
Page 1: What's the Worst that Can Happen?...The EU Data Protection Directive (95/46/EC) The EU Data Protection Directive (95/46/EC) seeks to protect the privacy and protection of all personal

1

EU Data Protection: How to Comply and If You Don't, What's the Worst that Can Happen?

Presentation by: Robert Bond, BA, CompBCS, FSALS, Partner & Notary Public, Head of Data Protection and Corporate Social Responsibility

“From regulatory compliance to practical advice on data security issues, Robert’s expertise in this field and the creativity of the advice that he provides has ensured that he stands head and shoulders above the competition.”

Robert Bond

Robert has specialised in data protection law since 1983 and was voted one of the Top 20 data privacy experts in Computerworld in Feb 2011. He co-authored the International Chamber of Commerce (ICC) BCR Report in 2006, and the ICC Guidelines on Basel II and Data Protection in 2007. Robert is the author of many books, including most recently for Sweet & Maxwell, who publish his book Negotiating International Software Licenses and Data Transfer Agreements.

Robert is a Companion of the British Computer Society, a Fellow of the Society of Advanced Legal Studies, a member of IAPP and SCCE and in 1994 was a researcher in Information Security and Data Protection at the University of Leicester. He is Chairman of the ICC (UK) E-Business, IT & Telecoms Committee, a Liveryman of the Worshipful Company of Stationers and Newspaper Makers and a Freeman of the City of London.

His clients include multinationals such as 3M, Daimler, Astellas, Sony, Flowserve, 3Par, Pentair, Tennant, Watson Pharmaceutical, Affiliated Computer Services, BancTec, Merck, Millipore and Dresser whom he advises on a range of IT and commercial contracts, bribery and corruption, ethics and responsibility, EU regulations and global data protection and information security compliance. Robert has close relationships with in-house teams at the data protection authorities in the US, UK, Ireland, France and Canada as well as in the European Commission and the Council of Europe.

Robert is listed as a data protection expert in Chambers (2010), Chambers (2009) and in Chambers (2008) where clients describe him as “a brilliant lecturer, a meticulous lawyer” and “responsive – if you contact him, you know he’ll get back to you within the hour” and “authoritative – he really knows his stuff, and he has so many contacts within the EC he can predict trends and what’s coming further down the line, which is very useful for forward planning.” Chambers 2010 describes him as “having taught almost every lawyer something about computers.”

Page 2

Our team

• We are a full service law firm providing local and international services to a diverse range of clients

• Our core legal services are provided in three sectors: Business Services, Real Estate & Construction and Private Client

• Our Data Protection & Information Law team provide a range of expertise on data privacy audit, compliance, risk management, information security and data breaches

• We are listed in Chambers 2010 as a leading law firm for Data Protection and have advised on this area of law since 1983

• We have a team of 14 lawyers in London dealing with data protection matters globally

Data Protection and Information Law

Freedom of Information

• Public Sector

• Private Sector

• Prejudice test and public interest analysis

Surveillance, Interception and Monitoring

• RIPA

• Lawful business regulations

• Security

• Tracking and location data

Data Protection

• Privacy

• Confidentiality

• International transfers

• Employment laws

• CCTV

• Direct marketing

• Cloud computing

• Outsourcing

Compliance

• Sarbanes Oxley

• Ethical hotlines

• FCPA/OFAC/Bribery

• E-Discovery Rules

• Data retention

• Data destruction

• Records management

Page 3

Topics

• The compliance issues

– EU Data Protection Law: Key Concepts

– EU Data Protection Law: Principles

– International Data Transfers

– E-Privacy Directive

– Subject Access Rights

– Ethical hotlines

• The compliance audit

• The cost of non-compliance

Why should you care about data protection compliance?

DOWNSIDE

• Failure to meet legal obligations

• Lack of customer confidence

• Penalties for violations of laws and regulations

• Personal liability including fines and prison sentences

• Damage to brand and reputation

• High crisis-management costs to repair damage

UPSIDE

• Business is in compliance

• Risk is managed

• Trust is established

• Gain competitive advantage

• Legal use of data

Page 4

EU Data Protection Law: Key Concepts

“Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures.”

The EU Data Protection Directive (95/46/EC)

The EU Data Protection Directive (95/46/EC) seeks to protect the privacy of individuals in the EU and the personal data collected for or about them, especially as it relates to processing, using or exchanging such data.

It encompasses all key elements from Article 8 of the European Convention on Human Rights, which states its intention to respect the rights of privacy in personal and family life, as well as in the home and in personal correspondence.

The Data Protection Directive operates in EU Member States through national implementing laws, so each EU Member State has a similar data protection law.

Page 5

Implementing legislation

The EU Data Protection Directive (95/46/EC) does not apply directly but operates through implementing legislation in each EU member state.

The applicable legislation will be the law of the country in which the data controller is established.

Key Concepts

• Personal data

• Sensitive personal data

• Processing

• Data controller

• Data processor

• Data subject

• Data Protection Authority

• Notification

Page 6

Key Concepts: Personal data

• Data which relate to a living individual who can be identified:

- from such data

- from such data and other information which is or is likely to be in the possession of the data controller

- and which are in electronic form or held manually in a relevant filing system

E.g. Name, job title, telephone number, email address, date of birth, postal address, HR file, customer record, contact details for individuals working for suppliers.

Key Concepts: Sensitive personal data

• Personal data consisting of information on:

• racial or ethnic origin

• political opinions

• religious or similar beliefs

• trade union details

• health data

• sexual life data

• offences or alleged offences

• court proceedings

E.g. Medical records, sick leave records, criminal record, whistleblower hotline report.

Page 7

Key Concepts: Processing

• capture, transmit, manipulate, record, store or communicate

• Processing includes:

– collecting personal data from employees or customers

– storage in a database

– ordering in a filing system

– editing data records

– transmission to a third party

• E.g.

– Processing a job application, maintaining an HR database or a customer relationship management (CRM) database, maintaining a database of suppliers.

Key Concepts: Data Controller

• A “data controller” is a person or organisation that (alone or with others) determines the purposes for which and the manner in which personal data will be processed

E.g. employer for employee’s data; supplier for customers’ data.

Page 8

Key Concepts: Data Processor

• A “data processor” is any person or organisation (other than an employee of the data controller) who processes personal data on behalf of the data controller

• Processes personal data on the data controller’s instructions

• Does not take decisions in relation to personal data

• E.g. outsourced payroll provider, website host, fulfillment house, IT / Server host.

Key Concepts: Data Subject

• Individual to whom personal data relates

• E.g.

– Employee

– Job applicant

– Former employee

– Customer:

• Consumer

• Contact person in business-to-business context

– Prospective customer

– Supplier

Page 9

Key Concepts: Applicable law

The EU Data Protection Directive (95/46/EC) does not apply directly but operates through implementing legislation in each EU member state.

The applicable legislation will be the law of the country in which the data controller is established.

Key Concepts: Data Protection Authority

• Administers and enforces data protection law in jurisdiction

• May maintain register of data controllers

• Provides guidance on compliance with the law

• Investigates alleged breaches of the law

• May authorise data transfers outside the EEA

• May require specific security documentation

Page 10

Key Concepts: Notification

• Registration and description of data processing with the Data Protection Authority

• Some countries do not require notification (Germany)

• Some require it in limited circumstances (UK and Ireland)

• Most require it before personal data can be processed (France, Italy, Poland and Spain)

• Some require notification of data processors as well (Ireland)

• Some require detailed notification of each activity (France)

• Some countries have sophisticated online procedures (UK)

• Some countries charge a scale of fees (UK, Belgium, Ireland)

• Some DPAs have searchable websites to check on notifications (UK)

EU Data Protection Law: Principles

Page 11

The Data Protection Principles

• Data must be fairly and lawfully processed, with the consent of the individual or on another legitimate ground recognised by the Directive

• Data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose

• Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected

• Data must be accurate and, where necessary, kept up to date

• Data must not be kept longer than necessary

• Data must be processed in accordance with rights of data subjects under the Directive (right to inspect and correct data)

• Security measures must be taken against unauthorized or unlawful processing, and against accidental loss, destruction, or damage of data

• Data must not be transferred outside the EEA unless the recipient country provides adequate data protection

Data Protection Principles: Fair and Lawful Processing

Personal data shall be processed fairly and lawfully

• Consent

• Explicit consent - sensitive personal data

To get their data you have to give them information!

Page 12

Data Protection Principles: Specified and lawful purposes

Data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose

• A “fair processing” statement should explain the purpose(s)

• E.g. an individual provides information to an estate agent in the course of looking to purchase a property, which the agent passes on to its financial adviser, who tries to sell the individual financial products: a further use incompatible with the purpose for which the information was given, unless the individual was told of it at the outset.

Data Protection Principles: Adequate, relevant and not excessive

• Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected

Page 13

Data Protection Principles: Accurate and up to date

• Personal data shall be accurate and where necessary kept up to date

• The UK Information Commissioner regards inaccurate information as a significant problem:

– Inaccurate police records

– Inaccurate credit reference

Data Protection Principles: Not kept for longer than is necessary

• Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes

• Indefinite retention unlikely to be justifiable

• Need a retention policy

Page 14

Data Protection Principles: Data subject’s rights

Data must be processed in accordance with rights of data subjects under the Directive.

Data subject’s right to:

– Object

– Amend

– Access

Data Protection Principles: Security

Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Consider:

• Sensitivity of information

• Consequences of breach

• Remote access

• Outsourcing

Page 15

Data Protection Principles: International transfers

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Consider:

• Pushing or pulling of data

• Staff data/bios

• Customer data

• Outsourcing

Location of the data - data protection laws

[Map of the EEA and of approved and non-approved countries.] Only the following countries have been approved as providing “adequate protection” for transfer of personal data: Andorra / Argentina / Canada / Faroe Islands / Guernsey / Isle of Man / Israel / Jersey / Switzerland

Page 16

Location of the Data – Local Laws

EU Data Protection Law: International data transfers

Page 17

Overview

To determine whether a transfer to a third country is permitted under European law, consider the following:

• Is the data “personal data”?

• Is the data protected under national legislation implementing the Directive?

• Is there a “transfer”?

• Does the “third country” ensure an adequate level of protection by reason of its domestic laws, or its international commitments (e.g., the U.S. Safe Harbor)?

Does the “third country” ensure an adequate level of protection?

• Only Switzerland, Canada, Argentina, Isle of Man, Jersey, the Faroe Islands, Guernsey, Andorra and Israel have adopted “adequate” data protection laws in the opinion of the EU

• The EU/U.S. Safe Harbor also provides an “adequate” level of protection – but only for transfers from EU to US; NOT onward to other non-EU countries

• The Swiss/U.S. Safe Harbor also provides an “adequate” level of protection for personal as opposed to corporate data

Page 18

Does an exception apply?

• Consent

• Contract performance

• Important public interest

• Legal claims

• Vital interests

• Public registers

Note: There is no exception for compliance with laws of other countries such as U.S. Discovery rules

Data Exported (decision tree)

• Within EEA: automatically adequate

• Outside EEA: which country/jurisdiction?

– Argentina, Channel Islands, Isle of Man, Switzerland, Faroe Islands, Israel (and Andorra, see the adequacy list above): adequate for transfer to proceed

– Canada: mostly adequate for transfer to proceed

– USA: to a signatory of the Safe Harbor principles? Yes: adequate for transfer to proceed. No: treat as “other countries”

– Other countries: do any of the other key legal grounds for transfer apply?

1. Transfers using the appropriate EU Commission approved Model Transfer Terms

2. Transfers subject to the use of Binding Corporate Rules

3. Transfers in accordance with an approved private contract

4. Companies that have self-assessed their adequacy (in some jurisdictions)

Yes: adequate for transfer to take place. No: can adequacy be presumed? Yes: transfer can proceed. No: legal advice required
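The decision tree above, mechanised as an added example (this is not code from the slides or from the presenter): a function that walks the tree for one transfer record, and a helper that runs it over a register of data flows and returns the ones that cannot proceed. The adequate-country list, the four legal grounds and the exceptions are the ones on the slides as at 2011; the Transfer record layout, the string tags used for grounds and exceptions, and the sample register are assumptions constructed for this example. It goes a little beyond the flowchart in two ways the slides support: it also checks the exceptions list from the previous slide, and it treats "compliance with a foreign law" as not being a ground, per the note above.

```python
"""Added example (not from the slides): the 'Data Exported' decision tree for
transfers of personal data out of the EEA under Directive 95/46/EC, written as
a function so it can be run over a register of data flows."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Countries with a European Commission adequacy finding, as listed on the slides (2011).
ADEQUATE_COUNTRIES = {"Andorra", "Argentina", "Faroe Islands", "Guernsey",
                      "Isle of Man", "Israel", "Jersey", "Switzerland"}
# Canada's finding only covers recipients subject to PIPEDA ("mostly adequate").
# EU-27 as at 2011 plus Iceland, Liechtenstein and Norway: intra-EEA is automatically adequate.
EEA = {"Austria", "Belgium", "Bulgaria", "Cyprus", "Czech Republic", "Denmark",
       "Estonia", "Finland", "France", "Germany", "Greece", "Hungary", "Ireland",
       "Italy", "Latvia", "Lithuania", "Luxembourg", "Malta", "Netherlands",
       "Poland", "Portugal", "Romania", "Slovakia", "Slovenia", "Spain", "Sweden",
       "United Kingdom", "Iceland", "Liechtenstein", "Norway"}
# The "other key legal grounds" from the flowchart (tags are this example's own).
GROUNDS = {"model_clauses", "bcr", "approved_contract", "self_assessed_adequacy"}
# The exceptions listed on the slide. Compliance with a foreign law (e.g. US
# discovery) is deliberately absent: the slides note it is not an exception.
EXCEPTIONS = {"consent", "contract_performance", "public_interest",
              "legal_claims", "vital_interests", "public_register"}


@dataclass
class Transfer:
    destination: str                     # country the personal data is sent to
    recipient_pipeda: bool = False       # Canadian recipient regulated by PIPEDA
    recipient_safe_harbor: bool = False  # US recipient certified under Safe Harbor
    onward_from_us: bool = False         # data moves on from the US recipient to another non-EU country
    grounds: Set[str] = field(default_factory=set)
    exception: Optional[str] = None


def assess_transfer(t: Transfer) -> Tuple[bool, str]:
    """Walk the decision tree top to bottom; return (may_proceed, reason)."""
    if t.destination in EEA:
        return True, "within EEA: automatically adequate"
    if t.destination in ADEQUATE_COUNTRIES:
        return True, f"{t.destination}: Commission adequacy finding"
    if t.destination == "Canada" and t.recipient_pipeda:
        return True, "Canada: adequacy finding covers PIPEDA-regulated recipients"
    if t.destination == "USA" and t.recipient_safe_harbor and not t.onward_from_us:
        # Safe Harbor covers EU-to-US only, never an onward transfer from the US.
        return True, "USA: Safe Harbor signatory, EU to US only"
    grounds = t.grounds & GROUNDS
    if grounds:
        return True, "other legal ground: " + ", ".join(sorted(grounds))
    if t.exception in EXCEPTIONS:
        return True, f"exception applies: {t.exception}"
    # Unknown tags (e.g. "foreign_law_compliance") fall through to here.
    return False, "no adequacy, legal ground or exception: legal advice required"


def flag_transfers(register: List[Transfer]) -> List[Tuple[Transfer, str]]:
    """Return the flows in a register that cannot proceed, with the reason."""
    flagged = []
    for t in register:
        ok, why = assess_transfer(t)
        if not ok:
            flagged.append((t, why))
    return flagged


# Constructed sample register for this example (not real data flows).
SAMPLE_REGISTER = [
    Transfer("Germany"),                                               # HR data to a group company
    Transfer("USA", recipient_safe_harbor=True),                       # CRM hosted by a Safe Harbor firm
    Transfer("USA", recipient_safe_harbor=True, onward_from_us=True),  # ...which sub-contracts outside the US
    Transfer("India", grounds={"model_clauses"}),                      # outsourced payroll under model clauses
    Transfer("India", exception="foreign_law_compliance"),             # disclosure for US discovery
    Transfer("Canada"),                                                # recipient not known to be PIPEDA-regulated
]

if __name__ == "__main__":
    for t, why in flag_transfers(SAMPLE_REGISTER):
        print(f"{t.destination}: {why}")
```

The ordering matters: an adequacy finding or Safe Harbor certification is checked before contractual grounds, so a US recipient that is certified does not need model clauses, but the moment the data is to move on from the US the certification no longer helps and the flow drops through to the contractual grounds.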

Page 19

U.S. Safe Harbor – Comparison With Principles in the Directive

Notice
 U.S. Safe Harbor: Notice of information collected, entity collecting it, and how it will be used
 Principles of the Directive: Data must be fairly and lawfully processed, with the consent of the individual or on another legitimate ground (inform of use)

Choice
 U.S. Safe Harbor: Must provide choice, including “opt out” right with respect to use and processing of data and disclosure to third parties; special treatment for sensitive information
 Principles of the Directive: Data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose

Onward Transfer Outside of EU
 U.S. Safe Harbor: Only to a recipient that is qualified under the Notice and Choice principles above and is a subscriber to the Safe Harbor principles
 Principles of the Directive: Only if the recipient country provides adequate data protection

Security
 U.S. Safe Harbor: Must take reasonable precautions to protect data from loss, misuse, and unauthorized access and disclosure
 Principles of the Directive: Must take security measures against unauthorized/unlawful processing, and against accidental loss, destruction, or damage of data

Data Integrity
 U.S. Safe Harbor: Must ensure that data is relevant to the purpose collected, accurate, reliable, and kept up to date
 Principles of the Directive: Data must be adequate, relevant, and not excessive in relation to the purpose(s); must be accurate and kept up to date; must not be kept longer than necessary

Access
 U.S. Safe Harbor: Must allow parties whose personal information has been collected to later locate and correct, modify, or delete inaccurate information
 Principles of the Directive: Data must be processed in accordance with rights of data subjects under the Directive (right to inspect and correct)

Enforcement
 U.S. Safe Harbor: Enforcement of these principles, including an effective dispute resolution mechanism
 Principles of the Directive: Non-compliance may lead to fines, publication of breaches, and possible imprisonment (varies depending on country)

Page 20

Have the parties themselves assured adequate protection?

There are contractual solutions that are certain to be deemed “adequate” under European data protection laws:

• The parties must enter into a “transborder data flow agreement” that incorporates either model clauses promulgated by the European Commission (Set I) or proposed by the ICC and approved by the European Commission (Set II)

• The parties could negotiate “one-off” contracts (these generally need authorisation from the relevant DPA)

• A further solution, Binding Corporate Rules (BCR), has been approved by several member states in the EU

Set I and Set II Model Clauses

• Set I developed by the EC and often criticised as uncommercial

• Set II developed by a consortium of business organisations led by the ICC

• ICC model clauses were drafted and developed from 1997

• Robert Bond was part of the drafting group

• Set I imposes joint and several liability on the parties

• Set II imposes liability on the defaulting party

• Set I gives the data subject third-party rights against either party

• Set II gives third-party rights against the data importer only after the data exporter has failed to find a remedy

• Set I allows claims for all damages

• Set II allows for actual damages suffered, excluding punitive damages

• Set II imposes due diligence on the exporter in respect of the importer

• Set I does not, though it is implicit in local laws

Page 21

ICC BCR Working Group

• Representatives from ICC Paris and USCIB

• Lawyers from Microsoft, Oracle, Philips, DaimlerChrysler, Accenture, AOL

• Lawyers in private practice

- Questionnaire on enforceability and binding nature of BCR

- Report published in 2004 welcomed by DPAs in UK, Austria, Germany and Netherlands

- Robert Bond co-authored the ICC Report available at www.iccwbo.org

- Article 29 Guidelines lean heavily on this Report

BCR Guidelines (WP 108)

• Published by the Article 29 Working Party in April 2005; requires:

• Description of data processing and flows

• Description of provision of adequacy of rights

• Reporting and recording of changes

• Internal compliance procedures

• Complaints handling

• Co-operation with DPA

• Submission to jurisdiction of data subject

• Rights for data subjects

• Training and audits

Page 22

ICC Single BCR Application Form and Guidelines

• Submitted to Art. 29 Working Party in 2006

• Subsequently adapted and republished by Art 29 as an EU approved Single Application Form and Procedure

• WP 133 dated 10 January 2007

• WP 153-155 dated 24 June 2008

Data Processing contracts

• The Data Controller must ensure that the Data Processor is suitable for the processing activities having regard to the nature of the data – so due diligence is required

• Contractual controls need to be put in place – the Data Processor may already have these, but check!

• If the Data Processor is outside the EU then the EU Model Clauses for transfers to a Data Processor should be used

• Reliance on Safe Harbor is possible provided that the Certification is in relation to the type of personal data being transferred

• Notwithstanding the use of Model Clauses, some DPAs require notification and deposit of the contract for approval

• Some DPAs have difficulty with the concept that Sensitive Data needs to be transferred to a 3rd party outside the EU

Page 23

APEC Cross Border Privacy Rules

• APEC economies include Australia, China, Japan, Korea, Mexico, Peru, Thailand, Vietnam and the United States.

• The APEC initiative is not based upon strict legislation such as exists in the EU but more upon a framework of mutual recognition by parties within APEC economies

• The Cross-Border Privacy Rules rely on businesses self-assessing their compliance with the APEC privacy principles, which are similar to the privacy principles of the US Safe Harbor and the eight data protection principles set out in the UK Data Protection Act 1998.

• The International Chamber of Commerce is taking a leading role in providing Cross-Border Privacy Rules for the APEC Privacy Framework, which was approved by APEC leaders in 2004.

E-Privacy Directive

Page 24

Data Protection

Personal data shall be processed fairly and lawfully

• Consent

• Explicit consent - sensitive personal data

To get their data you have to give them information!

Always give them the opportunity to say “no” to future mailings. And ensure you have technical means to remove them from your mailing list.

What you should already be doing

Data Protection – B2C

• Notify with Data Protection Authorities

• Highlight Privacy Policy

• Implement “unsubscribe” and “subject access” procedures

• Train staff on data handling practices & have an internal e-mail/internet policy

• Maintain information security generally and when passing data to third parties – 7th Principle

• Address trans border data flows – 8th Principle

Page 25

EU Privacy & Electronic Regulations

• Aimed at unsolicited electronic commercial communications (inc SMS & MMS)

• Deals with

– Consent requirements

– Internet Cookies and Tracking Devices

– Value-Added Services – Traffic and Location Data

– Subscriber Directories

Cookies

• Transparency/consent requirements for cookies (and internet tracking devices)

• Not technology-specific

• Clear information on where/why they are used, and an opportunity to refuse them

• Exception where cookies are essential for provision of service/used solely for transmission

Page 26

Consent

• Controls on live telephone calls (opt out, e.g. TPS) and on fax (prior opt-in consent required for individual subscribers)

• Opt-out consent sufficient in most EU countries unless sensitive data. Now new opt-in for commercial e-mail/SMS to individuals

• New soft opt-in for existing customer relationships: can continue to market similar products and services on an opt-out basis

• New right for corporate subscribers to register on the Telephone Preference Service (the Corporate TPS)

What you must do in the EU

“Soft opt-in” will apply if certain conditions are met:

– Existing customer relationship

– Customer of the same legal entity

– Same or similar products marketed

– An “unsubscribe” option provided:

• Free of charge and in an easy manner

• On the collection of data

• On each and every subsequent message

If the above conditions are met, a simple “opt out” procedure is allowed.

Unless “soft opt-in” applies, only market to those who have expressly consented, i.e. opted in

Page 27

Obtaining individuals’ consent

• Must think how and when personal data may be obtained

• Must only use personal data obtained with informed consent

• Must ensure that lists acquired from 3rd parties are lawful

• Must use personal data in accordance with policies and procedures

• Must use personal data in accordance with the law

• Must balance consent obtained online with offline

Update on the EU Cookies Law

• EU Directive 2009/136/EC amended Article 5(3) of the E-Privacy Directive (2002/58/EC)

• Changed requirements from informed opt-out to informed opt-in

• The use of cookies will only be allowed if the user has given his consent after being provided with clear and comprehensive information about the purposes of the tracking of their data

• Recital 66: consent to cookies “may be expressed by way of using the appropriate settings of a browser or other application”

• Member states must have implemented the revisions to the E-Privacy Directive by 25 May 2011

Page 28

Revised wording of the e-privacy Directive (two slides; the revised text itself is not reproduced here)


How is the Cookie law being implemented?

• Denmark, the Netherlands, Ireland, the UK and Estonia have implemented

• The UK has given businesses 12 months to become compliant

• France, Slovenia, Luxembourg, Latvia and Lithuania have partially implemented

• Other member states are still drafting legislation or have decided to defer implementation

• There is still no settled view on how consent is to be obtained

• Browser-based consent solutions are still a work in progress

• The International Chamber of Commerce is producing a Cookie Compliance Toolkit, for launch in the next few weeks, to help businesses understand the cookie landscape and how to audit for compliance

Subject Access Requests


Subject Access Requests: The Basic Rules

• Data subjects’ right of access to data held by data controller.

– Valid request?

– Request in writing?

– Comply promptly and no later than relevant period

– Is a fee payable?

– Information reasonably needed to verify identity of requestor or to locate the information

– Requesting identity/ location information “stops the clock” until receipt

Subject Access Requests: Maximum Response Period

• Germany: no statutory time period (but an expectation of 2-3 weeks)

• UK: 40 days

• France: 2 months

• Belgium: 45 days

• Poland: 30 days

• Italy: 15 days (30 days for complex requests)


Subject Access Requests: Fees

• Germany: no fee

• UK: £10 (the 40-day period does not start until the fee is received)

• France: no fee (though the data controller may charge if copying costs are significant)

• Belgium: no fee

• Poland: no fee

• Italy: a fee may be payable

Subject Access Requests: What has to be given?

• Confirmation of whether data is held

• Copy of the data

• Details

– Purposes

– Recipients

– Sources

• Redaction


Subject Access Requests: Exemptions

Exemptions

• Prejudicial to crime/prevention/detection

• Confidential references

• Prejudicial to management forecasting/planning

• Prejudicial to negotiations with data subject

• Self incrimination

• Legal professional privilege

Subject Access Requests: common practical issues

• How extensive must the search be?

• Disproportionate effort

• Duplication of information

• Exact copies or a summary?

• Repeated and vexatious requests


Subject Access Requests: Where to look

• Personnel files

• Notes of meetings

• Minutes of meetings

• Emails

• References

• CCTV records

• Door entry system records

• Internet logs

• Telephone records

• Payroll information

Subject access requests: tips for dealing with SARs

• Be prepared: train staff, designate responsibility, know what information you have and where it is, and have a written policy

• Remember information held by third parties, e.g. payroll providers or occupational health

• Check whether any exemptions apply

• Don't delay!


Ethical hotlines, audits and whistleblowing

Sarbanes-Oxley Act requirements

• SOX mandates a Code of Ethics and a confidential, anonymous reporting mechanism

SOX Section 301(4) states that "Each audit committee shall establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters."


E.U. data protection principles

• an individual has a right to know what data is being processed about them;

• personal data has to be processed fairly and lawfully;

• personal data must be kept for no longer than is necessary and must be accurate and up to date;

• each data subject has the right to know that their personal data is being processed;

• personal data must be, at all times, kept secure and, where processed by a third party, be managed securely; and

• personal data should not be transferred outside the European Economic Area to any other country that does not have adequate protection for the rights of the individual.

Conflict between SOX and EU Data Protection Law

• EU member states' data protection laws

– E.U. data protection authorities

• All interpret the law differently

CNIL Decision 2005-110 of 26 May 2005 (Group McDonald's France)

CNIL Decision 2005-111 of 26 May 2005 (CEAC/Exide Technologies)

The 5th Division of the Wuppertal Labour Court, 15 June 2005 (Wal-Mart decision); the appeal was dismissed too


CNIL reasons for their decision

• Anonymity

• Whistleblowing on too wide basis

• Information shared too widely

• Unfair collection of personal data

• Accused not immediately notified

• Rather long retention of data

• Lack of proportionality

• Fundamental data protection concerns

UK Bribery Act and EU Data Protection

• Bribery is to "dishonestly persuade (someone) to act in one's favour by a gift of money or other inducement"

• The Act came into force on 1st July 2011 and applies to those who give or receive a bribe in relation to a business in the UK

• Advice from the UK Government is that businesses should put in place anti-bribery policies and procedures, including training for all officers and staff and any agents and suppliers

• Businesses that then implement reporting mechanisms such as ethical hotlines need to be aware of EU restrictions on such hotlines


Where do we find what is required by the EU?

• CNIL and the Art. 29 Working Party have issued guidelines: http://europa.eu.int

– Allows anonymous reporting under certain conditions

– SEC and CNIL letters

– http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2006-others_en.htm

• CNIL Guidelines and FAQs: www.cnil.fr

• CNIL on-line authorisation decision and forms: www.cnil.fr

• Other member states have guidance (Spain, Germany, Austria)

• Local advice

French law amended for hotlines

• The CNIL Unique Authorisation no. 4 (autorisation unique no. 4, AU-004) deals with whistleblowing hotlines

• This authorisation only covers whistleblowing reports relating to serious breaches in the accounting, financial and banking sectors, and to anti-bribery

• The CNIL adopted a new "deliberation" in October 2010 modifying its AU-004. The aim was to remove the confusion previously created by its art. 3, which had included facts damaging the "vital interests of the undertaking or the physical or moral integrity of its employees"

• Companies benefitting from an AU-004 for whistleblowing hotlines that are not strictly confined to the new text of the authorisation have a six-month deadline to ensure they comply with AU-004. There is no need to submit a new authorisation request


Differing stances of EU member States

• Compulsion

• Scope limitation

• Notification requirements

• Permission to transfer personal data outside the EEA

• Anonymity

• Specific requirements of local regulators

• Labor law requirements

Sweden

• Notification (may impose limitations)

• Data protection law applies

• Limited to senior executives

• Regulatory body: Datainspektionen

• Published guidelines:

– guidance is limited to the following:

• the system must be a complement to the company's normal internal administration and must be voluntary to use

• the system must be limited to serious irregularities concerning accounting, internal accounting control, auditing, the fight against bribery, and banking and financial crimes. The system may also be used for other serious irregularities concerning the company's vital interests or the life and health of individuals

• only key personnel may be reported


Anonymity

• Spain

– regulatory body: Agencia Española de Protección de Datos (AEPD)

• http://www.agpd.es/portalwebAGPD/index-ides-idphp.php

– published guidelines:

• http://www.tnwinc.com/downloads/SPMWhistleOpinion_ENGTranslation.pdf

• Portugal

– regulatory body:

• http://www.cnpd.pt/english/index_en.html

– published guidelines:

• http://www.ecgi.org/codes/documents/cg_code_cnmv_sept2007_en.pdf

• http://www.ecgi.org/codes/documents/cmvm_cg_recommendations_2010_en.pdf

• http://www.cmvm.pt/NR/rdonlyres/7F744DB2-D365-4552-8AF6-8EB931B99C69/12798/SecuritiesCodeConsDL357DL211AL282009DL185200920091.pdf

• Finland

– published guidelines: Whistleblowing System in Working Life

– regulatory body: Data Protection Ombudsman

• http://www.tietosuoja.fi/index.htm

• http://www.tietosuoja.fi/43647.htm

Poland

• Difficulty faced by GIODO because of fair processing requirements

of Polish Personal Data Protection Act

• PDP also requires specific documents for compliance whether or

not there is a whistleblower hotline


Hungarian whistleblower guidance

• The Guidelines follow the Article 29 Guidelines... but:

• Reports must be limited to grave violations of company policies

• The system must not be used to control work performance

• Reports cannot be made by staff directly to the parent company; they must be reported to the local company

• The local company must manage the system and any contract with the service provider

• An employee who transfers personal data directly to the parent company may be liable to criminal and civil actions

Ethical hotlines: How do you achieve compliance?

• One size does not fit all – ethical hotlines must be tailored to meet local requirements

• Reconfigure procedures

• Narrow scope of reports

• Remember country by country specifics

• Anonymity

• Retention periods

• Third party vendors – accept reports subject to country-specific restrictions


Auditing your EU entities for data protection compliance

What should the audit achieve?

• "A systematic and independent examination to determine whether activities involving the processing of personal data are carried out in accordance with an organisation's data protection policies and procedures, and whether this processing meets the requirements of the [law]." ICO, June 2001

• Assess compliance with the law

• Assess compliance with the entities' own policies

• Assess gaps and weaknesses

• Provide information to ensure compliance

• Ensure awareness

• Minimise risk


Analysing entities and their roles

• Establish names and locations of all entities

• Establish whether they are controllers or processors

• Establish types of data and systems used

• Establish data subjects and data recipients

• Establish points of collection of data

• Audit notifications/registrations

Analysing fair processing and policies

• Audit methods of data collection and consents

• Audit websites and terms of use

• Audit business codes of conduct and policies

• Audit contracts of employment and staff manuals

• Audit staff knowledge and training

• Audit appointments of CPO/DPO


Contracts and Codes

• Audit trans border data flow solutions

• Audit 3rd party processor contracts

• Audit permissions from DPA

• Ensure all policies and procedures comply with local laws

• Monitor ongoing changes to company structures, data handling practices and notifications

Benefits of a compliance audit

• Facilitates compliance with the law

• Measures and helps improve compliance with policies

• Increases awareness amongst staff and management

• Elevates data protection to a key part of corporate governance

• Minimises risk

• Satisfies insurance requirements

• Improves trust and customer satisfaction


EU Data Protection:

The Cost of Non-Compliance

"The quality of any professional advisor is dependent on the expertise and quality of the individual advisor and the support provided by the firm. If you work with Robert you get excellence on both counts. Robert has built a great team at Speechlys and he is the undoubted expert and leader. He is also great to work with on a personal level and will go the extra miles to get the job done to the client's timetable. I have used Robert's services at Speechlys, as well as when he was at his previous firm; I have been his client while at three different companies myself. I cannot recommend Robert highly enough, he is the "go to" guy in his highly complex field."

Data Protection Directive Principles

• Data must be fairly and lawfully processed, on a legitimate basis (most commonly the consent of the individual).

• Data may only be obtained for specified, explicit and legitimate purposes, and may not be further processed in any manner incompatible with those purposes.

• Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected.

• Data must be accurate and, where necessary, kept up to date.

• Data must not be kept longer than necessary.

• Data must be processed in accordance with the rights of the data subject under the Directive (right to inspect and correct data).

• Security measures must be taken against unauthorised/unlawful processing and against accidental loss, destruction or damage of data.

• Data must not be transferred outside the EEA unless the recipient country provides adequate data protection.


Understanding Enforcement Actions

• The Article 29 Working Party has issued advice on how DPAs must interpret Article 28(6) of the DP Directive regarding multi-member-state enforcement investigations:

• Investigating and sanctioning a controller in several member states

• Handling complaints where the controller is in another member state

• Collecting facts and evidence of processing on behalf of another DPA

Penalties for Data Breaches

• Penalties for breaches vary throughout the member states.

• Some member states have always imposed harsh penalties (e.g. Spain).

• There is a general trend towards harsher penalties for breach throughout the EU (e.g. UK fines; CNIL / Google; the Finnish Ombudsman).


Potential Fines

Potential Imprisonment


Recent enforcement for breaches

The United Kingdom: the Sanctions

• The ICO can issue an Enforcement Notice for breaches of the data protection principles. Failure to comply with an Enforcement Notice is a criminal offence, punishable by an unlimited fine (also for directors).

• The Information Commissioner can also impose administrative fines (monetary penalties) of up to £500,000 if:

– there is a serious breach of the data protection principles;

– the breach is likely to cause substantial damage or substantial distress; and

– the breach is deliberate or reckless.

• Both failure to notify and the unlawful obtaining/disclosing of personal data are criminal offences punishable by unlimited fines (also for directors). The Government has the power to increase the sentence for unlawfully obtaining or disclosing personal data to two years' imprisonment.

• The ICO regularly asks for undertakings from organisations in breach, in order to "name and shame" them.

• At the ICO Data Protection Officer Conference 2011, Christopher Graham (the Information Commissioner) pushed for increased use of prison sentences in UK data protection legislation.


The United Kingdom: Enforcement

• November 2010: A4e Limited: fine of £60,000 imposed when an unencrypted laptop containing sensitive personal data relating to 24,000 clients was stolen from the residence of one of its employees.

• November 2010: Hertfordshire County Council: fine of £100,000 imposed where (1) very sensitive materials were sent by fax to a member of the public by mistake; and (2) a fortnight later, very sensitive materials were sent by fax to a barristers' chambers rather than the court, after a warning from the ICO had been issued in relation to the first incident.

• 8 February 2011: Ealing Council: £80,000, and Hounslow Council: £70,000, when two unencrypted laptops containing sensitive personal information were stolen from an employee's home.

The United Kingdom: the Sanctions (regulated financial services)

• Regulated financial services firms must also comply with the Financial Services Authority's rules on data protection.

• The Financial Services Authority has power to fine firms that do not fulfil their obligations "in such amount as the FSA considers appropriate" (FSMA s.206(1)).


The United Kingdom: Enforcement (FSA)

• August 2010: the FSA fined Zurich Insurance £2.275m for the loss of computer back-up tapes containing the details of 46,000 policyholders.

• July 2009: the FSA fined HSBC Life £1,610,000, HSBC Actuaries £875,000 and HSBC Insurance Brokers £700,000 when unencrypted data disks were lost in the post.

Spain: the Sanctions

• Spain has one of the most stringent penalty systems in the EU.

• Under the Data Protection Act, fines from EUR900 to EUR600,000 can be imposed depending on the severity of the breach.

• The Spanish Criminal Code also establishes criminal offences based on the violation of secrets and breach of privacy; however, criminal enforcement is not common.

• Recent changes: breaches are graded as minor, serious or very serious.


Spain: Enforcement

• August 2010: EUR31,201 fine imposed on each of Antena 3 de Televisión S.A. and Zed Worldwide S.A.

• 23 August 2010: EUR60,101.21 fine imposed on France Telecom España.

• 23 August 2010: EUR60,101.21 fine imposed on Endesa Distribución Eléctrica S.L.U.

• 1 September 2010: EUR6,000 fine imposed on Sociedad Estatal de Correos y Telégrafos.

• 1 September 2010: EUR60,101.21 fine imposed on Caixa de Aforros de Vigo, Ourense e Pontevedra (Caixanova).

• September 2010: EUR60,101.21 fine imposed on Pescatrade S.A. and Frío de Cantabria S.A. (FRICANSA).

• 9 September 2010: EUR6,000 fine imposed on Banco Vitalicio de España C.A. de Seguros y Reaseguros (Vitalicio Seguros).

• 10 September 2010: EUR60,101.21 fine imposed on Monte de Piedad y Caja de Ahorros San Fernando de Huelva, Jerez y Sevilla (Cajasol).

• 10 September 2010: EUR60,101.21 fine imposed on Finanzia, Banco de Crédito, S.A.

• 16 September 2010: EUR30,001 fine imposed on Vodafone España.

• 20 September 2010: EUR61,101.21 fine imposed on France Telecom.

Spain: Enforcement (cont.)

• Largest fine ever: EUR1,091,822 imposed by the Spanish data protection authority on Zeppelin Television SA and confirmed by Spain's Supreme Court.

• The personal data of applicants and contestants on the Spanish version of the Big Brother television show was not adequately protected, was processed without their consent and was transferred to third parties.


Germany: the Sanctions

• Data protection authorities can impose fines of up to EUR50,000 for simple violations and EUR300,000 for serious violations.

• If breaches are commercially motivated, the fine must not be less than the profit resulting from the data breach.

• Criminal courts can impose prison sentences of up to two years.

Germany: Enforcement

• 30 November 2010: Klaus Trzeschan, formerly of Deutsche Telekom Group Security, was sentenced to three and a half years' imprisonment. His use of the telephone connection data of journalists, unionists and supervisory board members was a data protection breach; the length of the sentence reflects three additional charges of breach of trust and fraud.

• 23 November 2010: fine of EUR200,000 imposed on Hamburger Sparkasse for illegally allowing its customer service representatives access to customers' bank data, and for profiling its customers.

• October 2009: EUR1,123,503.50 fine imposed on Deutsche Bahn AG by the data protection authority of Berlin; the chairman also stepped down.


France: the Sanctions

• The CNIL has the following administrative powers:

– issue a warning;

– issue a formal demand;

– issue compliance notices;

– issue an injunction to cease processing; and

– issue an administrative fine of up to €150,000 for a first breach, or for a repeat breach up to €300,000 or 5% of turnover, capped at €300,000.

• In cases of emergency the CNIL has powers to order the cessation of processing or the locking of personal data, or to inform the Prime Minister so that appropriate security measures may be taken.

• Criminal sanctions may also be imposed:

– up to a maximum of five years' imprisonment; and

– fines from €15,000 (up to €75,000 for legal entities) to €300,000 (up to €1,500,000 for legal entities).

France: Enforcement

• 270 investigations, four warnings and 5 financial sanctions were imposed by the CNIL in 2009.

• 21 March 2011: Google Inc fined EUR100,000, the CNIL's largest fine ever, for the personal data it gathered from Wi-Fi networks, which it said was by mistake, while operating its Street View cars.

• The CNIL conducts "dawn raids": e.g. our client was a multinational headquartered in France; the CNIL carried out a dawn raid and discovered that appropriate procedures were not in place.


Italy: the Sanctions

• Administrative fines from EUR6,000 to EUR120,000 can be imposed depending on the type and severity of the breach.

• Prison sentences of up to three years can also be imposed, together with publication of the judgment.

• Fines imposed by the Garante in 2010 totalled 4 million euros.

Italy: Enforcement

• Many investigations have been undertaken, but the general practice is to order rectification of the breach and to prevent such a breach from happening again.

• Google Inc: a criminal investigation is being undertaken; the potential fine is unknown.


The Netherlands: the Sanctions

• Certain breaches qualify as criminal offences with potential fines of EUR3,800 to EUR19,000 depending on whether the data controller is an individual or legal entity.

• A notice to comply may be issued, with an administrative fine of up to EUR4,500 if this is not complied with.

• Potential prison sentence of six months if criminal offence breach is deliberate.

• There is a bill pending in the House of Representatives to increase the level of the fines.

• The data protection authority may also present its findings to the press.

• 2009: the data commissioner imposed a fine of EUR250,000 on individual for sending unsolicited emails in violation of the act together with an administrative order for a penalty sum of EUR5,000 per day.

Czech Republic

• Entities that breach the data protection legislation may be liable to a fine of up to EUR204,000; if the breach relates to sensitive data processing, or endangers the privacy and private lives of a larger number of people, the fine can be raised to EUR408,000.

• An individual may be fined EUR40,760 to EUR203,000 in respect of the above.

• A person who is employed by or works for a data controller, who comes into contact with the personal data and breaches the duty of confidentiality, may be subject to a fine of up to EUR4,100.

• November 2010: a fine of EUR200,000 was considered for Prague City over its Opencard multi-functional chip card system.

• 2009: the highest fine to date, EUR94,000, was imposed on the State Institute for Drug Control, which unlawfully collected and processed personal data in connection with drug distribution.


Portugal

• Persons in breach can be subject to a fine of EUR250 to EUR15,000. The severity of the fine depends on the nature of the breach.

• The limit can be increased to EUR30,000 where the data processing was subject to the data protection authority's authorisation, as is the case with sensitive data.

• Individuals can be liable to imprisonment for up to four years for certain breaches.

• Highest fine so far: EUR20,000 in April 2004, applied to Radiotelevisão Portuguesa, S.A. ("RTP") after it instructed a company to assess data relating to the professional skills of its employees without notifying them.

Poland

• Persons in breach may be liable to a fine of up to EUR270,000, a partial restriction of freedom, or a prison sentence of up to three years.

• The data protection authority is very pro-active and investigates thousands of breaches each year.

• Practice so far has been to order rectification of the breach and to prevent it happening again.


Switzerland

• Not in the EU but follows general EU law practice.

• Fines of up to EUR7,900 for non-compliance with more severe criminal sanctions for breaches of professional secrecy.

• Swiss Penal Code also provides that a person who obtains sensitive data or personality profiles from a non-public data collection without authorisation shall be punished by imprisonment or fined.

• There have been 10 criminal convictions under the penal code and one under the data protection act.

• January 2011: Former Swiss banker Rudolf Elmer fined CHF7,200 (EUR5,570) and received two year suspended prison sentence for handing Julian Assange of WikiLeaks a CD containing details of tax evasion by wealthy individuals.

• January 2010: HSBC suffered a data breach in which close to 80,000 customers' details were taken from HSBC Private Bank (Switzerland) by an employee. The matter is being investigated by Swiss regulators.

What can you do?

• Don’t do nothing!

– Self-audit

– Notify

– Policies, procedures & processes

– Training

– Data transfers


Further Information

For more information on our services,

please contact:

Robert Bond

+44 (0)20 7427 6660

[email protected]

www.speechlys.com