Francoise Gilbert Proposed EU Data Protection Regulation-20120214
Overview of Proposed EU Data Protection Regulation published for comments on January 25, 2012 by the European Commission
Transcript

  • 1. EU Data Protection Reform: January 25, 2012 Draft
    State Bar of California Business Law Section - Cyberspace Committee, February 14, 2012
    Francoise Gilbert, Managing Attorney - IT Law Group, fgilbert@itlawgroup.com, +1 650 804 1235
    (C) 2012 IT Law Group - All rights reserved. This presentation is offered for information purposes only, and the content should not be construed as legal advice on any matter.
  • 2. Francoise Gilbert
    • Founder & Managing Attorney, IT Law Group, Palo Alto
    • Author & Editor, Global Privacy & Security Law (2 volumes, 2,900 pages) (Aspen Publishing / Wolters Kluwer)
    • Founding Member & General Counsel, Cloud Security Alliance
    • CIPP/US; admitted to practice law in CA, IL and France
    IT Law Group
    • Niche law firm that focuses on information privacy and security, data governance and cloud computing
    • Providing services to clients in the US and throughout the world through long-term relationships with carefully selected privacy / security lawyers established on all continents
  • 3. Agenda
    • Background and history
    • Proposed new structure
    • Implications for businesses
    • Proposed expanded rights for individuals
    • Proposed rules for cross-border transfers
  • 4. Background
    • The European Union has been slowly built since the mid-1950s
    • Uniformity was ensured through directives
    • In the data protection field:
      • Directive 95/46/EC
      • Directive 2002/58/EC (amended by Directive 2009/136/EC)
      • Directive 2006/24/EC
      • Framework Decision 2008/977/JHA (police and criminal matters)
  • 5. Proposed framework
    • General Data Protection Regulation
      • http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
      • Intended to replace Directive 95/46/EC
    • Directive on the protection of individuals with respect to the processing of personal data for prevention, investigation, detection, prosecution of criminal offenses
      • http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_10_en.pdf
      • Intended to replace Framework Decision 2008/977/JHA
  • 6. Key goals of the Regulation
    • Creating a uniform framework throughout the European Union
    • Putting citizens in control of their data
    • Ensuring more transparency, better privacy
    • More accountability, better security, immediate disclosure of security breaches
    • Facilitating cross-border transfers
    • Giving more funds, powers, authority to the DPAs
  • 7. Uniformity? ... Not so clear
    • Other laws
      • Not clear how the Regulation would interact with the other sectoral laws, and the extent to which it would supersede them
    • Member States
      • Significant freedom given to Member States to create supplemental legislation and set up their own minefield, e.g.:
        • health information, employee data
        • rules on penalties
    • Uncertainty
      • Delegated acts and implementing acts to supplement the Regulation
  • 8. Broad scope
    • Regulation would apply to:
      • processing of personal data in the context of activities of an establishment of a processor or controller in the European Union
      • companies that are established in third countries when they:
        • offer goods or services to individuals located in the EU
        • monitor behavior of individuals located in the EU
    • Regulation would NOT apply to:
      • a natural person without gainful interest, in the course of own exclusively personal or household activity
      • activities outside the scope of EU law, e.g., national security, prevention, investigation, detection of crimes
  • 9. Simplified regulatory environment
    • Would reduce red tape and formalities
    • No more “notification” requirement
    • One-stop-shop for companies that operate in several countries
      • Company would designate a “main establishment”
      • Would interact only with the DPA of their main establishment
  • 10. Increased power for DPAs
    • Strengthen the independence and powers of the Data Protection Authorities:
      • better equipped to handle complaints
      • power to carry out investigations
      • power to take binding decisions
      • power to impose effective sanctions
    • Provide means for more coordination between the DPAs so that there is more consistency in enforcement
  • 11. Data Protection Officer
    • Obligation to appoint a Data Protection Officer if:
      • Company has more than 250 employees; or
      • Company is involved in processing that, by virtue of its nature, scope or purpose, presents specific privacy risks
    • Would apply both to controllers and processors
    • DPO would have to be independent, and not receive instructions on how to exercise functions
    • DPO’s identity to be disclosed to individuals
  • 12. Stronger rules for consent
    • When consent is required, it must be “specific, informed and explicit” and freely given
    • Individual must be aware that he is giving consent
    • Requirement for consent must be presented separately from other matters
    • Data subject must be able to withdraw consent at any time
    • Consent would not be a legal basis for the processing if there is a significant imbalance between the position of the controller and that of the individual
    • For a child under 13, consent would have to be given by a parent
    • Companies would have to be able to prove that the data subject has consented to the collection and use of the data
  • 13. More obligations
    • Companies would have extended obligations with respect to data processing, including:
      • establish detailed policies and procedures
      • implement security measures
      • disclose security breaches
      • perform data protection impact assessment in special circumstances
      • implement verification / audit mechanisms
      • document compliance with the Regulation
  • 14. New concepts
    • Privacy by Design
      • make sure that data protection safeguards are taken into account at the planning stages
      • must be able to demonstrate compliance with the privacy by design requirement
    • Privacy by Default
      • use privacy-friendly default settings
  • 15. Emphasis on security
    • Increased emphasis on using appropriate security measures
    • Security breach reporting for all companies
      • Definition of security breach much broader than in the US
      • Obligation to notify the DPA within 24 hours, if feasible
      • Obligation to notify individuals “without undue delay” if their data were adversely affected by the breach
  • 16. New rights for individuals
    • Right to be forgotten: Individuals would have the right to have their data deleted if they withdraw their consent, and if there are no other legitimate grounds for retaining the data
    • Right to data portability: Individuals would have the right to obtain a copy of their stored data from the data controller, in an electronic, commonly used, structured format, and the freedom to move it from one service to another without hindrance
  • 17. Streamlined formalities
    • Significant savings resulting from streamlined formalities for cross-border transfers
      • No more notification
      • But the requirement for prior checking would remain for special kinds of processing
      • Interaction with one single DPA
      • Ability to use Binding Corporate Rules in the 27 Member States
  • 18. Complaints; Enforcement
    • Individuals would have the right to lodge a complaint with a DPA
    • Individuals would have the right to seek judicial remedy against a data controller or data processor
    • Organizations and associations would have the right to lodge complaints and to seek judicial remedies on behalf of injured individuals
  • 19. Significant penalties
    • Up to 250 K Euros or 0.5% of annual worldwide G.I.: minor violations, e.g., failure to provide a mechanism for access
    • Up to 500 K Euros or 1% of annual worldwide G.I.: most violations
    • Up to 1 M Euros or 0.5% of annual worldwide G.I.: serious violations, e.g., processing data without legal basis, without complying with the consent requirement; failure to adopt required policies
  • 20. Questions?
    Francoise Gilbert, +1-650-804-1235, fgilbert@itlawgroup.com
    ITLG: www.itlawgroup.com
    Blog: www.francoisegilbert.com
    Book: www.globalprivacybook.com