Johan Huizing
Director and Head of European
Legal Affairs
Atmel Corporation
France

Hefty fines and sanctions worry legal departments as new EU data privacy regulation beckons

On 25 January 2012, the European Commission released its proposal* to reform the European Union’s data protection framework. It would replace Data Protection Directive 95/46/EC. The reform takes shape via a Regulation on data protection and a directive “protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences”. This is a very radical attempt to regulate the exploitation and flow of personal information. Before the proposal becomes law, it will be passed to the European Parliament and the Council of the European Union for amendment and adoption following the normal EU legislative procedure.

Clearly some industries will be more affected by the proposal than others. But every General Counsel should understand the potential implications of the new framework for their business. Even though the rules are not yet in effect, it is good to come to grips with them now: a Regulation becomes immediately enforceable as law in all member states simultaneously, unlike directives, which normally need to be transposed into national law. Beware: the Regulation contains increased enforcement powers. Penalties of up to €1 million or up to 2 percent of the global annual turnover of a company are foreseen. If you think risk management is the legal department’s responsibility, you should be aware of these rules.

*You can find the full text of the proposal at: Data protection document

In this edition of TalklawGlobal™ Johan Huizing, Director and Head of European Legal Affairs for Atmel Corporation, unites leading specialists across Europe to look at the risks associated with the recently updated European data protection regulation. This edition is also co-chaired by Monika Kuschewsky, who is a highly regarded expert in this area of law and a Partner with the Belgian independent law firm of Van Bael & Bellis.

The other experts joining them on this panel are (in alphabetical order by country): 

England & Wales: Alexander Brown, Partner, Simmons & Simmons

France: Stephanie Faber, Of Counsel, Squire Sanders

Germany: Heisse Kursawe Eversheds (coming soon...)

Hungary: Janos Tamas Varga, Managing Partner, VJT & Partners

Italy: Francesco De Biasi, Counsel, Cleary Gottlieb

Poland: Agata Szeliga, Partner, Soltysinski Kawecki & Szlezak

Romania: Roxana Ionescu, Managing Associate, Nestor Nestor Diculescu Kingston Petersen

Turkey: Gonenc Gurkaynak, Partner, ELIG

DISCLAIMER: Any opinions, statements or other information expressed in TalklawGlobal by the respective author(s) do not necessarily state or reflect those of TalklawMedia, the chairperson or his employer, the firm to which the author belongs or other panellists. The information submitted by the legal experts is for educational purposes only and does not create an attorney-client relationship between the reader, their firm, or any lawyer in their firm, and does not prevent any lawyer in any firm on this panel, from representing a party in any matter or manner (including taking a different position to that which he/she might have expressed or endorsed in TalklawGlobal) or serving as arbitrator, mediator, dispute board member or in any similar position based on the expression of his/her opinions on the various subjects published on TalklawGlobal. No information published on TalklawGlobal may be quoted or reproduced elsewhere without the prior written consent of the author and TalklawMedia.

Johan's questions for each jurisdiction are:

Question 1) The Regulation contains increased enforcement powers. Companies risk up to €1 million or up to 2 percent of the global annual turnover of a company in case of non-compliance with some rules. Suppose I meet one of our senior executives in an elevator, who is based in your jurisdiction, who is worried about these proposed fines. He knows we are fully compliant with local law, but asks me what top 3 actions I propose the company take now, in preparation for the new Regulation. Please help me build my elevator pitch: What are the 3 priority actions I should identify specifically to prepare now for future compliance in your jurisdiction?

Question 2) The proposed Regulation harmonizes the patchwork of deviating local rules based on the Directive 95/46/EC. One law for all member states will eliminate unnecessary administrative burdens and costs to companies. “This will save businesses around 2.3 billion Euros per year,” European Justice Commissioner Reding said at a conference. But harmonization also has its disadvantages: in some countries a higher level of protection and stricter rules are envisaged. Therefore, can you explain for your jurisdiction, if the new Regulation as proposed will lead to more stringent compliance and more far reaching rules as compared to the system in place today? If so, which rules will be tougher for companies in your jurisdiction, when the Regulation is adopted?

Question 3) What elements of the new Regulation are specifically debated or criticized in your jurisdiction and do you expect your representatives will want to amend anything during the legislative process?

Question 4) Binding corporate rules (BCRs) are now specifically mentioned in the legal text; Article 43 describes the conditions for transfers by way of binding corporate rules. Do you think it will become easier to get BCRs approved in your jurisdiction when the Regulation is adopted as proposed?
 
Monika Kuschewsky
Partner
Van Bael & Bellis
Brussels, Belgium
Tel: +32 (0)2 647 73 50
mkuschewsky@vbb.com

EU LAW:
Monika Kuschewsky, Partner, Van Bael & Bellis

Answer 1) As the exact future regulatory framework is not known yet, it would be premature to start complying with requirements that do not presently exist. However, general preparatory work will certainly not be in vain and will provide a good return on investment, whatever the final law will look like. I would therefore propose the following three priority actions, which will at the same time prepare the ground for some of the main new obligations under the proposed Regulation:

1. Carry out an audit and prepare a data inventory.
2. Evaluate / prepare your data breach policy.
3. Assign responsibilities for data protection compliance.

An audit tailored to your organisation’s needs is the best starting point for achieving compliance – it will help you to take stock of your data processing operations and systems and to establish the current level of compliance. Since the proposed Regulation aims to harmonise the rules at EU level, compliance should be checked against the main requirements under the present Directive 95/46/EC. This will facilitate the identification of compliance gaps once the proposed Regulation is adopted.

Alexander Brown
Partner
Simmons & Simmons
London, UK
Tel: +44 20 7825 4954
alexander.brown@simmons-simmons.com

England & Wales:
Alexander Brown, Partner, Simmons & Simmons

Answer 1) As a starting point, it should be borne in mind that the proposed new regulatory framework still has a long way to go before it becomes law; the draft Regulation is scheduled for a first reading before the European Parliament in January 2013, and it will have to undergo many more legislative stages following that before it is finally implemented, and then will be subject to a two-year (as currently drafted) implementation period. A lot could change to the proposals between now and then, but we would nevertheless recommend taking the following three preparatory steps to get ready for compliance:

A. Comply with the existing law: a large proportion of the new law replicates principles found in the existing law, and therefore a good starting point for preparation is to make sure that you are on top of existing compliance requirements. Also, whether you are a data controller or a data processor (the new rules place obligations on data processors as well), the proposed rules will require you to keep more detailed records of your data processing activities, individuals concerned, recipients of data, right-to-be-forgotten requests and erasure requests. This is in addition to documenting impact assessments and having to provide information to individuals (data subject access requests). This sort of information may well already be captured currently, but the Regulation anticipates that it will be held by data controllers and data processors in a structured, well-documented form. The new rules will require organisations to have transparent and easily accessible policies with regard to the processing of personal data. Establishing these procedures where they do not already exist will involve some potentially significant organisational effort;

Stephanie Faber
Of Counsel
Squire Sanders
Paris, France
Tel: +33 1 5383 7400
stephanie.faber@squiresanders.com
 
France:
Stephanie Faber, Of Counsel, Squire Sanders

Answer 1)
• Prepare for data breach notifications. Data breach notification has been introduced only very recently in France and it currently only applies to communication service providers. Businesses need to put the necessary structures in place now. This will involve identifying a key team responsible for dealing with breaches, and putting in place processes and policies to ensure that any breach is recognised, management is informed, its impact assessed and remedial actions taken.

• Prepare for enhanced “accountability”. Data protection remains the “poor cousin” of compliance, partly due to the low level of the fines compared with those applying to cartels, corruption and bribery. Rightly or wrongly, some companies’ compliance boils down to processing the relevant “paper work”. More importantly, reporting on data protection issues does not always reach executive management. The Regulation addresses this by introducing a set of accountability tools and principles throughout the information life cycle (for more details see the reply to question 2).

• Review commercial and marketing practices on the internet taking into account the following:

* The Regulation has a new geographical scope as it will apply to processing activities related to “the offering of goods and services to data subjects residing in the EU” or the “monitoring of their behaviour”;

* Requirement to obtain “explicit” consent and to be able to provide associated evidence. Consent has already become a complex compliance topic with regard to the use of cookies and similar devices;

* Restrictions on profiling;

Janos Tamas Varga
Managing Partner
VJT & Partners
Budapest, Hungary
Tel: +36 1 501 9900
VargaJT@vjt-partners.com
 
Hungary:
Janos Tamas Varga, Managing Partner, VJT & Partners

Answer 1)
General Counsel will primarily have to identify the following priority actions for future compliance with the new Regulation.

Pursuant to the new Regulation, in any case where the data processing is carried out by a public authority or body or an enterprise employing 250 persons or more, or if the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects, the data controller and the data processor shall designate a data protection officer. Currently, under Hungarian law the obligation to designate a data protection officer is prescribed only for specific sectors, i.e. for certain state authorities, financial institutions, electronic communications services providers and utility services providers; therefore the new Regulation broadens the scope of the enterprises obliged to designate a data protection officer. Thus, General Counsel will have to ensure that a data protection officer is appointed, or that the job description of an eligible employee is supplemented with the data protection officer’s tasks at affected companies, as long as the other tasks and duties of that employee do not result in a conflict of interest.

Under the new Regulation, consent will no longer provide a valid legal ground for the processing of employees’ personal data by the employer in the employment context. Having regard to this, the General Counsel will not be able to rely on data processing consents granted by employees concerning the processing of employees’ personal data included in employment contracts, policies and other documents. Therefore, General Counsel will have to ensure that a proper legal basis is provided regarding the processing of employees’ personal data by the employer.

Francesco De Biasi
Counsel
Cleary Gottlieb
Rome, Italy
Tel: +39 06 6952 2254
fdebiasi@cgsh.com
 
Italy:
Francesco De Biasi, Counsel, Cleary Gottlieb

Answer 1)
Under the new Regulation, companies processing personal data will be subject to more stringent and onerous obligations. In particular, companies in Italy must not only implement new procedures or revise existing ones in order to comply, they also should build a culture of compliance. Accordingly, it would be prudent for data processing companies to start reviewing compliance issues even if the Regulation is not expected to enter into force for at least two years.

When preparing for compliance, General Counsel in Italy should prioritize the following three actions:

a) Implementing a comprehensive compliance strategy

The accountability principle (broadly meaning taking responsibility for data processing) requires companies to drastically change their approach with respect to data processing. The new approach must be more proactive and global. Appropriate internal policies and measures should be implemented to reflect this. As a first step, General Counsel in large companies should appoint a data protection officer (“DPO”) to design and implement the company’s compliance strategy. Actually, all companies processing personal data should appoint a DPO or at least entrust an employee with data protection compliance and train him/her accordingly. The DPO should review and assess the company’s information management systems and data processing activities to verify if they comply with the “privacy by design” and “privacy by default” requirements. It is also important that companies start preparing detailed records of all their data processing activities while reviewing their data management process. They should also set up impact assessments to evaluate risky processing. Last but not least, all staff must be trained and made aware of data protection rules and procedures as a way to ensure that employees respect and recognize the importance of complying with the Regulation. Data protection must now be viewed as a priority in corporate culture as any non-compliance will entail severe sanctions.

Agata Szeliga
Partner
Soltysinski Kawecki & Szlezak
Warsaw, Poland
Tel: +48 22 608 70 06
agata.szeliga@skslegal.pl
 
Poland:
Agata Szeliga, Partner, Soltysinski Kawecki & Szlezak

Answer 1)
There is no doubt that the new regulation on the protection of personal data proposed by the European Commission will have a significant impact on the operation of businesses and other entities present in the EU. As the Commission proposes more and more measures to ensure that individuals will enjoy effective control over their personal data, the response from the data controllers should be to simplify the personal data operations and management within their organisations. The simpler the procedures and operations within the organisation, the lower the risk that data protection rules will be violated. With simpler rules it is also easier to ensure that the processes will be understood properly by the personnel involved in data processing operations. How do we achieve this simplicity in a world in which legal regulations and requirements become more and more complex?

Firstly, I would recommend collecting updated information about personal data processing in the organisation, as frequently the knowledge about the processing of personal data in an organisation is fragmented and incomplete. Moreover, the proposed regulation will become applicable also to controllers not established in the EU, in particular where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour. In particular, one should check what categories of personal data are processed within the organisation, for what purposes, and in how many data filing systems this data is processed. The review should also cover the required documentation, procedures and security measures, especially at the level of controllers which have not, so far, been obligated to follow EU data protection rules. One may also consider categorizing the personal data processed in the organisation into “must have”, “good to have” and “redundant” categories. If some personal data is classified as “redundant”, the controller of such data may decide to

Roxana Ionescu
Managing Associate
Nestor Nestor Diculescu Kingston Petersen
Bucharest, Romania
Tel: +40-(21) 20 11 200
Roxana.Ionescu@nndkp.ro
 
Romania:
Roxana Ionescu, Managing Associate, Nestor Nestor Diculescu Kingston Petersen

Answer 1)
For Romania, the 3 priority actions I would recommend before the entry into force of the Regulation are: (1) internal audit, (2) define and implement remedial actions, and (3) training.

(1) Internal audit – even if one thinks that the group is compliant with privacy requirements because internal policies and processes governing the processing of personal data are in place, the reality within the various affiliates may be different. This may be especially true for Romania, where the companies’ overall awareness of privacy-related obligations is still rather low, especially due to:

(i) the maximum amount of the fine that can be applied per breach, which is approx. Euro 11,000;

(ii) the reduced enforcement initiatives of the Romanian supervisory authority;

(iii) the extremely limited number of court cases addressing privacy-related matters (i.e., only one significant case existed in the recent past where an individual was awarded Euro 10,000 moral damages for the unlawful disclosure of his health data by a local authority).

The adoption of the Regulation may also be a good moment to look again at the processing operations carried out by the Romanian affiliate and decide if and how such operations should be kept in the future. There have been a lot of situations when, further to internal privacy audits, it was ascertained that a lot of processing operations had been carried out unnecessarily, or that data no longer useful for the company’s current operations were still kept because updating databases had not been seen as a business priority.

Gonenc Gurkaynak
Partner
ELIG
Istanbul, Turkey
Tel: +90 212 327 17 24
gonenc.gurkaynak@elig.com
 
Turkey:
Gonenc Gurkaynak, Partner, ELIG

Before delving into our responses, we note that the new Regulation would not be applicable in the Turkish jurisdiction in most cases, as Turkey is not a member of the EU. However, as per Article 3 of the new Regulation, which spells out the territorial scope, the Regulation would also apply to the processing of personal data by a controller not established in the EU but in a place where the national law of an EU member state would apply by virtue of public international law. In this respect, the new Regulation might apply in cases where the national law of a member state is applied by virtue of public international law.

Furthermore, Turkey has no specific fully-fledged law governing the privacy of personal data. However, Turkish legislators are currently in the process of establishing legislation specifically for data privacy. Considering the fact that the legislation to be enacted would most likely be taken from, or at least influenced by, the legislation in the EU, some of the principles referred to below could similarly be adopted and implemented in Turkey in the near future.

Answer 1) The benefit of carrying out an internal audit is the identification of possible breaches within the company. In this case, an unannounced audit would take place by an independent contractor, and all of the stored data would be evaluated. At the end of the audit, a report would be prepared which would cover the current situation of the company in terms of (i) the data subjects’ rights, and whether they are sufficiently protected or not, and (ii) the compliance of the company and its designated data protection officers with the current applicable legislation. Starting from there, the company would be able to see an overview of the company in terms of data privacy and take the necessary measures for compliance with the current and the upcoming legislation.