Data Protection Compliance
5 March 2012
Sue Pawar-Price, Barrister
INTRODUCTION
o Background
o Definitions
o 8 Data Protection Principles
o Data Sharing
o Data Protection Reform
BACKGROUND (1)
EU DATA PROTECTION DIRECTIVE (DIRECTIVE 95/46/EC)
o Directive 95/46/EC is addressed to all 27 member states.
o Each member state was required to transpose the Directive into its internal law.
o Directive 95/46/EC had to be transposed by 24 October 1998.
o Each member state enacted its own data protection legislation.
o The UK enacted the Data Protection Act 1998 (DPA).
o Similarly, Malta enacted its own Data Protection Act; Finland enacted the Finnish Data Protection Act; Norway enacted the Personal Data Act 2000, etc.
BACKGROUND (2)
UK DATA PROTECTION ACT 1998
o UK also used this as an opportunity to review existing legislation and 1984 Act was repealed by the 1998 Act.
o Main piece of legislation that governs the protection of personal data in the UK.
o The Act itself does not refer to PRIVACY.
o Intended to balance the interests of data subjects with data controllers.
o Freedom to process data vs. privacy of individuals.
BACKGROUND (3)
o UK DPA is large!
o It has a reputation of being a very complex piece of legislation!
o The new legal framework is also very complex (more later)!
TERRITORIAL SCOPE OF THE ACT: s5 DPA 1998
The Act applies to a Data Controller (DC) in respect of any data where:
a) the Data Controller is established in the UK and the data are processed in the context of that establishment; or
b) the Data Controller is established neither in the UK nor in any other EEA state but uses equipment in the UK for processing the data otherwise than for the purposes of transit through the UK.
DEFINITIONS
s1(1) and s2 DPA contain all the relevant definitions:
o Data
o Personal Data
o Sensitive Personal Data
o Processing
o Data Controller / Data Processor
o Relevant Filing System
o Information Commissioner
o Data Sharing
Once you understand the terminology – you can begin to understand the law and the compliance obligations on you.
DATA
"Data" means information which:
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, i.e. computer-based data;
(b) is recorded with the intention that it should be processed by means of such equipment;
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; or
(d) does not fall within paragraphs (a), (b) or (c) but forms part of an accessible record as defined by s68.
PERSONAL DATA (1)
"Personal data" means data which relate to a living individual who can be identified:
a) from those data, or
b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
PERSONAL DATA (2)
o It includes any expression of opinion about the individual and any fact about them, such as:
– date of birth, postal address, e-mail address, telephone number, NI number, bank account number, credit card number, photos, video footage etc.
o Whether the data relate to a particular individual will be a question of fact in each case.
SENSITIVE PERSONAL DATA
s2 DPA states that sensitive personal data means personal data consisting of information as to:
a) racial or ethnic origin;
b) political opinions;
c) religious or similar beliefs;
d) trade union membership;
e) physical or mental health or condition;
f) sexual life;
g) the commission or alleged commission of any offence;
h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
o Sensitive personal data is very often the root cause of privacy issues.
PROCESSING
"Processing" means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on it, including:
a. Organising, adapting or altering the information or data;
b. Retrieving, consulting or using the information or data;
c. Disclosing it by transmission, dissemination or otherwise making it available;
d. Aligning, combining, blocking, erasing or destroying the information or data.
o This means that just about any use, or non-use, of data is covered, including simply keeping it!
DATA CONTROLLER? (1)
o Data Controller (DC) means a person who (alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
o Data Processor (DP) means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller, e.g. a third-party mailing house.
DATA CONTROLLER (2)
Posting data on HIFID:
a. The company that holds the information is the DC and is processing that data when it posts it.
b. Following transfer, IMTRC Solutions Ltd is also a DC.
c. The company which then accesses that information by retrieving it also becomes a DC at that point.
DATA CONTROLLER (3)
o This means that all of you are DCs:
– Members that use HIFID are DCs;
– IMTRC Ltd is a DC.
o Para 6 User Agreement: "IMTRC Solutions will act as DC and third party manager of the data logged".
DATA CONTROLLER (4)
o Being a DC carries with it serious legal responsibilities, including ensuring compliance.
o A DP has no direct responsibilities under the DPA for the personal data it processes; its obligations are very limited and arise only from its written contract with the DC.
o The DC is responsible under the DPA for the actions of its DP: it must choose a processor giving sufficient guarantees about security and take a written contract requiring the processor to act only on the DC's instructions (Sch 1, Part II, paras 11 and 12).
INFORMATION COMMISSIONER
o New name for the Data Protection Registrar.
o The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
o Sponsored by the Ministry of Justice.
o Based in Wilmslow, Cheshire.
DATA SHARING (1)
ICO Data Sharing Code of Practice, May 2011.
o Published under s52A DPA (so it is the statutory Code of Practice). Data sharing is defined as:
– "The disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation".
o If you are going to share data, make sure it is covered in your Register entry.
DATA SHARING (2)
ICO Data Sharing Code of Practice, May 2011.
o Does not impose additional legal obligations.
o Not an authoritative statement of the law.
o If there has been a breach of the Code the ICO cannot take action unless there is also a breach of the DPA.
o But the Code can be used as evidence in any legal proceedings (not just proceedings under the DPA).
DATA SHARING AGREEMENT
o Does not provide you with immunity from action under the DPA.
o It helps you to justify your data sharing and to demonstrate that you have thought about the compliance issues and documented them.
Data Sharing Agreements
o The Data Sharing Code of Practice recommends that the Agreement covers the following issues:
– Purpose of the data sharing initiative;
– Data items to be shared;
– Legal basis for the data sharing;
– Access and individual rights under the DPA and FOIA;
– Information governance:
o Which data sets are shared;
o Provisions to ensure accuracy, e.g. periodic sampling;
o Compatibility of data sets and how data is recorded;
o Rules for retention and deletion of data;
o Technical and organisational security measures, including procedures for transmission of data and for breaches of the agreement;
o Procedures for DPA/FOI access requests;
o Timescales for review of the data sharing arrangements and the agreement;
o Procedures for dealing with termination and its consequences.
STARTING POINT (1)
DOES THE SHARING COMPLY WITH LAW?
o The organisations in the Data Sharing Agreement must have the power to share information with each other.
STARTING POINT (2)
You need to ensure that the data sharing complies with the 8 Data Protection Principles.
o At the outset when the data is first shared/provided; & o On an on-going basis for the duration of the data sharing agreement.
STARTING POINT (3)
What data is to be shared?
o Personal Data?
o Sensitive Personal Data?
o Both?
8 DATA PROTECTION PRINCIPLES
It is your responsibility as DCs to ensure that data is:
1. Processed fairly and lawfully.
2. Processed for limited purposes and in an appropriate way.
3. Relevant and sufficient for the purpose.
4. Accurate.
5. Kept for no longer than is necessary.
6. Processed in line with individuals' rights.
7. Secure.
8. Only transferred to countries that have suitable data protection controls.
PRINCIPLE 1 (1)
o Non-sensitive personal data must be processed fairly and lawfully, and shall not be processed unless one of the following conditions is met (Sch 2):
– Consent (the most important);
– Contract;
– Legal obligation;
– Vital interests of the data subject (life or death);
– Public functions;
– Balance of interests (legitimate interests of the DC or a third party).
o What have the individuals been told about who processes their data, how it will be used and who it will be shared with?
o What are their expectations regarding the use of their data?
o Do any exemptions apply (s29: crime and taxation)?
PRINCIPLE 1 (2)
SENSITIVE PERSONAL DATA
o Sensitive personal data can only be processed if, in addition, one of the Sch 3 conditions is met, including:
a. Explicit and informed consent;
b. Employment law;
c. Vital interests of the data subject (life or death);
d. Legal proceedings;
e. Medical purposes (by health professionals);
f. Equal opportunities monitoring.
PRINCIPLE 1 (3)
DATA POSTED ON HIFID (PERSONAL OR SENSITIVE PERSONAL DATA?)
o Data posted on HIFID is personal data:
– e.g. name, date of birth, fraud type, region.
o No evidence is posted there, e.g. no medical records.
o No sensitive personal data.
– Note the risk: a "fraud type" recorded against a named individual may amount to information as to the alleged commission of an offence (s2(g)), which is sensitive personal data and needs a Sch 3 condition. The classification should be checked for each data item rather than assumed.
o A Privacy Notice warns members that the information is provided in accordance with the data protection and privacy legislation of the country of issue.
PRINCIPLE 1 (4)
CONSENT
o Must be "freely given", "specific" and "informed".
o Cannot use implied consent.
o Cannot use blanket consent.
o Note: you are unlikely to get consent from a person under investigation for fraud!
o Note: tipping off the individual would allow them to destroy evidence and dissipate funds, and is highly likely to prejudice a prosecution.
PRINCIPLE 1 (5)
EXEMPTION
o s29 DPA 1998 covers personal data processed for:
– (a) the prevention or detection of crime;
– (b) the apprehension or prosecution of offenders;
– (c) the assessment or collection of any tax or duty or of any imposition of a similar nature.
o Such data are exempt from the first data protection principle (the fairness and subject-information requirements) and from subject access, but only to the extent that applying those provisions would be likely to prejudice any of those purposes (s29(1)); s29(3) gives the same prejudice-based exemption from the non-disclosure provisions for disclosures made for those purposes.
o This is the crucial section.
o No consent is necessary and there is no obligation to process the data fairly or to disclose it to the data subject. Note the limit: the exemption does not remove the need for a Sch 2 condition (and a Sch 3 condition for sensitive data), so "no consent" holds only because another condition, typically legitimate interests, is available.
o It has very wide and general application.
o Covers the activities of HICFG.
PRINCIPLE 1 (6)
What is meant by a crime?
o The "F" word (fraud) is rarely used, for commercial and/or tactical reasons.
o Beyond the legal definition of fraud (contained in s1 Fraud Act 2006), there is no UK statutory definition of health care fraud, other than the various categories which have evolved over time, such as upcoding, unbundling, phantom billing, double billing, unnecessary services, misrepresentation etc.
o The reality is that you "process" personal data in order to detect and prevent crime/fraud. It is also done with a possible prosecution in mind, which may be a public prosecution or a private prosecution.
PRINCIPLE 1 (7)
What is meant by a crime?
o Defrauding insurance companies usually involves an element of DISHONESTY.
o Where there is dishonesty, there is usually an associated crime. Examples include:
– Fraud by false representation: s2 Fraud Act 2006;
– Fraud by failing to disclose information when there is a legal duty to do so: s3 Fraud Act 2006;
– Obtaining services dishonestly: s11 Fraud Act 2006;
– Theft: s1 Theft Act 1968.
PRINCIPLE 1 (8)
What about those cases with no dishonesty?
o If a claim has been made honestly but mistakenly, then this is not a crime.
o So investigating these sorts of cases cannot amount to the investigation of a crime.
o However, these cases will probably start out as an investigation into potential criminal activity and then stop short of discovering a criminal act.
o Strong argument: investigating honestly made but mistaken claims which bear all the hallmarks of a fraud (but ultimately turn out not to be fraud) is also the investigation of criminal activity.
PRINCIPLE 1 (9)
PARA 6 USER AGREEMENT states:
o "Use of the health fraud hub and HIFID database is done under the exemption section within the Data Protection or Privacy Act from the country in which you operate for the purpose of fraud detection, fraud prevention, fraud management the apprehension or prosecution of offenders".
o "Data will be used for the exclusive objective of detecting and preventing fraud within Private Medical Insurance".
PRINCIPLE 2
o Data must be obtained only for one or more specified & lawful purposes.
– For what purpose does the sharing organisation obtain data?
– Will the sharing of information with the receiving organisation be for a new purpose?
– Are the old and new purposes compatible?
PRINCIPLES 3 & 4
o Personal data must be adequate, relevant and not excessive.
– You must not stock up on data unnecessarily!
– Which datasets will it be necessary to share with the receiving organisation to meet its particular purpose?
– Will it be necessary to restrict some datasets to use only for particular purposes?
o Personal data shall be accurate and, where necessary, kept up to date.
– This is an on-going requirement and means data needs to be kept under constant review.
PRINCIPLE 5 (1)
How long should the data be kept on HIFID?
o Principle 5 says that data shall not be kept for longer than is necessary for the purpose or purposes for which it was obtained.
o The 1995 Directive does not set any time limits.
PRINCIPLE 5 (2)
o Para 13 User Agreement states that information will be destroyed automatically after 7 years.
o This follows guidance from the ICO.
o Key: look at the limitation period.
o In the UK the limitation period for a claim founded on dishonesty is 6 years from the date the cause of action arises.
o Time does not begin to run until the fraud has been, or with reasonable diligence could have been, discovered, where the action is based on fraud or the defendant has deliberately concealed any fact relevant to the cause of action (s32 Limitation Act 1980).
o Arguably there is no reason for the information to be destroyed at all.
o But 7 years is reasonable.
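The 7-year automatic destruction in para 13 only satisfies Principle 5 if the destruction actually runs, and the s32 point cuts the other way: a record tied to live proceedings or to a concealed fraud should not be destroyed just because it has aged out. The following is an added example (not IMTRC's or HIFID's code, which this page does not show) of how such a retention job can be written so that a legal hold overrides the age-based rule and every decision leaves an audit entry that carries no personal data. The record fields, the hold flag and the sample records are assumptions made for illustration.

```python
"""Retention job for a shared fraud database (added illustrative example)."""
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 7              # automatic destruction period, User Agreement para 13
RUN_DATE = date(2012, 3, 5)      # date of the run used in the sample below (date of the talk)


@dataclass
class Record:
    """One entry on the shared database (assumed shape, not the real HIFID schema).
    Only the metadata needed for the retention decision is modelled; the
    personal data itself is never needed to decide keep-or-destroy."""
    record_id: str
    posted_on: date
    legal_hold: bool = False      # live proceedings, or a s32-type concealment case
    hold_reason: str = ""


def retention_expiry(posted_on: date, years: int = RETENTION_YEARS) -> date:
    """First day on which a record posted on `posted_on` may be destroyed."""
    try:
        return posted_on.replace(year=posted_on.year + years)
    except ValueError:            # posted on 29 February: expiry year is not a leap year
        return posted_on.replace(year=posted_on.year + years, day=28)


def classify(record: Record, today: date) -> str:
    """Decide the action for one record. A hold always wins over age."""
    if record.legal_hold:
        return "hold"
    if today >= retention_expiry(record.posted_on):
        return "destroy"
    return "retain"


def run_retention(records: list[Record], today: date) -> tuple[list[Record], list[dict]]:
    """Apply the policy to every record.

    Returns the surviving records and an audit trail. The trail records what
    was done to each entry and why, by record id only, so that the log of a
    destruction does not itself become a copy of the personal data."""
    survivors: list[Record] = []
    audit: list[dict] = []
    for r in records:
        action = classify(r, today)
        entry = {
            "record_id": r.record_id,
            "action": action,
            "run_date": today.isoformat(),
            "expiry": retention_expiry(r.posted_on).isoformat(),
        }
        if action == "hold":
            entry["reason"] = r.hold_reason
        audit.append(entry)
        if action != "destroy":
            survivors.append(r)
    return survivors, audit


# Constructed sample data; these are not real database entries.
SAMPLE_RECORDS = [
    Record("R1", date(2004, 1, 15)),                                 # past 7 years: destroy
    Record("R2", date(2011, 6, 1)),                                  # recent: retain
    Record("R3", date(2003, 2, 28), True, "proceedings ongoing"),    # hold overrides age
    Record("R4", date(2004, 2, 29)),                                 # leap day: expires 2011-02-28
]

if __name__ == "__main__":
    kept, trail = run_retention(SAMPLE_RECORDS, RUN_DATE)
    for line in trail:
        print(line)
    print("kept:", [r.record_id for r in kept])
```

The hold flag is what makes "automatic" destruction defensible: the job can run unattended because the only way a record survives past 7 years is a recorded, reasoned exception, and the audit trail shows a regulator both that destruction happens and why particular records were kept.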
PRINCIPLE 7 (1)
o Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
– Firstly, it relates to the IT systems in place (access control, backups, password security etc.) for all the users and for IMTRC Ltd.
– Secondly, it relates to the individuals using the system (adopt "need to know" principles).
– See the ICO checklist on data sharing.
PRINCIPLE 7 (2)
Build a culture within your organisation where employees know and understand good practice in respect of: o Your own data; & o Data received from other organisations.
PRINCIPLE 7 (3)
o What security measures have been built around HIFID?
o User agreement contains an agreed set of security standards.
PRINCIPLE 7 (4)
USER AGREEMENT states:
o Health Fraud Hub and HIFID software is registered with the ICO: Para 3.
o It adheres to best practice of the Office of the European Commission: Para 3.
o The system is hosted by IMTRC Solutions Ltd on a secure Rackspace server located in the UK: Para 4.
o It adheres to the strictest information security standards, has undertaken "bust testing" and has been scrutinised on site by a consortium of technology security experts provided by its members: Para 4.
o IMTRC Solutions Ltd agrees to sign up to a Non-Disclosure Agreement: Para 7.
PRINCIPLE 7 (5)
USER AGREEMENT also states:
o The principles and practices of sound data management must be adhered to: Para 2.
o Ensure that only authorised individuals have access: Para 2(g).
o Information shared amongst users must be treated as highly confidential and not disclosed to third parties without the prior written consent of IMTRC: Para 2(f).
o The number of users having access to the information is restricted, exclusive and relevant: Para 3.
o Ensure system users are trained and made aware of the principles of data protection: Para 3.
o Ensure that their systems are registered with the ICO in the UK and that the registration is up to date: Para 3.
o Notify changes in the employment status of company employees with access to Health Fraud Hub and HIFID: Para 5.
o Ensure that if a third party is given access then they too are contractually bound: Para 6.
o All members agree not to disclose data outside the controlled user group (Non-Disclosure Agreement): Para 7.
PRINCIPLE 8 (1)
INTERNATIONAL DATA TRANSFER
o Putting data on a website is tantamount to a transfer of that data.
o The transfer takes place at the point when someone accesses the website.
o If the data is accessed in a country outside the EEA then there is a transfer outside the EEA.
o The law says that you may transfer personal data to countries within the EEA on the same basis as you transfer data within the UK (no restrictions).
PRINCIPLE 8 (2)
EEA
Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland*, Ireland, Italy, Latvia, Liechtenstein*, Lithuania, Luxembourg, Malta, Netherlands, Norway*, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
The EEA comprises the 27 EU member states with the addition of Iceland, Liechtenstein and Norway (*).
PRINCIPLE 8 (3)
Transferring data to countries outside EEA
o You can only send personal data to a country outside EEA if (a) that country or territory ensures an adequate level of protection for it; or (b) one of the exemptions apply.
PRINCIPLE 8 (4)
EXEMPTIONS
o Data can be transferred to any country outside the EEA where at least one of the following applies (Sch 4):
– The data subject has given his or her consent to the transfer;
– The transfer is necessary for the performance of a contract between the data controller and the data subject, or of a contract between the data controller and a third party entered into at the request of the data subject or in the interests of the data subject;
– The transfer is necessary for the purposes of legal proceedings or for establishing, exercising or defending legal rights;
– The transfer is necessary for reasons of substantial public interest;
– The transfer is necessary to protect the vital interests of the data subject (life or death);
– The transfer is of part of the personal data on a public register.
PRINCIPLE 8 (5)
COUNTRIES OUTSIDE EEA WITH ADEQUATE PROTECTION
The European Commission has decided that the following countries and territories outside the EEA also ensure an adequate level of protection for personal data (the Uruguay and New Zealand decisions were still in progress at the date of this talk and were adopted later in 2012):
Andorra, Argentina, Canada (organisations subject to PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay.
PRINCIPLE 8 (6)
USA
o The USA has no national-level data protection legislation.
o The USA is not included in the European Commission list.
o However, companies that sign up to the "Safe Harbor" scheme are treated as providing an adequate level of protection.
o These companies effectively agree to:
– a voluntary self-certification scheme;
– follow the 7 Safe Harbor principles of information handling; and
– be held to those principles by the Federal Trade Commission or another oversight body.
o Some types of institution cannot sign up to the Safe Harbor scheme (e.g. higher education and research institutions).
PRINCIPLE 8 (7)
What about countries that are:
o not in the EEA;
o not on the Commission list;
o not signed up to "Safe Harbor";
o and do not come within one of the exceptions?
Then you need to assess adequacy yourself:
o Is the level of protection in that country adequate?
o If not, can you put in place adequate safeguards?
– Model contract clauses (standard contractual clauses approved by the EC);
– Binding Corporate Rules (for multinational organisations transferring out of the EEA but within their own group of companies);
– Or other contractual arrangements.
o Transfer unlikely to be adequate if:
– the transfer is to an unstable country; and
– the nature of the information means it is at particular risk.
PRINCIPLE 8 (8)
Persian Gulf: 6 new members of HICFG.
o They share data through Health Fraud Hub.
o Risk assessments have been carried out:
– Adequacy test satisfied;
– Transfer of data to these countries has been registered with the ICO;
– Notification to the EC.
o Para 3 User Agreement: Health Fraud Hub complies with UAE DIFC Law No. 1 of 2007.
WHO OWNS THE DATA POSTED ON HIFID?
o This is not a matter of data protection.
o It is a contractual issue between HICFG and its members.
o Paragraph 9 User Agreement: "All data input by the companies is the property of the inputting company".
o One can only own information if it is confidential.
o So, if it is not confidential, nobody owns it in the sense of being able to control its dissemination (as opposed to the manner of its representation).
What about the Data Subject?
o The data subject keeps the rights in Part II of the Act (subject access under s7, the right to prevent processing likely to cause damage or distress under s10, rectification under s14), subject to any exemption that applies, such as s29.
o A claim for compensation (s13) arises only where the data have been processed in contravention of the Act; it follows that if the data are processed in accordance with the 8 data protection principles the data subject has no claim for compensation.
CONSEQUENCES OF NOT COMPLYING WITH DATA LEGISLATION
o Inconsistent powers and enforcement throughout the EU.
o Some DPAs use fines, some audit, some use undertakings and information notices, and some also use criminal sanctions.
PENALTIES (UK)
o The maximum financial penalty used to be £5k!
o From 6 April 2010 the ICO has had the power to impose monetary penalties of up to £500k on a DC where there has been a serious contravention of the 8 data protection principles.
UK EXPERIENCE
o Undertakings: 44 (2010-2011).
o Monetary penalties to date of up to £325,000 (the penalties since 2010 have fallen mostly on the public sector).
TRAIN YOUR STAFF
Train your staff in the following areas:
o Relevant law surrounding data sharing.
o Relevant professional guidance or ethical rules.
o The data sharing agreement and the need to review it.
o How the different information systems work together.
o Security, and authorising access to systems holding data.
o How to conduct data quality checks.
o Retention periods.
Note: Para 3 User Agreement (training).
THE FUTURE
DIFFICULTIES WITH CURRENT LAW (1)
o Currently 27 different national data protection laws.
o This can prevent the free flow of data within the EU and offers different levels of protection for personal data.
o Few adequacy findings have been made under Art 25(6).
o Technology is not restricted by geographical boundaries.
o The Directive doesn't reflect the realities of globalised data processing.
o It restricts international transfers.
DIFFICULTIES WITH CURRENT LAW (2)
o Problems with Safe Harbor:
– Only covers transfers to the US;
– Some DPAs have questioned its legitimacy and still require authorisations for transfers relying on Safe Harbor;
– Limitations on onward transfers from the US parent company.
o Problems with Model Clauses.
o Problems with BCRs.
o Derogations are limited.
MOUNTING CRITICISM
o 2007-2009: mounting criticism of the 1995 Data Protection Directive (including the UK RAND report).
o 25/01/2012: extensive legislative reform package launched.
o Changes likely to be implemented 2 years after publication (01/2014).
o Watch this space!
DATA PROTECTION REFORMS
o Contained in the EU Data Protection Regulation.
o Fact that it is a Regulation (and not a directive) means that it will automatically apply to all EU member states without need to implement legislation at a national level.
o No room for each member state interpreting it in a different way.
o One size fits all.
KEY PROPOSALS
Remember: It is not a complete overhaul of existing Directive and exemption contained in s29(3) remains.
NEW DEFINITIONS (1)
"Data Subject"
o The substantive elements of the personal data definition are re-ordered into the data subject definition.
o Now includes location data and online identifiers, e.g. IP addresses, cookie identifiers etc.
o Recital 24 of the draft Regulation states that such identifiers need not necessarily be considered personal data in all circumstances, which is unhelpful.
"Child"
o Regulation definition: under 18.
o Art 8, however, requires parental consent if the child is under 13 and accessing online services.
o N.B. the Commission may lay down standard forms for obtaining verifiable consent.
NEW DEFINITIONS (2)
Special Data
o Includes genetic data, health data and criminal convictions.
o Processing of special data is prohibited, subject to exemptions.
Biometric Data
o A PIA is needed where personal data on children, genetic data or biometric data are held in large-scale filing systems.
CONSENT
o Wherever consent is required for data to be processed it must be explicit, not implied or assumed.
o In other words, only one type of consent.
DC V DP DISTINCTION (1)
CURRENT POSITION
o DP regulated by contract only.
o DPAs can't audit or fine a DP (usually).
o Significant personal data processing is now in the hands of outsourced processors and cloud service providers.
o Blurring of responsibilities between DC and DP.
o Difficulties in compliance with data transfer rules.
DC V DP DISTINCTION (2)
DP BROUGHT WITHIN THE SCOPE OF DP LAW
o DP subject to the enforcement regime (Art 53):
– DP may be subject to orders;
– DP may be warned or admonished;
– DP must grant the supervisory authority access to all personal data, information and premises.
o DP gets new rights and liabilities:
– Right to a judicial remedy: Art 75;
– Right to compensation, and liability: Art 77.
o Requirements for processor contracts strengthened.
o Obligation to keep internal documentation.
o Obligation to appoint a DPO.
o Compliance with data transfer obligations, e.g. model clauses and BCRs.
DATA BREACHES
NOTIFY BREACHES ACROSS EUROPE WITHIN 24 HOURS
o If there is a "personal data breach" the DC must notify the regulator, where feasible within 24 hours of becoming aware of it (draft Art 31).
o In many cases this means "going public" with the bad news, and fast: where the breach is likely to adversely affect individuals they must also be told (draft Art 32).
o You will need incident management plans and agile support to ensure compliance.
o If notification is delayed beyond 24 hours, the reasons for the delay must be given when reporting.
o The DP must alert the DC immediately after establishing that a personal data breach has occurred.
FINE RISK
o Different levels of fines.
o Maximum: up to €1m or up to 2% of annual worldwide turnover, e.g. for an unauthorised international transfer or failure to appoint a DPO.
o Aim: for data protection to grab the attention of board-level executives. DPOs will need to be empowered so that they have board influence; they will be ensuring existing rules are enforced appropriately.
APPOINTMENT OF DPO
o Public authorities, and enterprises with 250 or more employees, will be required to appoint a DPO (draft Art 35).
o No requirement for SMEs (fewer than 250 employees) unless their core activities involve regular and systematic monitoring of data subjects.
o Good idea?
EU COUNTRIES WITH MANDATORY DPO OBLIGATION
Belgium
o By decree of the King; 7 laws require the appointment of a DPO.
Germany
o Public bodies and private bodies.
Hungary (for DC or DP)
o National authorities, national labour or criminal data files;
o Financial institutions;
o Telecoms services and public utility service providers.
Netherlands
o 2 public sector organisations concerned with:
– Education inspection; and
– The social service number.
Slovakia
o More than 5 employees.
EU COUNTRIES WITH OPTIONAL DPO OBLIGATIONS
o Estonia
o France
o Germany:
– Private bodies with 9 employees or fewer where the processing is automated;
– Private bodies with fewer than 20 employees where the processing is not automated.
o Latvia
o Lithuania
o Luxembourg
o Malta
o Netherlands (except for the 2 public sector organisations above)
o Slovakia (fewer than 6 employees)
o Spain
o Sweden
DATA TRANSFERS (OUT OF EEA)
CURRENT POSITION
o The DC considers whether protection is adequate (Article 25).
o The DC adduces "adequate safeguards" (EU Model Clauses, BCRs etc.).
o An exception applies (consent, performance of contract, etc.).
NEW POSITION
o The Commission decides whether protection is adequate.
o The DC or DP adduces "appropriate safeguards" in a legally binding instrument.
o An exception applies (consent, performance of contract, etc.).
NEW EXCEPTION
o The transfer is necessary for the legitimate interests of the DC or DP, and appropriate safeguards have been adduced.
ESTABLISHMENT OF NATIONAL DATA PROTECTION AUTHORITY
o Establishes each national Data Protection Authority as a one-stop shop for business and citizens.
KEY OBJECTIVE
o To introduce clear rules for data transfers across borders (within multinational corporations):
– A much more streamlined process;
– Once approved by one data protection authority it will be accepted by all the others.
o Organisations will only have to deal with one single national data protection authority, in the EU country where they have their main establishment.
o Similarly, individuals can refer to the data protection authority in their own country, even where their data is being processed outside the EU.
o EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
APPLICABLE LAW & JURISDICTION
THE POSITION TODAY
o EU-established DC regulated globally.
o Non-EU DC regulated if it "uses" equipment in the EU.
o In both cases multiple national laws may apply and may conflict.
WHAT IS PROPOSED
o EU-established DC and DP to be regulated globally.
o If a non-EU DC processes the data of EU residents to offer them goods or services or to monitor their behaviour, it must appoint a representative in the EU.
o DPA "one stop shop" for an EU DC, based on its "main establishment".
ONE STOP SHOP
o A distributed business no longer needs to comply with different data protection laws in each of the EU states where it operates.
o It can comply with the data protection law of its main establishment.
PRIOR AUTHORISATION
o There is no prior authorisation mechanism in the UK.
o The Regulation does contain prior authorisation provisions.
o Disproportionately burdensome and bureaucratic?
NEW RIGHTS CREATED (1)
RIGHT TO BE FORGOTTEN & ERASURE
o Very controversial.
o Means people will be able to have their data deleted unless there are legitimate reasons for keeping it.
o Limited practical application:
– There are derogations and qualifications;
– Technical difficulties around online erasure.
NEW RIGHTS CREATED (2)
RIGHT TO OBJECT
o Individuals have the right to object to processing.
o The DC must then demonstrate compelling legitimate grounds for the processing which override the individual's interests.
o The "compelling legitimate grounds" exception should assist.
HARMONISATION? CLARIFICATION? SIMPLIFICATION?
o Too soon to tell.
o Some improvements, especially (supposed) one stop shop & reduced red tape such as notifications.
o Benefits – likely to be outweighed by additional burdens relating to record keeping, breach notification processes, DPOs, PIAs, prior authorisations & consultation, etc…