

01-02-2012 11:25 by Mandy Webster
In January 2012 the European Commission published its draft proposals for a new Data Protection Directive. The framework of the Regulation largely corresponds to the existing Directive 95/46, but there are some key additions. The Regulation is still in draft form and will be subject to negotiation and amendment before adoption, which could take as long as two years. It provides for the Regulation to come into force 2 years after that, so it could be 2015 or 2016 before the provisions apply. Here is a summary of the key additions to current data protection standards:
There will be increased responsibility for data processors: those who process personal information on behalf of third parties will share responsibility with the controller and be subject to the Data Protection Principles directly.
There will be a new data protection principle around the concept of data protection by design and default. The controller will need to implement appropriate technical and organisational measures and procedures in such a way that the obtaining and subsequent processing of personal information meets data protection standards and protects the rights of the data subject.
There will be a new principle of Accountability, with a requirement to maintain documentation to include:
a) the name and contact details of the controller, joint controller or processor and any representatives
b) the name and contact details of the data protection officer, if any
c) the purposes of the processing
d) a description of the category of data subjects and of the personal information or categories of information relating to them
e) the recipients or categories of recipient including controllers to whom personal information are disclosed
f) transfers of personal information to third countries
g) time limits for erasure of different categories of personal information
h) results of verifications of measures around the responsibility of the controller, for example systems of control for data protection compliance.
There will be a new right to be forgotten, with personal information being erased where it is no longer necessary for the purpose for which it was processed, or where the data subject either withdraws consent on which the processing is based or objects to the processing.
There will be a new right to data portability. Data subjects will be able to obtain a copy of their personal information from the controller in an electronic and structured format which allows further use by the data subject. This is designed to help data subjects take their profile details from one social networking site to another for example.
The proposals include a new data security breach notification obligation. Notification to the supervisory authority will be required within 24 hours. In certain circumstances, where the breach is likely to adversely affect the protection of personal information or the privacy of the data subject, notification to the data subject will also be required within 24 hours.
The Article 29 Working Party published a working document on the current EU personal data breach framework with recommendations for future policy developments, specifically including reflection on how to "extend the personal data breach framework of the ePrivacy Directive in the context of the review of Directive 95/46" (Working Document 01/2011, adopted on 5 April 2011). This document gives a bit more detail as to what is meant by a "data breach" and the circumstances in which the notification requirement might be triggered:
a) the definition of data breach: it "means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community". The key elements are "personal data" and either unauthorised disclosure or access, or accidental destruction or alteration not followed by unauthorised access.
b) applicable legal thresholds to notify individuals and authorities. This is "when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual".
c) content and timing of the notification: "...without undue delay..." (note that the draft Regulation states "within 24 hours"). The content includes the nature of the personal data breach, contact information and measures to mitigate possible adverse effects. It should also include the steps taken by the provider to address the breach.
d) possible exceptions due to technological protection measures and law enforcement such as encryption of the personal information that is the subject of the breach.
There will be a requirement for a designated Data Protection Officer for organisations where:
a) the processing is carried out by a public authority or body or
b) the processing is carried out by an enterprise employing more than 250 persons or
c) the core activities of the controller or processor consist of processing operations which by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects.
The Data Protection Officer should be appropriately qualified and experienced in both data protection law and the legal environment in which the organisation operates. There is provision for a minimum 2 year period of service, and where the position is held by an officer or employee of the organisation, the organisation will have to ensure that the Officer's other duties (if any) are compatible and do not give rise to any conflict of interest.
The tasks of the Data Protection Officer are intended to include:
a) informing and advising the controller or processor of their obligations under data protection law
b) monitoring the implementation and application of the policies of the controller or processor around the protection of personal information, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits
c) monitoring the implementation and application of the Regulation, in particular as to the requirements related to data protection by design, data protection by default, and data security and to the information of data subjects and the exercising of data subject rights
d) ensuring that the documentation requirements are met
e) monitoring the documentation, notification and communication of data security breaches
f) monitoring the performance of Privacy Impact Assessments carried out by the controller or processor
g) monitoring responses to requests from the supervisory authority and cooperation with the supervisory authority at their request or on the Officer’s own initiative
h) acting as contact point for the supervisory authority on issues related to data processing.
The powers of national supervisory authorities will be strengthened, with the power to require entry to premises and access to any information in the control of a controller or processor, which will probably equate to the power to require any organisation to submit to an audit.
Various levels of monetary penalty are set out for breaches of the provisions of the Regulation. The penalties will be imposed by the supervisory authority, taking into account the nature, gravity and duration of the breach, intentional or negligent character of the infringement, and the degree of responsibility of the natural or legal person involved and any previous history of data protection breaches.
A fine of up to 250k euro or up to 0.5% of the annual worldwide turnover of the organisation would be levied in cases where, for example, there is no mechanism for handling subject access requests and there is evidence that such requests are not responded to promptly. A fine of up to 500k euro or up to 1% of the annual worldwide turnover of the organisation would be levied, for example, in cases where fair processing information (the Privacy Notice) is not provided or is incomplete, or where the controller fails to comply with the right to be forgotten or the right to data portability. A fine of up to 1m euro or up to 2% of the annual worldwide turnover of the organisation is recommended where, for example, the controller processes personal information without sufficient legal basis or fails to comply with the requirements for consent. This level of fine would also apply where the controller or processor fails to adopt internal policies to meet the accountability standards around documentation, around designating a Data Protection Officer and around reporting data security breaches appropriately.
There is significant focus on the requirement to delete or anonymise personal information that is no longer required. Data subjects will have to be informed how long it is intended to store their personal information at the time of obtaining it.
I have IT contacts who are keen to project manage a data deletion or data anonymisation project and would be willing to hold an initial discussion at no cost to the client. If anyone is interested in following this offer up, please let me know.