On February 12, the White House released the widely anticipated Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). Developed pursuant to Executive Order 13636 (issued in February 2013), the Framework strongly encourages companies across the financial, communications, chemical, transportation, healthcare, energy, water, defense, food, agriculture, and other critical infrastructure sectors to implement and comply with its voluntary standards. The provisions set forth in the Framework may establish a new baseline for industry standard practices, and may impact or guide FTC enforcement actions and plaintiff data breach lawsuits.
The European Parliament’s Civil Liberties Committee (the “LIBE Committee”) has after several delays finally voted on the European Commission’s proposed EU Data Protection Regulation and adopted all amendments. The LIBE Committee also approved a mandate to start negotiations with the Council of Ministers (which represents EU Member States) and the Commission – the so called trilogue process. The Regulation was published by the European Commission in January 2012 and has been described as the most lobbied piece of European legislation in history receiving over 4,000 amendments in opinions from other Committees in the European Parliament as well as from numerous industries.
The Council of Ministers has also been very active and a compromise text containing amendments to the Proposed Regulation was published in June 2013. The LIBE Committee have during its vote urged the Council to finalize its position quickly. The race is now on to see if the European Commission, the European Parliament and Council of Ministers can agree the text of the proposed Regulation before the European Parliamentary elections in May of next year. The Proposed Regulation once adopted will have a significant impact on governments, businesses and individuals for the rest of this decade and beyond. Based on the latest amendments of the LIBE Committee the main elements of the proposed Regulation are summarized below.
In a surprise move the amount of the maximum fines for non compliance with the proposed Regulation has been dramatically increased, from the Commission’s proposed 2% of annual worldwide turnover, to 5% with an ability for individuals and any association, acting in the public interest, to bring claims for non compliance.
Scope of Regulation
The Regulation will apply to the processing of personal data in the context of the activities of a data controller or a processor in the EU and to a controller or processor not established in the EU, where the processing activities are related to (a) the offering of goods or services to EU citizens; or (b) the monitoring of such individuals. This means that most non EU companies that have EU customers will need to comply with the proposed Regulation once implemented.
One Stop Shop
The latest amendments provide for a new regulatory “one stop shop” so where a company operates in several EU countries the DPA where it is established will be the lead DPA which must consult with other DPAs before taking action which can be decided upon by the European Data Protection Board in the case of a dispute between DPAs.
Significantly for online companies under the Regulation, every individual will now have a general right to object to profiling. In addition, the Regulation imposes a new requirement to inform individuals about the right to object to profiling in a “highly visible manner”. Profiling which does significantly affect the interests of an individual can only be carried out under limited circumstances such as with the individual’s consent and should not be automated but involve human assessment. These provisions if adopted could have a major impact on how online companies market their products and services.
Consent for processing personal data should be explicit with affirmative action required under the proposed Regulation. So the mere use of a service will not amount to consent. According to the proposal it should also be as easy to withdraw consent as to give it with consent being invalid where given for unspecified data processing. Processing data on children under 13 also requires the consent of the parent or legal guardian. The LIBE Committee also clarified that companies cannot make the execution of a contract or a provision of a service conditional upon the receipt of consent from users to process their data.
Standardized Information Policies
The proposed Regulation requires that certain standardized information should be provided to individuals in the form of symbols or icons similar to those used in the food industry. Individuals should also be informed about how their personal data will be processed and their rights of access to data, rectification and erasure of data and of the right to object to profiling as well as to lodge a complaint with a Data Protection Authority (“DPA”) and to bring legal proceedings.
Right of Erasure
In the latest amendments the “Right to be Forgotten” has been replaced by a “Right of Erasure” giving individuals a right to have their personal data erased where the data is no longer necessary or where they withdraw consent although certain exemptions also apply, such as where data is required for scientific research or for compliance with a legal obligation of EU law.
Controllers will be required to adopt all reasonable steps to implement compliance procedures and policies that respect the choices of individuals which should be reviewed every 2 years. Importantly, controllers will need to implement privacy by design throughout the lifecycle of processing from collection of the data to its deletion. In addition, businesses will need to keep detailed documentation of the data being processed and carry out a privacy impact assessment where the processing presents specific risks such as use of health data or where the data involves more than 5,000 individuals with the assessment being reviewed every two years.
Data Protection Officers
Businesses with data on more than 5,000 people in any 12 month period or that process sensitive data, such as health data, will also need to appoint a data protection officer who should have extensive knowledge of data protection and who does not necessarily need to be an employee.
Security and Security Breaches
The controller and the processor will need to implement appropriate technical and organizational security measures. The proposal also requires that security policies contain a number of elements including, for example, a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness. In addition, security breaches will need to be notified to DPAs without undue delay.
In addition to Binding Corporate Rules and other data transfer solutions a new method allowing for international data transfers of personal data from the EU includes use of a “European Data Protection Seal” awarded by European DPAs for businesses and recipients that are audited for compliance with the Regulation. The latest amendments also re-introduce an important provision requiring that any requests for access to personal data by foreign authorities or courts outside the EU must be authorized by a DPA.
The Regulation also has important provisions relating to use of health data including that processing of personal data for scientific research is only permitted with consent subject to exceptions by Member States where the scientific research serves a high public interest with the data either anonymized or pseudonymized under the highest technical standards with measures to prevent re-identification of individuals.
The proposed Regulation reflects the growing concern that governments, regulators and society has to data protection and privacy issues and should continue to be closely monitored as it moves closer to adoption which could take place over the next few months.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.
The recent release of new guidelines on responding to computer security breaches offer important guidance for all companies with valuable electronic information. On October 10, 2003, the Office of Privacy Protection within the State of California’s Department of Consumer Affairs issued its “Recommended Practices on Notification of Security Breach Involving Personal Information.” The Office of Privacy Protection is tasked with recommending policies and practices that protect California consumers’ privacy.