Heads Up for Privacy, Data Protection and Cybersecurity in 2014
The new year will ring in significant privacy, data protection and cybersecurity changes in the U.S., Europe, Asia and elsewhere around the world. Below are some key developments and possible concrete action items for General Counsels, Chief Privacy Officers and Chief Information Officers:
European Commission makes recommendations to strengthen Safe Harbor
The European Commission has released a comprehensive package of communications, reports and papers that set out actions which the Commission believes can restore trust in transatlantic data flows between the European Union and the United States following recent concerns over access to data by intelligence agencies.
European Parliament votes on new EU Data Protection Regulation
The European Parliament’s Civil Liberties Committee (the “LIBE Committee”) has after several delays finally voted on the European Commission’s proposed EU Data Protection Regulation and adopted all amendments. The LIBE Committee also approved a mandate to start negotiations with the Council of Ministers (which represents EU Member States) and the Commission – the so called trilogue process. The Regulation was published by the European Commission in January 2012 and has been described as the most lobbied piece of European legislation in history receiving over 4,000 amendments in opinions from other Committees in the European Parliament as well as from numerous industries.
The UK Data Protection Authority issues a Code of practice on anonymization
In November 2012, the UK Information Commissioner’s Office (ICO) published a Code of Practice on managing data protection risks related to anonymization. This Code provides a framework for organisations considering using anonymization and explains what it expects from organisations using such processors.
One of the benefits of anonymization is that the onerous data protection obligations under EU data protection laws, including the UK’s Data Protection Act 1998, will not apply to data rendered anonymous such that individuals are no longer identifiable.
Business Concern over Amendments to Proposed EU Data Protection Regulation
The European Parliament’s Civil Liberties Committee has published its draft report on the proposed EU Data Protection Regulation that is causing concern for many corporations. http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf.
The report sets out amendments to the draft EU data protection regulation published by the European Commission last January (the “Regulation”)
http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.
Despite being one of the most lobbied pieces of European legislation, many will be disappointed that as amended the draft Regulation still imposes very significant burdens on businesses that are in the EU, or which are outside the EU but offer goods or services to EU customers, with fines of up to 2% of annual worldwide turnover.
EU Data Protection Authorities approve use of Binding Corporate Rules for Processors
The European data protection authorities (DPAs), represented by the Article 29 Working Party, have launched a Binding Corporate Rules (BCRs) regime for processors. Processors can implement these BCRs from 1 January 2013. BCRs are internal codes of conduct that are legally enforceable for data protection and security and, once approved by DPAs, provide a legal basis for transfer of personal data from the EU.
EU Website Cookie Consent Requirements Now Being Enforced
The deadline of 26 May 2012 for businesses to comply with new EU website cookie consent requirements in the UK has now passed. Under the EU’s amended e-Privacy Directive 2002/58/EC new rules were introduced last year for businesses to obtain the consent of website users to place cookies on a user’s computer. Although EU Member States were required to implement the consent requirements by 25 May 2011, the UK’s Information Commissioner’s Office (“ICO”) gave businesses a 12 month grace period to become compliant with the new law which ended on 26 May 2012. Many other EU Member States have still to implement the cookie consent requirements with only 20 of the 27 Member States having so far implemented the requirements into their national laws.1
The New EU Data Protection Regulation: What will the Impact be on the Life Sciences Industry?
Scrip Regulatory Affairs
The EU Data Protection Regulation proposed by the European Commission in January will – if adopted in its current form – require pharmaceutical and medical device companies to adopt a new approach to data processing and data protection.
This article was published in the March 2012 issue of Scrip Regulatory Affairs.
New EU Data Protection Regulation Announced
The official proposal for an EU Regulation on Data Protection was released in Brussels on Wednesday 25 January 2012 (the “Regulation”). The Regulation, which will replace the existing EU data protection regime, will have a significant impact on almost every business either established in the EU or that has EU customers. The proposed Regulation will now be discussed in detail over the next few months as it goes through the European legislative process and is set to be adopted in 2014. The main implications of the proposed Regulation are summarised below.
First Look: Leaked Draft of New EU Data Protection Regulation Suggests Significant Impacts for Global Businesses
A draft of a new EU Regulation on Data Protection to replace the existing EU Data Protection Directive was released un-officially earlier this week. The draft Regulation once adopted will have a significant impact on virtually all businesses established in the EU, or who carry on business with the EU, introducing significant internal compliance requirements and fines that range up to 5% of worldwide turnover.
In an article published by the Bureau of National Affairs, John Casanova and William Long of the London office of Sidley Austin and Alan Raul and Ed McNicholas of the Sidley Washington office provide their initial analysis of this significant new EU development. For further information on this development and other EU data protection requirements please contact John Casanova or William Long and for counseling in relation to US privacy issues please contact Alan Raul.
Reproduced with permission from Privacy & Security Law Report, Vol. 10 PVLR No. 48, 12/12/2011. Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com