The prospects for data breach laws in 22 European countries
Stewart Dresner, Chief Executive, Privacy Laws & Business
Wednesday, 4 November 2009, 16.30-17.45, Parallel Session A: Ooopsss!!!!! Where did I leave my computer? Prevention and reaction in light of security breaches
31st International Conference of Data Protection and Privacy Commissioners, Madrid
The prospects for data breach laws in 22 European countries: Contents
1. Privacy Laws & Business's knowledge base and contacts
2. Rationale and scope for data breach research
3. The research method
4. Common themes
5. Current data breach laws and demand for new laws
6. Results: DPAs' views and preferred policies
7. Advantages and disadvantages of a data breach law for DPAs, companies and individuals*
8. Recommendations by DPAs and companies*
9. Privacy Laws & Business's conclusions
10. What next?
* Slides available on request
Privacy Laws & Business 23rd Annual International Conference, July 5th-7th 2010, St John's College, Cambridge, United Kingdom
EPON Data Protection Commissioner Roundtables
Madrid, Spain (2003)
Rome, Italy (2003)
Czech Republic, Hungary and Poland in Prague (2004)
Paris, France (2005)
Berlin, Germany (2005)
Dublin, Ireland (2006)
Russia, Greece, Portugal in London (2006)
Stockholm, Sweden (2007)
Helsinki, Finland (2007)
Brussels, Belgium (2007)
Hague, Netherlands (2007)
Madrid, Spain (2008)
Luxembourg (2008)
Warsaw, Poland (2008)
Zurich, Switzerland (2009)
Rome, Italy (2009)

IPON Roundtables
Argentina's DP Commissioner / Australia's DP Commissioner in Montreux, Switzerland - 2005
Binding Corporate Rules, Washington DC - 2006
European HR issues in Washington DC - 2006
Canadian HR issues in Toronto - 2007
Asia-Pacific Briefing, London - 2007
Asia-Pacific Conference, Strasbourg - 2008
Madrid, November 3rd 2009: Employee surveillance in Europe: Balancing privacy rights and management control
EPON/IPON Participants include: Accenture, Arnold & Porter, Barclays Bank, Boeing, BP, BT, Citigroup, CSC, Deutsche Bank, ebay, Eli Lilly, ExxonMobil, FIFA, Fujitsu, General Electric, General Motors, Google, Halliburton, HBOS, IBM, IMS Health, Intel, Johnson & Johnson, Kodak, Lloyds Register, Manpower, Nestle, Novartis, Oracle, Pfizer, PwC, Procter & Gamble, Schering-Plough, Sony, Total, Walt Disney, Western Union, Wyeth
EPON/IPON Meeting Hosts
Other PL&B Services
Consulting
Data Protection Audits
Recruitment: advice on job descriptions, interim managers
Training
Rationale for data breach research
USA: data breach laws in most states. Have these US laws set a trend for Europe, or are current data protection laws enough?
US laws' role in helping raise awareness
Lack of research linking data breaches to ID theft, credit card fraud etc., but a consensus that increased data losses should be tackled
DP and privacy laws in the EU and US cover data security. Is there a need for specific provisions on action to be taken when data is lost or stolen?
Scope & Geographical Context
27 EU member states
All other countries within the European Economic Area: Norway, Iceland, Liechtenstein
Switzerland
Jersey, Guernsey, Isle of Man
Research Timeline 1 (2008)
January: Questionnaire by email to DPAs, with follow-up telephone calls and emails. Responses from: Czech Republic, Denmark, Finland, Guernsey, Hungary, Iceland, Ireland, Jersey, Slovak Republic, Sweden & United Kingdom. European Privacy Officers Network members survey and results
February: Report in PL&B's International newsletter (available on request)
March: Detailed report for DPAs and feedback
Research Timeline 2
April: Target larger/more experienced countries' DPAs
May-June: Responses from Italy, Spain, Portugal, Poland, Luxembourg, France and Belgium
July: Presentation of results at PL&B's Annual Conference, Cambridge
Aug-Nov: Drafting report
Jan-Mar 2009: Responses from Austria, Germany, Netherlands
Feb-April 2009: DPAs check reports; updates
April/May 2009: Conference and Report published
Research Methods
Email responses from most countries
Face-to-face interviews (Italy, Portugal, Luxembourg)
Telephone interviews (Jersey, Guernsey, Germany)
Other methods: national expert's comments in Switzerland (David Rosenthal, Special Counsel, IT & Telecommunications, Homburger, Zurich)
Questions to DPAs
16 questions covering the following areas:
1. Current laws
2. Demand for data breach laws
3. Purpose and scope of legislation
4. Regulatory options and preferred policies
Common themes
1. Definitions: what is a data breach?
2. Breach notification: how, when and whom should companies notify?
3. Lack of research, particularly on the impact of data breaches on individuals
4. Always a risk attached to the processing of personal data
5. Criminal liability for organisations?
Current data breach laws
Data protection legislation in all European countries, but only general application of this legislation to the unauthorised access, loss or theft of personal data
Data breaches covered by DP laws, criminal & civil codes and additional e-communication legislation
Some reporting requirements and guidance, but no specific mention in law of action to be taken, except:
Specific data breach law in Germany (2009) where individuals suffer considerable damage and for specific data: professional secrecy, criminal or administrative offences, and bank or credit card data
Demand for data breach laws
Increase in reported data breach incidents
Hot topic for the media and growing political interest
Differing pressures in different countries - more in the Netherlands, less in Portugal
Trend for data controllers to contact the authorities where data has been inappropriately released
No Europe-wide demand for a specific data breach law, as current legislation is sometimes enough
DPAs' views on purpose and scope of specific data breach rules
1. Harmonisation within the EU, but national implementation to reflect national needs
2. Any new data breach provisions to include: data controllers and data processors; the public and private sectors
3. Problems with breach notification in the US discourage Europe, e.g. over-notification and inconsistency of reporting rules
4. Responsibilities and tasks must be stated clearly
Regulatory Options
Agreement that some form of data breach regulation would be a good idea. Four options, or a combination:
1. Insert data breach provisions into existing related legislation
2. EU Member States insert a mandatory breach notification requirement as a specific national law
3. Amend the EU e-comms or general DP Directive
4. Practical guidelines by the EU Art. 29 Data Protection Working Party
Driving factors behind a separate data breach law
1. Increase the protection of personal data
2. Make organisations more accountable for data security
3. Force organisations to improve security standards
4. Restore individuals' confidence in data controllers
DPAs' views on possible data breach laws
Some consistency is needed across Europe in this area
EU should regulate first
DPAs favouring amending their current data protection or other law to cover data breaches: UK, Jersey, Finland, Poland, Portugal, Luxembourg, Italy, Netherlands and Germany
DPAs' Preferred Policies 1
1. More human and financial resources
2. Notification of data breaches
3. Orders from DPAs to data controllers and processors to act in a specific way in response to a data breach
4. Discretion to impose sanctions and appropriate fines
5. Compensation to individuals (in conjunction with civil law provisions)
6. Power to conduct audits when necessary
7. Power to publicly name and shame organisations
DPAs' Preferred Policies 2
8. Support new provisions covering both the public and private sectors (all)
9. Favouring new provisions to cover both data processors and controllers (all DPAs apart from UK, Ireland, Guernsey, Germany and the Netherlands)
10. Want companies to notify them of data breaches (UK, Jersey, Czech Republic, Guernsey, Ireland, Finland, France, Portugal, Luxembourg, Italy and Germany)
11. Favouring companies paying compensation to individuals where appropriate (Poland, UK, Finland, France, Italy and Austria)
12. Offering data breach guidance (UK and Ireland)
13. Some form of redress for data subjects
PL&B's Conclusions
The ideal is a synthesis of DPAs' and companies' views which is also practical for data subjects. A data breach plan should:
1. be proportionate
2. alert a DPA when there is a substantive rather than a procedural problem
3. put more emphasis on a remedy to a problem, and
4. less emphasis on sanctions
What next?
EU Level
1. Extension of the EU e-communications directive to include data breach legislation for ISPs; other sectors?
2. Amend the general EU Data Protection Directive?
3. Practical guidelines by the EU Art. 29 Working Party?
National Level
1. Modest amendments to national laws, e.g. Luxembourg amending its DP code to include responsibilities of processors as well as controllers
Company Level
1. Broader breach management programmes
2. Continuing improvement of internal systems, e.g. reporting mechanisms
Report from Privacy Laws & Business: Data Breach Dossier, on request
Questions?
Research Director and Editor: Stewart Dresner
Researcher: Amy Norcup

Contact details
Stewart Dresner, Chief Executive
Adèle Kendler, Project Manager
Privacy Laws & Business, 2nd floor, Monument House, 215 Marsh Road, Pinner, Middlesex, HA5 5NE, United Kingdom
Tel: +44 208 868 9200
Fax: +44 208 868 5215
www.privacylaws.com