EU Data Protection Authorities approve use of Binding Corporate Rules for Processors

The European data protection authorities (DPAs), represented by the Article 29 Working Party, have launched a Binding Corporate Rules (BCRs) regime for processors. Processors can implement these BCRs from 1 January 2013. BCRs are internal codes of conduct that are legally enforceable for data protection and security and, once approved by DPAs, provide a legal basis for transfer of personal data from the EU.

BCRs had previously been restricted to use by businesses when acting as data controllers (i.e. determine the purpose for which and manner in which personal data are processed) such as a company transferring its own employee data internationally. Although welcomed by many in respect of data controller initiated transfers, the DPAs were criticised for not making BCRs available to data processors that process personal data on behalf of data controllers. The new BCRs for processors should now prove popular for a wide range of international service providers, that act as data processors, such as cloud providers, outsourcing providers, payment processors, data and document storage companies, alertline providers, and many other companies in different industries. The BCRs will be enforceable against the data processor by individuals who suffer damage as a result of a breach of the BCRs and by the data controller.

Data controllers are increasingly requiring their vendors and service providers to provide evidence of data protection compliance, and adoption of BCRs by processors will provide comfort to controllers. Similarly, data processors will be able to use processor BCRs as a way of demonstrating to their customers strong commitment to data protection and so can form part of their customer value proposition. Processor BCRs may also be seen as having advantages over other existing international data transfer solutions, such as use of the EU’s standard form data transfer agreements, known as Model Contracts, which can require data processors to have hundreds of Model Contracts with their customers.

The application procedure for BCRs for processors will be based on the same process as for BCRs for data controllers. The process involves submitting an application form to a lead national DPA in the EU. Once approved by the lead DPA the BCRs will be automatically recognised by many other DPAs due to a system of mutual recognition. In a Working Document (WP195) published in June 2012 the Article 29 Working Party provided a checklist that offers guidance as to which issues should be dealt with in BCRs and what to present to DPAs in the application form including:

  • a description of the data transfers and scope of the BCRs;
  • be binding through reference to BCRs in the service agreement;
  • grant third party beneficiary rights to individuals in the event that the data controller goes out of business or becomes insolvent;
  • provide that the EU data processor accepts responsibility for the acts of other members of the group or breaches by external sub-processors outside the EU;
  • give details of the existence of a suitable training programme, complaint handling process and creation of a network of privacy officers;
  • provide for data protection audits on a regular basis with DPAs having a right of access to the results of the audit together with a duty to co-operate with DPAs; and
  • set out a process for updating the BCRs.

According to the EU’s Article 29 Working Party, BCRs for processors will bring benefits to both data processors and data controllers “Once a BCR for processors is approved it can be used by the controller and processor, thereby ensuring compliance with EU data protection rules without having to negotiate the safeguards and conditions each and every time when a contract is entered into.” BCRs for processors will also increase confidence among customers of data processors while providing a way for customers and data processors to overcome international data-transfer limitations under EU data protection laws.

For further details on BCRs for processors please contact William Long (wlong@sidley.com) or John Casanova (jcasanova@sidley.com).

 

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

EmailShare

EU Website Cookie Consent Requirements Now Being Enforced

The deadline of 26 May 2012 for businesses to comply with new EU website cookie consent requirements in the UK has now passed. Under the EU’s amended e-Privacy Directive 2002/58/EC new rules were introduced last year for businesses to obtain the consent of website users to place cookies on a user’s computer. Although EU Member States were required to implement the consent requirements by 25 May 2011, the UK’s Information Commissioner’s Office (“ICO”) gave businesses a 12 month grace period to become compliant with the new law which ended on 26 May 2012. Many other EU Member States have still to implement the cookie consent requirements with only 20 of the 27 Member States having so far implemented the requirements into their national laws.1

The new EU cookie consent requirements contain an exception where the website is using a cookie “that is strictly necessary” to provide the service explicitly requested by the user. The ICO considers this exception should be narrowly interpreted and cannot, for example, be used to exclude cookies used for analytical purposes, such as counting the number of visits to a website, from the new consent requirements. Failure to comply with the EU cookie consent requirements can lead to enforcement action including fines from national data protection authorities.

UK Guidance

The cookie consent requirements under the amended ePrivacy Directive were implemented in the UK through “The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011” (the “UK Regulations”). The ICO has published helpful guidance on implementing the UK Regulations entitled “Guidance on the rules on use of cookies and similar technologies” (the “UK Guidance”).

Regarding the scope of the UK Regulations, the UK Guidance states that websites based outside of the EU, designed for the European market or providing products or services to customers in the EU, should consider that their users in the UK and the EU will clearly expect that information about cookies will be provided to them and their consent to set cookies obtained.

Providing clear and comprehensive information to the user

In addition to obtaining consent, the requirements under the ePrivacy Directive include that the user is provided with “clear and comprehensive information” about the purposes for which the information, such as that collected through cookies, is used.

The ICO suggests that wherever possible, the placing of cookies on a user’s terminal equipment should be delayed until the user has had the opportunity to understand what the cookies are being used for and so they can make their choice to accept the cookies or not. However, the ICO acknowledges that obtaining prior consent might be difficult as many websites set cookies as soon as a user accesses a website. The ICO therefore states that at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with the option to accept the use of cookies.

Responsibility for compliance

Although the UK Regulations do not define who should be responsible for complying with the new requirements, the ICO clearly states in the UK Guidance that “where a person operates an online service and any use of cookies will be for their purposes, it is clear that that person will be responsible for complying with this Regulation”. The ICO also makes it clear that where third party cookies are used through a website, the person operating the website and the third party should be responsible for complying with the UK Regulations. However, the ICO acknowledges that it could be challenging in practice for third parties to comply, and therefore proposes that a third party using cookies on a website should consider putting a contractual obligation into agreements with the website provider “to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.”

Potential solutions to gain the consent of the user:

The UK Guidance refers to a number of potential solutions to obtain consent for use of cookies including:

Use of pop ups and similar techniques, such as header or footer bar on the home page – while using a pop up to directly ask a user if they agree to the use of cookies will amount to consent if they click yes, as the ICO acknowledges this could spoil the user experience if the website uses several cookies. Moreover, the ICO comments that some users might not click on the options available and go straight to another part of the website. In these circumstances it may be possible to infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site.

Terms and conditions – when users open an online account or sign in to use the services, they could consent through terms and conditions to the use of cookies. The ICO specifies that changing the terms of use alone to include consent for cookies is not sufficient even if the user had previously consented to the global terms. To satisfy the new rules on cookies, the website operator must make users aware of the changes and specifically that the changes refer to the use of cookies. The website operators will then need to gain a positive indication that users understand and agree to the changes. The positive indication is commonly obtained by asking users to tick a box.

Settings-led consent – some cookies are set up when a user confirms what he/she wants to do or how he/she wants the site to work, for example, when selecting a feature such as the language of the website. The website should, during that process, explain to the user that by allowing the website to remember the user and the way he/she wants to use the website, the user gives the website consent to use cookies.

Feature-led consent – some information is stored in the user’s computer when the user decides to use a particular feature of a website such a watching a video or when the website remembers what the user did on a previous visit in order to personalise the content of the website. In these cases the website can ask for the consent to set a cookie at this point.

Browser settings – the view of the ICO is that most browser settings are not currently sophisticated enough to allow a website provider to assume that the user has given his consent. The UK Guidance confirms that the ICO and the UK Government are currently working with the major browser manufacturers to establish a new browser solution.

Steps to take now

Many businesses have been considering the best ways to obtain consent to the use of cookies for some time. For those businesses that have not yet implemented a cookie consent solution for their websites it is important that they do so now, particularly as the UK deadline has now passed. According to the UK Guidance the first steps should be:

Cookie Audit – businesses should check what cookies they are using on their websites, confirm the purposes, what data each cookie holds and the type of cookie (i.e. session or persistent and first or third party cookie). This could involve carrying out a comprehensive audit of the websites. The cookies used should also be analysed to determine which, if any, are “strictly necessary” and therefore might not need consent.

Cookie Assessment of Intrusiveness – the more intrusive a cookie the more priority should be given to getting meaningful consent. Some analytical cookies may have a limited privacy impact while cookies involved in creating detailed profiles of an individual’s browsing activity can have a significant privacy impact. An assessment of the intrusiveness of the cookies used should also be undertaken.

Cookie Consent Solution – in addition to deciding on the most appropriate of the cookie consent options, which are referred to above, it is also necessary to consider the information on cookies that should be provided to users. According to the ICO, for most users it may be helpful to provide a broad explanation of the way cookies operate and the categories of cookies that are used on the website.

If you have any questions regarding this update, please contact:

John Casanova, Partner
jcasanova@sidley.com
+44 20 7360 3739

William Long, Counsel
wlong@sidley.com
+44 20 7360 2061


1 Austria, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, Malta, Slovakia, Spain, Sweden The Netherlands and the UK.


 

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results do not guarantee a similar outcome.   

EmailShare

The New EU Data Protection Regulation: What will the Impact be on the Life Sciences Industry?

Scrip Regulatory Affairs

The EU Data Protection Regulation proposed by the European Commission in January will – if adopted in its current form – require pharmaceutical and medical device companies to adopt a new approach to data processing and data protection.

This article was published in the March 2012 issue of Scrip Regulatory Affairs.

View Article

EmailShare

New EU Data Protection Regulation Announced

The official proposal for an EU Regulation on Data Protection was released in Brussels on Wednesday 25 January 2012 (the “Regulation”). The Regulation, which will replace the existing EU data protection regime, will have a significant impact on almost every business either established in the EU or that has EU customers. The proposed Regulation will now be discussed in detail over the next few months as it goes through the European legislative process and is set to be adopted in 2014. The main implications of the proposed Regulation are summarised below.

  • Greater Enforcement – fines can be imposed of up to 2% of the annual worldwide turnover of a business for failure to comply with the proposed Regulation. In addition, supervisory authorities will be able to impose a temporary or definitive ban on processing personal data, enter premises and suspend data flows to a recipient in a third country or to an international organisation.
  • Class Actions – any organisation which aims to protect the data protection rights of individuals, such as consumer organisations, can make complaints to supervisory authorities and bring class actions on behalf of individuals for non-compliance, even without the consent of those affected.
  • Application to Non European Businesses – the proposed Regulation will apply to businesses established in the EU and importantly to non-European businesses that process personal data of individuals residing in the EU where the processing activities are related to offering goods or services to such individuals or the monitoring of their behaviour.
  • Accountability – businesses will be required to adopt policies and implement measures to demonstrate compliance with the requirements in the proposed Regulation. This will include keeping a detailed record of all forms of data processing and carrying out data protection impact assessments. This will lead to significant compliance costs for affected businesses. Privacy by design measures must also be implemented to ensure, for example, that data is not collected or retained beyond the minimum necessary.
  • Data Protection Impact Assessments – the proposed Regulation introduces a new requirement for impact assessments to be conducted where the processing is likely to present specific risks, such as the processing of health data. As part of the assessment the views of the individuals whose data are being processed need to be obtained.
  • Data Protection Notifications – while the requirement in some EU Member States for data controllers to notify their Data Protection Authority in respect of their data processing activities will be abolished, businesses will be required to consult the relevant supervisory authority prior to the processing of personal data where a data protection impact assessment is required. Where the supervisory authority considers that the assessment insufficiently identifies or mitigates risks it can prohibit the intended processing. Where a data controller or processor is established in more than one EU Member State then the competent authority is where the controller or processor has its main establishment.
  • Information Security – the proposed Regulation requires data controllers and processors to implement appropriate technical and organisational security measures after having carried out an evaluation of data privacy risks. Moreover, data security breaches will have to be notified to the relevant supervisory authority without undue delay and “where feasible” no later than 24 hours after having become aware of it. The proposed Regulation specifies that when the breach notification is not made within 24 hours a reasoned justification must be provided to the relevant supervisory authority. The breach will have to be communicated to the individual without undue delay when the breach is likely to adversely affect the protection of the personal data or the privacy of the individual.
  • Consent – the proposed Regulation places the legal burden on the data controller to prove that the individual has given consent and gives an individual a right to withdraw their consent at any time. The Regulation also significantly restricts reliance on consent “where there is a significant imbalance between the position of the data subject and the controller.”
  • Data Protection Officers – businesses with over 250 employees will be required to appoint a data protection officer who will have to have “expert knowledge” of data protection law and practices. The appointment which must be for a term of at least two years should be notified to the relevant supervisory authority and the public. The proposed Regulation also provides that businesses may appoint a single data protection officer for a corporate group.
  • Increased Rights of Individuals – businesses must have transparent and easily accessible data protection policies and provide information using clear and plain language. An individual also has a right to correct his or her personal data and, importantly for social media, a right to data portability (i.e. to transfer his or her personal data to another provider) and will have a right to be forgotten (i.e. to have his or her personal data erased) which will be complex to apply in practice.
  • Transfer of Personal Data from the EU – the proposed Regulation maintains the restriction under the current Data Protection Directive of transferring personal data to countries outside the EU that are not considered to provide an adequate level of protection including the United States. The Regulation provides that one of the main solutions to permit such international transfers is the adoption of Binding Corporate Rules, which are a set of data protection rules adopted by an international corporate group that meet EU requirements and must be approved by a lead supervisory authority. Significantly, the proposal confirms that that specific sectors of a country could be deemed adequate – perhaps paving the way for recognition of the United States health, communications and financial sectors.

The proposed Regulation will certainly be subject to lengthy discussion and revision by the Council of Ministers and the European Parliament before it is finally adopted and becomes law. However, it is clear that whatever the final form of the Regulation it will have a significant impact on businesses worldwide, increase compliance costs and enforcement actions and will therefore require a new approach to data protection.

If you have any questions regarding this update, please contact:

London

John Casanova
jcasanova@sidley.com
+44 20 7360 3739

William Long
wlong@sidley.com
+44 20 7360 2061

Washington, D.C.

Ed McNicholas
emcnicholas@sidley.com
+1 (202) 736 8010

Alan Raul
araul@sidley.com
+1 (202) 736 8477


 

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results do not guarantee a similar outcome.

EmailShare

First Look: Leaked Draft of New EU Data Protection Regulation Suggests Significant Impacts for Global Businesses

A draft of a new EU Regulation on Data Protection to replace the existing EU Data Protection Directive was released un-officially earlier this week. The draft Regulation once adopted will have a significant impact on virtually all businesses established in the EU, or who carry on business with the EU, introducing significant internal compliance requirements and fines that range up to 5% of worldwide turnover.

In an article published by the Bureau of National Affairs, John Casanova and William Long of the London office of Sidley Austin and Alan Raul and Ed McNicholas of the Sidley Washington office provide their initial analysis of this significant new EU development. For further information on this development and other EU data protection requirements please contact John Casanova or William Long and for counseling in relation to US privacy issues please contact Alan Raul.

Reproduced with permission from Privacy & Security Law Report, Vol. 10 PVLR No. 48, 12/12/2011. Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

View Article

EmailShare

Business Concern Over New EU Consent Requirement to Use Website Cookies

New EU cookie consent requirement

Amendments to the EU’s ePrivacy Directive have meant that since 25 May 2011 the EU has required website operators to obtain the consent of users to the use of cookies. This is a significant development and it is causing considerable concern among businesses. The new consent requirements for use of cookies, which consist of small text files that are used by virtually every website to recognise a user’s computer and collect information on a user’s activities and preferences, has caused a storm of debate as regulators and businesses struggle to find a practical way of obtaining consent.

There is also particular concern regarding compliance with the new requirements in relation to so called “third party” or “tracking” cookies used in behavioural advertising, where information from cookies is shared with third parties. In these circumstances obtaining consent may be more complex and care needs to be taken to make sure users are made aware of what data are being collected and by whom.

There is only one exception to the new EU consent requirement where the website is using a cookie “that is strictly necessary” to provide the service explicitly requested by the user. However, this is a narrow exception covering, for example, use of a cookie to allow the website to remember items placed in a virtual shopping basket and would not apply, to use of cookies to collect website analytics data.

Confused transposition process in the EU

Another particular concern is the lack of a harmonised approach to implementation of the new consent requirements in different EU Member States. Despite the 25 May 2011 implementation deadline only ten EU Member States have yet implemented the requirements into their national laws, including Estonia, Finland, Ireland, Latvia, Lithuania, Malta, Sweden, Hungary, Luxembourg and the UK. The table on page 3 summarises the current position.

There is also a lack of clarity on how in practice consent may be obtained and in particular whether browser settings can be used to obtain consent. It is understood that in Ireland, Luxembourg, Sweden and the UK the implementing legislation or guidance expressly provides that consent may result from the browser settings. Of these early adopting Member States national guidance has only been published, so far, in Ireland, Sweden and the UK although further national guidance may be published in due course.

In the UK, the Information Commissioner’s Office (the “ICO”) has issued guidance on what may constitute a sufficient opt-in consent:

  • Pop ups and similar techniques – using pop ups on the website screen for users to click that they consent to use of cookies, although the ICO acknowledges that this could spoil the user experience.
  • Terms and conditions – when users open an online account, or sign in to use the services, they could consent through terms and conditions to operation of the account and to use of cookies but a positive indication of consent is required such as through the user ticking a box.
  • Settings–led consent – obtaining consent as part of the process by which the user confirms what they want to do, or how they want the site to work, for example, when selecting a feature as to the size of text they want displayed.
  • Feature–led consent – placing text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when wanting to set a cookie on the user’s device.
  • Browser settings – using browser settings to obtain consent, although the view of the ICO is that most browser settings are not sophisticated enough to allow a website provider to assume that the user has given their consent to the website using a cookie.

To allow businesses to achieve compliance the UK has a grace period of 12 months until May 2012 during which time the ICO will refrain from using its enforcement powers although businesses are expected to take steps to comply with the new requirements. It is also understood that in Sweden a grace period, expected to be around 6 months, will also be applied.

Another question that is still not clear is whether national Member State laws implementing the new cookie consent requirement will apply to website operators not established in a Member State, for example a US website accessed by French consumers.

Practical steps to be considered by businesses now

While there are still some unanswered questions concerning the implementation and scope of the new EU cookie consent requirement it is important that website operators start to consider the new requirements now and how they may apply to their business. Some practical steps that can be taken now include:

  • monitoring the implementation of the cookie consent requirement in different Member States over the next few months;
  • carrying out an audit of the business use of cookies, including the type of cookies used (e.g. first party or third party cookies, session only cookies or persistent cookies);
  • updating privacy policies to include more explicit disclosures on the use and ability to opt-out of use of cookies;
  • evaluating consent options, taking into account customer impact, costs and applicable laws; and
  • reviewing existing arrangements with service providers concerning the collection of data and use of cookies.
For further details on the current implementation of the EU cookie consent requirements please contact:

John Casanova at jcasanova@sidley.com or on +44 (0)20 7360 3739, Jens Rinze at jrinze@sidley.com or on +49 69 22 22 1 4020, William Long at wlong@sidley.com or on +44 (0)20 7360 2061, or the Sidley lawyer with whom you usually work.


1 Based on adopted or draft legislation or based on views of Government authorities or national Data Protection Authorities. Some of the information in this update is based on views of local counsel which is likely to change and where Sidley Austin LLP is not admitted.


 

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Some of the information in this update is based on views of local counsel which is likely to change and where Sidley Austin LLP is not admitted. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results do not guarantee a similar outcome.

EmailShare

European Shift to Concrete Cost Analysis of Data Protection

BNA’s Privacy & Security Law Report

Following meetings held Feb. 24-25, the Council of the European Union released its ‘‘Conclusions’’ in response to the EU Commission’s Nov. 4, 2010 ‘‘Communication’’ proposing ‘‘a comprehensive approach on personal data protection in the European Union.’’ The Council is the main decision-making body of the European Union, comprising the ministers of the Member States. Depending on the issue on the agenda, each country is represented by the minister responsible for that subject (foreign affairs, finance, social affairs, transport, agriculture, etc.).

View Article

EmailShare
EmailShare
XSLT Plugin by BMI Calculator