Guest Post: The International Association of Privacy Professionals’ First Europe Data Protection Congress

Guest Post: The International Association of Privacy Professionals’ First Europe Data Protection Congress

Please find guest post below by Monique Altheim, Esq., CIPP, an EDiscovery and Privacy attorney. Also, be sure to check out her other writings on eDiscoveryMap.com!

The International Association of Privacy Professionals’ First Europe Data Protection Congress

By: Monique Altheim

I recently attended the International Association of Privacy Professionals’ (IAPP) very first Europe Data Protection Congress in Paris on November 29 and 30.

The attendee list was impressive:

  • Privacy professionals, employed by Fortune 500 companies from a wide variety of industries, like Hewlett-Packard, Lockheed Martin, Citigroup, Oracle, Western Union, Microsoft, IBM, Dell, Google, Yahoo, Estee Lauder, Pfizer, Johnson & Johnson, Eli Lilly, Merck, Mc Donald’s, Procter & Gamble and Disney. Even Facebook was represented.
  • Vendors, like Lexis Nexis, Nymity, Iron Mountain and ADP.
  • Partners of the international law firms Bird & Bird, Covington & Burling, Hogan Lovells, Morrisen & Foerster, Sidley Austin, Osborne Clarke, Field Fisher Waterhouse and Pearl Cohen Zedek Latzer.
  • Partners of the national law firms Cabinet Gelly (France), Van Bael & Bellis (Belgium), Bristows (UK), Panetta & Associati (Italy), Houthoff Buruma (Netherlands), Coelho Ribeiro E Associados (Portugal and Spain), Baker & Daniels (USA), and Hunton & Williams (USA).
  • Privacy Consultants like Brian Tretick of Athena (USA) and Anne Wilkes of ACW Privacy Consulting Ltd. (UK).
  • Representatives of the European Data Protection Supervisor, of the French Data Protection Authority (DPA) (the CNIL), of the Spanish DPA, of the British DPA (the ICO) and of the European Commission.
  • The IAPP staff, headed by executive director Trevor Hughes.
  • One lone privacy advocate, Tara Taubman of Open Rights Group (UK).

The timing of this conference could not have been more opportune, as it took place in the wake of a ground breaking Communication by the European Commission on November 4, announcing a global overhaul of the current EU Data Protection framework.

In this communication, the European Commission announced that fifteen years after the original 1995 Data Protection Directive was enacted, the original twofold objective of protecting the fundamental right to data protection as well as of achieving the free flow of data in the internal European market is still valid.

However, two factors have caused the 1995 Directive to have become too outdated to guarantee these two objectives : The rapid technological advances and the globalisation in the ways information is collected, stored and transferred.

These dramatic changes were reflected in some of the topics debated during the breakout sessions:

  • Cloud Computing: Peter Fleisher of Google pointed out that the current Directive is totally inadequate for cloud computing, since many of the Directive’s legal concepts rely on data being located in one particular place. However, Google has servers in the US, in Ireland, in Belgium and is building new ones in Finland and Austria. Google’s data are always duplicated in multiple locations and are constantly moving around from one location to another. Concepts for dealing with trans-border transfers of data, like Safe Harbor, BCR, and Model Contracts all rely on knowing the location of the data and were not created with the “cloud” in mind. Fleisher suggested that in the long run only the adoption of global standards would provide a solution for the “location” conondrum.
  • Cross-Border Discovery and Investigations: Seth Berman of Stroz Friedberg pointed to the same problems concerning the difficulties of dealing with a location-based concept as a basis for determing the applicability of the Directive. If the data are located in the European Union, then the Directive is applicable and cross-border discovery of these data has to conform to its legal requirements.But where are the data located when they are in the “cloud”? Is the Directive applicable for discovery of updates on Facebook posted by a Europen Citizen? But are these data “located” in the EU? The Directive was not drafted with social media in mind, and new concepts need to replace the old, pre-cloud/pre-social media notions of data location.
  • Data Breach Notification: In the context of strengthening the individual’s rights, the Commission has declared in its communication: “It is also important for individuals to be informed when their data are accidentally or unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorised persons. The recent revision of the e-Privacy Directive introduced a mandatory personal data breach notification covering, however, only the telecommunications sector. Given that risks of data breaches also exist in other sectors (e.g. the financial sector), the Commission will examine the modalities for extending the obligation to notify personal data breaches to other sectors in line with the Commission declaration on data breach notification made before the European Parliament in 2009 in the context of the reform of the Regulatory Framework for Electronic Communications. This examination will not affect the provisions of the e-Privacy Directive, which must be transposed into national laws by 25  May 2011. A consistent and coherent approach on this matter will have to be ensured. The Commission will examine the modalities for the introduction in the general legal framework of a general personal data breach notification, including the addressees of such notifications and the criteria for triggering the obligation to notify.”

This panel, presided over by Ruth Boardman, partner at Bird & Bird, stressed the fact, that for once the European Union had been inspired by the US initiatives in Breach Notification Legislation.

Again, it is the exponential growth in personal data holdings and the increased outsourcing of data to third countries and to the “cloud” that have caused increased data breach scandals and have required changes in the Directive. Some EU member states, like Germany, already have enacted a national general data breach law (Section 42 a FDPA- September 2009), but most others will have to implement their national laws once the new legal framework is in place.

Other important suggestions for consideration in reframing the Directive by the Commission are : The right to be forgotten, Privacy by Design, greater transparancy in internet related data collections, data portability rights, achieving more harmonization among the vastly different implementaions into national laws by the member states, the requirement of mandatory privacy officers in companies and organizations, the requirement of privacy impact assessments upon introducing new systems and technologies in companies and organizations, and strengthening as well as harmonizing enforcement of the Directive.

Concluding the panel on the revision of the 1995 Directive, Henriette Tielemans of Covington & Burling asked the European Commission representative Thomas Zerdeck: “Will the new baby be a directive or a regulation?” to which Thomas, in his usual style, replied: “This is way too complex. You will find out in 2011.”

The European Commission has opened a public consultation period (from November 4, 2010, to January 15,2011) to obtain views on its ideas for addressing new challenges to personal data protection in order to ensure an effective and comprehensive protection to individuals’ personal data within the EU.

They welcome contributions from citizens, organisations (i.e., Non-Governmental Organisations, businesses) and public authorities.

Thus all stake holders have a chance to be part of this sweeping overhaul of the European Union Data Protection framework.

http://ec.europa.eu/justice/news/consulting_public/news_consulting_0006_en.htm

Leave a Reply


Privacy Calendar

Oct
24
Fri
9:00 am Web Privacy & Transparency Confe... @ Princeton University
Web Privacy & Transparency Confe... @ Princeton University
Oct 24 @ 9:00 am – 4:00 pm
On Friday, October 24, 2014, the Center for Information Technology Policy (CITP) at Princeton University is hosting a public conference on Web Privacy and Transparency. It will explore the quickly emerging area of computer science research that[...]
Oct
29
Wed
4:00 pm Big Data and Privacy: Navigating... @ Schulze Hall
Big Data and Privacy: Navigating... @ Schulze Hall
Oct 29 @ 4:00 pm – 7:00 pm
The rapid emergence of “big data” has created many benefits and risks for businesses today. As data is collected, stored, analyzed, and deployed for various business purposes, it is particularly important to develop responsible data[...]
Oct
30
Thu
9:00 am The Privacy Act @40: A Celebrati... @ Georgetown Law
The Privacy Act @40: A Celebrati... @ Georgetown Law
Oct 30 @ 9:00 am – 5:30 pm
The Privacy Act @40 A Celebration and Appraisal on the 40th Anniversary of the Privacy Act and the 1974 Amendments to the Freedom of Information Act October 30, 2014 Agenda 9 – 9:15 a.m. Welcome[...]
Nov
7
Fri
all-day George Washington Law Review 201... @ George Washington University Law School
George Washington Law Review 201... @ George Washington University Law School
Nov 7 – Nov 8 all-day
Save the date for the GW Law Review‘s Annual Symposium, The FTC at 100: Centennial Commemorations and Proposals for Progress, which will be held on Saturday, November 8, 2014, in Washington, DC. This year’s symposium, hosted in[...]
Nov
11
Tue
10:15 am You Are Here: GPS Location Track... @ Mauna Lani Bay Hotel & Bungalows
You Are Here: GPS Location Track... @ Mauna Lani Bay Hotel & Bungalows
Nov 11 @ 10:15 am
EFF Staff Attorney Hanni Fakhoury will present twice at the Oregon Criminal Defense Lawyers Association’s Annual Sunny Climate Seminar. He will give a presentation on government location tracking issues and then participate in a panel[...]
Nov
12
Wed
all-day PCLOB Public Meeting on “Definin... @ Washington Marriott Hotel
PCLOB Public Meeting on “Definin... @ Washington Marriott Hotel
Nov 12 all-day
The Privacy and Civil Liberties Oversight Board will conduct a public meeting with industry representatives, academics, technologists, government personnel, and members of the advocacy community, on the topic: “Defining Privacy.”   While the Board will[...]
Nov
20
Thu
all-day W3C Workshop on Privacy and User... @ Berlin, Germany
W3C Workshop on Privacy and User... @ Berlin, Germany
Nov 20 – Nov 21 all-day
The Workshop on User Centric App Controls intents to further the discussion among stakeholders of the mobile web platform, including researchers, developers and service providers. This workshop serves to investigate strategies toward better privacy protection[...]

View Calendar