Regulations Released Implementing Malaysian Data Protection Act

This post was written by Cynthia O'Donoghue.

The Minister of the Malaysian Communications and Multimedia Commission (the Minister) has announced by Gazette that Malaysia’s Personal Data Protection Act 2010 (the PDPA) will finally take effect as of 15 November 2013, introducing a privacy regime in Malaysia for the first time. To accompany this announcement, a series of regulations have been issued to implement the provisions of the PDPA. Data controllers will have three months from the date of enactment to comply with the PDPA to avoid enforcement.

The Regulations on Classification of Data Users highlight that the PDPA requires certain organisations to register as data users with Malaysia’s new Personal Data Protection Commissioner. These include:

  • Banking and financial institutions
  • Communications service providers
  • Tourism and hospitality providers
  • Insurers
  • Real estate firms
  • Education bodies
  • Direct marketing organisations
  • Transportation firms
  • Utility providers

The Regulations on Registration of Data Users set out the costs of registration, which are valid for a period of 24 months prior to renewal. Failure to register as a data user could result in a fine of up to 500,000 Ringgit and imprisonment of up to three years.

UK ICO survey shows businesses unaware of data protection reform and its costs

This post was written by Cynthia O’Donoghue.

The UK’s data protection authority, Information Commissioner’s Office (ICO), commissioned an independent survey investigating the understanding of the proposed EU data protection reform and associated costs. The survey involved 506 organisations, and one of the key findings is that as a general rule, businesses do not understand the implications of the proposed General Data Protection Regulation. In addition, as businesses are unable to assess their existing data protection costs, it is nigh on impossible to estimate costs of compliance with a new regulation, or to substantiate the cost savings of £2.3 billion estimated by MEP Viviane Reding. This makes it impossible to assess the overall cost implications of the reform.

The study identified five key cost-generating elements of the Regulation:

  • Subject access requests
  • Breach notification
  • Data protection impact assessments
  • Appointment of data protection officer (DPO)
  • Increased fines

Elements with indirect impact on costs include the "right to be forgotten," data portability, unclear definitions, a higher standard of consent, and data minimisation. The survey results found that almost half of the respondents didn’t fully understand any of the above provisions, and none of the respondents could accurately describe all of them.

Nearly four-fifths of respondents could not quantify their current data protection spend, and almost nine in 10 were unable to project costs post-reform. Only large organisations were capable of assessing current and expected costs, resulting in no clear picture of compliance costs. Existing predictions of the EU reform costs vary wildly. Notwithstanding MEP Reding’s estimated savings to businesses of £2.3 billion, the UK Ministry of Justice predicted that UK companies will suffer a net cost of between £80 million - £320 million per year.

The Information Commissioner, Christopher Graham, suggests that the benefits of the reform must be justified by the burdens, such that the ‘legislation [sic] delivers real protections for consumers without damaging business or hobbling regulators.’

EU Presidency seeks political guidance on most contested aspects of the draft Data Protection Regulation

This post was written by Cynthia O'Donoghue.

On 24 April 2013, the EU Presidency, currently held by Ireland, prepared a Note to the Committee of Permanent Representatives (COREPER) regarding the proposed General Data Protection Regulation (Regulation). The Note was leaked and published on Statewatch’s website. Statewatch is a civil liberties organisation. In the Note, the Presidency discusses “pivotal issues, the resolution of which requires political guidance,” including the scope of the Regulation and the requirement for “explicit” consent. The Annex to the Note proposes specific drafting amendments.

The Note focusses on five key issues:

  • Material scope
  • Territorial scope (or jurisdiction)
  • Consent
  • Data processing principles
  • Freedom of expression and access to public documents

The proposed Regulation excludes data processing where the activity is outside the scope of EU law, and processing by EU institutions and law enforcement, both of which are considered problematic. Concern was also raised about the exclusion of household uses, which as drafted would exempt processing “by a natural person without any gainful interest in the course of its own exclusively personal or household activity.” Most delegations wanted the scope of the household exemption clarified, and the Presidency proposed a compromise extending the provision to all social networking and online activities carried on in the context of personal and household activity.

The Note acknowledged that the territorial scope of the Regulation is ambitious by seeking to govern “the offering of goods or services (…) to data subjects in the Union,” or “the monitoring of their behaviour as far as their behaviour takes place within the European Union.” The Presidency suggested setting out factors that can indicate whether a particular offer is aimed towards EU residents, even though many delegations questioned the practicality of such a wide jurisdictional scope, doubting whether non-EU controllers will be aware of and willing to comply with the Regulation.

The Presidency acknowledged that the proposed definition of consent is beyond that required under the 1995 Data Protection Directive, and many delegations view the new requirement for explicit consent as unrealistic and of little value, especially on the Internet. The Presidency proposed replacing “explicit” with “unambiguous” for all non-sensitive personal data, and removing the exclusion of consent obtained in relationships with an imbalance of power, because it would lead to legal uncertainty.

While the Presidency noted that the data protection principles are largely the same as those within the 1995 Directive, a new principle of data security and confidentiality was added, and consequently there should be further discussion in light of processing of data for historic, statistical, or scientific or archiving purposes.

Lastly, the Presidency suggested adding articles enabling Member States to reconcile the right of data protection with the other fundamental rights of freedom of expression and freedom of information.

CNIL satisfied with draft European Parliament report on the new Data Protection Regulation

This post was written by Daniel Kadar.

The French Data Protection Authority (DPA), the CNIL, has expressed its satisfaction on the draft report (the “draft Report”) released by the European Parliament on the new European Data Protection Regulation (the “Regulation”).

One of the major points of concern for the CNIL was that the draft Regulation had proposed that the competent DPA to rule over a complaint was to be the DPA where the data controller had its main establishment.

The CNIL considered in January 2012 that “In practice, this means that where a web user has a problem with a social network which main establishment is in another member state, the complaint will be handled by the authority of the latter,” resulting in practice in less protection for citizens given the broadening gap between European Data Protection Authorities, especially with the UK Commissioner.

The CNIL therefore welcomes warmly the conclusions of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs report that was published a couple of weeks ago. The amendments tabled by the rapporteur, Mr Albrecht, are considered by the CNIL as “real progress and an important stepping stone.”

Four major items have been highlighted by the CNIL:

  • Criterion of competence of the supervisory authorities:
    The draft Report changes the “rules of jurisdiction” and sets forth that the place of residence of the citizen will be used as criterion of competence instead of the main establishment. The CNIL will in that respect regain power (and jurisdiction) over complaints filed in France, even if the main establishment of the data controller is located outside France.
  • Single point of contact:
    According to the draft Report, the lead authority will be designated as single point of contact for controllers and processors who have activities in more than one Member State. This authority would have to instruct cross-border situations in the name and on behalf of all the competent authorities, and to ensure coordination before adopting a decision. The CNIL sees here a real opportunity to expand its area of influence. The fight against Google that this blog has been following is to be seen in that respect as a real life test.
  • Role of the European Data Protection Board (EDPB):
    The CNIL welcomes the creation of the EDPB that would help to generate a harmonized implementation of the European rules and would have decisional power. According to the draft Report, the EDPB would draft guidelines for the supervisory authorities, and deliver opinions on the codes of conduct drafted at EU level. Moreover, the EDPB would have to be consulted by the European Commission in the preparation of delegated acts and implementing acts, which number would be much reduced.
  • Protection of citizens’ rights:
    The draft Report improves citizens’ rights by the use of ‘pseudonymisation’ and anonymisation of data, as well as by the free exercise of a right to object and the clarification of what constitutes the expression of consent in the online environment.

The CNIL finally welcomes the removal by the draft Report of the possibility to use non-binding legal instruments in the context of data transfers to non-EU Member States.

All in all, this draft Report constitutes a strong support for the “hardliners” led by the CNIL in the on-going discussions on the draft Regulation.

The Article 29 Working Party tackles the most contested elements of the new Data Protection Regulation

This post was written by Cynthia O'Donoghue.

The Article 29 Working Party (“Art. 29 WP”), which has already released two opinions (WP191 and WP199) regarding the draft General Data Protection Regulation (“Regulation”), issued a statement and two accompanying annexes addressing some of the most heavily debated elements. This statement addresses relaxation of rules for the public sector, a one-stop-shop for data controllers, the pseudonymisation of data, the standard of consent, cross-border transfers, a risk-based approach, and the household exemption. Many of the views expressed by the Working Party appear to be in direct opposition to a number of observations made by other organisations, such as ITRE (see also our blog and client alert regarding the ITRE’s opinion).

The Art. 29 WP vehemently opposes the concept that the public sector should have a different regulatory regime for data protection from that of the private sector, on the basis that data protection is a fundamental right that is not affected by the status of the data controller being a public body.

The Art. 29 WP seeks the inclusion of pseudonymised and encrypted data within the scope of ‘personal data’ on the basis that they are security techniques that do not change the inherently personal nature of the data.

The Art. 29 WP discourages removing the requirement for explicit consent because it is both essential to ensure that consent is not misused by data controllers, and goes to the heart of proving the validity of consent. It also expressed support for consent being invalid when obtained where there is a significant imbalance of power.

Permitting cross-border data transfers without the need for a binding mechanism was rejected by the Art. 29 WP. The Art. 29 WP’s statement advocated the introduction of Mutual Legal Assistance Treaties (“MLATs”) to govern disclosures of data not otherwise authorized under EU or EU member states’ national laws, where such disclosures would be based on important grounds of public interest. Without such MLATs, data controllers would continue to be prohibited from transferring data outside EU even when subject to the court order of a third country.

The Art. 29 WP supports a risk-based and scalable approach to data protection, with risk depending not only on the size of the controller, but also on the nature and categories of the data being processed.

In relation to the household exemption, commonly relied upon by organisations that ask members or users to add their contacts, such as social media, the Art. 29 WP recommended removing the exemption when its use would result in gainful interest connected with a commercial activity.

This statement will be weighed by the LIBE Committee as part of determining which of the more than 3,000 suggested amendments to incorporate into the Regulation; but given that the Art. 29 WP is made up of the 27 EU member states’ data protection authorities, the Art. 29 WP statement is likely to be influential.

EU member states argue for watering down the proposed Data Protection Regulation

This post was written by Cynthia O'Donoghue.

The proposed new EU General Data Protection Regulation may need to be watered down. The far-reaching proposed draft, which was published in January 2012, aims to unify and strengthen the data protection laws across the 27 EU countries. However, the Financial Times reports that a memo drafted by the Irish presidency admits that “several member states have voiced their disagreement with the level of prescriptiveness of a number of the proposed obligations in the draft regulation.”

There appears to be a prevailing opinion among the member states that the burdens imposed by the draft Regulation must be reduced, especially the most commonly criticised elements, such as the requirement to obtain individuals’ explicit consent and the “right to be forgotten.” Several EU member states, like the UK (see our blog about the UK’s criticism), advocate a “risk-based” approach that would have as its focus whether a substantial threat to a person’s personal data exists. Several EU member states would like small companies spared from many of the compliance burdens contained in the proposed Regulation—an approach advocated by the American Chamber of Commerce.

Some member states, including the UK, would like to see the designation of a data protection officer reduced to an optional requirement. Germany and Belgium argue for the easing of rules related to the use of data by public institutions.

The lobbying for watering down the proposed Regulation has been openly criticised by a coalition of privacy groups, as well as by Jan Philipp Albrecht, the rapporteur for the draft regulation (see also our blog about Albrecht’s report on the proposed Regulation). Given the raging debate, it looks as though enough member states oppose the draft Regulation to block the entire proposal, unless the European Parliament and the European Commission heed the calls for compromise.

European Parliament Committee on Industry, Research and Energy publish opinion on the proposed General Data Protection Regulation

This post was written by Cynthia O'Donoghue.

Following the lead of the Committee on Civil Liberties, Justice and Home Affairs (LIBE), which already released its draft report (see our prior blog) 20 February, the European Parliament Committee on Industry, Research and Energy (ITRE Committee) published its Draft Opinion on the proposed General Data Protection Regulation. This opinion has been submitted to LIBE, which has the task of consolidating amendments and voting on its own report at the end of April.

In the Draft Opinion, ITRE rapporteur Seán Kelly outlined his substantial support for the proposed Regulation and suggested that the changes should help avoid excessive administrative burdens for enterprises, and introduce a greater degree of flexibility, especially in terms of accountability and the notification requirements to supervisory bodies. The ITRE Committee, however, proposed significant amendments to the Regulation in an attempt to ease restrictions on companies by focusing on corporate governance, the use of impact assessments, and bringing increased clarity to the provisions. It has recommended significant alterations to the most contentious provisions, such as consent mechanisms; the rights of access, portability, and to be forgotten; the 24-hour breach notification requirement; and the sanctions regime.

For a more detailed analysis, click here to read the issued Client Alert.

UK Information Commissioner’s Office presents article-by-article analysis of the proposed new General Data Protection Regulation

This post was written by Cynthia O'Donoghue.

Following the publication of its “further thoughts” on the European Commission’s proposed new data protection framework, the ICO has now published an in-depth, article-by-article analysis of the proposed General Data Protection Regulation (the Regulation). The ICO pointed out that this is an important opportunity to get the framework correct, as it is likely to remain in force for many years. The paper reflected the ICO’s general concerns and expressed its opinion about some of the more contested elements of the Regulation.

The ICO reiterated the need for further clarity and expressed concerns about the number of delegated acts of the European Commission in the Regulation on the basis that use of the delegated acts is likely to result in continued uncertainty for businesses and data subjects.

The ICO emphasises that the new data protection framework should promote a truly risk-based approach, instead of focusing on the administrative detail and compliance process rather than outcomes, as it could encourage paper-only compliance. The ICO also voiced strong support for the concept of protection by design, so long as the model was principle-based to accommodate scalability and flexibility.

The ICO welcomed “the high standard of consent”, but raised concerns that some data controllers may be left without a lawful basis for processing, and criticised the unequivocal barring of consent obtained in cases of alleged “significant imbalance”, pointing out that consent can be obtained for employer-employee data processing. The ICO continues to advocate for the inclusion of “pseudonymised” data within the definition of personal data, but floated the idea that individuals’ access rights should not apply.

While the ICO generally supports the new right to be forgotten, the paper acknowledges that it may be impossible in practice, because data in the public domain will often be disseminated without the original data controller’s consent or knowledge, which could result in individuals developing a false belief that data is capable of being erased. Despite acknowledging the concerns regarding the right to portability’s potential impact on property rights and trade secrets, and admitting it is not a “classical” element of data protection law, the ICO welcomed its inclusion, highlighting that it empowers consumers.

Rapporteur Jan Philipp Albrecht presents report on the European Commission's proposed Data Protection Regulation

This post was written by Cynthia O'Donoghue.

On January 10, 2013, Jan Philipp Albrecht, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), presented his draft report (the “Report”) proposing amendments to the European Commission’s proposed Data Protection Regulation (the “Proposed Regulation”).

Albrecht’s amendments to what was already a complex and prescriptive piece of draft legislation have received mixed reviews from government and industry. The UK recently voiced its criticism of the current proposals, while the European Data Protection Supervisor (EDPS) reacted positively to Albrecht’s report, indicating that it was impressed with the changes made, as they included many of the EDPS and Article 29 Working Party recommendations.

Albrecht has recommended significant alterations to the most contentious provisions, such as the definition of personal data, consent, the rights of access, portability and to be forgotten, and the 24-hour breach notification. Albrecht has sought to simplify the legal framework while also strengthening individuals’ rights.

The definition of personal data includes data that would single a person out, either from data held alone or when used in “combination with associated data,” and seeks to clarify uses of pseudonymised data and create a definition for anonymous data that prevents identification of a person, where identification, directly or indirectly, would require a “disproportionate amount of time, expense and effort.”

Albrecht believes consent “is the best way for individuals to gain more control over data processing activities,” and his proposed amendments require consent to be explicit, freely given, specific, informed, and obtained through “clear affirmative action,” since pre-ticked boxes cannot be seen to express free consent.

The right of access would now include the ability to obtain information about profiling and whether a governmental authority had requested data, as well as whether an organisation had complied with that request. The right of portability would be amended to be part of the right of access, so that copies of data are provided in a format that can be migrated to another service.

In relation to the right to be forgotten, Albrecht includes a provision for erasure if there are no legitimate grounds to retain the data. This aims to ensure that companies that have transferred data to third parties without a legitimate legal basis do actually erase the data. Viviane Reding, in a speech at the EC Justice Council meeting in Dublin on 18 January 2013, endorsed this “ambitious and pragmatic” approach as being necessary to prevent imposing unreasonable obligations on businesses.

Responding to the perceived short time limit of 24 hours for notifying the National Supervisory Body of personal data breaches initially proposed by the European Commission, Albrecht suggests extending the time frame to 72 hours.

Albrecht also recommends more onerous notification requirements, with data controllers required to use a multi-layered approach including easily understandable, icon-based descriptions for different types of processing.

Albrecht also recommends that organisations’ ability to rely on the legitimate interest basis for processing data be limited to “exceptional circumstances,” where it would be possible for the data controller’s interests to override the fundamental rights and freedoms of data subjects.

Other amendments proposed by Albrecht include replacing the criterion for mandatory appointment of a data protection officer (DPO) from being based on having more than 250 employees, to processing the data of 500 individuals or more per year. This means that even small companies and start-ups would incur this expense.

In its recent response to the UK Justice Select Committee’s opinion on the Data Protection framework proposals, the UK Ministry of Justice found mandatory appointments of DPOs unnecessary and suggested that data controllers should be encouraged to appoint DPOs “if they were felt necessary to ensure compliance with the proposed Regulation.” Both the UK Ministry of Justice and the UK Justice Select Committee have been highly critical of the proposed Regulation, finding it overly prescriptive and likely to increase costs to the UK economy of between £100 million – £360 million per annum; and the UK Government likely would view Albrecht’s amendments even more harshly, since the UK would like to see the draft Regulation recast as a Directive to allow Member States a degree of flexibility.

The Irish government, which currently holds the EU presidency, also expressed concern at a Justice Council meeting in Dublin, suggesting that the household exemption (which permits individuals processing data as part of purely personal activity) and the right to be forgotten are unrealistic. While the Irish have previously said that the proposed Regulation is a priority they would like to see passed during their EU term of presidency, the draft Regulation is continuing to prove highly contentious, and any effort to further constrain business is likely to meet with resistance from some Member States as well as industry.

Art. 29 Working Party seeks refined definition of 'personal data' in the proposed General Data Protection Regulation

This post was written by Cynthia O'Donoghue.

In its second opinion on the proposed Data Protection Regulation, the Article 29 Working Party suggests that a natural person can be considered identifiable when, within a group of persons, he or she can be distinguished from other members of the group and consequently be treated differently. They have therefore recommended that information that can lead to individuals being singled out and treated differently should be considered “personal data.” The Working Party proposes broadening the definition of “data subject” in the proposed Regulation to include not only identified or identifiable natural persons, but also those who could be singled out and treated differently.

The Working Party also suggested that organisations should have to treat “cookie identifiers” and “IP addresses” as personal data. This would be accomplished by altering recital 24 which, although not legally binding, provides additional detail on what is meant by the definition of personal data.

The Working Party has also defended the "new and positive elements" drafted into the proposed Regulation on rules around consent. Responding to criticism that it might be impractical to always obtain explicit consent, the Working Party supports broad requirements for explicit consent as "necessary to truly enable data subjects to exercise their rights".

The Working Party raised a concern about the European Commission adopting delegated acts without seeking approval from the Working Party's successor body, the European Data Protection Board. This concern is shared by the wider data protection community, as the EDPB will be much closer to issues at a national level and be in a position to recommend outcomes.

How to mitigate Compliance requirements and Code of Conduct obligations with Data Protection regulation: Reed Smith Paris provided some illustrative examples

This post was written by Daniel Kadar.

Reed Smith Paris partner Daniel Kadar and counsel Séverine Martel hosted, on 25 October 2012, a new edition of the conference cycle organized by Reed Smith Paris with the European American Chamber of Commerce, dedicated to the mitigation of Compliance obligations, particularly as set forth in Codes of Conduct, with data protection requirements.

After a general presentation of the data protection requirements in France, particularly with respect to notification duties with the French Data Protection Authority, the “Commission Nationale de l’Informatique et des Libertés” (CNIL), the panel, which included compliance directors of French health care giant SANOFI and General Electric Health, brought examples of how to mitigate compliance obligations, in particular as set forth in Codes of Conduct most International organisations have now adopted, with applicable data protection regulation.

The first example was dedicated to the New French Health Care Regulation and its transparency and disclosure requirements as to the existence (and the financial range) of agreements between the health care and cosmetics industry and health care professionals (including medical students), showing that the disclosure of financial and private information (such as the home address for the medical students) had to be managed carefully with respect to the data owner’s information and access rights.

The second set of examples was dedicated to the implementation of whistle-blowing hotlines in France, which need to have a restricted scope under French law: the ground for this limited scope is that the French regulator has worked on the basis of the sole Sarbanes-Oxley (“SOX”) Act obligations limited to accounting and audit, and therefore mainly excluded the other fields of application that Codes of Conduct generally also contain.

After having highlighted the major characteristics of the requirements under French law, taking into account specific labor law obligations, the panel concentrated on the ways and means of implementing such hotlines in France:

  • Integrating them globally, or based on geographic regions
  • Operating through third-party service providers or through in-house “mediators”
  • Insisting on the necessity that such hotlines constitute only an alternative to more formal ways of notifications to the hierarchy, and excluding anonymous reports

The panel concluded by stating that there is no “one size fits all” Compliance recipe, and that Compliance remains a place of state-of-the-art mitigation of contradictory regulation.


EU Working Party on Information Exchange and Data Protection gives its first consideration of the General Data Protection Regulation and Directive

This post was written by Cynthia O'Donoghue.

On 23 and 24 February 2012, the General Secretariat to the EU presented the proposed Data Protection Regulation to the EU Working Party on Information Exchange and Data Protection (DAPIX), stating that the new proposals were motivated by the European Commission’s (EC) desire to stimulate growth across the EU and the need to protect the fundamental rights of European citizens. The EC’s justification for the proposed overhaul of existing European data privacy legislation was triggered by technological developments that have taken place since the 1995 EU Data Protection Directive, and the global trend towards a digital economy.

In addition, the General Secretariat distributed to the delegates a comparative table of the first 21 articles of the draft General Data Protection Regulation against the 1995 Directive.

The EC set out four key objectives underlying the proposal for a Data Protection Regulation: (1) stimulation of growth through the uniform application of data protection rules across the EU; (2) protection of fundamental rights; (3) adoption of flexible legal instruments capable of adapting to future technologies; and (4) legal certainty.

A summary of the discussions was published on 8 March 2012. Delegates of the DAPIX raised various issues with the draft Regulation, including that the Commission could have been more radical in its proposals. In contrast, many of the DAPIX delegates raised serious concerns about the draft Regulation, fearing that it would increase the administrative burden on organizations and public authorities.

Concerns were raised about obligations on small and medium-sized businesses, the specific obligation on organizations with more than 250 employees to appoint a data protection officer, and rules applicable to individuals rather than utilizing a more risk-based approach.

DAPIX also reviewed the proposed legislative instruments of a Regulation and Directive on data protection in law enforcement, with some of the delegates stating they would have preferred another directive on the basis that a regulation could be too prescriptive.

DAPIX also criticized the delegated powers of the EC under the draft Regulation on the basis that there was an unbalanced division of power between the legislator (the European Council and Parliament) and the EC, which could undermine the desire to simplify data protection rules, and that such delegated acts could lead to modification of the EU Member States’ national legislation.

The delegates also raised strong reservations surrounding the geographical scope concerning the ‘one-stop shop’ principle that makes one Data Processing Authority (DPA) competent for all data processing operations throughout the EU, fearing that organizations would then forum shop, and that it would create an excessive administrative burden on some national DPAs. Other delegates, however, welcomed the ‘one-stop shop’ principle.

Delegates raised additional concerns about whether the draft Regulation is sufficiently technology-neutral, and whether concepts such as the right to be forgotten and the right to data portability were technically feasible, as well as the possible overlap with the e-Privacy Directive.

U.S. lawyers urge courts to respect EU data privacy laws - 'Hobson's Choice' just got harder!

This post was written by Cynthia O’Donoghue, David Cohen, Nick Tyler, and Regis Stafford.

The American Bar Association (ABA) this week passed an important resolution urging all courts in the U.S. to:

“consider and respect…the data protection and privacy laws of any…foreign sovereign, and the interests of any person who is subject to, or benefits from such laws, with regard to data that is subject to preservation, disclosure, or sought in discovery in civil litigation.”

The ABA journal describes the long-standing dilemma faced by litigators on both sides of the Atlantic as “Hobson’s Choice”. The ABA Section of the International Law Report to the House of Delegates further explains the choice too often faced by litigants: “violate foreign law and expose themselves to enforcement proceedings that have included criminal prosecution, or choose noncompliance with a U.S. discovery order and risk U.S. sanctions ranging from monetary costs to adverse inference jury instructions to default judgments.”

It is interesting to note the timing of the resolution, coming as it has less than two weeks after publication by the EU Commission of the long-awaited draft EU Data Protection Regulation with its proposed new sanctions of up to 2 percent of annual worldwide turnover for serious breaches, which would include an unlawful data transfer to the U.S.

Such sanctions represent a ‘game-changer’ in the current risk profile and choices presented to multi-nationals faced with U.S. discovery requirements demanding the transfer of personal data held by EU affiliates in breach of EU data protection laws.

Current U.S. jurisprudence will now be tested – up until now the U.S. courts have tended to strike the balance in favour of compliance with U.S. rules on the basis that there is no realistic prospect of prosecution in Europe for an enterprise which breaches EU cross-border transfer restrictions. See Strauss v. Credit Lyonnais S.A., 242 F.R.D. 199 (E.D.N.Y. 2007).

However, as the report to the ABA House of Delegates regarding the resolution explains, there are other good reasons, in addition to the possibility of sanctions, for U.S. courts to respect Europe’s data privacy laws. If U.S. courts continue to favor broad discovery in violation of EU restrictions, U.S. litigants may face “a similarly hardened view of U.S. laws and regulations to the detriment of U.S. litigants” in courts outside of the U.S. Moreover, “[p]ermitting broad discovery in disregard or even defiance of foreign protective legislation can ultimately impede global commerce [and] harm the interests of U.S. parties in foreign courts and provoke retaliatory measures.”

The resolution has been diluted from that originally proposed, with the insertion of qualifying words such as “where possible in the context of the proceedings”. Nonetheless, the ABA has sent a clear signal that a re-evaluation of the status quo is needed and that U.S. courts need to recognise the wider implications of cross-border litigation in the context of an increasingly globalised corporate and legal environment.

EU Commission sends draft EU General Data Protection Regulation and Directive on Criminal Investigations and Judicial Proceedings to the European Parliament

This post was written by Cynthia O'Donoghue and Nick Tyler

The European Commission today completed its task of reforming the EU Data Protection Directive by sending a draft Regulation to the European Parliament. The draft Regulation contains comprehensive reforms and seeks to harmonise data protection laws across the 27 EU Member States, and to enhance EU citizens' privacy protections in the age of the Internet.

There will be two tiers of compliance obligations and sanctions, with one aimed at small- to medium-sized enterprises and the other at large, multinational organizations. SMEs are entitled to certain exemptions to ease administrative burdens, such as no requirement to appoint a data protection officer and a sanctions cap of up to €1 million. Multinationals with more than 250 employees in the EU will have to appoint a data protection officer and may face sanctions of up to 2 percent of worldwide annual turnover for serious breaches. Multinationals outside the EU will also have to comply with the data protection rules if they seek to market products and services to EU citizens.

Key provisions include:

A single notification to the data protection authority in the country where an organization has its principal establishment. There remains an obligation to notify and seek prior authorization for a range of processing activity considered to present specific risks, such as systematic and extensive profiling and large-scale video surveillance.

Accountability principle for those processing personal data, including impact assessments for SMEs and top-down accountability for all organisations.

Data breach notification to the national data protection authority if feasible within 24 hours, and to individuals if there is a risk of harm.

Increased individual control over their data includes seeking their explicit consent before data may be processed rather than it being assumed, and their ability to refer matters to the data protection authority in their country even if data is processed by a company based outside the EU.

Data Portability will mean that individuals will have easier access to their own data and be able to transfer it from one service provider to another more easily.

A right to be forgotten allows individuals, including children, the ability to delete their data if an organization does not have any legitimate grounds for retaining it. The right provides exemptions for legitimate historic data such as newspaper archives, and seeks to balance the right to privacy with the right to free speech.

The sanction regime has at least been watered down from the draft Regulation circulated in November 2011, which had proposed sanctions of up to 5 percent of worldwide annual turnover.

There have been some ‘business-friendly’ changes to the draft Regulation as compared with the earlier November draft. The proposal for an opt-in for commercial marketing has been substituted with an opt-out, and the provisions relating to children’s privacy now require parental consent for those under the age of 13, rather than 18.

In addition, while there is an emphasis on binding corporate rules for international data transfers outside of the EU, contractual clauses, EU standard contracts, and findings of adequacy, as well as international commitments by countries or international organizations such as U.S. Safe Harbor, will still apply. Given the changes contemplated under the draft Regulation, existing international data transfer mechanisms may need to be reviewed and amended if the draft Regulation is adopted.

The new European Data Protection Board will no longer act as a supranational regulator in relation to approving enforcement actions and sanctions as proposed in the November version of the draft Regulation. Instead, its powers will be limited to ensuring consistent application of the Regulation without the power to overrule decisions in individual cases.

The Commission's proposed draft Regulation and accompanying Directive now go to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. The Regulation will only take effect two years after adoption by the European Parliament, and we would expect further changes as it makes its way through the legislative process. That means any changes are probably close to three years down the road.

US wades into debate on revision to EU Data Protection Directive

This post was written by Cynthia O'Donoghue and Nick Tyler

The U.S. Federal Trade Commission (FTC) has waded into the political debate with an Informal Note on the draft EU Data Protection Regulation as reported by Statewatch. In addition, Digital Civil Rights in Europe has reported that the U.S. Department of Commerce engaged in significant lobbying of the European Commission in response to the leaked draft Regulation.

The FTC’s Informal Note, provided to the EC in December 2011, focused on “two overarching concerns”:

  • “potential adverse effect on the global interoperability of privacy frameworks” – resulting in divergence rather than convergence of data privacy standards globally; and
  • “serious implications for regulatory enforcement activities involving third countries” such as the U.S. – resulting in EU data protection laws presenting a significant obstacle to international enforcement cooperation.

In both respects, the Informal Note portrays the draft Regulation as a backward step that would have an adverse effect on the global interoperability of privacy regimes due to it increasing differences rather than promoting convergence. The FTC also raised concerns about the draft Regulation’s potential to adversely impact international investigations, hinder information sharing between regulatory agencies and undercut enforcement cooperation between the EU data protection authorities and similar privacy enforcement agencies round the world.

In doing so, the FTC’s Informal Note emphasises many of the issues highlighted in our two blogs and Client Alert following the leak of the draft Regulation. In particular, the following themes are highlighted:

  • Data breach notification – criticising the Regulation’s “focus on process, instead of on improving security practices”, the note concludes that this “may…dilute the effectiveness and credibility of all such notices.” This echoes a concern first raised by the UK Information Commissioner’s Office during the IAPP Summit in November 2011, relating to notification of all data breaches regardless of seriousness or number of persons affected.
  • The “right to be forgotten” – the FTC’s concern relates to a chilling effect on rights to free speech and intimates that a right to be forgotten is little more than a pipe-dream fraught with legal and practical obstacles that render it unfeasible. Basically, the ubiquity of the Internet means that the cat’s out of the bag and any attempt to put it back is doomed to fail.
  • The definition of “child” – the EU’s definition of child being anyone under the age of 18 runs counter to the U.S.’s longstanding regulation of children’s privacy (defined as under-13 in the Children’s Online Privacy Protection Act (COPPA)). The FTC refers the EC to its recent review of the COPPA Rule [1], suggesting it take a more modern and less paternalistic view by recognising:

“…it would be difficult to require parental permission for teenagers because they’re independent, more sophisticated with new technologies than their parents are, and have access to computers outside the home, particularly with the increasing proliferation of mobile devices.”

  • Transfers to third countries – criticising the increased complexity in determining adequacy for transferring data outside the EU, the FTC believes that the draft Regulation only makes the process more burdensome, opaque and indeterminate rather than the EC achieving its stated objective of clarifying it. There is undoubtedly a degree of self interest in the FTC’s alarm at the possibility that a U.S. Safe Harbor certification may no longer be recognised (at least in its current form) as a lawful basis for transfers of personal information from the EU to the U.S., as we previously highlighted. The prospect that present lawful trans-border dataflow mechanisms will need to be replaced by new or re-vamped versions, including through the use of binding corporate rules, will alarm every U.S. organisation that has invested significantly in putting legal mechanisms in place to transfer data from the EU to the U.S.
  • International Investigations – the FTC raises concerns about the effect on international regulatory enforcement, effectively calling the draft Regulation a ‘blocking statute’, because data controllers will have to notify and receive prior authorisation from a data protection authority before disclosing personal data to any non-EU governmental or regulatory authorities or private litigants outside the EU. The FTC highlights the conflicts as well as perils such provisions will create for U.S. companies with a presence in the EU, especially if an investigation relates to anti-competitive activities, financial or consumer fraud. The FTC suggests that the draft Regulation incentivises “offshoring” evidence, resulting in untimely delays and potentially damaging the interests of consumers, including in the EU.

The FTC’s Informal Note, along with other voices loudly debating the draft Regulation, advocates a more balanced and proportional approach to privacy and data protection. 

Whether this US intervention will contribute to a delay in the EC publishing the draft Regulation, or whether, as recently restated by Ms. Reding’s office, publication will still take place on Data Protection Day on 28 January, we don’t have long to find out.

1 COPPA Rule Review Request for Comment, Fed. Reg. Vol. 76, No. 187, Sept 27 2011 at 5905, available at:

UK Government Proposes Merger of Competition Authorities

This post was written by Edward S. Miller, Marjorie C. Holmes, Richard J. Waite, and Susan Riitala.

The UK Government recently announced proposals to merge the UK’s two main competition bodies, the Office of Fair Trading (OFT) and the Competition Commission, to create a single competition regulator. Currently the OFT, as well as being responsible for conducting antitrust and cartel investigations, also conducts initial merger reviews and market studies. The Competition Commission acts as a second phase review body, conducting more in-depth reviews of those mergers or markets referred to it by the OFT (or, in some cases, concurrent regulators) that appear to give rise to more significant competition issues.

The move comes as part of the UK Coalition Government's plans to simplify the work of public bodies, with the creation of a single competition authority intended to streamline procedures and create a stronger enforcement authority. The new body would be responsible for all merger reviews, market investigations, and cartel and antitrust cases. A public consultation on the options for creating the new competition and markets authority is planned for 2011.

Some commentators have raised concerns that the merger would damage the objectivity and independence from political pressures offered by the current system. However, without having the detail of how the new body would operate, the risk of increased political interference in practice would seem relatively low and it is likely that measures could be put in place to protect objectivity in the two-stage review process, which it appears will be retained. Such issues will undoubtedly be addressed in next year’s public consultation process.

On the whole, the announcement is positive and should be welcomed. Frustrations with the existing system include that the Competition Commission begins investigations from scratch once the OFT has already been working on the same case. The proposal should not only cut down the overall timetable of investigations, but should also reduce the time spent by companies providing information to the different authorities when under scrutiny. In a statement issued by the OFT, Chief Executive John Fingleton confirmed that the OFT had advocated the merger for some time and highlighted its potential benefits, pointing to the ability to deliver “better, faster results for consumers and the economy, and greater consistency for businesses”.

Connecticut's Muscular New Vision for Government Oversight of Data Security Breach Notifications

This post was written by Diane Bettino and Paul Bond.

Nearly every state in the U.S. has a statute requiring notifications upon discovery of a data security breach. Most of these laws do not mandate notification to any state authority. Those few state laws that compel governmental notice are usually satisfied with contemporaneous notice, or notice after the fact.

That all may change, at least for entities licensed or directly regulated by state agencies.  The State of Connecticut’s Department of Insurance has issued a bulletin, Bulletin IC-25.

Bulletin IC-25 envisions a much more active government role whenever a company licensed or regulated by the Department has an “information security incident”.  This Bulletin applies to a variety of regulated entities, from insurers to appraisers, from bail bond agents to pharmacy benefit managers to medical discount plans.

The Bulletin requires that the business send notice of an “information security incident” no later than five calendar days after the incident is identified.  As businesses who have suffered from data security breaches know, it will often take more than five calendar days to know even the basics about a potential incident.

This lightning-quick notification to the Department should include as much as possible about 15 categories of information, including the results of internal reviews and copies of the business’s privacy policies and data breach policies. If regulated companies did not have adequate incentive to have such policies in place before, they surely do now.

“The Department will want to review, in draft form, any communications proposed to be made” regarding the breach.  Additionally, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time” (emphasis added).  Businesses used to drafting their own communications and selecting their own remedies to offer will now be negotiating those points post-breach with a government agency.

In addition, the Department will set up a “monitoring process,” unique to each incident, to keep abreast of “activities associated with any information security incident”.

It remains to be seen whether other state regulatory agencies adopt a similar approach.  However, for those who fall under the ambit of this Bulletin, it represents a sea change in the allocation of authority between government and business in the period between breach and notification.