Data and Cyber Laws Update
9 July 2015
Janine Regan, Alexia Zuber, Viktoria Protokova, Simon Holdsworth
charlesrussellspeechlys.com
Topics
- Updates on the key aspects of, and commentary on, the proposed GDPR
- Potential action against Google in France regarding de-listings
- France's new controversial surveillance law
- ICO raid on company for breaching PECR
- ICO review of children's apps and websites
- Update on Russian internet privacy bill
- Update to Canada's PIPEDA
- Amendments to Dutch DPA: breach notification
- South Korean privacy commissioner requiring companies to undertake privacy assessments
1. Updates on the key aspects of, and commentary on, the proposed GDPR
The Regulation: Timeframe and Scope
Where are we?
- January 2012: European Commission (proposal published)
- October 2012: European Parliament
- June 2015: European Council
The Regulation: Timeframe and Scope
What next?
- 24 June 2015: trilogue negotiations begin
- Agreement likely (although maybe not officially signed off) by the end of 2015
- Entry into force, with application expected from early 2018 (two years after entry into force, per Article 91)

Article 91: Entry into force and application
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply from [two years from the date referred to in paragraph 1].
Proposed General Data Protection Regulation
What are the key aspects of the Council's draft?
- The Regulation applies not only to organisations located within the EU but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects
- The Regulation will make it easier for data controllers to rely on legitimate business interests as a lawful ground to process personal data where there is a relevant and appropriate connection between the data controller and the data subject
- Data processing agreements between data controllers and data processors will be required to contain extensive mandatory data protection clauses, for example the controller's right to audit its processors and obligations on processors to assist with subject access requests and personal data breaches
- Member states may provide for additional special conditions for the processing of personal data in specific sectors and for the processing of special categories of data
- Codes of Conduct and Certifications will be developed to help data controllers and processors demonstrate their compliance with the Regulation, and also as a means to legitimise international data transfers
Proposed General Data Protection Regulation
What are the key aspects of the Council's draft? (continued)
- Multinationals will benefit from a one-stop shop: the data protection authority in the member state where the controller or processor has its main establishment will be the lead authority for data processing undertaken by that controller or processor
- Organisations may appoint a Data Protection Officer, and must do so where required by applicable member state law
- Data controllers and processors will be required to maintain a record of all of their data processing activities, which must be made available for inspection
- Serious data breaches must be notified to the DPA, in most cases within 72 hours. Data breaches may also need to be notified to the affected individuals, who may have the right to claim compensation
- The application for Binding Corporate Rules as a means to transfer personal data intra-group will be simplified
- Fines of up to 2% of annual worldwide turnover of the preceding financial year or EUR 1 million may be imposed for non-compliance. DPAs will also have the power to carry out data protection audits
EU General Data Protection Regulation: Trilogue negotiations
- The European Council
- The European Commission
- The European Parliament
2. Potential action against Google in France regarding de-listings
Potential action against Google in France regarding de-listings
- French regulator puts Google on notice
- Right to be forgotten: CJEU ruling of May 2014
- Effective de-listings
- Powers of the CNIL
3. France's new controversial surveillance law
France's new controversial surveillance law
- New surveillance law adopted in France
- Context
- Main provisions of the law
- Important controversy
- Opinion of the CNIL
4. ICO raid on company for breaching PECR
ICO raid on company for breach of PECR: Nuisance calls
- 24 June 2015: ICO raid on a south Manchester call centre and a related office believed to contain an automatic dialler, following receipt of 7,000 complaints
- Suspected of making 100,000 calls a day
- Calls concerned mis-sold pensions, pension reviews, PPI, debt management and delayed flight compensation
ICO raid on company for breach of PECR: Privacy and Electronic Communications Regulations
- Privacy regulations in relation to electronic communications
- Specific rules on:
  - Marketing calls, emails, texts and faxes
  - Cookies (and similar technologies)
  - Keeping communications services secure
  - Customer privacy as regards traffic and location data, itemised billing, line identification and directory listings
ICO raid on company for breach of PECR: Electronic and telephone marketing
- Section 11(3) DPA 1998 defines direct marketing as "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals"
- PECR cover marketing by phone, fax, email or any other type of electronic mail
- Regulation 21 PECR: direct marketing calls
- Applies only to unsolicited marketing messages
- Organisations require consent to send people marketing, and the rules on calls are stricter
ICO raid on company for breach of PECR: Substantial damage or distress
- ICO's inspection powers and powers to impose fines under section 55A of the DPA
- With effect from 6 April 2015, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015 amended section 55A
- Removed the need to prove substantial damage or substantial distress to take enforcement action in relation to nuisance calls
- Potential for a fine of up to £500,000
5. ICO review of children's apps and websites
ICO review of children's apps and websites
- Review of websites and apps used by children
- Part of an international project to consider privacy concerns around the type of personal information services collect
- The same approach will be taken by 28 other privacy enforcement authorities from around the world
- The ICO will look at 50 websites and apps
- Focus on what information they collect from children, how that is explained, and what parental permission is sought
- Combined report in the autumn
- The ICO will consider action against any website or app that it finds is in breach of the DPA
6. Update on Russian internet privacy bill
Russia Data Privacy Bill: Right to be forgotten
- Right to remove links from search results
- Grounds: information that is untrustworthy, in violation of the law, or no longer relevant
- Law takes effect on 1 January 2016
- "We did not invent the bicycle here" (parliamentarian Leonid Levin)
Russia Data Privacy Bill: Right to be forgotten, EU and Russia compared

                          | EU                                        | Russia
Grounds for removal       | Outdated; irrelevant                      | Untrustworthy; in violation of the law; no longer relevant (3 years)
Public interest info      | Cannot be removed                         | Can be removed
Justification for removal | Required                                  | Not required
Link to the web page      | Exact link has to be provided             | No exact link required
Penalty                   | 2% of worldwide turnover (new Regulation) | EUR 45,000
7. Update to Canada's PIPEDA
Update to Canada's PIPEDA: Digital Privacy Act
- Key PIPEDA provisions remain unchanged
- Security breach notification where there is a "real risk of significant harm"
- Significant harm includes bodily harm, damage to reputation or relationships, loss of employment, financial loss, identity theft, etc.
- Assessed by reference to the sensitivity of the data and the likelihood of misuse
- Record keeping of all breaches
- Fines of up to CAD 100,000
8. Amendments to Dutch DPA - breach notification
Amendments to Dutch DPA: Breach notification and increased fines
- Dutch Data Protection Act (Wet bescherming persoonsgegevens)
- Changes likely to come into force in January 2016
Amendments to Dutch DPA: Breach notification
- Notification to the DPA of personal data breaches that have, or are likely to have, serious adverse consequences
- Notification to affected individuals where the breach is likely to have a negative impact on their privacy, unless the compromised personal data is encrypted or otherwise unintelligible to the unauthorised party
- Maintenance of a record of breaches notified to the DPA
- Data breach notification to be addressed in contracts with data processors
Amendments to Dutch DPA: Increased fines
- Current fining powers are limited
- New maximum fine of EUR 810,000 or 10% of annual net turnover
- EUR 20,250 for non-EU entities processing personal data in the Netherlands without having appointed a local representative
- Personal liability of up to EUR 810,000 for directors and managers
9. South Korean privacy commissioner requiring companies to undertake privacy assessments
South Korean privacy commissioner requiring companies to undertake privacy assessments
- 15 June 2015: announcement by the Korea Communications Commission
- 165 online businesses required to conduct a privacy self-assessment
- Covers data protection compliance throughout the data processing life cycle
- Checklist questions relate to data collection, data transfer to third parties, data security and destruction of data
- The businesses have from 15 June 2015 to 31 July 2015 to complete the assessment
Contacts
Janine.Regan@crsblaw.com
Alexia.Zuber@crsblaw.com
Viktoria.Protokova@crsblaw.com
Simon.Holdsworth@crsblaw.com

Notes on the PIPEDA amendments:
"... section 28 of PIPEDA to provide that every organization that knowingly contravenes the new sections of PIPEDA requiring organizations to record and report breaches of security safeguards or obstructs the Commissioner in the investigation of a complaint or in conducting an audit will now be liable for fines of up to $100,000 for indictable offences, or for fines of up to $10,000 for offences punishable on summary conviction."
"... breaches that affect them won't go into force until sometime in the future"