Category

General

01 November 2014

The Privacy, Data Protection and Cybersecurity Law Review

The first edition of The Privacy, Data Protection and Cybersecurity Law Review appears at a time of extraordinary policy change and practical challenge for this field of law and regulation. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication.

Editor’s Preface, Alan Charles Raul

  • Chapter 1, “European Union Overview,” William Long, Geraldine Scali and Alan Charles Raul
  • Chapter 2, “APEC Overview,” Catherine Valerio Barrad and Alan Charles Raul
  • Chapter 9, “Hong Kong,” Yuet Ming Tham and Joanne Mok
  • Chapter 12, “Japan,” Takahiro Nonaka
  • Chapter 16, “Singapore,” Yuet Ming Tham, Ijin Tan and Teena Zhang
  • Chapter 20, “United Kingdom,” William Long and Geraldine Scali
  • Chapter 21, “United States,” Alan Charles Raul, Tasha D Manoranjan and Vivek Mohan
EmailShare
20 May 2014

European Court of Justice Finds ‘Right to be Forgotten’ and Compels Google to Remove Links to Lawful Information

A recent judgment of the highest court in the European Union announced that search engines within the court’s jurisdiction must respond to “right to be forgotten” requests. This authoritative interpretation of the existing data protection laws may create significant issues for Internet intermediaries and exacerbate the differences between the European privacy-based “right to be forgotten” and the United States’ free-speech based “right to remember.” This judgment will have a significant impact not only on search engine companies and publishers, but also on many other industries, including financial services and life sciences, that need to maintain data on individuals for legitimate business reasons, often for lengthy periods.

(more…)

EmailShare
17 March 2014

European Parliament Votes to Approve New EU Data Protection Regulation and Immediate Suspension of Safe Harbor

The European Parliament has voted in a plenary session on March 12, 2014 to fully endorse the draft EU Data Protection Regulation (the Regulation) and the draft EU resolution calling for the immediate suspension of Safe Harbor (the Resolution), both of which were adopted previously by the European Parliament’s Civil Liberties Committee (the LIBE Committee).

According to the European Commission’s press release “today’s plenary vote means the position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May.”

(more…)

EmailShare
13 February 2014

White House Releases NIST Cybersecurity Framework

On February 12, the White House released the widely anticipated Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). Developed pursuant to Executive Order 13636 (issued in February 2013), the Framework strongly encourages companies across the financial, communications, chemical, transportation, healthcare, energy, water, defense, food, agriculture, and other critical infrastructure sectors to implement and comply with its voluntary standards. The provisions set forth in the Framework may establish a new baseline for industry standard practices, and may impact or guide FTC enforcement actions and plaintiff data breach lawsuits.

(more…)

EmailShare
10 January 2014

European Parliament’s Civil Liberties Committee Report calls for immediate suspension of Safe Harbor

A draft report by the European Parliament’s Civil Liberties Committee (the LIBE Committee) indicates that it is attempting to fundamentally alter the existing compliance mechanisms for transferring personal data from Europe. The recently leaked draft is dated December 23, 2013 and expresses the LIBE Committee’s response to the U.S. NSA surveillance programs, surveillance in various EU Member States and the impact on EU citizen’s fundamental rights and on transatlantic cooperation (the Report).

(more…)

EmailShare
22 October 2013

European Parliament votes on new EU Data Protection Regulation

The European Parliament’s Civil Liberties Committee (the “LIBE Committee”) has after several delays finally voted on the European Commission’s proposed EU Data Protection Regulation and adopted all amendments. The LIBE Committee also approved a mandate to start negotiations with the Council of Ministers (which represents EU Member States) and the Commission – the so called trilogue process. The Regulation was published by the European Commission in January 2012 and has been described as the most lobbied piece of European legislation in history receiving over 4,000 amendments in opinions from other Committees in the European Parliament as well as from numerous industries.

The Council of Ministers has also been very active and a compromise text containing amendments to the Proposed Regulation was published in June 2013. The LIBE Committee have during its vote urged the Council to finalize its position quickly. The race is now on to see if the European Commission, the European Parliament and Council of Ministers can agree the text of the proposed Regulation before the European Parliamentary elections in May of next year. The Proposed Regulation once adopted will have a significant impact on governments, businesses and individuals for the rest of this decade and beyond. Based on the latest amendments of the LIBE Committee the main elements of the proposed Regulation are summarized below.

Enforcement

In a surprise move the amount of the maximum fines for non compliance with the proposed Regulation has been dramatically increased, from the Commission’s proposed 2% of annual worldwide turnover, to 5% with an ability for individuals and any association, acting in the public interest, to bring claims for non compliance.

Scope of Regulation

The Regulation will apply to the processing of personal data in the context of the activities of a data controller or a processor in the EU and to a controller or processor not established in the EU, where the processing activities are related to (a) the offering of goods or services to EU citizens; or (b) the monitoring of such individuals. This means that most non EU companies that have EU customers will need to comply with the proposed Regulation once implemented.

One Stop Shop

The latest amendments provide for a new regulatory “one stop shop” so where a company operates in several EU countries the DPA where it is established will be the lead DPA which must consult with other DPAs before taking action which can be decided upon by the European Data Protection Board in the case of a dispute between DPAs.

Profiling

Significantly for online companies under the Regulation, every individual will now have a general right to object to profiling. In addition, the Regulation imposes a new requirement to inform individuals about the right to object to profiling in a “highly visible manner”. Profiling which does significantly affect the interests of an individual can only be carried out under limited circumstances such as with the individual’s consent and should not be automated but involve human assessment. These provisions if adopted could have a major impact on how online companies market their products and services.

Explicit Consent

Consent for processing personal data should be explicit with affirmative action required under the proposed Regulation. So the mere use of a service will not amount to consent. According to the proposal it should also be as easy to withdraw consent as to give it with consent being invalid where given for unspecified data processing. Processing data on children under 13 also requires the consent of the parent or legal guardian. The LIBE Committee also clarified that companies cannot make the execution of a contract or a provision of a service conditional upon the receipt of consent from users to process their data.

Standardized Information Policies

The proposed Regulation requires that certain standardized information should be provided to individuals in the form of symbols or icons similar to those used in the food industry. Individuals should also be informed about how their personal data will be processed and their rights of access to data, rectification and erasure of data and of the right to object to profiling as well as to lodge a complaint with a Data Protection Authority (“DPA”) and to bring legal proceedings.

Right of Erasure

In the latest amendments the “Right to be Forgotten” has been replaced by a “Right of Erasure” giving individuals a right to have their personal data erased where the data is no longer necessary or where they withdraw consent although certain exemptions also apply, such as where data is required for scientific research or for compliance with a legal obligation of EU law.

Accountability

Controllers will be required to adopt all reasonable steps to implement compliance procedures and policies that respect the choices of individuals which should be reviewed every 2 years. Importantly, controllers will need to implement privacy by design throughout the lifecycle of processing from collection of the data to its deletion. In addition, businesses will need to keep detailed documentation of the data being processed and carry out a privacy impact assessment where the processing presents specific risks such as use of health data or where the data involves more than 5,000 individuals with the assessment being reviewed every two years.

Data Protection Officers

Businesses with data on more than 5,000 people in any 12 month period or that process sensitive data, such as health data, will also need to appoint a data protection officer who should have extensive knowledge of data protection and who does not necessarily need to be an employee.

Security and Security Breaches

The controller and the processor will need to implement appropriate technical and organizational security measures. The proposal also requires that security policies contain a number of elements including, for example, a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness. In addition, security breaches will need to be notified to DPAs without undue delay.

Data Transfers

In addition to Binding Corporate Rules and other data transfer solutions a new method allowing for international data transfers of personal data from the EU includes use of a “European Data Protection Seal” awarded by European DPAs for businesses and recipients that are audited for compliance with the Regulation. The latest amendments also re-introduce an important provision requiring that any requests for access to personal data by foreign authorities or courts outside the EU must be authorized by a DPA.

Health Data

The Regulation also has important provisions relating to use of health data including that processing of personal data for scientific research is only permitted with consent subject to exceptions by Member States where the scientific research serves a high public interest with the data either anonymized or pseudonymized under the highest technical standards with measures to prevent re-identification of individuals.

The proposed Regulation reflects the growing concern that governments, regulators and society has to data protection and privacy issues and should continue to be closely monitored as it moves closer to adoption which could take place over the next few months.

 


 

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

EmailShare
14 February 2013

The UK Data Protection Authority issues a Code of practice on anonymization

In November 2012, the UK Information Commissioner’s Office (ICO) published a Code of Practice on managing data protection risks related to anonymization. This Code provides a framework for organisations considering using anonymization and explains what it expects from organisations using such processors.

One of the benefits of anonymization is that the onerous data protection obligations under EU data protection laws, including the UK’s Data Protection Act 1998, will not apply to data rendered anonymous such that individuals are no longer identifiable.

As the Code notes, anonymization can allow organisations to make information derived from personal data available in a form that is rich and usable whilst protecting individuals.

The main good practices and recommendations provided in the Code are summarised below:

  • Personal data, anonymization and identification: the Code highlights that the concept of “identify” and therefore “anonymized” is not straightforward because individuals can be identified in numerous ways and re-identification by a third party can also take place. It is therefore crucial for businesses to assess the risk of identification when they decide to disclose anonymized data.
  • Ensuring effectiveness of anonymization: the ICO recommends the use of the “motivated intruder” test to assess the risk of re-identification. This test involves determining whether a “motivated intruder”, who is a person who starts without any prior knowledge but wishes to identify the individual from whose personal data the anonymized data has been derived, would be successful. It can be done by (i) carrying out a web search to verify if date of birth and postcode can lead to the identification of a specific individual; or (ii) using social networks to establish if anonymized data can lead to an individual’s profile.
  • Consent: importantly, the Code provides that consent is generally not needed to legitimize an anonymization process as it could be logistically onerous or even be impossible to obtain such consent.
  • Governance: organisations using anonymization should have in place an effective and comprehensive governance structure that should include (i) a Senior Information Risk Owner (SIRO) with the technical and legal understanding to manage the process, (ii) staff trained to have a clear understanding of anonymization techniques, the risks involved and the means to mitigate them, (iii) procedures for identifying cases where anonymization may be problematic or difficult to achieve in practice, (iv) knowledge management regarding any new guidance or case law that clarifies the legal framework surrounding anonymization, (v) a joint approach with other organisations in their sector or those doing similar work, (vi) use of a privacy impact assessment, (vii) clear information on the organization’s approach on anonymization including how personal data is anonymized and the purpose of the anonymization, the techniques used and whether or not the individual has a choice over the anonymization of its personal data, (viii) review of the consequences of the anonymization programme, and (ix) a disaster recovery procedure should re-identification take place and the individual privacy is compromised.
  • Trusted Third Party: a Trusted Third Party is an organisation which can be used to convert personal data into anonymized data. The Code highlights the value of using a Trusted Third Party arrangement especially where a number of organisations each want to anonymize personal data they hold for use as part of a collaborative project. Use of Trusted Third Party arrangements can facilitate large scale research using data collected by a number of organisations without the organisations involved ever having to access each others’ personal data. It also allows researchers to use anonymized data when the use of personal data is not necessary or appropriate, and can be used to link datasets from separate organisations to create anonymized records for researchers.

The Code also clarifies when the research exemption under the UK Data Protection Act can be relied upon to process personal data for research purposes and concludes with explanations of key anonymization techniques and various case studies such as one on the use of anonymization in clinical studies.

The Code which also sets out other good practices and recommendations is welcome having been published at a time when anonymization techniques and the status of anonymized data are key issues for many industries including digital media, financial services and life sciences. Anonymization and the ability to use data will also remain key issues with the current discussions on the proposed EU Data Protection Regulation and clarity on these issues at an EU level would also be welcome.

For further details on anonymization of personal data please contact William Long (wlong@sidley.com) or John Casanova (jcasanova@sidley.com).


 

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

EmailShare
15 January 2013

Business Concern over Amendments to Proposed EU Data Protection Regulation

The European Parliament’s Civil Liberties Committee has published its draft report on the proposed EU Data Protection Regulation that is causing concern for many corporations. http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf.

The report sets out amendments to the draft EU data protection regulation published by the European Commission last January (the “Regulation”)
http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.

Despite being one of the most lobbied pieces of European legislation, many will be disappointed that as amended the draft Regulation still imposes very significant burdens on businesses that are in the EU, or which are outside the EU but offer goods or services to EU customers, with fines of up to 2% of annual worldwide turnover.

Although there has been considerable debate on the proposed Regulation, there is still time for those concerned to make their views known to the European legislature. A summary of the main elements of the proposed regulation as amended by the Committee are set out below.

Scope of Regulation and Enforcement

  • The Regulation will apply expansively to all global businesses, including any Internet company with more than 500 European customers. To be specific, it would apply to “data controllers” established in the EU or operating from outside the EU where the processing activities are aimed at the offering of goods or services to individuals in the EU irrespective of whether payment is required. A data controller outside the EU will need to appoint a representative in the EU if it processes personal data of 500 or more individuals a year, irrespective of whether payment is required for the goods or services.
  • For the first time, the regime will directly affect software and hardware development. So called “producers” (i.e. hardware and software developers) that produce systems to process personal data must take measures to ensure data protection compliance when designing systems.
  • Provisions for fines of up to 2% of annual worldwide turnover for violations of the Regulation remain, although additional criteria are proposed that would be taken into account by Data Protection Authorities (DPA) when determining the administrative sanction.
  • There are a number of amendments to strengthen the position on collective redress: Bodies or associations acting in the public interest would be able to go to court on behalf of data subjects to seek damages and damages will now also be permitted for non-pecuniary loss such as distress.

International Data Transfers

  • Transfers of personal data from the EU to countries that are not deemed to provide an adequate level of protection (such as the United States) should be on the basis of binding legal instruments (such as Binding Corporate Rules and the EU’s standard contractual clauses). The ability of the European Commission to decide that a particular industry sector provides an adequate level of protection (such as the U.S. healthcare industry) has also been rejected.
  • The U.S.-EU Safe Harbor and other previous adequacy decisions as well as decisions relating to standard contractual clauses will remain in force for only two years after the Regulation takes effect. This may lead to companies needing to assess whether their prior compliance efforts remain valid.
  • International investigations will become significantly more complicated. An important new provision will require that a controller’s representative must notify the DPA and obtain an authorization for transfer pursuant to the requests or orders of a court, tribunal or authority of any country outside the EU.

Consent, Legitimate Interest and Data Protection Notices

  • Compliance will also become more complex given that consent may not be available in the employment context. Although the report emphasizes the importance of consent, it adds the condition that consent should not be valid if there is a significant imbalance between the position of the data controller and the data subject (i.e. the individual) remaining in the Regulation. However, incentives are also included for data controllers to use pseudonymous data (e.g. key coded) for which lighter consent obligations will apply.
  • More detail is also provided on when it is possible for a data controller to rely on the legitimate interest ground to process personal data with the controller required to publish why it believes its interests override those of the data subject. The legitimate interests of the data controller include enforcement of legal claims.
  • Data protection policies are to be communicated using multi-layered formats and icons with full information available on request. Data subjects also have a right to be informed about the disclosure of their personal data to a public authority.

Right to be Forgotten, Data Portability and Profiling

  • The Right to be Forgotten (i.e. to have personal data erased) remains in the Regulation but has been amended so data controllers would no longer have to take reasonable steps to contact third parties to request them to erase copies of the data if the personal data has been transferred or made public based on legal grounds (such as legitimate interest).
  • The Right to Data Portability (i.e. to obtain a copy of the data being processed and to move the data to another platform) has been merged with the Right of Subject Access (i.e. the right for confirmation whether personal data is being processed). The Right of Subject Access has also been amended so data subjects now have a right to be informed if their personal data has been disclosed to public authorities.
  • Targeted Internet advertising could also face significant impacts. Profiling will only be permitted with the data subject’s consent or based on an express statutory provision.

Documentation, Impact Assessments, Security and DPOs

  • The requirement in the proposed Regulation for data controllers and processors to retain detailed documentation on the processing has been merged with the requirement to provide information to individuals about how their personal data are processed. The exemption on small businesses employing less than 250 persons from having to retain such documentation has been removed.
  • In the case of a security breach the period to notify the DPA is extended from 24 to 72 hours while the obligation to notify data subjects has also been extended to require that information be included regarding the rights of the data subject including redress.
  • The obligation to appoint a Data Protection Officer (DPO) has been amended so a DPO is required where a legal entity processes personal data on more than 500 persons. The DPO must be a direct report to the head of management, such as the CEO, and the minimum appointment of the DPO is also extended from 2 years to 4 years. The DPO will also have an obligation to report suspected breaches to the DPA.
  • The requirement to carry out data protection impact assessments where data involves specific risks (such as health data and data on children) remains as does the obligation to seek the views of data subjects. However, instead of having to consult with a DPA it is now proposed that a data controller can consult with their DPO.

Life Sciences and Scientific Research

  • Importantly the report provides a comment that processing of sensitive data (e.g. health data) for the purposes of historical, statistical and scientific research are “not considered as urgent or compelling as public health or social protection.” This is of particular concern for the life sciences industry and other industries carrying out research including academic research.
  • The provisions in the Regulation on processing of sensitive data (including health data) for the purposes of historical, statistical and scientific research are also amended to provide that such processing shall only be permitted with the consent of the data subject, but Member States may legislate for exceptions to the requirement of consent for research that serves an exceptionally high public interest, if that research cannot possibly be carried out otherwise. The amendments go on to provide that “The data in question shall be anonymized, or if that is not possible for the research purposes, pseudonymized under the highest technical standards, and all necessary measures shall be taken to prevent re-identification of the data subjects.” The possibility of EU Member States determining when scientific research is permitted, where consent has not been obtained, will also be of concern to the life sciences industry.

New One Stop Shop, Codes of Conduct and Certification Schemes

  • A modified ‘one stop shop’ approach to regulation is proposed under which a DPA is competent to supervise processing operations within its territory or affecting data subjects resident in its territory. Where the processing activities of a controller or processor are established in more than one EU Member State or affecting data subjects in several Member States, the authority of the Member State of the main establishment of the data controller will be the lead authority acting as a single contact point for the controller or processor.
  • Some of the powers of the European Commission to adopt delegated acts (i.e. to provide more detailed requirements) for certain provisions have been removed.
  • Industry Codes of Conduct and data protection certification schemes are encouraged with a formal procedure required to be set down for the issue and withdrawal of a data protection seal or mark and to ensure the independence of the issuing organization.

The next steps in the EU legislative timetable include: (i) February 27, 2013: deadline for tabling amendments by MEPs on the Civil Liberties Committee; (ii) end of April 2013: vote by the Civil Liberties Committee; and (iii) from May 2013 on: (depending on progress in the EU’s Council of Ministers) negotiations between European Parliament, the Council and the Commission (the so called “Trilogue”).

For further details on the proposed EU Data Protection Regulation, please contact William Long (wlong@sidley.com) or John Casanova (jcasanova@sidley.com). Edward McNicholas (emcnicholas@sidley.com) in Washington, D.C. is also available to assist U.S. companies in addressing the potential conflicts between U.S. and EU requirements.

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.

Prior results do not guarantee a similar outcome.

EmailShare
14 March 2011

European Shift to Concrete Cost Analysis of Data Protection

BNA’s Privacy & Security Law Report

Following meetings held Feb. 24-25, the Council of the European Union released its ‘‘Conclusions’’ in response to the EU Commission’s Nov. 4, 2010 ‘‘Communication’’ proposing ‘‘a comprehensive approach on personal data protection in the European Union.’’ The Council is the main decision-making body of the European Union, comprising the ministers of the Member States. Depending on the issue on the agenda, each country is represented by the minister responsible for that subject (foreign affairs, finance, social affairs, transport, agriculture, etc.).

View Article

EmailShare
22 December 2003

Stringent Canadian Privacy Law to Take Effect January 1, 2004

United States companies that conduct business in Canada, as well as most other organizations that collect, use or disclose personal information in the course of a commercial activity within Canada, may be subject to a new law providing expansive privacy protections for Canadian citizens. Effective January 1, 2004, such companies will have to comply with Canada’s Personal Information Protection and Electronic Documents Act. The Canadian Privacy Law deserves particular attention because it entails more extensive privacy requirements than are generally applicable under United States law.

View Alert

EmailShare
XSLT Plugin by BMI Calculator