission in January 20121 and has been described as the most lobbied piece of European legislation in history receiving over 4,000 amendments in opinions from other Committees in the European Parliament as well as from numerous industries.
The Council of Ministers has also been very active and a compromise text containing amendments to the Proposed Regulation was published in June 2013. The LIBE Committee have during its vote urged the Council to finalize its position quickly. The race is now on to see if the European Commission, the European Parliament and Council of Ministers can agree the text of the proposed Regulation before the European Parliamentary elections in May of next year. The Proposed Regulation once adopted will have a significant impact on governments, businesses and individuals for the rest of this decade and beyond. Based on the latest amendments of the LIBE Committee the main elements of the proposed Regulation are summarized below.
In a surprise move the amount of the maximum fines for non compliance with the proposed Regulation has been dramatically increased, from the Commission’s proposed 2% of annual worldwide turnover, to 5% with an ability for individuals and any association, acting in the public interest, to bring claims for non compliance.
Scope of Regulation
The Regulation will apply to the processing of personal data in the context of the activities of a data controller or a processor in the EU and to a controller or processor not established in the EU, where the processing activities are related to (a) the offering of goods or services to EU citizens; or (b) the monitoring of such individuals. This means that most non EU companies that have EU customers will need to comply with the proposed Regulation once implemented.
One Stop Shop
The latest amendments provide for a new regulatory “one stop shop” so where a company operates in several EU countries the DPA where it is established will be the lead DPA which must consult with other DPAs before taking action which can be decided upon by the European Data Protection Board in the case of a dispute between DPAs.
Significantly for online companies under the Regulation, every individual will now have a general right to object to profiling. In addition, the Regulation imposes a new requirement to inform individuals about the right to object to profiling in a “highly visible manner”. Profiling which does significantly affect the interests of an individual can only be carried out under limited circumstances such as with the individual’s consent and should not be automated but involve human assessment. These provisions if adopted could have a major impact on how online companies market their products and services.
Consent for processing personal data should be explicit with affirmative action required under the proposed Regulation. So the mere use of a service will not amount to consent. According to the proposal it should also be as easy to withdraw consent as to give it with consent being invalid where given for unspecified data processing. Processing data on children under 13 also requires the consent of the parent or legal guardian. The LIBE Committee also clarified that companies cannot make the execution of a contract or a provision of a service conditional upon the receipt of consent from users to process their data.
Standardized Information Policies
The proposed Regulation requires that certain standardized information should be provided to individuals in the form of symbols or icons similar to those used in the food industry. Individuals should also be informed about how their personal data will be processed and their rights of access to data, rectification and erasure of data and of the right to object to profiling as well as to lodge a complaint with a Data Protection Authority (“DPA”) and to bring legal proceedings.
Right of Erasure
In the latest amendments the “Right to be Forgotten” has been replaced by a “Right of Erasure” giving individuals a right to have their personal data erased where the data is no longer necessary or where they withdraw consent although certain exemptions also apply, such as where data is required for scientific research or for compliance with a legal obligation of EU law.
Controllers will be required to adopt all reasonable steps to implement compliance procedures and policies that respect the choices of individuals which should be reviewed every 2 years. Importantly, controllers will need to implement privacy by design throughout the lifecycle of processing from collection of the data to its deletion. In addition, businesses will need to keep detailed documentation of the data being processed and carry out a privacy impact assessment where the processing presents specific risks such as use of health data or where the data involves more than 5,000 individuals with the assessment being reviewed every two years.
Data Protection Officers
Businesses with data on more than 5,000 people in any 12 month period or that process sensitive data, such as health data, will also need to appoint a data protection officer who should have extensive knowledge of data protection and who does not necessarily need to be an employee.
Security and Security Breaches
The controller and the processor will need to implement appropriate technical and organizational security measures. The proposal also requires that security policies contain a number of elements including, for example, a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness. In addition, security breaches will need to be notified to DPAs without undue delay.
In addition to Binding Corporate Rules and other data transfer solutions a new method allowing for international data transfers of personal data from the EU includes use of a “European Data Protection Seal” awarded by European DPAs for businesses and recipients that are audited for compliance with the Regulation. The latest amendments also re-introduce an important provision requiring that any requests for access to personal data by foreign authorities or courts outside the EU must be authorized by a DPA.
The Regulation also has important provisions relating to use of health data including that processing of personal data for scientific research is only permitted with consent subject to exceptions by Member States where the scientific research serves a high public interest with the data either anonymized or pseudonymized under the highest technical standards with measures to prevent re-identification of individuals.
The proposed Regulation reflects the growing concern that governments, regulators and society has to data protection and privacy issues and should continue to be closely monitored as it moves closer to adoption which could take place over the next few months.
1 See our previous update: http://www.sidley.com/Business-Concern-over-Amendments-to-Proposed-EU-Data-Protection-Regulation-01-15-2013.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.
The official proposal for an EU Regulation on Data Protection was released in Brussels on Wednesday 25 January 2012 (the “Regulation”). The Regulation, which will replace the existing EU data protection regime, will have a significant impact on almost every business either established in the EU or that has EU customers. The proposed Regulation will now be discussed in detail over the next few months as it goes through the European legislative process and is set to be adopted in 2014. The main implications of the proposed Regulation are summarised below.
- Greater Enforcement – fines can be imposed of up to 2% of the annual worldwide turnover of a business for failure to comply with the proposed Regulation. In addition, supervisory authorities will be able to impose a temporary or definitive ban on processing personal data, enter premises and suspend data flows to a recipient in a third country or to an international organisation.
- Class Actions – any organisation which aims to protect the data protection rights of individuals, such as consumer organisations, can make complaints to supervisory authorities and bring class actions on behalf of individuals for non-compliance, even without the consent of those affected.
- Application to Non European Businesses – the proposed Regulation will apply to businesses established in the EU and importantly to non-European businesses that process personal data of individuals residing in the EU where the processing activities are related to offering goods or services to such individuals or the monitoring of their behaviour.
- Accountability – businesses will be required to adopt policies and implement measures to demonstrate compliance with the requirements in the proposed Regulation. This will include keeping a detailed record of all forms of data processing and carrying out data protection impact assessments. This will lead to significant compliance costs for affected businesses. Privacy by design measures must also be implemented to ensure, for example, that data is not collected or retained beyond the minimum necessary.
- Data Protection Impact Assessments – the proposed Regulation introduces a new requirement for impact assessments to be conducted where the processing is likely to present specific risks, such as the processing of health data. As part of the assessment the views of the individuals whose data are being processed need to be obtained.
- Data Protection Notifications – while the requirement in some EU Member States for data controllers to notify their Data Protection Authority in respect of their data processing activities will be abolished, businesses will be required to consult the relevant supervisory authority prior to the processing of personal data where a data protection impact assessment is required. Where the supervisory authority considers that the assessment insufficiently identifies or mitigates risks it can prohibit the intended processing. Where a data controller or processor is established in more than one EU Member State then the competent authority is where the controller or processor has its main establishment.
- Information Security – the proposed Regulation requires data controllers and processors to implement appropriate technical and organisational security measures after having carried out an evaluation of data privacy risks. Moreover, data security breaches will have to be notified to the relevant supervisory authority without undue delay and “where feasible” no later than 24 hours after having become aware of it. The proposed Regulation specifies that when the breach notification is not made within 24 hours a reasoned justification must be provided to the relevant supervisory authority. The breach will have to be communicated to the individual without undue delay when the breach is likely to adversely affect the protection of the personal data or the privacy of the individual.
- Consent – the proposed Regulation places the legal burden on the data controller to prove that the individual has given consent and gives an individual a right to withdraw their consent at any time. The Regulation also significantly restricts reliance on consent “where there is a significant imbalance between the position of the data subject and the controller.”
- Data Protection Officers – businesses with over 250 employees will be required to appoint a data protection officer who will have to have “expert knowledge” of data protection law and practices. The appointment which must be for a term of at least two years should be notified to the relevant supervisory authority and the public. The proposed Regulation also provides that businesses may appoint a single data protection officer for a corporate group.
- Increased Rights of Individuals – businesses must have transparent and easily accessible data protection policies and provide information using clear and plain language. An individual also has a right to correct his or her personal data and, importantly for social media, a right to data portability (i.e. to transfer his or her personal data to another provider) and will have a right to be forgotten (i.e. to have his or her personal data erased) which will be complex to apply in practice.
- Transfer of Personal Data from the EU – the proposed Regulation maintains the restriction under the current Data Protection Directive of transferring personal data to countries outside the EU that are not considered to provide an adequate level of protection including the United States. The Regulation provides that one of the main solutions to permit such international transfers is the adoption of Binding Corporate Rules, which are a set of data protection rules adopted by an international corporate group that meet EU requirements and must be approved by a lead supervisory authority. Significantly, the proposal confirms that that specific sectors of a country could be deemed adequate – perhaps paving the way for recognition of the United States health, communications and financial sectors.
The proposed Regulation will certainly be subject to lengthy discussion and revision by the Council of Ministers and the European Parliament before it is finally adopted and becomes law. However, it is clear that whatever the final form of the Regulation it will have a significant impact on businesses worldwide, increase compliance costs and enforcement actions and will therefore require a new approach to data protection.
If you have any questions regarding this update, please contact:
+44 20 7360 3739
+44 20 7360 2061
+1 (202) 736 8010
+1 (202) 736 8477
This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.
Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results do not guarantee a similar outcome.
A draft of a new EU Regulation on Data Protection to replace the existing EU Data Protection Directive was released un-officially earlier this week. The draft Regulation once adopted will have a significant impact on virtually all businesses established in the EU, or who carry on business with the EU, introducing significant internal compliance requirements and fines that range up to 5% of worldwide turnover.
In an article published by the Bureau of National Affairs, John Casanova and William Long of the London office of Sidley Austin and Alan Raul and Ed McNicholas of the Sidley Washington office provide their initial analysis of this significant new EU development. For further information on this development and other EU data protection requirements please contact John Casanova or William Long and for counseling in relation to US privacy issues please contact Alan Raul or Ed McNicholas.
Reproduced with permission from Privacy & Security Law Report, Vol. 10 PVLR No. 48, 12/12/2011. Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com