Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

• Extra-territorial reach: The rules would apply to any processing of personal data related to EU citizens and non-EU citizens living in the EU, even where the data controller is located in a country outside of the EU. Further, Binding Corporate Rules (which have, to date, been used to legitimize transfers among members of the same corporate group only) are also explicitly addressed in the proposed rules, lending them additional support as a mechanism to transfer personal data and simplifying the approval process.

• Data Protection Regulator: Data controllers and data processors would be regulated by the data protection regulator in the EU country where they have their “main establishment,” creating a simplified “one-stop-shop” approach.

• Data Protection Officers: Public authorities and private companies with more than 250 employees would have to appoint a data protection officer to ensure data protection compliance.

• Reporting Obligations: The current obligation requiring companies to notify data protection supervisors of all data protection activities would be repealed. A company would however be required to notify its national data protection regulator of a personal data breach without undue delay and, where feasible, not later than 24 hours of becoming aware of it.

• Right to Data Portability: Individuals would have easier access to their own data and be able to transfer personal data from one service provider to another more easily. This change is intended to improve competition among services.

• Right to be Forgotten: Data controllers would be required to delete an individual’s personal data if that person explicitly requests deletion or otherwise when there is no other legitimate reason to retain it.

• Powers of National Data Protection Authorities: The powers of national data protection authorities would be strengthened so they can better enforce the EU rules in their jurisdictions. They would be empowered to fine companies that violate certain EU data protection rules up to €1 million or up to 2% of the company’s global annual turnover.

• Explicit Consent: Consent to process data would be required to be explicit (rather than merely assumed). Further, parental consent would be required to be obtained when processing personal information from children who are under 13 years old.

• Obligations to Demonstrate Compliance: Companies would be required to adopt measures to document and demonstrate compliance with the new rules.

The EC’s proposals (including this Regulation Proposal and this Directive Proposal) have been passed from the EC to the European Parliament and EU member states for discussion. It is anticipated that the new rules will take effect two years after they have been adopted—hence they are unlikely to be effective prior to 2014.

The Logistep case involved a service provider that collected information about peer-to-peer filing sharing activity and sold this information to copyright holders who used it to identify and sue potential copyright infringers. In January 2008, Switzerland’s data protection authorities (FDCIP) asked Logistep to stop its peer-to-peer monitoring activities. The FDCIP alleged that Logistep’s activities violated the Swiss Data Protection Act since they were unknown to computer users and circumvented certain telecommunications privacy rights that could only be waived in criminal proceedings. Logistep ignored the FDCIP’s request, and quickly became the subject of an FDCIP enforcement action. The administrative court overseeing the FDCIP’s enforcement action ruled that IP addresses did constitute personal information. Nonetheless, the court allowed Logistep to continue its monitoring activities because, in its view, the interests of copyright holders outweighed the interests of computer users seeking to have their IP addresses protected.

On appeal, the Federal Supreme Court affirmed the lower court’s conclusion that IP addresses are personal information. But the Supreme Court reversed the lower court’s conclusion regarding Logistep’s monitoring activities, finding that the contested conduct should be stopped because it involved a major invasion of privacy and could not be justified by any overriding interest. Consequently, as the FDCIP announced on September 9, 2010, Logistep may no longer “collect or pass on any further data” in furtherance of its contested copyright enforcement activities.

For some years, the ICO has had only limited means of securing compliance with section 55 of the DPA, which makes it a criminal offense to knowingly or recklessly obtain or disclose personal data without consent. While the ICO has had the power to take action against individuals who violated section 55, the imposition of a penalty was left to the courts.

All this changed on May 9, 2008 with the enactment of the Criminal Justice and Immigration Act. The Act grants the ICO the power to impose fines directly for violations of section 55 of the DPA. This increase in the ICO’s authority mirrors that of other U.K. regulators like the Financial Services Authority, which in 2001 obtained the power to impose fines on banks and other financial institutions for data security failures.

Proskauer summer associate Noemi Blasutta contributed to this post.