EU Data Protection: How to Comply and If You Don't, What's the Worst that Can Happen?
Presentation by:
Robert Bond, BA, CompBCS,
FSALS, Partner & Notary Public
Head of Data Protection and
Corporate Social Responsibility
“From regulatory compliance to practical advice on data security issues, Robert’s expertise in this field and the creativity of the advice that he provides has ensured that he stands head and shoulders above the competition.”
Robert has specialised in data protection law since 1983 and was voted one of the Top 20 data privacy experts in Computerworld in Feb 2011. He co-authored the International Chamber of Commerce (ICC) BCR Report in 2006, and the ICC Guidelines on Basel II and Data Protection in 2007. Robert is the author of many books, including most recently for Sweet & Maxwell who publish his book Negotiating International Software Licenses and Data Transfer Agreements.
Robert is a Companion of the British Computer Society, a Fellow of the Society of Advanced Legal Studies, a member of IAPP and SCCE and in 1994 was a researcher in Information Security and Data Protection at the University of Leicester. He is Chairman of the ICC (UK) E-Business, IT & Telecoms Committee, a Liveryman of the Worshipful Company of Stationers and Newspaper Makers and a Freeman of the City of London.
His clients include multinationals such as 3M, Daimler, Astellas, Sony, Flowserve, 3Par, Pentair, Tennant, Watson Pharmaceutical, Affiliated Computer Services, BancTec, Merck, Millipore and Dresser whom he advises on a range of IT and commercial contracts, bribery and corruption, ethics and responsibility, EU regulations and global data protection and information security compliance. Robert has close relationships with in-house teams at the data protection authorities in the US, UK, Ireland, France and Canada as well as in the European Commission and the Council of Europe.
Robert is listed as a data protection expert in Chambers (2010), Chambers (2009) and in Chambers (2008) where clients describe him as “a brilliant lecturer, a meticulous lawyer” and “responsive – if you contact him, you know he’ll get back to you within the hour” and “authoritative – he really knows his stuff, and he has so many contacts within the EC he can predict trends and what’s coming further down the line, which is very useful for forward planning.” Chambers 2010 describes him as “having taught almost every lawyer something about computers.”
Our team
• We are a full service law firm providing local and international
services to a diverse range of clients
• Our core legal services are provided in three sectors: Business
Services, Real Estate & Construction and Private Client
• Our Data Protection & Information Law team provide a range of
expertise on data privacy audit, compliance, risk management,
information security and data breaches
• We are listed in Chambers 2010 as a leading law firm for Data
Protection and have advised on this area of law since 1983
• We have a team of 14 lawyers in London dealing with data
protection matters globally
Data Protection and Information Law
Freedom of Information
• Public Sector
• Private Sector
• Prejudice test and public interest analysis
Surveillance, Interception and Monitoring
• RIPA
• Lawful business regulations
• Security
• Tracking and location data
Data Protection
• Privacy
• Confidentiality
• International transfers
• Employment laws
• CCTV
• Direct marketing
• Cloud computing
• Outsourcing
Compliance
• Sarbanes Oxley
• Ethical hotlines
• FCPA/OFAC/Bribery
• E-Discovery Rules
• Data retention
• Data destruction
• Records management
Topics
• The compliance issues
– EU Data Protection Law: Key Concepts
– EU Data Protection Law: Principles
– International Data Transfers
– E-Privacy Directive
– Subject Access Rights
– Ethical hotlines
• The compliance audit
• The cost of non-compliance
Why should you care about data protection compliance?
DOWNSIDE
• Failure to meet legal obligations
• Lack of customer confidence
• Penalties for violations of laws and regulations
• Personal liability including fines and prison sentences
• Damage to brand and reputation
• High crisis-management costs to repair damage
UPSIDE
• Business is in compliance
• Risk is managed
• Trust is established
• Gain competitive advantage
• Legal use of data
EU Data Protection Law:
Key Concepts
“Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures.”
The EU Data Protection Directive (95/46/EC)
The EU Data Protection Directive (95/46/EC) seeks to protect the
privacy and protection of all personal data collected for or about
citizens of the EU, especially as it relates to processing, using, or
exchanging such data.
It encompasses all key elements from article 8 of the European
Convention on Human Rights, which states its intention to respect
the rights of privacy in personal and family life, as well as in the
home and in personal correspondence.
The Data Protection Directive operates in EU Member States
through national implementing laws, so each EU Member State has
a similar data protection law.
Implementing legislation
The EU Data Protection Directive (95/46/EC) does not apply
directly but operates through implementing legislation in each EU
member state.
The applicable legislation will be the law of the country in which the
data controller is established.
Key Concepts
• Personal data
• Sensitive personal data
• Processing
• Data controller
• Data processor
• Data subject
• Data Protection Authority
• Notification
Key Concepts: Personal data
• Data which relate to a living individual who can be identified:
- from such data
- from such data and other information which is, or is likely to be, in the possession of the data controller
- and which are in electronic form or held manually in a relevant filing system
E.g. Name, job title, telephone number, email address, date of
birth, postal address, HR file, customer record, contact details for
individuals working for suppliers.
Key Concepts: Sensitive personal data
• Personal data consisting of information on:
– racial or ethnic origin
– political opinions
– religious or similar beliefs
– trade union details
– health data
– sexual life data
– offences or alleged offences
– court proceedings
E.g. Medical records, sick leave records, criminal record, whistleblower hotline report.
Key Concepts: Processing
• capture, transmit, manipulate, record, store or communicate
• Processing includes:
– collecting personal data from employees or customers
– storage in a database
– ordering in a filing system
– editing data records
– transmission to a third party
• E.g.
– Processing job application, maintaining an HR database or Customer relationship management (CRM) database, maintaining a database of suppliers.
Key Concepts: Data Controller
• A “data controller” is a person or organisation that (alone or with others) determines the purposes for which and the manner in which personal data will be processed
E.g. employer for employee’s data; supplier for customers’ data.
Key Concepts: Data Processor
• A “data processor” is any person or organisation (other than an employee of the data controller) who processes personal data on behalf of the data controller
• Processes personal data on the data controller’s instructions
• Does not take decisions in relation to personal data
• E.g. outsourced payroll provider, website host, fulfillment house, IT / Server host.
Key Concepts: Data Subject
• Individual to whom personal data relates
• E.g.
– Employee
– Job applicant
– Former employee
– Customer:
• Consumer
• Contact person in business-to-business context
– Prospective customer
– Supplier
Key Concepts: Data Protection Authority
• Administers and enforces data protection law in jurisdiction
• May maintain register of data controllers
• Provides guidance on compliance with the law
• Investigates alleged breaches of the law
• May authorise data transfers outside the EEA
• May require specific security documentation
Key Concepts: Notification
• Registration and description of data processing with Data
Protection Authority
• Some countries do not require notification (Germany)
• Some require it in limited circumstances (UK and Ireland)
• Most require it before personal data can be processed (France,
Italy, Poland and Spain)
• Some require notification of data processors as well (Ireland)
• Some require detailed notification of each activity (France)
• Some countries have sophisticated online procedures (UK)
• Some countries charge a scale of fees (UK, Belgium, Ireland)
• Some DPAs have searchable websites to check on notifications (UK)
EU Data Protection Law: Principles
The Data Protection Principles
• Data must be fairly and lawfully processed with the consent of the
individual
• Data may only be obtained for specified lawful purposes, and may not
be further processed in any manner incompatible with that purpose
• Data must be adequate, relevant, and not excessive in relation to the
purpose(s) for which it is collected
• Data must be accurate and, where necessary, kept up to date
• Data must not be kept longer than necessary
• Data must be processed in accordance with rights of data subjects
under the Directive (right to inspect and correct data)
• Security measures must be taken against unauthorized or unlawful
processing, and against accidental loss, destruction, or damage of
data
• Data must not be transferred outside EEA unless recipient country
provides adequate data protection
Data Protection Principles:
Fair and Lawful Processing
Personal data shall be processed fairly and lawfully
• Consent
• Explicit consent - sensitive personal data
To get their data you have to give them information!
Data Protection Principles:
Specified and lawful purposes
Data may only be obtained for specified lawful purposes, and may
not be further processed in any manner incompatible with that
purpose
• “Fair processing” statement should explain purpose(s)
• E.g. an individual provides information to an estate agent in the course of looking to purchase a property, which the agent passes on to its financial adviser, who tries to sell the individual financial products.
Data Protection Principles:
Adequate, relevant and not excessive
• Data must be adequate, relevant, and not excessive in relation to
the purpose(s) for which it is collected
Data Protection Principles:
Accurate and up to date
• Personal data shall be accurate and where necessary kept up to
date
• UK Information Commissioner regards inaccurate information as a
significant problem:
– Inaccurate police records
– Inaccurate credit reference
Data Protection Principles:
Not kept for longer than is necessary
• Personal data processed for any purpose or purposes shall not be
kept for longer than is necessary for that purpose or those
purposes
• Indefinite retention unlikely to be justifiable
• Need Retention policy
Data Protection Principles:
Data subject’s rights
Data must be processed in accordance with rights of data subjects
under the Directive.
Data subject’s right to:
– Object
– Amend
– Access
Data Protection Principles:
Security
Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Consider:
• Sensitivity of information
• Consequences of breach
• Remote access
• Outsourcing
Data Protection Principles:
International transfers
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Consider:
• Pushing or pulling of data
• Staff data/bios
• Customer data
• Outsourcing
Location of the data - data protection laws
[Map: EEA, approved and non-approved countries]
Only the countries listed below (shown in green on the map) have been approved as providing “adequate protection” for transfer of personal data:
Andorra / Argentina / Canada / Faroe Islands / Guernsey / Isle of Man / Israel / Jersey / Switzerland
Location of the Data – Local Laws
EU Data Protection Law:
International data transfers
Overview
To determine whether a transfer to a third country is permitted under
European law, consider the following:
• Is the data “personal data”?
• Is the data protected under national legislation implementing the Directive?
• Is there a “transfer”?
• Does the “third country” ensure an adequate level of protection by reason of its domestic laws, or its international commitments (e.g., the U.S. Safe Harbor)?
Does the “third country” ensure an adequate level of protection?
• Only Switzerland, Canada, Argentina, Isle of Man, Jersey, the
Faroe Islands, Guernsey, Andorra and Israel have adopted
“adequate” data protection laws in the opinion of the EU
• The EU/U.S. Safe Harbor also provides an “adequate” level of
protection – but only for transfers from EU to US; NOT onward to
other non-EU countries
• The Swiss/U.S. Safe Harbor also provides an “adequate” level of
protection for personal as opposed to corporate data
Does an exception apply?
• Consent
• Contract performance
• Important public interest
• Legal claims
• Vital interests
• Public registers
Note: There is no exception for compliance with laws of other
countries such as U.S. Discovery rules
Data Exported
• Within EEA: automatically adequate
• Outside EEA: which country/jurisdiction?
– Argentina, Channel Islands, Isle of Man, Switzerland, Faroe Islands, Israel: adequate for transfer to proceed
– Canada: mostly adequate for transfer to proceed
– USA: to a signatory of the Safe Harbor principles?
• Yes: adequate for transfer to proceed
• No: consider the other key legal grounds below
– Other countries: do any of the other key legal grounds for transfer apply?
1. Transfers using the appropriate EU Commission approved Model Transfer Terms
2. Transfers subject to the use of Binding Corporate Rules
3. Transfers in accordance with an approved private contract
4. Companies that have self-assessed their adequacy (in some jurisdictions)
• Yes: adequate for transfer to take place
• No: can adequacy be presumed?
– Yes: transfer can proceed
– No: legal advice required
U.S. Safe Harbor – Comparison With Principles in the Directive
Notice
  U.S. Safe Harbor: Notice of information collected, entity collecting it, and how it will be used
  Directive: Data must be fairly and lawfully processed with the express consent of the individual (inform of use)
Choice
  U.S. Safe Harbor: Must provide choice, including “opt out” right with respect to use and processing of data and disclosure to third parties; special treatment for sensitive information
  Directive: Data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose
Onward Transfer Outside of EU
  U.S. Safe Harbor: Only to a recipient that is qualified under the Notice and Choice principles above and is a subscriber to the Safe Harbor principles
  Directive: Only if recipient country provides adequate data protection
Security
  U.S. Safe Harbor: Must take reasonable precautions to protect data from loss, misuse, and unauthorized access and disclosure
  Directive: Must take security measures against unauthorized/unlawful processing, and against accidental loss, destruction, or damage of data
Data Integrity
  U.S. Safe Harbor: Must ensure that data is relevant to the purpose collected, accurate, reliable, and kept up to date
  Directive: Data must be adequate, relevant, and not excessive in relation to the purpose(s); must be accurate and kept up to date; must not be kept longer than necessary
Access
  U.S. Safe Harbor: Must allow parties whose personal information has been collected to later locate and correct, modify, or delete inaccurate information
  Directive: Data must be processed in accordance with rights of data subjects under the Directive (right to inspect and correct)
Enforcement
  U.S. Safe Harbor: Enforcement of these principles, including effective dispute resolution mechanism
  Directive: Non-compliance may lead to fines, publication of breaches, and possible imprisonment (varies depending on country)
Have the parties themselves assured adequate protection?
There are contractual solutions that are certain to be deemed
“adequate” under European data protection laws:
• The parties must enter into a “transborder data flow agreement” that incorporates either the model clauses promulgated by the European Commission (SET I) or those proposed by the ICC and approved by the European Commission (SET II)
• The parties could negotiate “one-off” contracts
• A further solution, Binding Corporate Rules (BCR) has been
approved by several member states in the EU
SET I and SET II Model Clauses
• Set I developed by EC and often criticised as uncommercial
• Set II developed by a consortia of business organisations led by ICC
• ICC model clauses were drafted and developed from 1997
• Robert Bond was part of the drafting group
• Set I imposes joint and several liability on parties
• Set II imposes liability on defaulting party
• Set I gives data subject 3rd party rights against either party
• Set II gives 3rd party rights against data importer only after data
exporter has failed to find a remedy
• Set I allows claims for all damages
• Set II allows for actual damages suffered excluding punitive
• Set II imposes due diligence re importer on exporter
• Set I does not, though it is implicit in local laws
ICC BCR Working Group
• Representatives from ICC Paris and USCIB
• Lawyers from Microsoft, Oracle, Philips, DaimlerChrysler, Accenture, AOL
• Lawyers in private practice
- Questionnaire on enforceability and binding nature of BCR
- Report published in 2004 welcomed by DPAs in UK, Austria,
Germany and Netherlands
- Robert Bond co-authored the ICC Report available at
www.iccwbo.org
- Article 29 Guidelines lean heavily on this Report
BCR Guidelines (WP 108)
• Published by the Art. 29 Working Party in April 2005; requires:
• Description of data processing and flows
• Description of provision of adequacy of rights
• Reporting and recording of changes
• Internal compliance procedures
• Complaints handling
• Co-operation with DPA
• Submission to jurisdiction of data subject
• Rights for data subjects
• Training and audits
ICC Single BCR Application Form and Guidelines
• Submitted to Art. 29 Working Party in 2006
• Subsequently adapted and republished by Art 29 as an EU
approved Single Application Form and Procedure
• WP 133 dated 10 January 2007
• WP 153-155 dated 24 June 2008
Data Processing contracts
• The Data Controller must ensure that the Data Processor is
suitable for the processing activities having regard to the nature of
the data – so due diligence is required
• Contractual controls need to be put in place – the Data Processor
may already have these, but check!
• If the Data Processor is outside the EU then the EU Model Clauses
for transfers to a Data Processor should be used
• Reliance on Safe Harbor is possible provided that the Certification
is in relation to the type of personal data being transferred
• Notwithstanding the use of Model Clauses, some DPAs require notification and deposit of the contract for approval
• Some DPAs have difficulty with the concept that Sensitive Data needs to be transferred to a 3rd party outside the EU
APEC Cross Border Privacy Rules
• Australia, China, Japan, Korea, Mexico, Peru, Thailand, Vietnam and the United States.
• The APEC initiative is not based upon strict legislation such as exists in the EU but more upon a framework of a mutual recognition by parties within APEC economies
• The Cross-Border Privacy Rules rely on businesses self assessing their compliance with the APEC privacy principles which are similar to the privacy principles of the US Safe Harbour and the seven data protection principles set out in the UK Data Protection Act 1998.
• The International Chamber of Commerce is taking a leading role in providing Cross-Border Privacy Rules for the APEC privacy framework that were approved by APEC country leaders in 2004.
E-Privacy Directive
Data Protection
Personal data shall be processed fairly and lawfully
• Consent
• Explicit consent - sensitive personal data
To get their data you have to give them information!
Always give them the opportunity to say “no” to future mailings. And ensure you have technical means to remove them from your mailing list.
What you should already be doing
Data Protection – B2C
• Notify with Data Protection Authorities
• Highlight Privacy Policy
• Implement “unsubscribe” and “subject access” procedures
• Train staff on data handling practices & have an internal e-
mail/internet policy
• Maintain information security generally and when passing data to
third parties – 7th Principle
• Address trans border data flows – 8th Principle
EU Privacy & Electronic Regulations
• Aimed at unsolicited electronic commercial communications (inc
SMS & MMS)
• Deals with
– Consent requirements
– Internet Cookies and Tracking Devices
– Value-Added Services – Traffic and Location Data
– Subscriber Directories
Cookies
• Transparency/consent requirements for cookies (and internet tracking devices)
• Not technology-specific
• Clear information on where/why they are used, and an opportunity to refuse them
• Exception where cookies are essential for provision of service/used solely for transmission
Consent
• Controls on phone and fax, i.e. opt-out
• Opt-out consent sufficient in most EU countries unless sensitive data. Now new opt-in for commercial e-mail/SMS to individuals
• New soft opt-in for existing customer relationships - can continue to market similar products and services on an opt-out basis
• New right for corporate subscribers to register on the Telephone Preference Service (TPS)
What you must do in the EU
“Soft opt-in” will apply if certain conditions are met:
– Existing customer relationship
– Customer of the same legal entity
– Same or similar products marketed
– An “unsubscribe” option provided:
• Free of charge and in an easy manner
• On the collection of data
• On each and every subsequent message
If above conditions are met, a simple “opt out” procedure is allowed.
Unless “soft opt-in” applies, only market to those who have expressly consented, i.e. opted-in
Obtaining individuals’ consent
• Must think how and when personal data may be obtained
• Must only use personal data obtained with informed consent
• Must ensure that lists acquired from 3rd parties are lawful
• Must use personal data in accordance with policies and
procedures
• Must use personal data in accordance with the law
• Must balance consent obtained online with offline
Update on the EU Cookies Law
• EU Directive 2009/136/EC: amended Article 5(3) of the E-Privacy Directive
• Changed requirements from informed opt-out to informed opt-in
• The use of cookies will only be allowed if the user has given his consent after being provided with clear and comprehensive information about the purposes of the tracking of their data
• Recital 66: consent to cookies “may be expressed by way of using the appropriate settings of a browser or other application”
• Member states must have implemented the revisions to the E-Privacy Directive by 26 May 2011
Revised wording of the e-privacy Directive
How is the Cookie law being implemented?
• Denmark, Netherlands, Ireland, UK and Estonia have implemented
• UK has given businesses 12 months to get compliant
• France, Slovenia, Luxembourg, Latvia and Lithuania have partially
implemented
• Other member states are still drafting legislation or have decided to
defer implementation
• There is no clear idea as to how consent is to be given
• Browser solutions are still a work in progress
• The International Chamber of Commerce is producing a Cookie
Compliance Toolkit for launch in the next few weeks to help
businesses understand the cookie landscape and how to audit for
compliance
Subject Access Requests
Subject Access Requests: The Basic Rules
• Data subjects’ right of access to data held by data controller.
– Valid request?
– Request in writing?
– Comply promptly and no later than relevant period
– Is a fee payable?
– Information reasonably needed to verify identity of requestor or to locate the information
– Requesting identity/ location information “stops the clock” until receipt
Subject Access Requests: Maximum Response Period
• Germany: no statutory time period (but expectation between 2-3 weeks)
• UK: 40 days
• France: 2 months
• Belgium: 45 days
• Poland: 30 days
• Italy: 15 days (30 days for complex requests)
Subject Access Requests: Fees
• Germany: No fee
• UK: £10 (40 day period does not start until receipt)
• France: No fee (though the data controller may charge if copying costs are significant)
• Belgium: No fee
• Poland: No fee
• Italy: Fee may be payable
Subject Access Requests: What has to be given?
• Confirmation of whether data is held
• Copy of the data
• Details
– Purposes
– Recipients
– Sources
• Redaction
Subject Access Requests: Exemptions
Exemptions
• Prejudicial to crime/prevention/detection
• Confidential references
• Prejudicial to management forecasting/planning
• Prejudicial to negotiations with data subject
• Self incrimination
• Legal professional privilege
Subject Access Requests: common practical issues
• How extensive must the search be?
• Disproportionate effort
• Duplication of information
• Exact copies or a summary?
• Repeated and vexatious requests
Subject Access Requests: Where to look
• Personnel files
• Notes of meetings
• Minutes of meetings
• Emails
• References
• CCTV records
• Door entry system records
• Internet logs
• Telephone records
• Payroll information
Subject access requests: tips for dealing with SARs
• Be prepared – train staff, designate responsibility, know what
information you have, and where, have a written policy
• Information held by third parties – e.g. payroll providers or
occupational health
• Do any exemptions apply?
• Don’t Delay!
Ethical hotlines, audits and whistleblowing
Sarbanes Oxley Act requirements
• SOX mandatory Code of Ethics – a confidential, anonymous reporting mechanism
SOX Section 301(4) states that "Each audit committee shall establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters."
E.U. data protection principles
• an individual has a right to know what data is being processed
about them;
• personal data has to be processed fairly and lawfully;
• personal data must be kept for no longer than is necessary and
must be accurate and up to date;
• each data subject has the right to know that their personal data is
being processed;
• personal data must be, at all times, kept secure and where
processed by a third party be managed securely; and
• personal data should not be transferred outside the European
Economic Area to any other country that does not have adequate
protection for the rights of the individual.
Conflict between SOX and EU Data Protection Law
• EU member states data protection laws
– E.U. data protection authorities
• All interpret the law differently
CNIL Decision 2005-110 of 26 May 2005
(Group McDonald’s France)
CNIL Decision 2005-111 of 26 May 2005
(CEAC/Exide Technologies)
The 5th Division of the Wuppertal Labour
Court on 15 June 2005 (Wal-Mart
Decision) – Appeal dismissed too
CNIL reasons for their decision
• Anonymity
• Whistleblowing on too wide basis
• Information shared too widely
• Unfair collection of personal data
• Accused not immediately notified
• Rather long retention of data
• Lack of proportionality
• Fundamental data protection concerns
UK Bribery Act and EU Data Protection
• Bribery is to “dishonestly persuade (someone) to act in one’s
favour by a gift of money or other inducement”
• The Act came into force on 1st July 2011 and applies to those who
give or receive a bribe in relation to a business in the UK
• Advice from the UK Government is that businesses should put in
place anti-bribery policies and procedures including training to all
officers and staff and any agents and suppliers
• Businesses that then implement reporting mechanisms such as
ethical hotlines need to be aware of EU restrictions on such
hotlines
Where do we find what is required by EU?
• CNIL, Art. 29 Working Party issued guidelines http://europa.eu.int
– Allows anonymous reporting under certain conditions
– SEC and CNIL letters
– http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2006-others_en.htm
• CNIL Guidelines, FAQ’s – www.cnil.fr
• CNIL on-line authorization Decision and forms – www.cnil.fr
• Other member states have guidance (Spain, Germany, Austria)
• Local advice
French law amended for hotlines
• The CNIL Unique Authorisation no. 4 (authorisation unique no.4)
deals with whistleblowing hotlines
• This authorisation only deals with whistleblowing relating to reports
with regard to serious breaches in the accounting, financial, and
banking sectors as well as anti-bribery
• The CNIL adopted a new ‘deliberation’ in October 2010 modifying
its AU-004. The aim was to avoid the confusion previously created
by its art. 3 which included facts damaging the ‘vital interests of the
undertaking or to the physical or moral integrity of its employees’
• The companies benefiting from an AU-004 for whistleblowing hotlines not strictly confined to the new text of the authorisation have a six-month deadline to ensure they comply with AU-004. There is no need to submit a new authorisation request
Differing stances of EU member States
• Compulsion
• Scope limitation
• Notification requirements
• Permission to transfer personal data outside the EEA
• Anonymity
• Specific requirements of local regulators
• Labor law requirements
Sweden
• Notification (may impose limitations)
• Data Protection applies
• Limited to senior executives
• Regulatory body: Datainspektionen
• Published guidelines:
– guidance is limited to the following:
• the system must be a complement to the company’s
normal internal administration and must be voluntary to use
• the system must be limited to serious irregularities
concerning accounting, internal accounting control,
auditing, the fight against bribery and banking and financial
crimes. The system may also be used for other serious
irregularities concerning the company’s vital interests or the
life and health of individuals
• only key personnel may be reported
Anonymity
• Spain
– regulatory body: Agencia de Protección de Datos
• http://www.agpd.es/portalwebAGPD/index-ides-idphp.php
– published guidelines:
• http://www.tnwinc.com/downloads/SPMWhistleOpinion_ENGTranslation.pdf
• Portugal
– regulatory body:
• http://www.cnpd.pt/english/index_en.html
– published guidelines:
• http://www.ecgi.org/codes/documents/cg_code_cnmv_sept2007_en.pdf
• http://www.ecgi.org/codes/documents/cmvm_cg_recommendations_2010_en.pdf
• http://www.cmvm.pt/NR/rdonlyres/7F744DB2-D365-4552-8AF6-8EB931B99C69/12798/SecuritiesCodeConsDL357DL211AL282009DL185200920091.pdf
• Finland
– published guidelines: Whistleblowing System in Working Life
– regulatory body: Data Protection Ombudsman
• http://www.tietosuoja.fi/index.htm
• http://www.tietosuoja.fi/43647.htm
Poland
• Difficulty faced by GIODO because of fair processing requirements
of Polish Personal Data Protection Act
• PDP also requires specific documents for compliance whether or
not there is a whistleblower hotline
Hungarian whistleblower guidance
• The Guidelines follow the Article 29 Working Party guidelines, but:
• Reports must be limited to grave violations of company policies
• The system must not be used to control work performance
• Reports cannot be made by staff directly to the parent company
• They must be reported to the local company
• The local company must manage the system and any contract with
the service provider
• An employee that transfers personal data direct to the parent
company may be liable to criminal and civil actions
Ethical hotlines: How do you achieve compliance?
• One size does not fit all – ethical hotlines must be tailored to meet local requirements
• Reconfigure procedures
• Narrow scope of reports
• Remember country by country specifics
• Anonymity
• Retention periods
• Third party vendors – accept reports subject to country-specific restrictions
Auditing your EU entities for data
protection compliance
What should the audit achieve?
• “ A systematic and independent examination to determine whether
activities involving the processing of personal data are carried out
in accordance with an organisation’s data protection policies and
procedures, and whether this processing meets the requirements
of the [law].” ICO June 2001
• Assess compliance with the law
• Assess compliance with entities’ own policies
• Assess gaps and weaknesses
• Provide information to ensure compliance
• Ensure awareness
• Minimise risk
Analysing entities and their roles
• Establish names and locations of all entities
• Establish whether they are controllers or processors
• Establish types of data and systems used
• Establish data subjects and data recipients
• Establish points of collection of data
• Audit notifications/registrations
Analysing fair processing and policies
• Audit methods of data collection and consents
• Audit websites and terms of use
• Audit business codes of conduct and policies
• Audit contracts of employment and staff manuals
• Audit staff knowledge and training
• Audit appointments of CPO/DPO
Contracts and Codes
• Audit trans border data flow solutions
• Audit 3rd party processor contracts
• Audit permissions from DPA
• Ensure all policies and procedures comply with local laws
• Monitor ongoing changes to company structures, data handling
practices and notifications
Benefits of a compliance audit
• Facilitates compliance with the law
• Measures and helps improve compliance with policies
• Increases awareness amongst staff and management
• Elevates data protection to a key part of corporate governance
• Minimises risk
• Satisfies insurance requirements
• Improves trust and customer satisfaction
EU Data Protection:
The Cost of Non-Compliance
“The quality of any professional
advisor is dependent on the expertise
and quality of the individual advisor
and the support provided by the firm.
If you work with Robert you get
excellence on both counts. Robert has
built a great team at Speechlys and
he is the undoubted expert and
leader. He is also great to work with
on a personal level and will go the
extra miles to get the job done to the
client’s timetable. I have used
Robert’s services at Speechlys, as
well as when he was at his previous
firm; I have been his client while at
three different companies myself. I
cannot recommend Robert highly
enough, he is the “go to” guy in his
highly complex field.”
Data Protection Directive Principles
• Data must be fairly and lawfully processed, typically with the consent of the individual or on another legitimate ground recognised by the Directive.
• Data may only be obtained for specified legal purposes, and may not be further processed in any manner incompatible with that purpose.
• Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected.
• Data must be accurate and, where necessary, kept up to date.
• Data must not be kept longer than necessary.
• Data must be processed in accordance with the rights of the data subject under the Directive (right to inspect and correct data).
• Security measures must be taken against unauthorised/unlawful processing and against accidental loss, destruction or damage of data.
• Data must not be transferred outside the EEA unless the recipient country provides adequate data protection.
Understanding Enforcement Actions
• The Article 29 Working Party has issued advice on how DPAs should interpret
Article 28(6) of the DP Directive regarding enforcement investigations
spanning several member states
• Investigating and sanctioning a controller in various member states
• Handling complaints where the controller is in another member
state
• Collecting facts and evidence of processing for another DPA
Penalties for Data Breaches
• Penalties for breaches vary throughout the member states.
• Some member states have always imposed harsh penalties (e.g.
Spain).
• General trend towards harsher penalties for breach throughout the
EU (e.g. UK fines, CNIL / Google; Finnish Ombudsman).
Potential Fines
Potential Imprisonment
Recent enforcement for breaches
The United Kingdom: the Sanctions
• The ICO can issue an Enforcement Notice for breaches of the data protection principles. Failure to comply with an Enforcement Notice is a criminal offence, punishable by an unlimited fine (also for directors).
• The Information Commissioner can also impose administrative fines of up to £500,000 if:
– there is a serious breach of the data protection principles;
– this is likely to cause substantial damage or substantial distress; and
– the breach is deliberate or reckless.
• Both failure to notify and the unlawful obtaining/disclosing of personal data are criminal offences punishable by unlimited fines (also for directors). The Government has the power to increase the sentence for unlawfully obtaining or disclosing personal data to two years’ imprisonment.
• The ICO regularly asks for undertakings from organisations in breach in order to “name and shame” them.
• At the ICO Data Protection Officer Conference 2011, the Information Commissioner, Christopher Graham, pushed for increased use of prison sentences in UK data protection legislation.
The United Kingdom: Enforcement
• November 2010: A4e Limited: fine of £60,000 imposed when an
unencrypted laptop containing sensitive personal data relating to
24,000 clients was stolen from the residence of one of its
employees.
• November 2010: Hertfordshire County Council: fine of £100,000
imposed where (1) very sensitive materials were sent by fax to a
member of the public by mistake; and (2) a fortnight later, very
sensitive materials were sent by fax to a Barristers Chambers
rather than the Court, after a warning from the ICO had been
issued in relation to the first incident.
• 8 February 2011: Ealing Council: £80,000 and Hounslow Council:
£70,000 when two unencrypted laptops containing sensitive
personal information were stolen from an employee's home.
The United Kingdom: the Sanctions
• Regulated financial services firms must also comply with the
Financial Services Authority’s rules on data protection.
• The Financial Services Authority has power to fine firms that do not
fulfil their obligations “in such amount as the FSA considers
appropriate” (FSMA S.206(1)).
The United Kingdom: Enforcement
• August 2010: FSA fined Zurich Insurance £2.275m for the loss of
computer back-up tapes containing the details of 46,000
policyholders.
• July 2009: FSA fined HSBC Life £1,610,000, HSBC Actuaries
£875,000 and HSBC Insurance Brokers £700,000 when
unencrypted data disks were lost in the post.
Spain: the Sanctions
• Spain has one of the most stringent penalty systems in the EU.
• Under the Data Protection Act, fines from EUR900 to EUR600,000
can be imposed depending on the severity of the breach.
• The Spanish Criminal Code also establishes criminal offences
based on the violation of secrets and breach of privacy, however
criminal enforcement is not common.
• Recent changes – minor/serious/very serious.
Spain: Enforcement
• August 2010: EUR31,201 fine imposed on both Antena 3 de Television S.A. and Zed Worldwide S.A.
• 23 August 2010: EUR60,101.21 fine imposed on France Telecom Espana.
• 23 August 2010: EUR60,101.21 fine imposed on Endesa Distribucion Electrica S.L.U.
• 1 September 2010: EUR6,000 fine imposed on Sociedad Estatal de Correos y Telegrafos.
• 1 September 2010: EUR60,101.21 fine imposed on Caixa de Aforros de Vigo, Ourense e Pontevedra (Caixanova).
• September 2010: EUR60,101.21 fine imposed on Pescatrade S.A. and Frio de Cantabria S.A. (FRICANSA).
• 9 September 2010: EUR6,000 fine imposed on Banco Vitalicio de Espana C.A. de Seguros y Reaseguros (Vitalicio Seguros).
• 10 September 2010: EUR60,101.21 fine imposed on Monte de Piedad y Caja de Ahorros San Fernando de Huelva, Jerez y Sevilla (Cajasol).
• 10 September 2010: EUR60,101.21 fine imposed on Finanzia, Banco de Credito, S.A.
• 16 September 2010: EUR30,001 fine imposed on Vodafone Espana.
• 20 September 2010: EUR61,101.21 fine imposed on France Telecom.
Spain: Enforcement
• Largest fine ever: EUR1,091,822 imposed by Spanish data
protection authority on Zeppelin Television SA and confirmed by
Spain’s Supreme Court.
• The personal data of applicants and contestants on the Spanish
version of the Big Brother television show was not adequately
protected, processed without their consent and transferred to third
parties.
Germany: the Sanctions
• Data protection authorities can impose fines of up to EUR50,000
for simple violations and EUR300,000 for serious violations.
• If breaches are commercially motivated, the fine must not be less
than the profit resulting from the data breach.
• Criminal courts can impose prison sentences up to two years.
Germany: Enforcement
• 30 November 2010: Klaus Treschan, formerly of Deutsche
Telekom Group Security, sentenced to three and a half years'
imprisonment. The data protection breach was his use of the telephone
connection data of journalists, unionists and supervisory board
members; the sentence also reflects three additional charges of bad
faith and fraud.
• 23 November 2010: fine of EUR200,000 imposed on Hamburger
Sparkasse for illegally allowing its customer service
representatives access to customers’ bank data, and for profiling
its customers.
• October 2009: EUR1,123,503.50 fine imposed on Deutsche Bahn
AG by the data protection authority of Berlin; the chairman also stepped
down.
France: the Sanctions
• The CNIL has the following administrative powers:
– issue a warning;
– issue a formal demand;
– issue compliance notices;
– issue an injunction to cease processing; and
– issue an administrative fine of up to €150,000 for a first breach, or, for a repeat breach, up to €300,000 or 5% of turnover, capped at €300,000.
• The CNIL has powers in cases of emergency to order cessation of
processing, the locking of personal data or to inform the prime
minister so that appropriate security measures may be taken.
• Criminal sanctions may also be imposed:
– Up to a maximum of five years imprisonment; and
– Fines from €15,000 (up to €75,000 for legal entities) to €300,000 (up to € 1,500,000 for legal entities).
France: Enforcement
• 270 investigations, four warnings and 5 financial sanctions
imposed by the CNIL in 2009.
• 21 March 2011: Google Inc fined EUR100,000, the largest fine
ever, for the personal data it mistakenly gathered in setting up its
Street View car project.
• The CNIL conducts “dawn raids”: for example, one of our clients, a multinational
headquartered in France, was dawn-raided by the CNIL, which discovered
that appropriate procedures were not in place.
Italy: the Sanctions
• Administrative fines from EUR6,000 to EUR120,000 can be
imposed depending on the type and severity of the breach.
• Prison sentences of up to three years can also be imposed
together with publication of the judgment decision.
• In 2010 the Garante imposed fines totalling EUR4 million.
Enforcement
• Many investigations have been undertaken, but general practice is
to order rectification of the breach and to prevent such a breach
from happening again.
• Google Inc: a criminal investigation is under way; the potential fine is not yet known.
The Netherlands: the Sanctions
• Certain breaches qualify as criminal offences with potential fines of EUR3,800 to EUR19,000 depending on whether the data controller is an individual or legal entity.
• A notice to comply may be issued, with an administrative fine of up to EUR4,500 if this is not complied with.
• Potential prison sentence of six months if criminal offence breach is deliberate.
• There is a bill pending in the House of Representatives to increase the level of the fines.
• The data protection authority may also present its findings to the press.
• 2009: the data protection authority imposed a fine of EUR250,000 on an individual for sending unsolicited emails in violation of the act, together with an administrative order for a penalty sum of EUR5,000 per day.
Czech Republic
• Entities that breach the data protection legislation may be liable to
a fine of up to EUR204,000; if the breach relates to sensitive
data processing or endangers the privacy and private
lives of a larger number of people, the fine can be raised to EUR408,000.
• An individual may be fined EUR40,760 to EUR203,000 in respect
of the above.
• A person who is employed by or works for a data controller, who
comes into contact with the personal data and breaches the duty
of confidentiality, may be subject to a fine of up to EUR4,100.
• November 2010: a fine of EUR200,000 was considered for Prague
City over its Opencard multi-functional chip card system.
• 2009: highest fine to date of EUR94,000 imposed on State Institute
for Drug Control who unlawfully collected and processed personal
data in connection with drug distribution.
Portugal
• Persons in breach can be subject to a fine of EUR250 to
EUR15,000. The severity of the fine depends on the nature of the
breach.
• The limit can be increased to EUR30,000 where the data
processing was subject to the data protection authority’s
authorisation, as is the case with sensitive data.
• Individuals can be liable to imprisonment for up to four years for
certain breaches.
• Highest fine so far EUR20,000 in April 2004 applied to
Radiotelevisão Portuguesa, S.A. (“RTP”) after it instructed a
company to assess data related to the professional skills of its
employees without notifying them.
Poland
• Persons in breach may be liable to a fine of up to EUR270,000, a
partial restriction of freedom or a prison sentence of up to three
years.
• The data protection authority is very pro-active and investigates
thousands of breaches each year.
• Practice so far has been to order rectification of the breach and to
prevent it happening again.
Switzerland
• Not in the EU but follows general EU law practice.
• Fines of up to EUR7,900 for non-compliance, with more severe criminal sanctions for breaches of professional secrecy.
• The Swiss Penal Code also provides that a person who obtains sensitive data or personality profiles from a non-public data collection without authorisation shall be punished by imprisonment or a fine.
• There have been 10 criminal convictions under the Penal Code and one under the Data Protection Act.
• January 2011: former Swiss banker Rudolf Elmer was fined CHF7,200 (EUR5,570) and received a two-year suspended prison sentence for handing Julian Assange of WikiLeaks a CD containing details of tax evasion by wealthy individuals.
• January 2010: HSBC suffered a data breach in which the details of close to 80,000 customers were taken from HSBC Private Bank (Switzerland) by an employee. The matter is being investigated by Swiss regulators.
What can you do?
• Don’t do nothing!
– Self-audit
– Notify
– Policies, procedures & processes
– Training
– Data transfers
Further Information
For more information on our services,
please contact:
Robert Bond
+44 (0)20 7427 6660
www.speechlys.com