Reform of the EU data protection regime - In house lawyers forum 2013, Richard Nicholas
browne-jacobson-llp
• key dates
– July 2009 – Commission’s online consultation
– April 2010 – plans announced to prepare a new comprehensive framework for data protection
– November 2010 – issues approach to revising framework and public consultation launched
– March 2011 – Council of EU published conclusions on ‘approach’
– November 2011 – ICO issued briefing on the future of data protection in the EU
– January 2012 – Commission proposals published
– February 2012 – ICO’s initial analysis of proposals
– 7 March 2012 – opinion of the European DP Supervisor
– 23 March 2012 – Article 29 working party opinion
– December 2012 – LIBE (Committee on Civil Liberties, Justice and Home Affairs) draft report
– February 2013 – ICO article-by-article analysis of Commission’s proposal
• structure of the regulation
– general provisions
– data protection principles
– rights of data subjects
– obligations on controllers and processors
– transfer of personal data to third countries or international organisations
– nature, status, duties and powers of national supervisory authorities
– co-operation and consistency between member states
– remedies, liability and sanctions
– provisions relating to specific data processing situations
• regulation
– two year implementation period
– intention is to harmonise
– ICO believes too detailed and prescriptive
• power to adopt delegated acts
• interaction between regulation and national laws
Articles 1 to 4
• subject matter
• scope of regulation
• territorial scope
– some of the most significant changes to the current regime
• definitions
– data subject and personal data
– online identifiers
– consent
– genetic and biometric data
– child
Articles 5 to 10
• data protection principles
• legal grounds for processing
– legitimate interests conditions
– further incompatible processing
• sensitive personal data
• concept of consent
Articles 11 to 21
• transparent information and communication
• subject access
• rectification and erasure
– ‘the right to be forgotten’
• right to data portability
• right to object
– burden of proof
– objecting to processing for the purpose of direct marketing
• measures based on profiling
Articles 22 to 39
• accountability principle
– document all processing (name and contact details of controller, purposes of processing, name of DPO, categories of data subject, recipients, any transfers, time limits for erasure of data)
• data security breach notification
• data protection impact assessment
– before processing that presents ‘specific privacy risk by virtue of its nature, scope or purposes’
• appointment of Data Protection Officer (DPO)
Articles 41 to 45
• commission finding of adequacy
• binding corporate rules
• standard contractual clauses
• derogations
– consent
– necessary to: perform a contract; important grounds of public interest; establishment, exercise or defence of legal claims; protect the vital interests of the data subject or another person
– transfer made from public register
– one-off infrequent transfers necessary for legitimate interests of DC
Articles 46 to 54
• independent
• duty to co-operate
• duties and powers of authorities
– to act as lead authority where DC or DP established in several member states
– to sanction administrative offences
Articles 55 to 72
• co-operation
• consistency
– creation of EDPB consisting of heads of DPAs and the European Data Protection Supervisor
Articles 73 to 79
• written warning
• fines, up to
– EUR250,000 (or 0.5%) failure to operate proper SAR mechanism
– EUR500,000 (or 1%) failure to respond to SAR
– EUR1,000,000 (or 2%) other compliance failures
• amount fixed with regard to
– nature, gravity and duration of the breach
– whether intentional or negligent
– degree of responsibility
– technical and organisational compliance measures in place
– degree of cooperation with authorities to remedy
Articles 80 to 85
• creates special rules for specific situations:
– derogations from regulation for journalism, literary or artistic expression, freedom of expression
– health data
– employment context
– historical, statistical or scientific research
Get in touch if you have any questions or would like further information.
t +(0)121 237 3992