Data Protection and User Security - A Review

Thomas Boué, Manager Government Affairs, EMEA
Avenue des Arts, Brussels

Views of the Business Software Alliance on the Commission's Data Protection Strategy

14 January 2011

The Business Software Alliance [1] (BSA) welcomes the Commission's Communication on "A comprehensive approach on personal data protection in the European Union" (the "Communication"). Ensuring the robust protection of personal data is critical to the success of the ICT and online services sectors, and thus is a priority for our members.

As the Communication recognises, the Data Protection Directive (95/46/EC) seeks to achieve two important objectives: protecting the fundamental rights of European citizens, and promoting the single market by ensuring the free flow of personal data. Increasing globalisation and the advent of new technologies, the Internet foremost among them, have sometimes meant that the existing regime cannot fully achieve these dual objectives. Users' needs have evolved as innovative technologies and services have opened up new ways of communicating, socialising and doing business. BSA looks forward to continued dialogue with the Commission on how to best ensure data protection in these changed conditions.

We strongly believe the framework's robust protections for personal data must be maintained. In tandem, we must ensure that these protections are structured in such a way that they facilitate, rather than undermine, the digital single market. In order to foster continued innovation in Europe's ICT sector, the regime should also remain technology neutral.

BSA would also like to emphasise that the Data Protection Directive should focus less on prescriptive requirements and more on substantive outcomes. A greater emphasis on outcomes -- i.e., a focus on what organisations achieve, not how they achieve it -- will maintain strong user protections while reducing compliance burdens for data controllers. This would particularly benefit European SMEs, many of whom may not have the personnel or resources to comply with a complex and fragmented regulatory regime.

[1] About BSA: The Business Software Alliance ( is the world's foremost advocate for the software industry, working in 80 countries to expand software markets and create conditions for innovation and growth. Governments and industry partners look to BSA for thoughtful approaches to key policy and legal issues, recognizing that software plays a critical role in driving economic and social progress in all nations. BSA's member companies invest billions of dollars a year in local economies, good jobs, and next generation solutions that will help people around the world be more productive, connected, and secure. BSA members include Adobe, Altium, Apple, Asseco Poland S.A., Attachmate, Autodesk, Autoform, AVEVA, AVG, Bentley Systems, CA Technologies, Cadence, Cisco, CNC/Mastercam, Corel, Dassault Systèmes SolidWorks Corporation, DBA Lab S.p.A., Dell, HP, IBM, Intel, Intuit, Kaspersky Lab, Mamut, McAfee, Microsoft, Minitab, NedGraphics, O&O Software, PTC, Progress Software, Quark, Quest, Rosetta Stone, SAP, Scalable Software, Siemens, Sybase, Symantec, Synopsys, Tekla, and The MathWorks.

In this document, we have grouped our comments on the proposals made in the Communication into four broad categories: (1) Improving Harmonisation; (2) Strengthening User Security; (3) Facilitating Global Data Flows; and (4) Enhancing the Protection of Individuals' Rights. While our response touches on a broad range of issues, our key comments include the following:

Improving Harmonisation

BSA would welcome greater harmonisation of data protection rules across the Member States. One possible tool for achieving this would be to replace the Data Protection Directive with a Regulation. Such a move must not lead to the introduction of sector-specific requirements or leave the door open to any future introduction of multiple sectorial Directives which would clearly prevent the emergence of a fully harmonised regime.

We encourage the Commission to consider means of ensuring greater legal clarity with regard to the definition of personal data. We would be happy to work with the Commission on refining the scope and contours of the definition.

To create greater legal certainty, both for users and for data controllers, BSA encourages the Commission to clarify the provisions on applicable law so that each data controller is subject to a single set of rules across the EU.

While we are not opposed to further harmonisation of consent requirements, re-considering the opt-out rule for deployment of cookies will only serve to hinder the functioning of the Internet, without providing any added protection to users.

Strengthening User Security

BSA favours the creation of a breach notification system applicable to all businesses and organisations provided that it is carefully crafted to prevent the issuance of immaterial notices.

We support Privacy by Design, which is already a guiding principle for our members in solution development. BSA views Privacy by Design as a process for ensuring that data protection is carefully considered in the design and implementation of products and services. We urge the Commission not to equate this principle with technology mandates, and also would ask the Commission to consider how Privacy by Design could be achieved through promotion of PETs.

BSA believes the Data Protection Directive already includes sufficiently robust enforcement mechanisms. A new cause of action for civil society organisations would not meaningfully enhance security.

Facilitating Global Data Flows

We support a review of the current process for model contract clauses with a view to speeding up assessment procedures and making these clauses more user friendly.

BSA encourages the Commission to ensure that BCRs can be applied to data processors.

Enhancing the Protection of Individuals' Rights

BSA is broadly in favour of an accountability principle, but further clarity is required regarding the precise meaning of the principle, how it would be implemented in practice, and how compliance would be assessed. We would welcome further dialogue on this issue to ensure that an accountability principle strengthens data protection by encouraging an outcome-oriented approach to protecting user privacy.

We would welcome further clarification from the Commission on how it proposes to proceed in relation to data portability and the right to be forgotten. Any new measures in these areas should avoid technology mandates and be commercially reasonable. Prior to the introduction of any new measures, we would encourage the Commission to engage in further dialogue with stakeholders to define commercially viable means of achieving the Commission's goals.

1. Improving Harmonisation

BSA welcomes the Commission's plans to further harmonise European data protection rules. Prior to the adoption of the Data Protection Directive, national privacy laws differed significantly, resulting in uneven protection for users and significant compliance burdens for businesses. While the Directive has created a more uniform system, BSA believes, along with many others in industry, that national implementations and applications of the Directive remain insufficiently harmonised. In the Communication, the Commission has suggested a number of actions to help create greater uniformity across the Member States.
BSA would welcome the opportunity to engage in further discussions with the Commission on these issues, including with regard to the following points:

Examining means to achieve further harmonisation of data protection rules at EU level (sec ). BSA would in principle favour further action by the EU to ensure greater consistency across Europe in the data protection area. The Communication is, however, vague on the specific measures that the Commission might propose to take; further clarification on the Commission's plans would be welcomed. One option the Commission might consider is the introduction of a Regulation to replace the Data Protection Directive. This could help ensure that data subjects receive the same robust protections in every market, while at the same time eliminating unnecessary complications that arise for organisations as a result of diverging implementations and interpretations of the Directive at Member State level. BSA believes, however, that any Regulation must not include sector-specific requirements or provide a basis for the introduction of sector-specific Regulations or Directives. Such an approach would inevitably lead to competing data protection frameworks, undermining harmonisation and putting at risk the functioning of the Internal Market.

Fostering self-regulation (sec ). Self-regulatory mechanisms could play an important role in ensuring strong privacy protections, particularly as data is now routinely moving across jurisdictional boundaries, thereby complicating regulatory efforts by national authorities. But to date, very few industry codes have been developed pursuant to Article 27 of the Directive. We would therefore encourage the EU institutions to take a more active role in encouraging self-regulatory mechanisms. One means of doing so might be the introduction of incentives for companies to agree and adopt such arrangements.

Definition of Personal Data (sec ). We agree with the Commission that a careful examination should be made of the scope of personal data. Right now, differences in interpretation are contributing to legal uncertainty with respect to a critical aspect of EU data protection law. Greater uniformity in applying the concept of personal data needs to be achieved. In particular, we believe it is important to recognise that in certain circumstances, organisations may have legitimate reasons for processing information relating to an individual in some manner that cannot simply be classified as personal data. For example, differing Member State views on the status of IP addresses make it unclear if such addresses may be processed, including for security purposes.
Many Member States also take the view that only government authorities may process IP addresses to protect IPRs because IP addresses are judicial data in this context. This effectively prevents IPR owners from protecting their fundamental rights in an Internet environment.

One possible solution might be to introduce a context-based concept of personal data, under which data would be deemed personal data only if the relevant controller can identify the individual to whom the data relate. This may be one way of ensuring that companies can process personal data for essential purposes, such as the filtering of inappropriate content to safeguard vulnerable citizens or the protection of intellectual property rights (IPRs), without triggering data protection rules that may hinder such processing. A context-based approach might also include a reasonableness test that would enable data controllers to determine when data protection rules are applicable.

Another possibility would be the recognition of new categories of data -- anonymous data and pseudonymous data. The former would refer to data that could never be used to identify an individual; the latter would cover data relating to an individual to which a pseudonym is attached, such as a code, alias or IP address. Pseudonymous data would be subject to a less stringent set of rules than personal data.

Consideration could also be given to amending Article 8(5) of the Data Protection Directive to indicate that data processed to protect IPRs are not judicial data. Alternatively, a recital could be added clarifying the interpretation of Article 8(5). In conjunction with either of the foregoing changes, Article 7 could be amended to explicitly permit processing of personal data to protect the fundamental rights (including IPRs) of the organisation processing the data.

We encourage the Commission to explicitly exclude business contact information from the definition of personal data. Companies must process business contact information (i.e., the personal name of each contact, along with the respective company name, office address, address and telephone number) for routine business purposes. For example, many cloud service providers utilise business contact information in connection with the authentication of users. As a consequence, an enterprise customer must often obtain consent for the processing of such data from each employee who will have access to the cloud service. Helpfully, the Spanish DPA has recognised that categorising business contact information as personal data creates unnecessary burdens for companies and has excluded such information from the scope of personal data in Spain. We believe commerce across the EU would benefit from a similar Europe-wide exception.

We also ask the Commission to carefully examine the scope of processing. The current definition is very broad and can capture operations that only involve the use of personal data in an incidental manner, such as application maintenance and upkeep of IT infrastructure.
The Commission might consider, in consultation with industry, excluding certain specific activities such as these from the scope of processing.

Finally, we would encourage the Commission to avoid expanding the scope of personal data to apply in a blanket manner to other forms of data, such as location data. The existing definition is broad and flexible and covers any data relating to an identified or identifiable person. Location data that is not related to a person (e.g., that relates to a wi-fi router) does not raise privacy concerns, but location data that is connected to an identifiable person is already covered by the current rules.

Protecting sensitive data (sec ). We encourage the Commission to engage in close consultation with stakeholders on any proposal to classify additional types of data as sensitive. Certain categories of data unquestionably merit enhanced protection given their nature. However, because categorising data as sensitive can create challenges in relation to the processing of such data, it is important to ensure that data is categorised in this way only where essential. The Commission and stakeholders should work together to ensure that any extension of the scope of sensitive data is the best means of addressing a particular challenge to privacy.

Simplification of the DPA notification system (sec ). We support the Commission's proposal to examine simplifying and better harmonising the DPA notice regime, and applaud the decision to consider a uniform EU-wide registration form that would replace individual Member State forms. If it is decided to proceed with developing such a form, we would encourage the Commission to seek industry input on its requirements. In conjunction with the introduction of a single registration form, we also would support the establishment of a mutual recognition system under which notification in one Member State would constitute notice in all Member States. We envisage that under such a system, Member State authorities would have access to a common database of registrations. This would enable DPAs to efficiently obtain the information they need on processing operations while eliminating redundant filings. The development of parallel EU and Member State notification systems should, however, be avoided.

Clarifying the rules on applicable law (sec ). BSA welcomes the Commission's plans to examine how to revise and clarify the existing provisions on applicable law. Under the current system, companies that are present in a number of Member States often find that they are subject to several different -- and diverging -- data protection regimes. These divergent regimes result in uneven protections for users, and significant compliance costs for enterprises.
To create greater legal certainty, both for users and for data controllers, BSA encourages the Commission to clarify the provisions on applicable law so that each data controller is subject to a single set of rules across the EU. We note that under the e-commerce Directive, the country of origin principle has proven to be a highly successful means of determining applicable law. In the context of the Data Protection Directive, the applicable law rules might be improved by introducing a similar country of origin principle -- the country of origin could be the Member State where the main establishment of the data controller is located, as was recently suggested by the Article 29 Working Party in its Opinion on Applicable Law. BSA notes that there are unresolved issues relating to applicable law with respect to data processors, as well as to data controllers based outside the EU -- further clarification in these areas would also be welcomed.

We also note that resolving uncertainty regarding applicable law will be important particularly for facilitating the continued development of cloud computing services. For instance, in a cloud computing scenario, the main establishment of a provider of cloud services in Europe could be in the Member State where the provider's data centre is physically located in the EU. We believe there are a number of possible solutions to the applicable law difficulties arising under the Data Protection Directive and we look forward to working with policy makers on this important issue.

Strengthening the role of the Article 29 Working Party in coordinating the work of DPAs (sec. 2.5). Bolstering the role of the Working Party could help ensure more harmonised enforcement and interpretation of data protection rules across the EU and we agree that studying this issue makes sense. We also welcome the Commission's call for the Working Party to become more transparent. One means of achieving greater transparency might be the establishment of a Permanent Stakeholders Group (PSG) composed of representatives of a broad cross-section of stakeholders (industry, consumers, academia, etc.) and selected by the European Commission.

Potential opt-in for consent to deployment of cookies (sec ). The Communication indicates that the Commission will examine means of clarifying and strengthening rules on consent. While we are not opposed to further harmonisation in this area, we are concerned by the suggestion that the Commission might re-visit the opt-out rule for deployment of cookies or similar technologies used for legitimate purposes reaffirmed in the revisions to the e-privacy Directive in Cookies are essential for the functioning of many web pages and ensure an optimal experience for users online; an opt-out regime for their deployment strikes the right balance between protecting individual rights and ensuring the smooth functioning of the many online services on which users rely.

A possible mandatory requirement to appoint data protection officers and harmonising rules relating to their tasks and competences (sec ). The Communication suggests that the Commission is considering requiring private sector enterprises to appoint a Data Protection Officer. While BSA has favoured the introduction of incentives to encourage the appointment of DPOs, a mandatory requirement might not be the ideal solution. As explained earlier, prescriptive requirements may prove too burdensome and not achievable for many companies, especially European SMEs who have limited resources and staff. (In this regard, we assume that the Commission is contemplating the appointment of a single DPO to oversee compliance across an enterprise, and does not intend to require that a DPO be appointed in every Member State where a company acts as a data controller). We would also welcome clarification from the Commission on how it would propose to harmonise the rules relating to the duties of DPOs.

2. Strengthening User Security

BSA believes that ensuring users' data security and preventing the misuse of personal data are important to fostering trust and confidence in the online experience. But the tremendous increase in the scope of data now online, and the increase in data flows due to globalisation and the Internet, raise challenges to keeping data secure that could not have been foreseen when the Data Protection Directive was adopted in BSA believes that effective data protection requires effective cyber security, and encourages the Commission to recognise this in the legislation and ensure that the regime takes account of the needs of cyber security services.

In the Communication, the Commission has made a number of significant proposals intended to enhance data security. We would welcome the opportunity to engage in further dialogue with the Commission on the following points:

Introduction of breach notification requirements (sec ). BSA favours the creation of a breach notification system applicable to all businesses and organisations. Such a requirement should help incentivise entities to ensure robust protection for personal data, while enabling data subjects to take action to protect themselves in the event their data is compromised. Any proposal should, however, be carefully crafted to prevent the issuance of immaterial notices, principally by ensuring that notice is only required where there is a serious risk of harm to the user and by excluding from the notice obligation data that has been rendered unusable, unreadable or indecipherable to an unauthorised third party through practices or methods, such as encryption, redaction, access controls or other such practices or methods, which are widely accepted as effective industry practices or industry standards. Furthermore, we do not believe notice should be required when internal company policies on access to personal data are accidentally violated by employees, as such incidents do not present a risk to user privacy.

Privacy by Design (sec ). We support the principle of Privacy by Design, which already guides our members' development processes. BSA would, however, appreciate further clarification from the Commission regarding how it proposes to define and integrate the principle of Privacy by Design into the data protection framework. We believe that Privacy by Design should be understood as a process for ensuring that data protection is carefully considered in the design and implementation of products and services.
If this principle were instead used as a basis for imposing design mandates on particular technologies, it would hinder, rather than promote, user privacy and security. Requirements to design or configure technologies in certain ways can freeze the development of alternative approaches and solutions that can better protect individuals' rights. We also encourage the Commission to consider how Privacy by Design could be achieved through promotion of PETs.

BSA believes that self-regulatory mechanisms are likely to be the most effective means of implementing Privacy by Design, as self-regulation enables flexible responses to new technological innovations. Compliance with a mandatory Privacy by Design provision that is implemented in different ways in each Member State would disrupt the Internal Market and dramatically increase the cost of designing and producing ICT products. Indeed, compliance with 27 different sets of rules on Privacy by Design might not be possible for many businesses, particularly SMEs.

The possible establishment of EU certification schemes for privacy-compliant processes, technologies, products and services (sec ). We welcome private sector efforts to develop useful tools such as privacy seals and trust marks for aiding consumers in identifying online businesses and services that maintain high privacy standards. We would also welcome Commission efforts to support voluntary, industry-led efforts in this area with reasonable cost structures that will not disadvantage SMEs. Mandatory certification schemes can, in contrast, create barriers to innovation and impose additional, unreasonable costs on organisations that are required to accredit their products under such schemes. Any scheme, if introduced, must be structured so that similarly situated products and services are assessed on an equal footing and certain technologies are not favoured over others. A system under which use of certain certified solutions by data controllers would be viewed as evidence of compliance with data protection rules could have a devastating impact on the incentives of ICT providers to develop innovative new security products.

Potentially granting civil society organisations a third-party cause of action for breaches of privacy rules (sec ). The Data Protection Directive provides that citizens must have a cause of action to remedy violations of their data protection rights, and that Data Protection Authorities must have extensive enforcement powers. Consequently, the creation of a third-party cause of action for breaches of privacy rules would not meaningfully enhance security, and could contribute to unnecessary litigation. Indeed, we are not aware of any empirical evidence suggesting that a third-party cause of action would address a particular security problem or that the public supports such an initiative. We would encourage the Commission to conduct a thorough impact assessment and a full dialogue with all interested stakeholders before proceeding.

3. Facilitating Global Data Flows

BSA welcomes the Commission's plans to improve and streamline procedures for transferring data out of the EU (sec ).
With increasing globalisation and the advent of new technologies such as cloud computing, it is essential to both technology users and providers that European firms are able to transfer data efficiently and cost-effectively on a worldwide basis as long as they ensure robust safeguards for the processing of that data.

We believe that far too few countries have been found to provide an adequate level of data protection to make adequacy a viable basis for transferring data abroad for most organisations, given that data is already flowing around the world and beyond the borders of the EU at the click of a button. It is certainly important, however, for the EU and other major markets to have consistent approaches to data protection and international transfers. Indeed, global data flows will soon be the norm and it is crucial that the EU be able to interoperate with third country regimes.

One difficulty in the adequacy process is an apparent focus on the existence of formal rules rather than an assessment of the actual real-world protections extended to personal data by the country under scrutiny. We would encourage the Commission to explore firstly the continued relevance of the adequacy principle as a basis for international transfers and to explore the possibility of streamlining this procedure by focusing the analysis on the outcomes sought by a particular country's legislation.

In addition, we encourage the Commission to:

Harmonise and simplify model contract procedures. Model contract clauses focus on a data controller's responsibility to ensure adequate safeguards for personal data as it moves around the world. While this is welcome, there are shortcomings with this system. Unfortunately some Member States continue to insist on reviewing such clauses even if the Commission's standard clauses are used without amendment, which leads to unacceptable delays in the implementation of international transfers. The model clause provisions are also inflexible and often cannot be changed without triggering regulatory review. Finally, the model clauses are difficult to use in organisations with many subsidiaries. We would welcome the opportunity to engage in further dialogue with the Commission on how to address these issues. In particular, we would ask the Commission to consider including a provision in the Data Protection Directive clarifying that the use of model contract clauses which have not been amended precludes the need for any Member State approvals in relation to a transfer using such clauses.

Ensure that BCRs can be applied to data processors. Modern computing services such as strategic outsourcing and cloud computing, however, have led to the routine use by many companies of IT service providers that process personal data on behalf of their customers. Such data processors are not yet covered by BCRs. As a result, transferring data to such processors may necessitate complex contractual arrangements. By adapting BCRs to accommodate the real-world ways in which data is handled in today's Information Society, the EU can ensure that enterprises -- and their customers -- are able to fully reap the efficiencies of new Internet-enabled services.

4. Enhancing the Protection of Individuals' Rights

Accountability principle (sec ). BSA is broadly in favour of an accountability principle.
We strongly support robust data protection and believe data controllers must be held responsible for the security of data entrusted to them. We are also strongly in favour of any measure that would reduce administrative burdens on data controllers. We note, however, that there are differing views on what accountability means, how such a principle would be implemented in practice, and how compliance would be assessed.

Some believe that accountability should be understood as a principle that would move data protection away from prescriptive requirements and instead emphasise actual results. Under such an approach, a data controller would be responsible for understanding the risks to a data subject that arise from a particular processing and for mitigating those risks. Data controllers might rely less on compliance with specific rules, and instead be required to adopt and implement more customised, circumstance-specific policies that align with general principles or practices set forth in EU legislation. At the same time, the burden of proof would likely be reversed and be borne by data controllers rather than regulators. BSA believes that an approach focused on outcomes could strengthen data protection for users while reducing compliance burdens on data controllers; however, we note that the financial and administrative effect of a reversal of the burden of proof is unclear.

Others, however, see an accountability principle as imposing additional requirements on data controllers to demonstrate compliance with data protection rules. While much would depend on the specifics of any such proposal, we are concerned that increasing the administrative obligations of data controllers would prove to be a costly exercise that would simply create more boxes for controllers to tick without meaningfully enhancing the protection of individuals' private data. BSA would have significant concerns with this approach.

As yet, we are unclear on which approach the Commission is planning to take. We would welcome further dialogue on this issue to ensure that an accountability principle strengthens data protection by encouraging an approach that emphasises actual results over adherence to prescriptive requirements.

Data portability (sec ). BSA would welcome further details from the Commission on how it would propose to proceed in this area. A number of industry leaders already provide users with the ability to retrieve their data; we are thus uncertain that the establishment of a right to data portability is necessary. Among the challenges here, the Commission will need to draw a clear line to the extent possible between data that is in fact user data (i.e. data created and uploaded by the user), and data that is generated or collected by the service provider. We would also encourage the Commission to ensure that any data portability measures are not implemented in the form of technical mandates that could hinder innovation.

Right to be forgotten (sec ).
We believe users should have a significant degree of choice and control over their data wherever technically feasible. The Data Protection Directive already includes important rights and principles relating to the legitimate and proportional use of data, as well as the erasure of data. Therefore, we are not certain if a new right is necessary in this area, and would request that the Commission clearly describe the scope of the contemplated right. While the timely deletion of obsolete data can help to protect the privacy of data subjects, this requirement should not subject data controllers to obligations that they are ultimately incapable of satisfying. Any obligations in this regard should require only that data controllers make technologically and commercially reasonable efforts to erase such data. 11


More information

Overview. Data protection in a swirl of change 28.03.2014. Cloud computing. Software as a service. Infrastructure as a service. Platform as a service

Overview. Data protection in a swirl of change 28.03.2014. Cloud computing. Software as a service. Infrastructure as a service. Platform as a service Data protection in a swirl of change Overview 1 Data protection issues in cloud computing 2 Consent for mobile applications Security Seminar 2014: Privacy Radboud University Nijmegen 3 The WhatsApp case

More information

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation June 19, 2012 Practice Group(s): Health Care Life Sciences Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation By Mathias Schulze Steinen and Daniela Bohn

More information

NATIONAL INSURANCE BROKERS ASSOCIATION OF AUSTRALIA (NIBA) Submission to WorkCover Western Australia. Legislative Review 2013

NATIONAL INSURANCE BROKERS ASSOCIATION OF AUSTRALIA (NIBA) Submission to WorkCover Western Australia. Legislative Review 2013 NATIONAL INSURANCE BROKERS ASSOCIATION OF AUSTRALIA (NIBA) ABOUT NIBA Submission to WorkCover Western Australia Legislative Review 2013 February 2014 NIBA is the peak body of the insurance broking profession

More information

ACS CLOUD COMPUTING CONSUMER PROTOCOL. Response from AIIA

ACS CLOUD COMPUTING CONSUMER PROTOCOL. Response from AIIA ACS CLOUD COMPUTING CONSUMER PROTOCOL Response from AIIA AUGUST 2013 INTRODUCTION The Australian Information Industry Association (AIIA) is the peak national body representing multinational and domestic

More information

Initial appraisal of a European Commission Impact Assessment

Initial appraisal of a European Commission Impact Assessment Initial appraisal of a European Commission Impact Assessment European Commission proposal for a Directive on the harmonisation of laws of the Member States to the making available on the market of radio

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

COMMISSION STAFF WORKING PAPER EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document. Proposal for a

COMMISSION STAFF WORKING PAPER EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document. Proposal for a EUROPEAN COMMISSION Brussels, XXX SEC(2011) 1227 COMMISSION STAFF WORKING PAPER EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT Accompanying the document Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT

More information

INTERNATIONAL PHARMACEUTICAL PRIVACY CONSORTIUM COMMENTS IN RESPONSE TO THE CALL FOR EVIDENCE ON EU DATA PROTECTION PROPOSALS

INTERNATIONAL PHARMACEUTICAL PRIVACY CONSORTIUM COMMENTS IN RESPONSE TO THE CALL FOR EVIDENCE ON EU DATA PROTECTION PROPOSALS INTERNATIONAL PHARMACEUTICAL PRIVACY CONSORTIUM COMMENTS IN RESPONSE TO THE CALL FOR EVIDENCE ON EU DATA PROTECTION PROPOSALS I. INTRODUCTION The International Pharmaceutical Privacy Consortium (IPPC)

More information

The Copyright and Innovation Consultation in Adobe Systems Inc.

The Copyright and Innovation Consultation in Adobe Systems Inc. Adobe Systems Incorporated Response to the Copyright and Innovation Consultation paper for the Department of Jobs, Enterprise and Innovation About Adobe Systems Incorporated Adobe is the global leader

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

RESTREINT UE/EU RESTRICTED

RESTREINT UE/EU RESTRICTED COUNCIL OF THE EUROPEAN UNION Brussels, 9 April 2014 8761/14 RESTREINT UE/EU RESTRICTED JAI 220 USA 9 DATAPROTECT 56 RELEX 319 NOTE from : Commission Services to : JHA Counsellors No. prev. doc. : 5999/12

More information