New Report Finds Much Room For Improvement in EU Data Protection Law

On May 12, 2009, the UK Information Commissioner's Office (ICO) released a much-anticipated report authored by the RAND Corporation assessing the strengths and weaknesses of the 1995 EU Data Protection Directive (95/46/EC) (the "Directive"), the main source of privacy legislation in Europe. While the report highlighted a number of the Directive's positive attributes, it nonetheless concluded that as society becomes more globally networked, "the Directive as it stands will not suffice in the long term."

Specifically, the report found fault with the current practice of notification of data processing under the Directive. Each EU Member State has its own notification procedures, resulting in high costs for organizations that may need to notify several EU jurisdictions. The report did not mince words, finding that the hodge-podge of notification procedures "can have a crippling impact on the effectiveness of the [notification] obligation, as obligations which are perceived as excessive, unnecessary or ineffective are more likely to be ignored in practice."

The report also criticized one of the most well-known features of the Directive, the international transfer obligation imposed on data controllers. Under the Directive, an organization may only transfer personal data outside the EU if the recipient is located in a jurisdiction that ensures "an adequate level of protection" or if the organization adopts a transfer mechanism such as the Safe Harbor self-certification program, model (standard) contractual clauses, or Binding Corporate Rules. The report observed that stakeholders were of the opinion that "distinguishing between countries inside and outside the EU was unnecessary and counter-productive in the modern world. For multi-national organisations operating across boundaries but applying the same high standards of data protection across all geographical divisions, this mechanism made no sense and was seen as contrary to harmonisation and global trade." The report also found that enforcement by the data protection authorities of the various EU Member States was inconsistent.

While the report outlined a number of criticisms, it was not completely negative. It noted that the Directive's "principles-based" framework fostered flexibility, that the legislation had served to improve awareness of privacy concerns, and that it was technology-neutral. These positive attributes aside, the report is nonetheless a frank assessment of the Directive and should serve as an impartial catalyst for updating the Directive to make it consistent with current practices and modern expectations.

First Subsidiary of a U.S. Based Multinational Company Fined for Data Protection Violations in France

Last month the French subsidiary of the U.S.-based company Tyco Healthcare became the first local branch of a U.S. company to be fined for data protection violations in France. France's data protection agency, the Commission Nationale de l'Informatique et des Libertés (CNIL), levied a fine of 30,000 euro (about $40,350) against the company after it first ignored CNIL's requests for clarification about one of its human resources databases and then made misrepresentations to the regulator concerning that database.

In order to comply with French data protection law, any company operating a personal-data database in France must register it with CNIL. In the registration, the company must (among other things) specify the nature of the database and whether the information it contains will be sent to a country that, in the EU's assessment, lacks an adequate level of data protection (such as the United States).

When Tyco Healthcare sought to register the database in question in 2004, it represented to CNIL that its purpose was to assist human resources in processing employee salary data. CNIL, however, requested further information about transborder data flows and about the nature, functions, and security features of the database. The company failed to respond to the agency's repeated requests for clarification, and finally represented to CNIL that the database had been suspended. CNIL then launched an investigation and found not only that the database was still active, but that its use was far larger and more widespread than the company had earlier represented.

The Tyco Healthcare case should provide a strong wake-up call to U.S. multinationals with operations in Europe (and particularly France), underscoring the importance of compliance with European data protection laws, which may be unfamiliar to U.S.-based companies. Moreover, any multinational with a global HRIS (Human Resources Information System) that transfers data from Europe to a country the EU has not recognized as providing an adequate level of data protection (Switzerland, Argentina, and Canada are among those that have been so recognized) should ensure that it sends the data overseas pursuant to an EU-sanctioned method.

Currently, the EU recognizes three such transborder data flow vehicles. A U.S. company can self-certify with the U.S. Department of Commerce that it adheres to the Safe Harbor data protection principles (the "safe harbor" system); it can enter into "model contracts" with its European subsidiaries, agreeing to abide by mandatory data protection provisions; or it can develop a set of "binding corporate rules," company-drafted data protection rules that apply throughout the corporate group and must be approved by the data protection authorities of the EU Member States concerned. Failure to implement at least one of these three methods could result in significant liability and negative exposure.