Data Protection Ensuring high level of privacy while promoting business innovation and competition

Size: px
Start display at page:

Download "Data Protection Ensuring high level of privacy while promoting business innovation and competition"

Transcription

1 Data Protection Ensuring high level of privacy while promoting business innovation and competition Tele2 AB, Skeppsbron 18 P.O Box 2094, SE STOCKHOLM, SWEDEN Tel , Fax Org nr , 1

2 Executive summary The current Data Protection Directive 1 came into force over 15 years ago. While the Directive has provided data subjects within the European Union a high level of protection of their personal data, it is now considered outdated. The main reason for it no longer being considered to be fully sufficient is the rapid technological developments in recent years. Although the core principles and many of the essentials concepts of the Directive shall still be seen as valid, it has become evident that European Data protection regulation needs to be revised to fit current and future innovative developments. In the Proposed Regulation, published by the Commission in January 2012, there are many positive adjustments, such as increased harmonization. However there are also some alterations that raise concern. The Proposed Regulation as it stands now would remake the landscape in Europe in regards to data protection. Tele2 would like to share our views and experiences in regard to data protection in this position paper. We will also propose alterations to principles which are considered to have significant impact on individual s privacy experience, as well as provisions which are expected to have a negative effect on innovation and technological development for European businesses. The most significant provisions and concepts are the following: I. Protection of individuals data shall be technological and sector neutral In order to ensure end-user consistency and to avoid disproportionate burdens for the telecommunication sector Tele2 encourage revising the Proposed Regulation so to ensure that there are no overlapping obligations between the upcoming Regulation and the e- privacy Directive. In order to avoid any uncertainty of applicable law and in order to circumvent divergent and potentially conflicting principles in the time elapsing between the Regulation coming into force and the e-privacy directive potentially being revised, the overlapping provisions of the e-privacy directive shall be repealed by the Regulation II. Harmonization create trust and foster economic growth A Regulation, which is directly applicable in member states will safeguard a consistent application of data protection rules across EU. The harmonized approach will ensure a high level and consistent protection of personal data across EU; this is believed to enhance trust which will generate a well-functioning internal market. The fact that the Proposed Regulation is applicable to all companies offering services to individuals residing in the EU will secure a consistent application of data protection for data subjects situated in EU and ensure a level playing field for European companies providing services within the Union. III. Ensuring consistent application high level cooperation and one-stop shop A Regulation will not on its own achieve full harmonization. In order to achieve a high level of harmonization there is also a need for comprehensive cooperation among Data protection 1 Directive 95/46/EC of the European Parliament and of the Council, on the protection of individuals with regard to the processing of personal data and on the free movement of such data - hereafter referred to as the Directive. 2

3 authorities ( DPA ). The Regulation contains several provisions which are meant to accomplish this, including an obligation for DPAs to communicate certain enforcement and compliance measures it intends to take in advance to the Commission and the European Data protection Board. For a company such as Tele2 this is something very positive, as it will ensure that the Regulation will be applied equally across EU. Furthermore the fact that a company established in many member states will only be supervised by the DPA of the member state where the company has its main establishment is of great benefit. This will create a more business-friendly regulatory environment since it will lead to an efficient and consistent application of data protection rules across EU. IV. Personal data clarified definition and enhanced scope for anonymization A clear definition of personal data is critical in relation to processing of personal Data both for data subjects and for data controllers. Tele2 therefore welcomes the clarification of what shall be considered as personal data in the Proposed Regulation. However an overly inclusive definition of personal data is believed to lead to additional burdens for data controllers while not ensuring better protection of data subjects privacy. What is appreciated from the perspective of a data controller is the principle that data protection legislation does not apply to anonymous data, i.e. data that can no longer be identifiable. However a consistent application of the definition of personal data and what is considered as anonymized data is also essential and shall be monitored by the European Data protection Board, in accordance with the consistency mechanism. V. Consent suited for the online world Tele2 welcomes measures in the Regulation which will provide greater transparency, choice and control of individual s personal data. However the new rules concerning consent for legitimizing data processing is believed to be too burdensome and restrictive both for data subjects and businesses while at the same time not enhancing the level of protection for individuals privacy. Tele2 sees a risk of consent fatigue causing end users to consent by reflex. In order to construct a future proof legislation that ensures that data controllers capture the true will of the end users, in regards to the processing of their personal data, it needs to leave room for flexibility. VI. Processing personal data - safeguards The strengthening of the general conditions for data processing is seen as positive. The fact that data subjects will get enhanced knowledge of their rights in regards to processing of personal data is believed to lead to a greater level of trust, especially in the online world. However some of the new provisions may rather create situations where data subjects receive too much information. There is also a risk that some of the new provisions may hamper companies ability to develop new services in an effective manner. VII. Administration actually cutting red-tapes One of the aims of the new Proposed Regulation was to cut red-tapes and to reduce administrative burdens which have proven to be excessive since they do not enhance privacy 3

4 for individuals. 2 The elimination of the current notification system is positive however the new requirements of new extensive documentation obligations and impact assessment add new bureaucracy measures will drive costs for data controllers even though it has not been established that these measures will lead to better protection of personal data. Tele2 believes that in order to reduce administrative burdens while also ensuring a higher level of protection of data subjects personal data the Regulation shall rather build on the principle of accountability. VIII. Proportionate sanctions when harm has been caused by non-compliance In order to ensure harmonized application of the Regulation a consistent approach to sanctions for non-compliance is essential. However it is outmost important that the level of sanctions introduced are proportionate, fair and applied according to objective criteria. Sanctions shall furthermore take into account the circumstances and harm that has been caused by a breach of the Regulation. The Proposed Regulation does not take into account these requirements as of today. IX. Data breach notification Data breach notification is a measure which is already an obligation for the telecommunication sector under the e-privacy directive. The notification scheme encourages data controllers to handle personal data in a more secure manner while building third party confidence. However the 24-hour requirement in the Regulation shall be considered to be both impractical and counterproductive for the purpose of the breach notification. Tele2 rather believes notification shall take place without undue delay as currently stated in the e- privacy directive. Furthermore there is a need to narrow down the scope of when notification is needed. The current wording may preempt the aim of the obligation, since there may be an overload of notifications to the DPAs and end users (in cases where the data breach affect the privacy of data subject); hence the principle shall rather focus on personal data breaches which have serious and negative consequences on individuals. International transfers For Tele2, being a company with operations both within and outside EEA, international data transfer is important. Tele2 supports the simplified process for adopting Binding corporate rules (BCR). Tele2 especially appreciate how a company will only have to apply for one BCR for the whole Group. However we are still concerned that the provisions and rules outlaying how BCRs, from a procedural aspect, will be applied across EEA. Tele2 suggests that the administrative rules for setting up the BCR process is more clearly defined, including how to handle alterations to a BCR, in order to get the positive effect aimed for. 2 Speech 11/814 of Viviane Reding entiteled Building Truist in the Digital single Market: Reforming the EU s Data Protection Rules, delivered in Brussels on 28 November

5 Protection of individuals data shall be technological and sector neutral As an effect of the vast technological development in the area of telecommunication it was sought that a specific legal framework was needed for the telecommunication sector as to protect individuals privacy the E-privacy directive. 3 When the e-privacy directive came into force it was considered justified since the Directive did not provide sufficient guidance on how to protect individuals data in the sphere of telecommunication. However the Proposed Regulation is meant to be technology neutral and be applied equally for data processing taking place by data controllers who operate both in the on-line and off-line sphere. 4 A technology neutral and general data protection legislation will ensure a consistent protection of personal data. Therefore the provisions of the e-privacy directive which are covered by the Regulation are no longer required or desirable. The prolongation of many of the Articles in the e-privacy directive would, if they are not repealed, lead to inconsistent end user privacy experience where the data protection would differ - depending on if a service is provided by a telecommunication provider or an over the top ( OTT ) actor who fall outside the scope of the e-privacy Directive. 5 The Commission has recognized the problem but has suggested solving it by revising the e-privacy directive so that it is compatible with the Regulation however in a separate process. Tele2 is of the opinion that this is not a satisfactory solution. The reasons for this is three folded; firstly a revision of the e-privacy directive in order to make it consistent can only take place when the final text of the Regulation has been adopted. Since all revision processes are time consuming it cannot be expected that the revision of the e-privacy directive including national implementation would be able to take place within the two years from the date when the Regulation comes into force. This would lead to a period of time where the telecommunication sector would have to be compliant to two contradictory legal instruments covering the same matters. Secondly, national transpositions of a directive leave room for divergence in application. This means that the e-privacy directive may be compatible with the Regulation but national legislation based on the revised e-privacy directive may not be. Thirdly, in order to ensure a consistent application of all articles the Regulation sets out rules for consistency mechanisms where for example opinion by the European data protection board must be asked for in certain circumstance. Even if the e-privacy directive is transposed so that the national law is compatible with the Regulation the interpretation in a legal dispute may not be consistent with the Regulation and not be harmonized across EEA. Furthermore the existence of two parallel legislative frameworks for data protection for the telecom sector will not only lead to uncertainty in regards to which obligation prevails but will also create a disproportionate administrative and reporting burden for the sector who in many member states will 3 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector 4 It is stated in Recital 13 in the proposed Regulation that it shall be technologically neutral and not depend on the techniques being used. 5 For example an application provider or other service provider who has no electronic network is not considered to be a telecommunication provider, why the e-privacy Directive is not applicable. However the OTT provider may offer location services equal to those of mobile operators but based on GPS or WiFI technology. For the end user the privacy implication would in this case differ. 5

6 be monitored by two separate national authorities. 6 Considering that the privacy protection will be sufficient in the general Regulation and also taking into account the wish to ensure that the Regulation is a future proof data protection framework it cannot be considered effective, proportionate or justified to have two parallel legal frameworks for the telecommunication sector, at least not for those provisions that are clearly overlapping. The provisions in the e-privacy Directive which needs to be revoked are those dealing with location data and data breach notification. 7 Harmonization create trust and foster economic growth A legal framework which will be directly applicable to all Member States (i.e. it does not require implementation into national law) will assist in achieving a consistent application of Data protection rules across EU. The current Directive has been highly criticized for not achieving a coherent application across EU. This has led to varying outcomes in court cases which are based on very similar circumstances. Different application of Data protection rules challenges a well-functioning internal market; end-user protection differs and businesses have to attune its data protection processes for each member state they operate in to ensure they are compliant to national legislation. In an era where e-commerce is flourishing and where companies are to a higher extent providing services cross border, while at the same time trying to gain from economy of scale, equivalent application of Data protection rules is essential. Tele2 is of the opinion that the only method of accomplishing full harmonization of data protection measures is to ensure that the legal framework stems from a Regulation rather than a Directive. Also the fact that the EU data protection rules will apply to data controllers located outside the EU when they are offering their services to data subjects located within the EU is in line with ensuring that the regulation is future proof and will lead to a consistent data protection application for end users. Tele2 supports this approach however encourages the EU to consider how to, in an efficient manner, ensure that breaches of the Regulation are enforced when data controllers are based outside the EU and where they do not have a representative established in the Union. Ensuring consistent application high level cooperation and one-stop shop Close cooperation amongst data protection authorities will be essential in order to achieve the aim of the Regulation. Tele2 is positive about the enhanced cooperation obligations set out in the Regulation, for example in Article 55. Tele2 is also a supporter of the creation of the European Data Protection Board. However, the detailed rules set out in the Regulation, concerning the Board lack an obligation for the Board to be transparent and an obligation for the board to consult stakeholders before adopting different types of opinions. Both these criteria s shall be introduced in order to ensure that the work carried out by the Board obeys democratic values and principles. The fact that a group of companies such as Tele2, who have subsidiaries operating in many EU member states, may only be subject to the jurisdiction of a single data protection authority is positive. The main-establishment principle will ensure efficiency and consistency of the data 6 The Data protection authority which are responsible for monitoring the upcoming obligations under the Data protection Regulation and the National Regulatory Authority who are responsible for monitoring the obligations under the e-privacy Directive. 7 Article 2(c), 2(i), Article 4(3) and Article 9 of the e-privacy Directive. 6

7 protection rules across EU, while at the same time minimize administrative costs for Group companies. However the current definition of establishment is in Tele2s opinion very vague, it is not defined in the Regulation but only in recital 19 and the descriptions is not clear. Furthermore it is not clear how the determination of the main establishment is to be made in practice, i.e. would it be the company making the decision or will it be the DPA, and if this creates a dispute, how shall it be solved? Personal data clarified definition and enhanced scope for annonymization The definition of data subject is widened in the Proposed Regulation compared with the Directive. One thing which is still unclear is the meaning of a natural person who can be by means reasonable likely to be used identified. Furthermore there is a clarification in recital 23 stating that when data rendered anonymous in such a way that the data subject is no longer identifiable the principles of data protection does not apply. The usage of anonymization techniques is already frequently used however the definition of what is considered anonymous and when personal data is no longer identifiable must be clarified in order to avoid any ambiguity. Tele2 would also like to emphasize that processing of end user data in medium to long term when all proportionate safeguards are met shall not, by default, be prevented. Personal data is often used as a token for payment by the end users where individuals are able to use services by paying with their data. If their personal data could not be used in this manner other business models would have to be established for example one could expect that search engines would have to use some kind of subscription fee. Therefore, when all parties involved are fully aware of what type of processing will take place of the personal data, the duration for this, the purpose and usage of the data (the receivers of the analyzed data) and the end user has freely provided his/her consent, processing of data on an individual level, i.e. non annoymized data, shall not by default be forbidden. Consent suited for the online world The use of explicit consent is not believed to be suitable for all situations. An explicit consent is believed to be interpreted as an opt-in consent. In the online world this is believed to lead to an increased use of pop-up boxes which in our view may lead to a privacy fatigue where data subjects will automatically tick-in boxes without necessarily understand the implications. Furthermore data controllers bear the burden of proof for retaining consent - this means that data controllers will have to produce new systems collecting individuals consent in a suitable manner and store this, something which will add costs without necessarily leading to enhanced data subjects privacy. The Proposed Regulation states in Recital 25 that electronic consent should not be unnecessarily disruptive and that consent can be given by a clear affirmative action. Tele2 means that the wording in Article 4(8) and recital 25 creates ambiguity. In order to achieve a high level of protection for individuals data while promoting innovation and flexible use of online-activities, it should be clarified that actions such as downloading an application in itself constitutes (implied) consent for the use of personal data while using that application for its main purpose. 8 The type of consent needed for a 8 If the application provider would like to process the data for other services, marketing or other means this would not be covered by the affirmative action why a separate consent from the data subject would be needed 7

8 certain type of processing should rather build on the context of the data processing. Therefore Article 4(8) should be altered in order to be consistent with the wording of recital 25. Furthermore explicit consent, with a separate clear definition, should be limited to categories of personal data which are considered to be sensitive data as outlined in Article 9 of the Proposed Regulation. Furthermore Tele2 would like to ask for a clarification in regards to the definition of significant imbalance, as stated in Article 7(4). The wording in recital 34 provides guidance however in order to avoid misinterpretation Tele2 is of the opinion that this shall be outlined in the Article. Processing personal data safeguards Since an enhanced level of transparency and end-user knowledge of their rights concerning their personal data is believed to lead to increased trust, Tele2 supports new transparency provisions to the extent that these are proportionate. Furthermore with a high level of transparency, a strict informational obligation and the principle of accountability, other safeguards should be less intrusive. This since the data subject has a clear choice of when his/her data is being processed. One example where Tele2 believes that the regulation is not proportionate is Article 5(c) of the Proposed Regulation. The Article requires companies to limit the amount of data they collect and process. Such limitation shall not be considered necessary since controllers have the obligation to ensure that data subjects are fully aware of what data is being processed, they have freely given a specified and informed consent regarding what data is being processed, and have been informed that the data will only be processed for certain reasons and they know that they have the right to withdraw their consent at any time. With the proposed transparency rules and information obligations the limitation in Article 5 must be considered disproportionate. The right to have data erased is not a new obligation however the principle has been strengthened in the new Regulation the right to be forgotten. The wording of the right to be forgotten as it stands now will likely be difficult to apply since the scope goes too far and might raise false expectations by data subjects, especially since it will be difficult to ensure third party compliance and subsequently companies will still have to comply with other legal obligations where specific data must be retained and stored 9 In order to ensure that essential erasure of data is always carried out in an efficient manner the article should be re-phrased, there is otherwise a risk that the whole application of erasure will become ineffective. The new principle of data portability is vague and the practical application of data portability is even more unclear. One concern that Tele2 has in this regard is that data, which could be considered as business secrets, are included in data that shall be ported. In order to prevent a disproportionate application Tele2 believes that principle shall only be applicable to data which may be useful for the data subject to re-use. For example CDRs which are produced by telecommunication operators for billing purposes would not be useful for any other operator than the operator who delivered the services in the first place or for the end-user and they would not assist the end user in any way. The 9 For example obligaiton under national Accoutning Acts and the requirment unde the Data retention Directive 2006/24/EC. 8

9 scope for data portability shall therefore be limited only to data which the end-user directly can reuse. A data subjects personal data, which is being processed by a data controller shall be easily accessible for end users. Data controllers shall provide that data to end user without undue delay and without any costs. If the requests are excessive, based mainly on its repetitive character, the controller may charge a fee. In order to avoid any vagueness and in order to reduced the burden for data controllers to proof repetitive character, Tele2 believes that the regulation shall determine what shall be defined as such, for example if a data subject request information more than once a year the data controller has the right to cover its costs for providing such data. Administration actually cutting red-tapes Tele2 is positive to see that the obligation to notify data protection authorities is abolished in the Proposed Regulation. Firstly because the obligation has been applied differently across the member states and secondly because it has not been shown that the process in any way enhanced data subjects privacy. The new obligation of impact assessment is however likely to lead to new extensive internal processes, therefore it is believed that the new obligation only replaces the old one without achieving anything new. The aim of the Proposed Regulation is to ensure that data controllers ensure effective data protection. This is a policy objective which Tele2 supports, however the way the Proposed Regulation suggests to carry out this obligation shall be seen as excessive and overly bureaucratic. Data controllers have an obligation to carry out an impact assessment when the processing of personal data specific risks. 10 In Article 33 (2) (a) to (e) the categories of data which shall be seen as presenting a specific risk are outlined - Tele2 believes that this list is too descriptive. In order to ensure that data are being appropriately safeguarded and that data controllers use effective measures when processing data, while ensuring flexibility for businesses. With the current wording new services are likely to be delayed and will come with added costs. Furthermore the requirement that data protection authorities need to be consulted before the processing may take place is likely to lead to even longer delays of service launches. The obligation under Article 33(4) outlays additional concern for Tele2. The obligation sets out that data controllers shall seek the views of data subjects or their representatives (e.g. consumer organizations) on intended processing in cases where processing present a specific risk. Firstly Tele2 means that this obligation shall be deemed as disproportionate since it is not proven or even indicated that such a measure would assist in accomplishing the means of the Regulation, i.e. increase the level of privacy for individuals. Secondly, sharing sensitive commercial information, before the launch of a new service, creates a commercial concern for data controllers and could in many European countries be in conflict with legislation protecting trade and business secrets. 10 Article 33 (2) in the Proposed Regulation 9

10 Parallel to the new obligation of impact assessment is the obligation to maintain documentation of all processing operations being carried out by the data controller. 11 The overall aim of the Commission, as stated above, has been to decrease the administrative burden of data controllers and cut red-tapes, when such administrative task does not lead to improving protection of personal data. The new provision of documentation will likely reduce the administrative burden compared with the current notification obligation in Article 18 in the Directive. However the obligations as set out in Article 28 of the Proposed Regulation risk becoming nearly as burdensome as current rules since the documentation requirement stated are very detailed. In order to ensure a future proof Regulation which both improves the protection of personal data while remove obstacles of free flows of personal data and promote European businesses to grow and be innovative the principle of accountability as set out in Article 22 shall be the basis for data controllers general obligations. The obligation of both impact assessment and documentation shall be carried out in the light of the principle of accountability. The principle of accountability leaves room for data controllers to implement measures that are appropriate for the processing of personal data, in order to be compliant with the Regulation. Data will be safeguarded appropriate while leaving room for innovation and quick business decisions. Rather than having a bureaucratic checklist, data controllers and data processors are able to set up internal processes which are appropriate and effective measures in order to ensure that they are compliant with the Regulation. Proportionate sanctions for non-compliance Under the Directive sanction levels were left for Member States to decide, something which has resulted in levels and methodology varying widely. In order to provide for a more consistent approach the Regulation needs to outlay more precise rules than what is currently stated in the Directive. In recital 9 of the Proposed Regulation it is stated that to ensure effective protection of personal data throughout the Union there is a need for equivalent powers for monitoring and ensuring compliance with the rules and equivalent sanctions for offenders. Tele2 supports this but would like to emphasize that a sanction regime must furthermore provide legal certainty and take into account the circumstances leading to the violation and consider the harm that has been caused to individuals as a result of the data breach. Article 78 of the Proposed Regulation states that Member States shall lay down rules on penalties for infringements and that the penalties provided must be effective, proportionate and dissuasive. Noncompliance under the Draft Regulation would in most serious breaches lead to fines of up to 2% of enterprises annual worldwide turnover. In cases of infringement Tele2 means that sanctions should be of a level that ensures compliance while being proportionate to the harm a breach has caused. Additionally the fact that a DPA is obliged to impose a fine for any intentional or negligent violation without first being able to issue warnings to companies shall be altered since this cannot be seen to fall within the principle of necessity. 12 For example a mandatory 2% fine for a breach relating to using personal data for direct marketing purposes which may have been caused by a negligent act by 11 Article 28 in the Proposed Regulation 12 There is now an exemption for companies with less than 250 employees. Tele2 believes that the exemption shall apply to all companies. 10

11 one employee cannot be seen as necessary or proportionate to the means that the Regulation wants to accomplish. The Commission has proposed exemptions for companies with less than 250 employees 13, in order to ensure that Small and Medium companies are given some leeway. Tele2 fully understands and agree that some companies shall not have to obey to the strict legal obligations of the Regulation. However the prerequisite shall not be based on number of employees but rather the type of data that they process. A small company with only a few employees can handle much more sensitive data and cause much larger privacy breaches than a large company barely dealing with any personal data at all for example a small application provider compared with a large construction company. Furthermore the current wording of Article 79 (1) is ambiguous - each supervisory authority shall Impose administrative sanctions. This can be interpreted as if a violation has had effect on individuals resided in more than one member state each DPA of those member states has the power to impose sanctions on the data controller. Since Tele2 believes this is not the intention of the Article Tele2 is of the opinion that this needs to be clarified. The current wording of Article 79 in the Proposed Regulation appears to draw on existing antitrust and merger legislation. 14 In competition legislation the reasoning behind the high level of fines is that companies will have an economic gain from violating competition law, while at the same time preventing end users from all the benefits of fair competition. The level of sanctions for e.g. cartels does therefore not only have the effect of eliminating the gain and profit of a cartel since companies who participate in cartels would have made financial calculations of these gains, but it also need to have a discouraging effect. 15 Many of the provisions which will lead to extensive fines under the Proposed Regulation would, even if the breach is carried out as an intentional act of the gravest kind and for a considerable duration, still not lead to any direct economic gain for the company or often not direct harm to the end users or the wider society. In a competition case leading to extensive fines a deliberate decision would be made in order to achieve some kind of gain. Hence the methodology and reasoning behind high level sanctions cannot be copied from competition legislation to the data protection Regulation. Tele2 proposes that when there is no direct harm to individuals, sanction levels should be based on metrics other than percentages of company global turnover. Data breach notification Tele2 is a supporter of the extension of the current e-privacy obligation of data breach notification to the general Data Protection legislation. An extension will not only promote data controllers, from all sectors, to ensure a high level of data security but will also build confidence among data subjects. However there is a need to ensure that the same rules apply irrespectively of what kind of services a data controller offers. This means that the requirements imposed by the Regulation and the e- 13 These exemption deals with the material scope (Art 2), documentation obligation (Art 28), obligation to have a privacy officer (Art 35 ) and Sanctions under Art 79. All these shall be reconsidered and the exemption shall rather be based on privacy risk and type of data which is being processed by the controller. 14 Article 23 of Regulation 1/2003and Article 14 of Regulation 139/ See the reasoning in Flat Glass IP/08/1685, 12 November 2008, a fine of approximately 1,4 billion. 11

12 privacy directive should be aligned by incorporation the rules from the e-privacy directive into the Regulation. This would help avoid inconsistency and would prevent dual notification obligation for the telecom sector. However there is need to ensure that the type of data breaches need to be notified are limited to only those which have serious and negative consequences on individuals. There is otherwise a risk that the obligation will lead to disproportionate burdens for data controllers and processors, there is also a risk that DPA s would not be able to handle the vast amount of notification they would receive. While limiting the scope the notification scheme would more likely be carried out correctly by all responsible parties. Furthermore the 24 hour requirement should be altered to be in alignment with the current wording of the e-privacy directive. This since it cannot be seen as practical or lead to better processes which would enhance data subject privacy protection. Finally End-user notification shall be limited to cases where there is a direct relationship with the data subject. International transfers Transfer of data to third countries has under the Directive been difficult, in cases where end user consent has not been provided. For many companies transferring data outside the EEA may provide economic gain, for example outsourcing customer care to a non-european country. The Proposed Regulation sets out clear and detailed rules for the usage of Binding Corporate Rules (BCR). The rules stated in Article 43 provides for a greater legal certainty and will likely lead to a greater usage of BCR. Tele2 is also supportive of the fact that BCRs can be applied for by a group of companies in EU i.e. one DPA will be able to adopt and approve a BCR for the whole EEA. This will lead to a great reduction of administrative burdens for the usage of BCRs. However, like the current BCR provision the proposed regime is not flexible enough in order to ensure that BCR can be easily used in practice. Tele2 therefore believes that the Proposed Regulation shall make it possible to use one approved BCR, without have to once more fulfill the process, if minor amendments and updates in regards to the processing happen after the approval of the BCR. 12

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012 The reform of the EU Data Protection framework - Building trust in a digital and global world 9/10 October 2012 Questionnaire addressed to national Parliaments Please, find attached a number of questions

More information

Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation

Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation Position Paper Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation Our reference: SMC-DAT-12-064 Date: 3 September 2012 Related documents: Proposal for

More information

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS EUROPEAN COMMISSION Brussels, XXX [ ](2011) XXX draft COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

More information

AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM

AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM On 25 January 2012, the European Commission published a proposal to reform the European data protection legal regime. One

More information

European Privacy Reporter

European Privacy Reporter Is this email not displaying correctly? Try the web version or print version. ISSUE 02 European Privacy Reporter An Update on Legal Developments in European Privacy and Data Protection November 2012 In

More information

Factsheet on the Right to be

Factsheet on the Right to be 101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against

More information

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems Privacy PRESENTATION vs Data TITLE Protection: GOES HERE The Impact of EU Data Protection Legislation Thomas Rivera Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted

More information

Privacy and Transparency for Consumer Trust and Consumer Centrality

Privacy and Transparency for Consumer Trust and Consumer Centrality 1 1 2 2 Ecommerce Europe is the association representing around 5000+ companies selling products and/or services online to consumers in Europe. Ecommerce Europe is a major stakeholder in policy issues

More information

BCS, The Chartered Institute for IT Consultation Response to:

BCS, The Chartered Institute for IT Consultation Response to: BCS, The Chartered Institute for IT Consultation Response to: A Comprehensive Approach to Personal Data Protection in the European Union Dated: 15 January 2011 BCS The Chartered Institute for IT First

More information

Data protection at the cost of economic growth?

Data protection at the cost of economic growth? Data protection at the cost of economic growth? Elina Pyykkö* ECRI Commentary No. 11/November 2012 The Data Protection Regulation proposed by the European Commission contains important elements to facilitate

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

EBA/GL/2015/11. 01 June 2015. Final Report. Guidelines on creditworthiness assessment

EBA/GL/2015/11. 01 June 2015. Final Report. Guidelines on creditworthiness assessment EBA/GL/2015/11 01 June 2015 Final Report Guidelines on creditworthiness assessment Contents 1. Executive Summary 3 2. Background and rationale 4 3. Guidelines 6 Section 1 Compliance and reporting obligations

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 2 September 2015 Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 We support the efforts of EU legislators to create a harmonised data protection

More information

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Privacy vs Data Protection PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Introduction The terms privacy and data protection are often used interchangeable In reality they

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

We take the opportunity of the proposal to stress the following specific points where we think there is room for improvement.

We take the opportunity of the proposal to stress the following specific points where we think there is room for improvement. D0208G 22/05/2012 Set up in 1960, the European Banking Federation is the voice of the European banking sector (European Union & European Free Trade Association countries). The EBF represents the interests

More information

Overview. Data protection in a swirl of change 28.03.2014. Cloud computing. Software as a service. Infrastructure as a service. Platform as a service

Overview. Data protection in a swirl of change 28.03.2014. Cloud computing. Software as a service. Infrastructure as a service. Platform as a service Data protection in a swirl of change Overview 1 Data protection issues in cloud computing 2 Consent for mobile applications Security Seminar 2014: Privacy Radboud University Nijmegen 3 The WhatsApp case

More information

slaughter and may The new EU Data Protection Regulation revolution or evolution?

slaughter and may The new EU Data Protection Regulation revolution or evolution? slaughter and may The new EU Data Protection Regulation revolution or evolution? BRIEFING April 2012 Reform of Europe s data protection regime moved one step closer this January with the publication of

More information

Microsoft response to the Ministry of Justice Call for Evidence on EU Data Protection Proposal - Regulation COM(2012)11.

Microsoft response to the Ministry of Justice Call for Evidence on EU Data Protection Proposal - Regulation COM(2012)11. Microsoft response to the Ministry of Justice Call for Evidence on EU Data Protection Proposal - Regulation COM(2012)11 6 th March 2012 Executive Summary Microsoft welcomes the very idea of a Regulation

More information

Application of Data Protection Concepts to Cloud Computing

Application of Data Protection Concepts to Cloud Computing Application of Data Protection Concepts to Cloud Computing By Denitza Toptchiyska Abstract: The fast technological development and growing use of cloud computing services require implementation of effective

More information

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation June 19, 2012 Practice Group(s): Health Care Life Sciences Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation By Mathias Schulze Steinen and Daniela Bohn

More information

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation The Data Protection Landscape Before and after GDPR: General Data Protection Regulation Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection)

More information

COMMISSION STAFF WORKING DOCUMENT. on the existing EU legal framework applicable to lifestyle and wellbeing apps. Accompanying the document

COMMISSION STAFF WORKING DOCUMENT. on the existing EU legal framework applicable to lifestyle and wellbeing apps. Accompanying the document EUROPEAN COMMISSION Brussels, 10.4.2014 SWD(2014) 135 final COMMISSION STAFF WORKING DOCUMENT on the existing EU legal framework applicable to lifestyle and wellbeing apps Accompanying the document GREEN

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Comments and proposals on the Chapter II of the General Data Protection Regulation

Comments and proposals on the Chapter II of the General Data Protection Regulation Comments and proposals on the Chapter II of the General Data Protection Regulation Ahead of the trialogue negotiations in September, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

Position Paper e-regulation

Position Paper e-regulation Position Paper e-regulation Ecommerce Europe s Proposal for Sustainable Growth of E-commerce in Europe www.ecommerce-europe.eu POSITION PAPER 3 Table of contents 1 Introduction 4 5.1.4 Harmonisation and

More information

Data transfers in the Cloud

Data transfers in the Cloud Data transfers in the Cloud Rapporteur: Emmanuelle Bartoli Meeting date: 28 th March 2014 1 The purpose of this document is to explore options for how contracts between Cloud providers and consumers and

More information

Privacy in the Cloud: Data Protection and Security in Cloud Computing

Privacy in the Cloud: Data Protection and Security in Cloud Computing SPEECH/11/859 Viviane REDING Vice-President of the European Commission, EU Justice Commissioner Privacy in the Cloud: Data Protection and Security in Cloud Computing Round-table High Level conference on

More information

4-column document Net neutrality provisions (including recitals)

4-column document Net neutrality provisions (including recitals) 4-column document Net neutrality provisions (including recitals) [Text for technical discussions. It does not express any position of the Commission or its services] Proposal for a REGULATION OF THE EUROPEAN

More information

Consultation Paper. ESMA Guidelines on Alternative Performance Measures. 13 February 2014 ESMA/2014/175

Consultation Paper. ESMA Guidelines on Alternative Performance Measures. 13 February 2014 ESMA/2014/175 Consultation Paper ESMA Guidelines on Alternative Performance Measures 13 February 2014 ESMA/2014/175 Date: 13 February 2014 ESMA/2014/175 Responding to this paper The European Securities and Markets Authority

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

EU Data Protection Reforms Challenges for Business

EU Data Protection Reforms Challenges for Business www.pwc.com Contents EU Data Protection Reforms Challenges for Business July 2014 1. Introduction 2. The need for change 3. Changes and challenges 4. Recommendations 5. Conclusion 6. For a deeper conversation

More information

EUROPEAN PARLIAMENT 2009-2014. Committee on Industry, Research and Energy. of the Committee on Industry, Research and Energy

EUROPEAN PARLIAMENT 2009-2014. Committee on Industry, Research and Energy. of the Committee on Industry, Research and Energy EUROPEAN PARLIAMT 2009-2014 Committee on Industry, Research and Energy 2012/0011(COD) 26.02.2013 OPINION of the Committee on Industry, Research and Energy for the Committee on Civil Liberties, Justice

More information

1 Data Protection Principles

1 Data Protection Principles Today, our personal information is being collected, shared, stored and analysed everywhere. Whether you are browsing the internet, talking to a friend or making an online purchase, personal data collection

More information

DRAFT DATA PROTECTION REGULATION BRIEFING BY RSA INSURANCE GROUP (RSA) 17 July 2012

DRAFT DATA PROTECTION REGULATION BRIEFING BY RSA INSURANCE GROUP (RSA) 17 July 2012 DRAFT DATA PROTECTION REGULATION BRIEFING BY RSA INSURANCE GROUP (RSA) 17 July 2012 Introduction This paper outlines the views of RSA Insurance Group on the draft Regulation on the protection of individuals

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

Having regard to the Charter of Fundamental Rights of the European Union, and in particular Articles 7 and 8 thereof,

Having regard to the Charter of Fundamental Rights of the European Union, and in particular Articles 7 and 8 thereof, Opinion of the European Data Protection Supervisor on the Commission Proposal for a Directive of the European Parliament and of the Council amending Directive 2007/36/EC as regards the encouragement of

More information

5439/15 PT/ek 1 DG E

5439/15 PT/ek 1 DG E Council of the European Union Brussels, 20 January 2015 5439/15 Interinstitutional File: 2013/0309 (COD) TELECOM 17 COMPET 12 MI 28 CONSOM 13 CODEC 70 NOTE from: Presidency to: Delegations No. Cion prop.:

More information

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not

More information

EUROPEAN DATA PROTECTION SUPERVISOR

EUROPEAN DATA PROTECTION SUPERVISOR C 47/6 Official Journal of the European Union 25.2.2010 EUROPEAN DATA PROTECTION SUPERVISOR Opinion of the European Data Protection Supervisor on the Communication from the Commission on an Action Plan

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

EUROPEAN DATA PROTECTION SUPERVISOR

EUROPEAN DATA PROTECTION SUPERVISOR 20.6.2012 Official Journal of the European Union C 177/1 I (Resolutions, recommendations and opinions) OPINIONS EUROPEAN DATA PROTECTION SUPERVISOR Opinion of the European Data Protection Supervisor on

More information

BEREC Monitoring quality of Internet access services in the context of Net Neutrality

BEREC Monitoring quality of Internet access services in the context of Net Neutrality BEREC Monitoring quality of Internet access services in the context of Net Neutrality BEUC statement Contact: Guillermo Beltrà - digital@beuc.eu Ref.: BEUC-X-2014-029 28/04/2014 BUREAU EUROPÉEN DES UNIONS

More information

Liechtenstein. Heinz Frommelt. Sele Frommelt & Partners Attorneys at Law Ltd

Liechtenstein. Heinz Frommelt. Sele Frommelt & Partners Attorneys at Law Ltd Sele Frommelt & Partners Attorneys at Law Ltd Heinz Frommelt Sele Frommelt & Partners Attorneys at Law Ltd Legislation and jurisdiction 1 What is the relevant legislation and who enforces it? is a member

More information

Improving self-regulation through (law-based) Corporate Data Protection Officials *

Improving self-regulation through (law-based) Corporate Data Protection Officials * Improving self-regulation through (law-based) Corporate Data Protection Officials * Article by Christoph Klug ** The rise of globalization and multinational corporations is creating a pressing need for

More information

Overview of Employment and Employee Privacy Laws and Key Trends in Austria

Overview of Employment and Employee Privacy Laws and Key Trends in Austria P a g e 1 Privacy Interviews with Experts August 2011 Toronto / Washington DC / Brussels www.nymity.com Rainer Knyrim Attorney and Partner Preslmayr Attorneys at Law Vienna, Austria Overview of Employment

More information

5419/16 ADD 1 VH/np 1 DGD 2C

5419/16 ADD 1 VH/np 1 DGD 2C Council of the European Union Brussels, 17 March 2016 (OR. en) Interinstitutional File: 2012/0011 (COD) 5419/16 ADD 1 DRAFT STATEMT OF THE COUNCIL'S REASONS Subject: DATAPROTECT 2 JAI 38 MI 25 DIGIT 21

More information

Registration must be carried out by a top executive or a number of executives having the power to commit the whole company in the EU.

Registration must be carried out by a top executive or a number of executives having the power to commit the whole company in the EU. Questions and answers 1- What is the purpose of The Initiative? Why are we doing this? The purpose of the Supply Chain Initiative is to promote fair business practices in the food supply chain as a basis

More information

A guide for in-house lawyers

A guide for in-house lawyers A guide for in-house lawyers June 2015 The Proposed EU General Data Protection Regulation Index Introduction to the Regulation - 3 Progress of the Regulation - 4 Using this Guide - 5 Conceptual Overview

More information

EUROPEAN COMMISSION Directorate General Internal Market and Services. CAPITAL AND COMPANIES Audit and Credit Rating Agencies

EUROPEAN COMMISSION Directorate General Internal Market and Services. CAPITAL AND COMPANIES Audit and Credit Rating Agencies EUROPEAN COMMISSION Directorate General Internal Market and Services CAPITAL AND COMPANIES Audit and Credit Rating Agencies Brussels, 3 September 2014 Q&A - Implementation of the New Statutory Audit Framework

More information

Securing Internet Payments. The current regulatory state of play

Securing Internet Payments. The current regulatory state of play Securing Internet Payments The current regulatory state of play In recent years the European Union (EU) institutions have shown a growing interest on the security of electronic payments. This interest

More information

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq. EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update By Stephen H. LaCount, Esq. Overview The European Union Data Protection Directive 95/46/EC ( Directive ) went effective in

More information

CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE

CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE Représentant les avocats d Europe Representing Europe s lawyers CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION

More information

I. EBF KEY PRIORITIES. A. Data breach notification

I. EBF KEY PRIORITIES. A. Data breach notification D1391E-2012 29.10.2012 EUROPEAN BANKING FEDERATION PROPOSED AMENDMENTS TO THE EUROPEAN COMMISSION PROPOSAL FOR A REGULATION ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

More information

Privacy & Data Security: The Future of the US-EU Safe Harbor

Privacy & Data Security: The Future of the US-EU Safe Harbor Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

E U R O P E A N E C O N O M I C A R E A

E U R O P E A N E C O N O M I C A R E A E U R O P E A N E C O N O M I C A R E A S T A N D I N G C O M M I T T E E O F T H E E F T A S T A T E S Distribution: EEA EFTA 20 March 2012 SUBCOMMITTEE I ON THE FREE MOVEMENT OF GOODS EEA EFTA Comment

More information

GENERAL COMMENTS. 12 February 2015

GENERAL COMMENTS. 12 February 2015 EBF_013353 The European Banking Federation is the voice of the European banking sector, uniting 32 national banking associations in Europe that together represent some 4,500 banks - large and small, wholesale

More information

EUROPEAN PARLIAMENT AND COUNCIL DIRECTIVE. on a common framework for electronic signatures

EUROPEAN PARLIAMENT AND COUNCIL DIRECTIVE. on a common framework for electronic signatures COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, 29.04.1999 COM(1999) 195 fmal 98/0191(COD) Amended proposal for a EUROPEAN PARLIAMENT AND COUNCIL DIRECTIVE on a common framework for electronic signatures

More information

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, 21.9.2005 COM(2005) 438 final 2005/0182 (COD) Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the retention of data processed

More information

***I DRAFT REPORT. EN United in diversity EN 2012/0011(COD) 17.12.2012

***I DRAFT REPORT. EN United in diversity EN 2012/0011(COD) 17.12.2012 EUROPEAN PARLIAMT 2009-2014 Committee on Civil Liberties, Justice and Home Affairs 17.12.2012 2012/0011(COD) ***I DRAFT REPORT on the proposal for a regulation of the European Parliament and of the Council

More information

Declaration of Internet Rights Preamble

Declaration of Internet Rights Preamble Declaration of Internet Rights Preamble The Internet has played a decisive role in redefining public and private space, structuring relationships between people and between people and institutions. It

More information

CCBE POSITION ON THE PROPOSAL FOR A DIRECTIVE OF THE EUROPEAN PARLIAMENT AND THE COUNCIL

CCBE POSITION ON THE PROPOSAL FOR A DIRECTIVE OF THE EUROPEAN PARLIAMENT AND THE COUNCIL CCBE POSITION ON THE PROPOSAL FOR A DIRECTIVE OF THE EUROPEAN PARLIAMENT AND THE COUNCIL ON CONSUMER RIGHTS DIRECTIVE COM(2008) 614/3 CCBE position on The Proposal for a Directive of the European Parliament

More information

Final Report. ESMA s Technical Advice to the Commission on procedural rules to impose fines and periodic penalty payments to Trade Repositories

Final Report. ESMA s Technical Advice to the Commission on procedural rules to impose fines and periodic penalty payments to Trade Repositories Final Report ESMA s Technical Advice to the Commission on procedural rules to impose fines and periodic penalty payments to Trade Repositories 20 December 2013 ESMA/2013/1965 Date: 20 December 2013 ESMA/2013/1965

More information

AmCham EU position on the General Data Protection Regulation

AmCham EU position on the General Data Protection Regulation AmCham EU position on the General Data Protection Regulation 11 July 2012 American Chamber of Commerce to the European Union Avenue des Arts/Kunstlaan 53, 1000 Brussels, Belgium Telephone 32-2-513 68 92

More information

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas

More information

25 May 2015 EK VIEWS ON THE DIGITAL SINGLE MARKET STRATEGY The Commission published on 6 May A Digital Single Market Strategy for Europe. The strategy sets out 16 key actions under three pillars which

More information

Guidelines for the use of electronic signature

Guidelines for the use of electronic signature Republic of Albania National Authority for Electronic Certification Guidelines for the use of electronic signature Guide Nr. 001 September 2011 Version 1.3 Guidelines for the use of electronic signature

More information

Working Document 02/2013 providing guidance on obtaining consent for cookies

Working Document 02/2013 providing guidance on obtaining consent for cookies ARTICLE 29 DATA PROTECTION WORKING PARTY 1676/13/EN WP 208 Working Document 02/2013 providing guidance on obtaining consent for cookies Adopted on 2 October 2013 This Working Party was set up under Article

More information

C 128/28 Official Journal of the European Union 6.6.2009

C 128/28 Official Journal of the European Union 6.6.2009 C 128/28 Official Journal of the European Union 6.6.2009 Second opinion of the European Data Protection Supervisor on the review of Directive 2002/58/EC concerning the processing of personal data and the

More information

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof, Opinion of the European Data Protection Supervisor on the Joint Communication of the Commission and of the High Representative of the European Union for Foreign Affairs and Security Policy on a 'Cyber

More information

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 Janine Regan, Associate George Willis, Associate charlesrussellspeechlys.com Janine Regan Associate

More information

Data protection compliance checklist

Data protection compliance checklist Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing

More information

The EBF would like to take the opportunity to note few general remarks on key issues as follows:

The EBF would like to take the opportunity to note few general remarks on key issues as follows: Ref.:EBF_001314 Brussels, 17 June 2013 Launched in 1960, the European Banking Federation is the voice of the European banking sector from the European Union and European Free Trade Association countries.

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

PUBLIC CONSULTATION ON POSTAL SERVICES

PUBLIC CONSULTATION ON POSTAL SERVICES EUROPEAN COMMISSION PUBLIC CONSULTATION ON POSTAL SERVICES PART 2 CONSULTATION ENDS JAN 27 2006 NOV 2005 V1.9 Page 1 of 9 PART 2 CONSULTATION ON POSTAL SERVICES Part 2 asks more detailed questions on a

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG

More information

Data Protection Working Group. Final Report on the Draft Data Protection Bill

Data Protection Working Group. Final Report on the Draft Data Protection Bill Data Protection Working Group Final Report on the Draft Data Protection Bill Background In August 2009, upon a request from the Hon. Attorney General, the Governor-in-Cabinet established a Data Protection

More information

Online Security, Traffic Data and IP Addresses. Review of the Regulatory Framework for Electronic Communications

Online Security, Traffic Data and IP Addresses. Review of the Regulatory Framework for Electronic Communications Brussels, October 8 th 2008 Online Security, Traffic Data and IP Addresses Review of the Regulatory Framework for Electronic Communications Francisco Mingorance Senior Director Government Affairs franciscom@bsa.org

More information

Proposal for a revised Payment Services Directive

Proposal for a revised Payment Services Directive Proposal for a revised Payment Services Directive BEUC position Contact: Financial Services Team financialservices@beuc.eu Ref.: X/2013/079-27/11/2013 BUREAU EUROPÉEN DES UNIONS DE CONSOMMATEURS AISBL

More information

European Commission Consultation document on Voice over IP

European Commission Consultation document on Voice over IP STELLUNGNAHME European Commission Consultation document on Voice over IP This paper provides the eco comment on the European Commission consultation document. eco is the association of German internet

More information

UK Data Protection Newsletter June 2015

UK Data Protection Newsletter June 2015 UK Data Protection Newsletter June 2015 Headlines this month: n Data Protection reform update n New regulation must not lower data protection standards n Raid on Manchester Call Centre n Recent data breaches

More information

South East Asia: Data Protection Update

South East Asia: Data Protection Update Data Privacy and Security Team To: Our Clients and Friends September 2013 South East Asia: Data Protection Update Europe has had data protection laws in place for over a decade. Such laws regulate how

More information

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

CHANGES IN THE WORLD OF CLAIMS MANAGEMENT FROM DEBTORS TO CUSTOMERS

CHANGES IN THE WORLD OF CLAIMS MANAGEMENT FROM DEBTORS TO CUSTOMERS CHANGES IN THE WORLD OF CLAIMS MANAGEMENT FROM DEBTORS TO CUSTOMERS Andreas Aumüller, President of FENCA Federation of European National Collection Associations CONSUMER CREDIT INDUSTRY Annual Convention

More information

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? 10 Juni 2013 Taylor Wessing - Essay Competition 2013 Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? by Katarina Kesselová, LLM. Introduction

More information

EUROPEAN ECONOMIC AREA JOINT PARLIAMENTARY COMMITTEE. REPORT on E-Commerce and EEA legislation

EUROPEAN ECONOMIC AREA JOINT PARLIAMENTARY COMMITTEE. REPORT on E-Commerce and EEA legislation EUROPEAN ECONOMIC AREA 30 November 2000 Brussels JOINT PARLIAMENTARY COMMITTEE REPORT on E-Commerce and EEA legislation Co-rapporteurs: Ms. Marjo Matikainen-Kallstöm (EPP-ED, Finland) Mr. Vilhjálmur Egilsson

More information

COMPLYING WITH THE E-COMMERCE REGULATIONS 2002

COMPLYING WITH THE E-COMMERCE REGULATIONS 2002 COMPLYING WITH THE E-COMMERCE REGULATIONS 2002 You should read this guide if you. advertise goods or services online (i.e. via the Internet, interactive television or mobile telephone) sell goods or services

More information

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? Dr. Jörg Hladjk Counsel European Data Protection & Privacy Practice Hunton & Williams, Brussels Cyber Security

More information

I. Personal data and its use in the business to business environment.

I. Personal data and its use in the business to business environment. RESPONSE FROM THE DIRECT MARKETING ASSOCIATION (UK) LTD. TO THE EUROPEAN COMMISSION'S CONSULTATION ON THE IMPLEMENTATION OF DIRECTIVE 95/46 EC ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING

More information

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL EUROPEAN COMMISSION Brussels, XXX COM(2012) 11/3 draft Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal

More information

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. Proposal for an Interinstitutional Agreement on Better Regulation

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. Proposal for an Interinstitutional Agreement on Better Regulation EUROPEAN COMMISSION Strasbourg, 19.5.2015 COM(2015) 216 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL Proposal for an Interinstitutional Agreement on Better Regulation

More information

Adobe Systems Incorporated. Response to the Copyright and Innovation Consultation paper for the Department of Jobs, Enterprise and Innovation

Adobe Systems Incorporated. Response to the Copyright and Innovation Consultation paper for the Department of Jobs, Enterprise and Innovation Adobe Systems Incorporated Response to the Copyright and Innovation Consultation paper for the Department of Jobs, Enterprise and Innovation About Adobe Systems Incorporated Adobe is the global leader

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information

Cookies Under Control

Cookies Under Control Cookies Under Control On June 5, 2012 the new Dutch legislation on the use of cookies enters into force. What does this mean for the online marketing business? 1 CONTENTS 3 4 4 7 8 NEW RULES FOR THE USE

More information