You Are Viewing International

Review of the Safe Harbor soon?

Posted by fgilbert on March 27th, 2014

In a short statement following the EU-US summit held in Brussels earlier this week, Herman Van Rompuy, President of the European Council, announced on March 27, 2014, that the United States and the European Union have agreed to take steps to address concerns caused by last year’s revelations on the USA NSA surveillance programs, and restore trust.

He indicated that, with respect to commercial use of personal data, the United States “have agreed to a review of the so-called Safe Harbour framework” to ensure transparency and legal certainty. In addition, with respect to government access to personal data, the parties will “negotiate an umbrella agreement on data protection by this summer, based on equal treatment of EU and US citizens.”

The full text of Mr. Van Rampuy’s statement is available at


Draft EU Privacy Regulation Amendments Approved

Posted by fgilbert on October 22nd, 2013


The European Union Committee on Civil Liberties, Justice, and Home Affairs, also known as the “LIBE Committee” approved amendments to the draft of the EU Data Protection Regulation on October 21, 2013.

The good news is that the “right to be forgotten” has been replaced with a “right of erasure” which is more narrowly phrased.

The bad news is … most of the other amendments. The revised draft would define a stronger and more stringent data protection regime, which is likely to create additional hurdles for US companies doing business in the European Union, or in need of transferring data out of the EU/EEA to the United States or to subsidiaries worldwide.

In particular, the revised draft increases significantly the maximum fine that might result from violation of the new law. The 2012 draft regulation set a maximum fine of 1,000,000 Euros or 2% of a company’s worldwide income and adopted a tiered approach. With the revised draft, fines could reach up to 100,000,000 Euros or up to 5% of a company’s annual worldwide income, whichever is greater.  This is a significant jump.

The next step is the review and approval of the amended text by the European Union Council and the European Commission. After that, the final text of the proposed Regulation would be submitted to the European Parliament for a final discussion and vote. This vote is not likely to take place before May 2014. If an agreement is not reached before the Parliament closes down for the election of new MPs, the negotiation over the Regulation could continue in the next session of the EU Parliament. In this case, more delay might be likely if there were a change in the composition of the Parliament.

The text of the approved amendment is available here.

Global Privacy and Security Law treatise, Supplement #12

Posted by fgilbert on October 4th, 2013

Supplement #12 to our two-volume treatise Global Privacy and Security Law has been shipped to our subscribers!!

29 chapters have been updated. The most significant changes are described below.


  • Chapter 17 – Canada: The Federal Privacy Commissioner of Canada has issued several reports, including reports requesting amendments to PIPEDAs. The update also provides information regarding several court cases and decisions that affect data privacy and security.
  • Chapter 24 – Dominican Republic: In the Dominican Republic, the Constitutional Court has issued a decision on the publication of criminal records in public access registers.
  • Chapter 65 – United States of America: The United States chapter has been significantly reorganized and supplemented to take into account the evolution of the American legal and regulatory landscape since the first publication of the Global Privacy and Security Law treatise in 2009, the driving role played by the Federal Trade Commission, and the recent interest in the laws that regulate US government access to data. In addition, the chapter includes an analysis of the new Health Information Rules (developed under HIPAA and the HITECH Act), which came into force at the end of September 2013, and the new Children’s Online Information Protection Rule (developed under COPPA), which came into effect on July 1, 2013.


  • Chapter 19 – China: In March 2012, China’s Ministry of Industry and Information Technology issued “Several Provisions” that regulate the telecommunications market, these provisions supersede the Administrative Provisions on Internet Information Services for soliciting public opinions (issued on July 2011). The chapter has been updated with information regarding definitions, rules, and regulations for ISP’s under “Several Provisions.”
  • Chapter 38 – Japan: The update provides a status of the enforcement of the Data Protection Law.
  • Chapter 10 – APEC: Asia continues its progress in the development of a privacy framework that is less stringent than the one currently in effect in the European Union. In the recent months, the Crossborder Privacy Rules, an initiative intended to reduce barriers to information flows, has made progress. The United States has already been approved to participate in the CBPR System, and the Federal Trade Commission as its first enforcement authority. Mexico recently obtained its approval and in June 2013, Japan applied to participate.


  • Chapter 26 – Estonia: In Estonia, the Employee Information section has been updated to include information on recording telephone calls. Clarification has also been provided regarding the rules for employee consent.
  • Chapter 28 – France: This update provides a brief summary of the CNIL 33rd activity report for 2012. The section on video surveillance is supplemented with information about a recent case in Paris. A new section has also been added regarding Illegal Downloading, which describes the requirements for employers to monitor Internet usage of their employees.
  • Chapter 32 – Hungary: The update describes the recent recommendation by the Hungarian Data Protection and Freedom of Information Agency on video surveillance in the workplace and other developments regarding data processors ability to subcontract work to other processors.  The Agency has also been vested with a new function, that of auditor for data controllers.
  • Chapter 33 – Iceland: Two new sections have been added regarding International Treaties and Agreements to which Iceland is party and about data protection guaranties found in the Constitution of the Republic of Iceland. The chapter has also been supplemented with information regarding the status of implementation of Article 5(3) of the 2009 Directive regarding the use of cookies.
  • Chapter 40 – Liechtenstein: The update includes information regarding International Treaties and Agreements to which Liechtenstein is party and information regarding data protection in the country’s Constitution. The update also provides information regarding the status of implementation of Article 5(3) of the 2009 Directive.
  • Chapter 41 – Lithuania: Two new subsections on the exchange of personal data for evaluation of solvency and debt management and on video surveillance have been added to the Data Protection Law section.
  • Chapter 46 – Netherlands: The update to the Netherlands chapter provides an overview of the Article 29 opinion on the definition of “personal information,” “purpose limitation” and “use limitation.” The chapter also describes the status of the 2009 cookie directive implementation. Netherlands appears to be leaning towards a less strict interpretation of the 2009 provisions. The Netherlands Data Protection Commissioner has published guidelines for the security of personal data, which provides a checklist of appropriate measures. Finally, the chapter provides an in depth analysis of the whistle blowing provisions that apply to civil servants.
  • Chapter 47 – Norway: The 2009 Directive has not yet been implemented but the Norwegian Parliament has submitted a plan on its implementation. A new section on health information has been added, and the section on electronic communications has been supplemented with information regarding traffic data. Also described in this updated is the Supreme Court’s ruling on a case involving the collection of employee GPS location data by a waste company.
  • Chapter 50 – Portugal: An update on the implementation of the 2009 Directive with respect to cookies and security breach disclosure requirements is included in this supplement.
  • Chapter 51 – Romania: The update to the Romania chapter focuses on the implementation of the 2009 amendment to the 2002 e-Privacy Directive into the Data Protection Law regarding the use of cookies.
  • Chapter 54 – Slovakia: The chapter describes recent reports of the Office for Personal Data Protection regarding the processing of biometric data, its investigation of e-shops, and the requirements to notify data subjects when performing video surveillance.
  • Chapter 55 – Slovenia: The Electronic Communications Act came into force, implementing Article 5(3) of the 2009 amendment to the 2002 ePrivacy Directive.
  • Chapter 59 – Sweden: The update to the Sweden chapter describes a 2012 case involving surveillance cameras in a high school. An update on the ePhone case is also included.
  • Croatia: In addition to the above, to take into account the arrival of Croatia in the European Union as its 28th member state, several chapters have been slightly modified.  Supplement # 13 to the Global Privacy and Security Law treatise will contain a new chapter, which will analyze Croatia’s data protection laws in the same way as the other laws of other countries have been described and analyzed.

Middle East – Africa

If you are a subscriber, and you have not yet received your copy please let me know.

Foreign Laws on Government Access to Data

Posted by fgilbert on April 11th, 2013

Companies and individuals who upload their files in the cloud often ask (or should ask) the question: “Where are my files and who can have access to them?”

In a prior article, we analyzed the laws that regulate US government access to data. In this article we will review their equivalent in three countries on three continents. What may be surprising to some is that most countries grant their law enforcement or intelligence services extensive powers that are similar to, and at times more substantial than, those of their U.S. counterparts.


In Canada, Part II of the Security Intelligence Service Act allows designated judges from the Federal Court to issue warrants authorizing the interception of communications and obtainment ofany information, record, document or thing. The judge may issue a warrant authorizing the persons to whom it is directed to intercept any communication or obtain any information, record, document or thing and, for that purpose:

To enter any place or open or obtain access to any thing;

  • To search for, remove or return; or examine, take extracts from or make copies of; or record in any other manner the information, record, document or thing; or
  • To install, maintain or remove any thing.

The National Defense Act gives the Minister of National Defense powers that are similar to those granted by the U.S. Foreign Intelligence Surveillance Act,such as the power to authorize the Communications Security Establishment to intercept communications for the purpose of obtaining foreign intelligence. The Minister may only issue an authorization if satisfied of the following:

  1. The interception will be directed at foreign entities located outside Canada;
  2. The information to be obtained could not reasonably be obtained by other means;
  3. The expected foreign intelligence value of the information that would be derived from the interception justifies it; and
  4. Satisfactory measures are in place to protect the privacy of Canadians and to ensure that private communications will only be used or retained if they are essential to international affairs, defense or security.

Further, several provisions of PIPEDA, the Canadian federal law that governs the protection of personal data, allow national security policies to take precedence over privacy rights. For example, PIPEDA allows an organization to collect, use or disclose an individuals’ personal data without the knowledge or consent of the individualin connection with an investigation, or if the information relates to national security, the defense of Canada, international affairs or an investigation, orto comply with a warrant or subpoena.

PIPEDA also contains an exception regarding individuals’ right of access to information about them held by organizations,when the organization has disclosed personal information to governmental agencies as described above. If an individual requests that the organizationinform him or her about a disclosure of information made to the intelligence services, the organization must notify the government agency (in writing andwithout delay) to which the disclosure was initially made and cannot respond to the individual until it has received the government agency’s response.


In India, the 2008 amendments to the Information Technology Act of 2000 gives extensive powers of investigation to the Indian government for combatting terrorism. For example, the Information Technology Act allows any agency of the Central or State Government to intercept, monitor or decrypt any information transmitted, received or storedthrough any computer resource, when it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign states or public order.

In addition, it gives the police the power to enter any public place and search and arrest, without a warrant, any person suspectedof having committed, or of committing or about to commit, any act prohibited by the Information Technology Act.

United Kingdom

The United Kingdom’s Regulation of Investigatory Powers Act 2000 (RIPA) defines the powers of public agencies to carry out surveillance and investigations, intercept and use communications, conduct other related investigations, and follow people and use human intelligence sources.

The law allows public agencies to take part in such activities for national security and for detecting crime, preventing disorder, public safety and public health. RIPA allows the interception of communications, use of communications data, following people and the use of covert human intelligence sources. It may require individuals or companies to supply decrypted information that has been previously encrypted. Failure to disclose this information may be subject to up to two years in jail.

The broad powers of intelligence services

All countries have the same general needs for information and concerns over secrecy. In the global fight against terrorism, espionage and money laundering, among others, intelligence services have been granted significant powers in most countries. They frequently cooperate with each other across borders as a result.

If a cloud service provider (CSP) receives a request from an intelligence service or other law enforcement authority of the country in which it is located, in the manner prescribed by applicable law, it does not have many choices beyond providing access to the company’s data, unless the CSP opts to fight the request and argue that the request is illegal, does not conform to the legal requirements or is too broad.

The problem of the prerogatives and powers granted to United States intelligence services may  be less serious than in other countries, because U.S. laws generally contain strict and detailed rules, provide transparency and require law enforcement agencies to make numerous disclosures of their activities. U.S. laws also include many control measures (e.g., annual reports), detailed procedures (e.g., warrant or a court order)and procedural rules. In countries such as India, access to servers by judicial police or intelligence services is less regulated. This lack of transparency may cause the public to be unaware of the extent of the government’s surveillance capabilities.


Wherever their data are stored or hosted by a third party, cloud service users should remain aware of the possibility that a government can obtain access to the data, especially when there are overarching reasons, such as national security or the prosecution or prevention of serious crimes. This has always been the case, even when data were stored on server farms in the same city. The cloud changes the dynamic, because the data may beheld in a server located anywhere in the world, which makes them accessible by more governments under many more laws.

When CSPs operate within the jurisdiction of a country, they must understand and abide by the rules in effect in that country. Concurrently, they have an obligation to their customers to respond to government and other requests for access to data in their custody in a responsible manner. They must evaluate the request for access to determine whether it conforms to the requirements of the applicable law and, when possible and permitted, inform the customer that their data was accessed.

To be able to address such requests in an appropriate manner, they should implement processes and procedures to analyze government and third-party requests for access and to respond to these requests in accordance with the applicable laws. Before engaging a CSP, customers should perform due diligence and inquire about the existence of these processes and procedures, as a way to evaluate the CSP’s level of awareness of these laws and complex issues.

Originally published in on 27 Feb 2013



Proposed EU Data Protection Regulation – January 25, 2012 Draft: What US Companies Need to Know

Posted by fgilbert on January 27th, 2012

If the vision of Ms. Reding, Vice-President of the European Commission, as expressed in the January 25, 2012 data protection package is implemented in a form substantially similar to that which was presented in the package, by 2015, the European Union will be operating under a single data protection law that applies directly to all entities and individuals in the Member States and will have removed much of the administrative burden that are currently costing billions of Euros to companies. The saving would allow companies to reinvest in more meaningful, efficient, data protection practices that are better adapted to the uses of personal data, the new technologies and the 21st century way of life.

The series of legislative texts and documents that were published on January 25, 2012 by the European Commission are intended to redefine the legal framework for the protection of personal data throughout the European Economic Area. Ms. Reding’s vision is to have a Regulation address the general privacy issues, and a Directive address the special issues associated with criminal investigations.

The publication of these drafts signal a very important shift in the way data protection will be handled in the future throughout the European Union. The proposed rules would create more obligations for companies and more rights for individuals, while some of the current administrative burdens and complexities would be removed. This is consistent with the plan of action that was presented in late 2010 in Communication 609. What is new, and a paradigm shift, is that there will be one single data protection law throughout the European Union, and companies will not longer have to suffer from the fragmentationresulting from the fact that the 27 Member States interpreted and implemented differently the principles set forth in Directive 95/46/EC.

A single set of rules on data protection, valid across the EU would make it easier for companies to know the rules. Unnecessary administrative burdens, such as notification requirements for companies, would be removed. Instead, the proposed Regulation provides for increased responsibility and accountability for those processing personal data. In the new regime, organizations would only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people would be able to refer to thedata protection authority in their country, even when their data are processed by a company based outside the EU.

US companies that do business in or with the European Economic Area must start preparing for this dramatic change in the data protection landscape. Some of the provisions will require the development of written policies and procedures, documentation, and applications as necessary to comply with the new rules. Security breaches will have to be disclosed, and incident response plans will have be created accordingly. The development of these new structures will require significant investment and resources. IT and IS departments in companies will need to obtain greater, more significant budgets in order to finance the staff, training, policies, procedures and technologies that will be needed to implement the new provisions.

The Foundation Documents

The proposed data protection package contains two important legislative texts:

The draft Regulation and draft Directive will now be discussed by the European Parliament and EU Member States meeting in the Council of Ministers. Thus, there will be more opportunities for discussion, changes, and modifications of the current provisions, and there is currently no certainty that the provisions as stated in the January 25, 2012 draft will remain.

However, given the energy, speed, and determination with which the reform of the EU data protection regime has been handled, it is likely that a final vote will take place sooner than later. Once in their final form and formally adopted by the European Parliament, the rules are expected to take effect two years later. Thus, it is likely that, by the end of 2014, or early 2015, the European Economic Area will be subject to a new, improved, but stricter data protection regime.

This article discusses only the Proposed Regulation.

A Regulation, Not a Directive

The European Union is over 50 years old. For a long time, the Union has functioned as a group of countries operating under a set of rules that attempted to be consistent with each other, in order to ease the flow of people and goods among the Member States. This was achieved by implementing on a piecemeal basis the principles of numerous directives, with each Member State, in fact, retaining a lot of independence and autonomy. While this strategy allowed to slowly create a sense of unity among countries that had different cultures, history and personalities, it ended up creating a patchwork of national laws that had some resemblance but also their own personality. A difficult setting for companies operating in several Member States.

The ratification of the Treaty of Lisbon in late 2009 was a very important milestone in the morphing of the European Union as a united power.  It marked a very important step in the evolution of the Union, creating deep changes in its rules of operation, removing the three-pillar system that fragmented the operations, and moving the federation into a closer, tighter structure. With the Treaty of Lisbon, the European Union moved towards more cohesion, more consistency, and more unity.

With this background in mind, it is logical that the European Commission found that a “Regulation,” as opposed to a “Directive,” was the most appropriate legal instrument to define the new framework for the protection of personal data in the European Union in connection with the processing of these data by companies and government agencies in their day-to-day operations. Due to the legal nature of a regulation under EU law, the proposed data protection Regulation will establish a single rule that applies directly and uniformly.

EU regulations are the most direct form of EU law. A regulation is directly binding upon the Member States and is directly applicable within the Member States. As soon as a regulation is passed, it automatically becomes part of the national legal system of each Member State. There is no need for the creation of a new legislative text.

EU directives, on the other end, are used to bring different national laws in-line with each other. They prescribe only an end result that must be achieved in every Member State. The form and methods of implementing the principles set forth in a directive are a matter for each Member State to decide for itself. Once a directive is passed at the European Union level, each Member State must implement or “transpose” the directive into its legal system, but can do so in its own words. A directive only takes effect through national legislation that implements the measures.

The current data protection regime, which is based on a series of directives – Directive 96/45/EC, Directive 2002/558/EC (as amended) and Directive 2006/2006/24/EC – has proved to be very cumbersome due to the significant discrepancies between the interpretations or implementations of the directive that were made in the various Member State data protection laws. There is currently a patchwork of 27 rules in 27 countries. This fragmentation creates a significant burden on businesses which are forced to act as chameleon, and adapt to the different privacy rules of the countries in which they operate.

Conversely, a regulation is directly applicable, as is, in the Member States. By adopting a Regulation for data protection matters, the EU will equip each of its Member States with the same legal instrument that applies uniformly to all companies, all organizations, and all individuals. The choice of a regulation for the new general regime for personal data protection should provide greater legal certainty by introducing a harmonized set of core rules that will be exactly the same in each Member State. Of course, each country’s government agencies and judicial system are still likely to have their own interpretation of the same text, but the discrepancies between these interpretations should be less significant than those that are currently found among the Member State data protection laws.

Overview of the Draft Regulation

The 119-page draft Regulation lays out the proposed new rules. Among the most significant changes, the Proposed Regulation would shift the consent requirement to that of an “explicit” consent. It would introduce some new concepts that were not in Directive 95/46/EC, such as the concept of breach of security, the protection of the information of children, the use of binding corporate rules, the special status of data regarding health, and the requirement for a data protection officer. It would require companies to conduct privacy impact assessments, to implement “Privacy by Design” rules, and to ensure “Privacy by Default” in their application. Individuals would have greater rights, such as the “Right to be Forgotten” and the “Right to Data Portability.” Some of the key components of the Proposed Regulation are discussed below.

–  New, Expanded Data Protection Principles

Articles 5 through 10 would incorporate the general principles governing personal data processing that were laid out in Article 6 of Directive 95/46/EC and add new elements such as: transparency principle, comprehensive responsibility and liability of the controller, and clarification of the data minimization principle.

One of the significant differences with Directive 95/46/EC is that the notion of consent is strengthened. Currently, in most EU Member States, consent is implied in many circumstances. An individual who uses a website is assumed to have agreed to the privacy policy of that website. Under the new regime, when consent is the basis for the legitimacy of the processing, it will have to be “specific, informed, and explicit.” The controller would have to bear the burden of proving that the data subjects have given their consent to the processing of their personal data for specified purposes. For companies, this means that they may have to find ways to keep track of the consent received from their customers, users, visitors and other data subjects, or will be forced to ask again for this consent.

–  Special Categories of Processing

The rules that apply to special categories of processing would be found in Articles 80 through 85. The special categories would include processing of personal data for:

  • Journalistic purposes;
  • Health purposes;
  • Use in the employment context;
  • Historical, statistical or scientific purposes;
  • Use by individuals bound by a duty of professional secrecy;
  • Public interest.

There are also provisions to protect the rights of a child. A “child” is currently defined as an individual under 13 (Article 8). In addition, the definition of “sensitive data” would be expanded to include genetic data and criminal convictions or related security measures. (Article 9).

–  Transparency and Better Communications

Article 11 of the proposed Regulation would introduce the obligation for transparent and easily accessible and understandable information, while Article 12 would require the controller to provide procedures and a mechanism for exercising the data subject’s rights, including means for electronic requests, requiring that response to the data subject’s request be made within a defined deadline, and the motivation of refusals. Companies will welcome the fact that the rule for handling requests for access or deletion will be the same in all Member States. In the current regime, the time frames for responding to such requests are different, with some Member States requiring action within very short periods of time, and others allowing two months to respond.

–  Rights of the Data Subjects

Articles 14 through 20 would define the rights of the data subjects. In addition to the right of information, right of access, and right of rectification, which exist in the current regime, the Proposed Regulation introduces the “right to be forgotten” as part of the right to erasure. The right to be forgotten includes the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases.

Article 18 would introduce the data subject’s right to data portability, that is, to transfer data from one automated processing system to, and into, another, without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format. The right to object to the processing of personal data would be supplemented by a right not to be subject to measures based on profiling.

The “right to be forgotten” and the “right to portability” reflect the pressure of the current times, and respond to the needs of customers of social networks who have found, to their detriment, that the ease of use of a social network and the access to the service for no fee was tied to a price:  that their personal data could be used in forms or formats that they had not expected, and that the service provider would resist a user’s attempt to move to another service.

–  Obligations of Controllers and Processors

Articles 22 through 29 would define the obligations of the controllers and processors, as well as those of the joint controllers and the representatives of controllers that are established outside of the European Union. Article 22 addresses the accountability of the controllers. These would include for example, the obligation to keep documents, to implement data security measures, and to designate a data protection officer. Article 23 would set out the obligations of the controller to ensure data protection by design and by default.

Articles 24 and 25 address some of the issues raised by outsourcing, offshoring and cloud computing. While these provisions do not indicate whether outsourcers are joint data controllers, they acknowledge the fact that there may be more than one data controller. Under Article 24, joint data controllers would be required to determine their own responsibility for compliance with the Proposed Regulation. If they fail to do so, they would be held jointly responsible. Article 25 would require data controllers that are not established in the European Union and that direct data processing activities at EU residents, or monitor their behavior, to appoint a designated representative in the European Union.

–  Supervision of Data Controllers or Processors by Data Protection Authority

Article 28 would introduce the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the data protection supervisory authority, as is currently the case under Articles 18 and 19 of Directive 95/46/EC. This provision reflects one of the new guiding principles in the EU Data Protection reform:  that of accountability. In exchange for removing the cumbersome requirement for notification of the data controllers’ personal data handling practices, the new framework require that data controllers be “accountable.” They must create their own structures, and document them thoroughly, must be prepared to respond to any inquiry from the Data Protection Authority and to promptly produce the set of rules with which they have committed to comply.

Article 28 identifies a long list of documents that would have to be created and maintained by data controllers and data processors. This information is somewhat similar to the information that is currently provided in notifications to the data protection authorities―for example, the categories of data and data subjects affected, or the categories of recipients. There are also new requirements such as the obligation to keep track of the transfers to third countries, or to keep track of the time limits for the erasure of the different categories of data.

In the case of data controllers or data processors with operations in multiple countries, Article 51 would create the concept of the “main establishment.” The data protection supervisory authority of the country where the data processor or data controller has its “main establishment” would be competent for the supervision of the processing activities of that processor or controller in all Member States under the mutual assistance and cooperation provisions that are set forth in the Proposed Regulation.

–  Data Security

Articles 30 through 32 focus on the security of the personal data. In addition to the security requirements already found in Article 17 of Directive 95/46/EC and extending these obligations to the data processors, the Proposed Regulation introduces an obligation to provide notification of personal data breaches. In case of a breach of security, a data controller would be required to inform the supervisory authority within 24 hours, if feasible. In addition, if the breach is “likely to adversely affect the protection of the personal data or the privacy of the data subject,” the data controller will be required to notify the data subjects, without undue delay, after it has notified the supervisory authority of the breach.

–  Data Protection Impact Assessment

Article 33 would require controllers and processors to carry out a data protection impact assessment if the proposed processing is likely to present specific risks to the rights and freedoms of the data subjects by virtue of its nature, scope, or purposes. Examples of these activities include: monitoring publicly accessible areas, use of the personal data of children, use of genetic data or biometric data, processing information on an individual’s sex life, the use of information regarding health or race, or an evaluation having the effect of profiling or predicting behaviors.

–  Data Protection Officer

Articles 35 through 37 would require the appointment of a data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring. Under the current data protection regime, several EU Member States, such as Germany, require organizations to hire a Data Protection Officer, who is responsible for the company’s compliance with the national data protection. Article 36 identifies the roles and responsibilities of the data protection officer and Article 37 defines the core tasks of the data protection officer.

–  Crossborder Data Transfers

Articles 40 through 45 would define the conditions of, and restrictions to, data transfers to third countries or international organizations, including onward transfers. For transfers to third countries that have not been deemed to provide “adequate protection,” Article 42 would require that the data controller or data processor adduce appropriate safeguards, such as through standard data protection clauses, binding corporate rules, or contractual clauses. It should be noted, in particular, that:

  • Standard data protection clauses may also be adopted by a supervisory authority and be declared generally valid by the Commission;
  • Binding corporate rules are specifically introduced (currently they are only accepted in about 17 Member States);
  • The use of contractual clauses is subject to prior authorization by supervisory authorities.

Binding corporate rules would take a prominent place in the Proposed Regulation. Their required content is outlined in Article 43. Article 44 spells out and clarifies the derogations for a data transfer, based on the existing provisions of Article 26 of Directive 95/46/EC. In addition, a data transfer may, under limited circumstances, be justified on a legitimate interest of the controller or processor, but only after having assessed and documented the circumstances of the proposed transfer.

–  European Data Protection Board

The “European Data Protection Board” would be the new name for the “Article 29 Working Party.” Like its predecessor, the new Board will consist of the European Data Protection Supervisor and the heads of the supervisory authority of each Member State. Articles 65 and 66 clarify the independence of the European Data Protection Board and describe its role and responsibilities.

–  Remedies and Sanctions

Articles 73 through 79 would address remedies, liability, and sanctions. Article 73 would grant data subjects the right to lodge a complaint with a supervisory authority (which is similar to the right under Article 28 of Directive 95/46/EC). It also would allow consumer organizations and similar associations to file complaints on behalf of a data subject or, in case of a personal data breach, on their own behalf.

Article 75 would grant individuals a private right of action. It would grant individuals the right to seek a judicial remedy against a controller or processor in a court of the Member State where the defendant is established or where the data subject is residing. Articles 78 and 79 would require Member States to lay down rules on penalties, to sanction infringements of the Proposed Regulation, and to ensure their implementation. In addition, each supervisory authority must sanction administrative offenses and impose fines.

The Proposed Regulation introduces significant sanctions for violation of the law. Organizations would be exposed to penalties of up to 1 million Euros or up to 2% of the global annual turnover of an enterprise. This is much more than the penalties currently in place throughout the European Union. Apart from a few cases, the level of fines that have been assessed against companies that violated a country’s data protection laws has been low. The Proposed Regulation signals an intent to pursue more aggressively the infringers and to equip the enforcement agencies with substantial tools to ensure compliance with the law.


The terms of the Proposed Regulation are not really a surprise. For several months, Viviane Reding, Vice-President of the European Commission, and other representatives of the European Union have provided numerous descriptions of their vision for the new regime, including through a draft of the documents published in December 2011, which differs slightly from the January 25, 2012 version. It is nevertheless exciting to see, at long last, the materialization of these descriptions, outlines, and wish lists.

Altogether, if the current provisions subsist in the final draft, the new Regulation will increase the rights of the individuals and the powers of the supervisory authorities. While the Regulation would create additional obligations and accountability requirements for organizations, the adoption of a single rule throughout the European Union would help simplify the information governance, procedures, record keeping, and other requirements for companies.

Finally, it should also be remembered that Directive 95/46/EC has been a significant driving force in the adoption of data protection laws throughout the world. In addition to the 30 members of the European Economic Area, numerous other countries, such as Switzerland, Peru, Uruguay, Morocco, Tunisia, or the Dubai Emirate (in the Dubai International Financial District) have adopted data protection laws that follow closely the terms of Directive 95/46/EC. It remains to be seen what effect the adoption of the Regulation will have on the data protection laws of these other countries.

Peru Adopts New Data Protection Law

Posted by fgilbert on July 6th, 2011

On July 2, 2011, Peru adopted its first “Law on the Protection of Personal Data.” The law was published in the country’s official gazette of July 3, 2011 as Law No. 29733. Inspired from the Spanish data protection law and the APEC Privacy Framework, this new law is intended to bring Peru to a level of data protection that would be satisfactory to the European Union member states and other countries that have adopted similar data protection regimes.

Scope of the Law

The law applies to personal data that are held or intended to be held in personal data banks for processing within the country. The important criterion for determining whether the law applies is:  where the processing occurs.

The law regulates personal data held in electronic or other form. “Personal Data” is defined as any information about a natural person that identifies, or allows identifying, the person through reasonable means. The law distinguishes “personal data” and “sensitive data.” The definition of “sensitive data” covers traditional items such as data relating to race or ethnicity, health and sexual life, political opinion, religious or philosophical beliefs, and union membership as well as items less frequently found in similar laws:  biometric data and income.

Like many other countries, Peru excludes from the scope of the data protection law data that are held for personal purposes, or in connection with family life, as well as data that are held by public administrations but only to the extent that the data are used for criminal investigation or enforcement, public safety or national defense.

Data Protection Authority

The law establishes a national data protection authority, the Autoridad Nacional de Protección de Datos Personales, which is overseen by the Ministry of Justice. Among other things, the Autoridad manages the country’s national register of personal data protection. It has extensive powers, which are generally similar to those of the other data protection supervisory authorities in other countries.

Eight Principles

Title I of the law identifies eight “guiding principles”:

  • Legality – The processing of personal data must be conducted in accordance with the law. The use of fraudulent, unfair, or illegal means for collecting personal data is prohibited.
  • Consent – The processing of personal data requires the prior informed, explicit consent of the individual (with exceptions).
  • Finality – Personal data may be collected only for a specified, explicit, and lawful purpose.
  • Proportionality – The data collected must be adequate, relevant, and not excessive in view of the purpose for which they are collected.
  • Quality – The data must be accurate, current, and appropriate for the purpose for which they are collected. They must be retained only as long as necessary to fulfill the purpose of the processing.
  • Security – Appropriate technical, organizational, and contractual measures must be taken to ensure the security of the personal data.
  • Enforcement – There must be appropriate administrative and judicial measures to allow individuals to claim and enforce their rights.
  • Restriction to Crossborder Transfers – The transfer of personal data across borders requires that the recipient ensure an adequate level of protection for personal data, or at least a level of protection comparable to those that are set forth in the relevant international standards.

Rights of Individuals

Like many other laws, the Peruvian Data Protection Law grants to individuals numerous rights, including the right to information, right of access, right of correction, right of opposition, right not to be subject to a decision based solely on automated processing of personal data.

In addition, the law grants data subjects the “right to protection,” which allows data subject to appeal to the Autoridad Nacional de Protección de Datos Personales, the country’s data protection authority in case of a violation of their rights, or to the judiciary, in the case of an action in Habeas Data. The law also provides for a “right to compensation”, which provides for the compensation of individuals by the entity that is responsible for the data, in the event of a violation of the law. The amount of the compensation is not specified in the law.

Registration Requirement

The law establishes a registration requirement, which is similar to that which is in force in the European Union. The National Authority for Data Protection will be responsible for managing and keeping the National Register of Data Protection.

Enforcement and Sanctions

The Autoridad Nacional de Protección de Datos Personales, is the primary organ vested with the power to enforce the law. The law distinguishes three categories of violations:  minor, serious, and very serious.

Acting in contravention to the guiding principles, breaching confidentiality obligations, preventing individuals from exercising their rights constitute serious offenses. Creating databases without complying with the required formalities, providing false or incomplete documents, failure to comply with the registration requirements constitute very serious offenses.

The penalties are set in “tax units” or unidad impositiva tributaria. (UIT) The fines range from .5 tax units for minor offenses to 100 UIT for the most serious offenses. The UIT is a standard measure used in Peru for calculating tax payments and fines. One UIT is PEN3,600, i.e., approximately US$ 1,300. There is annual cap; it is equal to 10% of the gross annual income received by the organization.

Next Steps

It will take time before the law is fully implemented. First, the national data protection supervisory authority must be established. Then regulations must be drafted to fully explain the processes and procedures that are expected from the covered entities.

Text of the Law

The full text of the law (in Spanish) can be found at:

New UK Cookie Rule Tough to Swallow

Posted by fgilbert on May 10th, 2011

The United Kingdom’s Information Commissioner’s Office (ICO) has published an “advice” that explains the new rule for the use of cookie technologies for websites and mobile applications that are subject to the UK laws. As of May 26, 2011, companies will no longer be permitted to rely on consent implied from browser settings. They must obtain the user’s prior affirmative consent to the use of most cookies.

The ICO’s Advice invites companies to promptly conduct an audit of their practices, assess the different types of cookies to determine how intrusive they may be, and identify workable solutions to obtain users’ consent. The ICO makes it clear that it expects companies to come up with a plan of action that shows that they have considered their obligations and that they have a realistic plan to respond to the new requirements and achieve compliance.

According to the ICO’s press release, this Advice was published in order to prompt organizations to start thinking about the practical steps that they need to take to respond to this new requirement. The ICO intends to provide additional guidance as innovative ways to acquire users’ consent are developed.

The New Rule, in Brief

The new Cookie Rule requires that UK website and mobile applications obtain their visitors’ affirmative consent to the use of cookies. This rule results from the implementation of the 2009 Amendment to the 2002 EU’s Privacy and Electronic Communications Directive into the UK laws. It will amend Regulation 6 of the Privacy and Electronic Communication Regulations 2003 (PECR).

Businesses and other entities will be permitted to use cookie technologies only if the user of the site or application (a) has received clear and comprehensive information about the purpose for the cookie in question; and (b) has given his or her consent to the use of the cookie. Once a user has consented to the use of a particular cookie, there is no need to ask permission each time the website needs to access that cookie. Cookies that are “strictly necessary” for the service requested by the user are not subject to the prior consent requirement.

The new rule requires that website obtain informed, affirmative consent to the use of almost any cookies that it would wish to install on a user’s machine or mobile device. The restriction applies both to the installation of the cookie and the subsequent access to the information stored on the cookie. Except for a small category of cookies that are “strictly necessary” for the proper operation of a site, or for providing a service requested by the user, such as shopping-cart type feature, all other cookies, including those that are used for analytics purposes require prior specific consent. Of course, flash cookies are also subject to the notice and consent requirement.

Until browser technology has made progress, it will not longer be possible to rely on browser setting as a method to show user’s consent. Even though the rule allows consent to be signified by the users amending or setting controls on their browsers, the ICO’s Advice clearly states that given the current state of technology, using browser settings is NOT a satisfactory method for expressing consent. The ICO’s Advice discusses several methods that might be used to implement the notice and consent requirement.

The ICO envisions a sliding-scale approach, where the cookies that have the potential to be the most intrusive require the most specific and detailed notice. The ICO also suggests a tailored approach as opposed to the “one-size-fits-all” approach, commonly used currently in website privacy policies. The different models for expressing consent proposed by the ICO tend to be specific to a particular type of cookies, and the particular circumstances of its use.

The Basic Requirement

The previous rule on using cookies by UK entities – which was set out in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) – required that users be informed about the existence of cookies, and be given the opportunity to refuse the storage of, or access to, the cookie information stored on their computers. Most companies provided the relevant information in their website privacy statement, and informed their users that, by changing their browser settings, they could arrange to block cookies.

Under the new rule, companies must still provide clear and comprehensive information about the use of cookies. However, the cookies may only be placed on a machine or device after the user has given his affirmative consent.

The Exceptions

  • Repeated uses: The consent need not be given each time. Under the new rule, if the same information is stored or accessed by the same entity, regarding the same user, on more than one occasion, the consent need to be obtained only once.
  • Transmission of communications: Notice and consent are not required for a limited number of cookie categories. Cookies that are required for the sole purpose of carrying out the transmission of communications over an electronic networks are exempt from the notice and consent requirement.
  • Cookies that are “strictly necessary” : Cookies that are “strictly necessary” for the provision of a service requested by the user are also exempt from the notice and consent requirement. According to the ICO’s Advice, “strictly necessary” means that the use of the cookie must relate to the service explicitly requested by the user. The exception is narrow. It would apply, for example, to a cookie that is used in ecommerce applications when a user has selected goods to purchase and clicks the ‘add to basket’ or ‘proceed to checkout’ button, to ensure that the site remembers what was chosen, and post the information on the check-out page. On the other hand, as explained by the ICO, the exception would not apply, for example, to cookies used to track users to make the website more attractive because it remembers the users’ preferences, or cookies are used to collect statistical information about the use of the website.

Browser Settings Not An Approved Method

The rule allows consent to be signified by the user amending or setting controls on his or her browser, or by using another application or program to signify consent. However, the ICO does not agree that using browser settings is currently a satisfactory method to express consent.

The ICO recommends that organizations refrain from using browsers as a means for obtained consent because currently most browser settings are not sophisticated enough to allow a website to assume that the user has consented to the use of cookies. In addition, mobile application and other technologies do not rely on browsers.

How to Implement the New Rule

The ICO anticipates a phased approach to the implementation of these changes, and recommends that companies use the following steps:

  • Identify what types of cookies are used and why: Companies should conduct an audit of their website to determine what cookies or data files are used and for which purposes. This would allow identifying which cookies are strictly necessary and might not need consent.
  • Assess how intrusive these cookies are: The most intrusive cookies should be addressed first. For example, cookies that involve creating detailed profiles of an individual’s browsing activity are intrusive – the more privacy intrusive an activity, the more priority should be given to getting meaningful consent.
  • Identify the best solution for obtaining consent: For each category of cookies or uses, the best method for gaining consent should be identified. The most privacy intrusive activities will require that the most information be provided to the user.

Suggested Methods for Obtaining Consent

The ICO’s Advice provides a detailed analysis of the different methods available to obtain the user’s consent. It recommends more specific, targeted approach. Cookies used for analytics purposes and cookies shared with third parties are likely to cause the most significant problems.

1 – Pop ups and similar techniques

Pop-ups may be used to ask for consent. However, this practice may be annoying if numerous cookies are used. Thus, the ICO cautions that the use pop ups or ‘splash pages’ may become frustrating if too frequent.

2 – Terms and conditions

Consent could be obtained when a user first registers or signs up. In this case, the ICO recommends to make users aware of the changes and specifically that the changes refer to the use of cookies, then asking them to tick a box to indicate that they consent to the new terms. Specific information should be provided.

3 – Settings-led consent

Some cookies are deployed when a user chooses how the site works for them each time they visit the site; for example, a particular language, the size of the text displayed on the screen, the color scheme, or a “personalized greeting”.

In these cases, consent could be gained as part of the process by which the user confirms what she wants to do or how she wants the site to work. At that time, the user should be told that by allowing the website to remember her choice, she is also consenting to set the cookie.

4 – Feature-led consent

In the same manner as above where the user conducts a specific activity, there are circumstances were tracking technologies are stored when a user chooses to use a particular feature of the site such as watching a video clip, or when the site remembers what the user did on previous visits, in order to personalize the content that the user is served.

In these cases, the user is often invited to open a link, click a button or agree to the functionality being ‘switched on’. The ICO suggests to ask for the user’s consent to set a cookie at this point.

As for prior example, it should be made clear to the user that by choosing to take a particular action, certain things will happen that will be interpreted as the user’s consent. If the anticipated use of tracking technology is complex or intrusive, it will be important to provide more specific information. In particular, as discussed below, users should be told whether some features are provided by a third party.

5 – Analytics and other functional uses

Many websites collect information about access to, and use of the site, and time spent on a page. While the ICO acknowledges that cookies used for analytics purposes might not appear to be as intrusive as others that might track a user across multiple sites, it nevertheless requires consent.

In this case, the ICO’s Advice suggests that companies should make information about the use of analytics cookies more prominent, particularly in the period immediately following implementation of the new Regulations. In addition, the ICO also suggests that website should give more details about the use of these cookies, such as a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.

If the information collected about website use is passed to a third party this information sharing must be made absolutely clear to the user. Any options available should be prominently displayed and not hidden away.

6 – Third party cookies

Finally, the ICO’s Advice addresses the use of third party cookies. When a website displays content from a third party from an advertising network or a streaming video service, this third party may send its own cookies to the user. While the process of obtaining consent for these cookies may be more complex, the ICO opines that nevertheless the user must be made aware of what is being collected and by whom. This is a challenging area for which the ICO expects that more research will be needed to find workable solutions.

How about the Remainder of the European Union?

The remainder of the European Union is also required to implement the new rules on the use of cookies that were outlined in the 2009 Amendment to the 2002 ePrivacy Directive.There is currently a lot of confusion throughout the European Union on how to interpret and implement this 2009 Amendment. The Advice published by the United Kingdom’s Information Commissioner’s Office clarifies the very confusing and controversial amendment.

It is highly likely that the ICO’s Advice will serve as guidance or a model to other data protection authorities who have been facing the same issues and need to implement the 2009 Amendment into their national laws. Thus companies that may not be subject to the UK laws, but otherwise do business in the European Union should read and understand the ICO’s Advice, as a way to prepare for their obligations to comply with the national laws of the countries where they operate.


The amendment to the UK rules comes into force on 26 May 2011. As a result of the implementation of this amendment into the UK laws, companies that operate websites in the UK must obtain informed consent from visitors to their websites and mobile applications in order to store and retrieve information on users’ computers through cookies or similar tracking technologies. Companies must provide clear and comprehensive information about the purpose for each cookie; and obtain the prior explicit consent to the use of the cookie. Until browser technology has made progress, browser settings can no longer be used as a method for expressing consent. While the ICO envisions a “sliding scale” approach, where the cookies that have the potential to be the most intrusive require the most specific and detailed notice, it also expects companies to delve promptly into implementation of the rule.

At a minimum, companies should promptly update their website privacy statements to clearly and conspicuously explain how cookies are used. In a second phase, companies should conduct an audit of their practices, assess the different types of cookies to determine how intrusive they may be, and identify workable solutions to obtain the requested consent.

The ICO has indicated clearly that it intends to enforce the new rule. While it concedes that full implementation will take time, the ICO wants companies to make every effort to start working on their use of cookie, and be prepared to provide tangible proof of their efforts to comply with the new rules.

Mexico’s New Federal Law on the Protection of Personal Data

Posted by fgilbert on August 17th, 2010


Mexico’s New Federal Law on the Protection of Personal Data

Mexico’s new Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Federal Law on the Protection of Personal Data Possessed by Private Persons) became effective on July 6, 2010. The Law is “of public order,” which means that contract provisions that conflict with it are unenforceable.

The Federal Institute for Access to Information and Data Protection (IFAI) is charged with issuing regulations and enforcing the Law. The regulations are expected to be issued within one year, and the Law will not be enforced until January 2012.

While the Law incorporates many principles found in the major privacy drivers such as the OECD Privacy Guidelines and the 1995 EU Data Protection Directive, it clearly opts to follow the guidance in the APEC Privacy Framework. This choice is especially evident with the provisions that address “accountability,” and the departure from the prohibition from data transfers to countries that do not offer an adequate level of privacy protection, which has been the hallmark of 1995 EU Data Protection Directive. Instead, for crossborder data transfers, the Mexican Law requires notice and consent of the data subjects, and makes the data controller responsible for ensuring that the recipient of the data abide by the same principles as those that are set forth in the sender’s privacy policy.

Scope of the Data Protection Law

The entities that are subject to the Law are individuals or legal persons that process personal data, other than credit information companies. In addition, like most other countries’ data protection laws, Mexico’s Law excludes from its scope individuals who collect, store, and use personal data for personal purposes.

The Law regulates the processing of personal data. The definition of the term “processing” encompasses a broad range of activities that include collection, use, disclosure, storage, access, management, transfer and disposal of personal data.

Protected Information

The Law applies to personal data that are processed, transferred, or disposed by private persons or entities. “Personal data” includes any information pertaining to an identified or identifiable natural person.

More stringent provisions apply to the handling of sensitive data, that is, those data that pertain to the race or ethnicity, health, genetic information, religion, philosophical and moral beliefs, union membership, political opinions and sexual preference of an individual. Further, even though financial and economic data are not included in the definition of “sensitive data,” their processing requires the express consent of the data subject.

Obligations of the Data Controller

The Law identifies restrictions to the collection and use of personal data. Most provisions apply to “data controllers,” the individuals or private corporations that determine how and by whom, personal data are processed.

Data controllers must collect and process personal data in a lawful manner. The data must be relevant, necessary, accurate, and updated for the purposes for which they were collected.

Data controllers may process personal data only for the purposes stated in their privacy notice unless the data subject consents to a new use of the data for a purpose that is not compatible with or analogous to the purpose that is set out in the privacy notice. Data controllers may keep the data only as long as necessary in order to fulfill the purposes for which the data were collected, and must delete any data that are no longer necessary for these purposes.

Conditions to the Collection and Processing

The general rule is that data controllers must obtain the consent of the data subjects in order to process their personal data. The consent may be expressed or implied. In the case of sensitive data, or financial and economic data, the expressed and written consent of the data subject is required.

There are several cases where the data subject’s consent is not required for the processing of personal data to be lawful. For example, consent is not required when the collection and processing of the data is provided by law or is necessary to comply with obligations derived from a legal relationship between the data subject and the data controller. There are other exceptions for data that have been anonymized, are included in publicly available sources, or are needed for medical care, prevention, diagnosis, or medical treatment while the data subject is unable to provide his consent.

Security and Breach of Security

Data controllers must have in place appropriate administrative, technical, and physical safeguards in order to ensure that personal data are protected from loss, damage, alteration, destruction, and unauthorized access or use. The safeguards must be at least as secure as those that the data controller uses to manage its own data. Further, data controllers must keep data in a manner that allows the prompt exercise of the data subjects’ rights.

In the case of a breach of security, the Data Protection Law requires that the data subjects be notified of the breach if the breach significantly affects the concerned data subjects’ economic or moral rights. The Law does not require that other entities or government agencies be notified as well.

Obligation to Inform the Data Subjects

Data controllers are required to give data subjects a privacy notice that identifies among other things, the entity that collects the data, what personal data are collected from them, the purposes of the collection and processing of their personal data and the proposed transfers of personal data. In addition, the notice must indicate the options and means that data subjects may use in order to control the use and disclosure of their personal data and the means by which they can exercise their rights of access, rectification, cancellation, or opposition.

The notice must be provided to the data subject when the data are collected, unless the data were not collected directly from the data subject. The notice can be in printed form, electronic form, or other format. Special provisions apply when personal data are collected through mobile phones or text messages.


In keeping with the APEC Privacy Framework, the Mexican Data Protection Law stresses accountability. Data controllers are held accountable for the personal that data they hold, even if a third party processes the data. They must ensure that the third party complies with all data protection provisions stated in the Law.

Data controllers, subcontractors, and any other parties that have access to personal data must ensure the protection of the confidentiality and security of the personal data, even after their relationship with the data subject is terminated, or in the case of subcontractors and third parties, after the relationship with the data controller is terminated.

Crossborder Transfer of Personal Data

On the issue of crossborder transfers of personal data, the Mexican Law significantly diverges from the principles set forth in the 1995 EU Data Protection Directive. Instead of requiring data controllers to ensure that, when data are transferred to a third country, the receiving country provide an adequate level of protection, the Mexican Law makes the data exporter responsible for ensuring the protection of the data.

Specifically, the transfer of personal data to a third country requires several components:

  • The data controller must inform the data subjects of the proposed transfer, and the data subject must consent to the transfer;
  • A data controller that intends to transfer personal data to a third country, other than to a subcontractor, must identify the purposes for which the data are transferred to the third party, and must inform the third party of the restrictions that are set forth in the data controller’s privacy notice; and
  • The third party that receives the data must assume the same obligations as those that apply to the data controller.

There are several exceptions were consent is not required. These exceptions include where the transfer is made to a subsidiary or affiliate, or to a parent company or an associated company that operates under the same processes and internal policies; and where the transfer is in the interest of the data subject in connection with a contract that has been, or is to be concluded between the data controller and a third party. Another exception allows for the crossborder transfer of personal data when necessary for the maintenance or fulfillment of a legal relationship between the data subject and data controller.

Rights of the Data Subjects

Data subjects have the right to consent to the processing of their personal data (unless an exception applies), and to be informed of how and by whom their personal data will be processed.

In addition, data subjects have the rights of “access, rectification, cancellation, and opposition” or ARCO rights. The right of access and rectification grants them the ability to access their personal data in the hands of data controllers, and have inaccurate or incomplete data pertaining to them rectified.

The right of cancellation allows individuals to require that their data be blocked in the database, which has the same effect as if the data were erased from the data controller’s database. If the data have been transmitted to a third party, the data controller must bring the correction or cancellation request to the third party’s attention.

The right of opposition entitles individuals to object to the processing of their personal data, with a valid reason.

Data Protection Official Required

The Law requires data controllers to designate a data protection official within their organization. The data protection official will be responsible for processing data subject requests for access, and for promoting the personal data protection within the organization.

Self-Regulation Schemes

Organizations are allowed to use binding self-regulation schemes or codes of conduct. These schemes need to measure the effectiveness of the protection that the organization provides to personal data and address the consequences and remedies for violations of the rules. The self-regulation schemes should also contain rules and standards that harmonize the data processing performed by the parties and facilitate the exercise of data subjects’ rights.


If a data controller does not solve a matter after receiving a complaint from an individual, the individual can submit his complaint to the IFAI for the dispute to be resolved. If the IFAI identifies a violation of the Data Protection Law, it will notify the data controller of its findings. The data controller has 15 days to respond and provide evidence proving that it has not breached the Law. The IFAI will make a decision within 50 days after the date on which the process began.

The Law provides for significant fines (up to $1.2 million) for violations such as collecting or transferring personal data without the consent of the data subject where such consent is required, or collecting data in a misleading or fraudulent manner. If sensitive data are involved, the penalties will be doubled. In the case of continued violations, an additional fine will be imposed.

In addition, the Law provides for imprisonment from three months to three years for data controllers who, for profit, cause a security breach of the database in their custody. The processing of personal data by deception or by taking advantage of a data subject’s mistake or the mistake of an authorized person may be sanctioned by six months to five year prison terms if done for profit.

Violators may also be liable for the payment of damages to the affected individual to compensate for harms or damages to the individual’s property or rights that result from the lack of compliance with the obligations of the data controller or its subcontractors.

Action Items

The new Data Protection Law of Mexico finds its roots and inspiration in many of the seminal documents that are the foundation of the global privacy and data protection framework. Thus, companies that have global operations and a global privacy program in place should be able to find numerous common elements with their existing structures. However, idiosyncrasies in the Law will also need to be addressed.

While the Law will not be enforced until January 2012, it is time for companies doing business in Mexico or with Mexico-based entities to begin evaluating their new obligations and start planning accordingly. The first step should be to conduct a survey of the personal data that the company collects or processes in Mexico, and of the purposes for which these data are collected. In addition, companies should start evaluating whether the collection or processing of these data meet the adequacy and relevancy requirements of the new Law, so that unneeded data can be weeded out from existing database. Companies should also start planning how they will respond to their obligation to provide individuals with access to their personal data, and the ability to have their data corrected or blocked.

Further, caution will be needed when trying to make the Mexican Law requirements fit within a global privacy program where they have to coexist with other laws that might be more restrictive. This is in particular the case for cross-border data transfers, where the Mexican law does not clearly and fully meet the restrictions and requirement for “adequate protection” that are set forth in the national laws that follow the principles of the 1995 EU Data Protection Directive. Thus, the processing of personal data that originate from EU and other countries that follow the Directive will continue to meet the hurdles of establishing the existence of the adequate protection.

Remaining in Safe Waters

Posted by fgilbert on June 7th, 2010

How to Ensure Continued Compliance with The Safe Harbor Requirements

The Safe Harbor created by the US Department of Commerce and the European Commission provides a convenient way for US companies with limited global transactions to address the “adequacy” requirement under the national laws of the European Union Member States. Being self-certified under the US Department of Commerce Safe Harbor allows them to reduce the amount of red tape that usually accompanies the transfer of personal data to the United States and from a European Union Member State, and EEA Member State or Switzerland.

However, the initial self-certification filing is only one of many obligations. In order for the self-certification to remain valid, the company must re-certify each year of its compliance with the Safe Harbor Principles and pay the related fee to the Department of Commerce. When a company wishes to renew its self-certification, it must go through the same due diligence as for the initial filing, and… much more.

Initial Self-Certification

Self-certification of a company’s compliance with the Safe Harbor Principles is a multiple step process. In order to prepare for the filing of the required documents with the US Department of Commerce, the company must go through a comprehensive analysis and evaluation that is necessary and appropriate to self-certify that its privacy policies and procedure comply with the Safe Harbor Principles

In its self-certification papers, the company represents that it does have the policies and procedures described in these documents. An “omission” or a misrepresentation exposes the entity to severe penalties for breach of Section 5 of the FTC Act, which prohibits unfair or deceptive practices.

Re-certification Process

Many companies are unaware of the extensive requirements and commitments that attach to the filing of the re-certification documents. These documents must be signed and approved by a corporate officer of the company (typically the CEO or the General Counsel), and must attest and verify that the company is complying with specific requirements. Thus, it is very important to pay attention to the many legal requirements that are associated with the recertification process.

Like for the initial filing, an error in the re-certification documents exposes the entity to enforcement action and severe penalties. The “error” could be found a “misrepresentation” and the company might be sued under Section 5 of the FTC Act for unfair or deceptive practices.

Annual Verification

The documents that are to be filed with the US Department of Commerce as part of the renewal of the certification must verify the following:

  • The published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented, and accessible;
  • The privacy policy conforms to the Safe Harbor Principles;
  • Individuals are informed of how complaints are handled, and the independent mechanisms through which they may pursue complaints;
  • The organization has in place procedures for training employees in its implementation, and disciplining them for failure to follow it;
  • The organization has in place internal procedures for periodically conducting objective reviews of compliance with the above.

Audit or Assessment

In order to be comfortable signing this statement, it is prudent that an “audit” or “privacy assessment” or “compliance review” be conducted. This audit should allow to verify and be satisfied that the statements and commitments made in the privacy policy are accurate, that appropriate training is conducted, and that a dispute resolution procedure in place.

Companies may elect to conduct this audit internally. Law firms and consulting firms that focus on information privacy and security matters also conduct these audits.

Companies should not wait until the last minute to conduct or have conducted this audit. They must plan sufficient time to address any of the deficiencies that the audit might have identified. Otherwise, the representations made in their self-certification renewal papers would be inaccurate, misleading, or fraudulent.

Record Keeping

In addition, to the representations listed above, the Department of Commerce requires companies to retain appropriate records on the implementation of their safe harbor privacy practices. In other words, not only must a company represent that it has in place the required processes, procedures and policy, but it must also have a written record that documents the investigation conducted, the deficiencies identified, and the actions taken.

These records are to be made available upon request in case of an investigation or a complaint about non-compliance, or investigation about unfair and deceptive practices by a law enforcement agency – most likely the Federal Trade Commission.

FTC Enforcement – Twenty-Year Injunction

The FTC has already conducted enforcement actions and has prosecuted businesses for their misrepresentations in connection with Safe Harbor self-certification. These companies were charged for falsely claiming that they held current certification under the Safe Harbor program. See, for example, this consent agreement (pdf):

The consent decrees with each of these businesses include reporting requirements, whereby marketing and advertizing documents claiming compliance with the Safe Harbor principles must be filed with the Commission. In addition, each company is enjoined for 20 years from misrepresenting in any manner that it complies with or adheres to any privacy, security, or other compliance program sponsored by the US government or any other entity.

For more information

For additional information on the Safe Harbor, see Chapter 9 of Francoise Gilbert’s two-volume treatise Global Privacy and Security Law

Coming Soon to the European Union: Security Breach Disclosure Requirements

Posted by fgilbert on May 30th, 2010
Directive 2002/58/EC (or “e-Privacy Directive”), which defines the restrictions that apply to the protection of personal data in the context of wire or Internet communications, was amended in late 2009. This amendment establishes the first mandatory security breach disclosure regime for the European Union and will soon be reflected in the national laws of the EU and EEA Member States.
While this new security breach disclosure regime affects only providers of a publicly available electronic communication services, it is likely that it will be the foundation for defining a security breach disclosure framework that applies to other personal data holders.
For example, when amending their national laws, some of the EU Member States may opt to apply this security breach disclosure regime to the entire spectrum of data controllers and data processors, rather than limiting it to the smaller subset of electronic communication service providers that are subject to the ePrivacy Directive. Further, when the 1995 EU Data Protection Directive is revised, it should be expected, as well, that the security breach provisions of the ePrivacy Directive (as amended), at a minimum, will serve as a starting point.
The amendments must be implemented in each of the national laws of the Member States of the European Union and the European Economic Area by June 2011.

1. 2009/136/EC Directive

Directive 2009/136/EC entered into force on December 19, 2009. This directive amends and supplements the ePrivacy Directive, i.e., Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.

The ePrivacy Directive provides a framework for responding to unsolicited commercial messages, the use of fax and similar technologies for telemarketing purposes, and defines the rules for the use of cookies, traffic data, location data, and public directories. With the 2009 Directive, existing provisions are amended to provide more protection for personal data. In addition, a new framework for the disclosure of a breach of security of data held by electronic communications networks and services is defined. While these provisions resemble those of the state security breach disclosure laws that have been adopted in the United States since 2003, there are significant nuances and discrepancies with the American model.

2. Security Measures

a.  2002 Draft

The 2002 version of the ePrivacy Directive requires covered entities to ensure adequate security. These provisions have been enhanced by the 2009 Amendment.
Under Article 4(1) of the e-Privacy Directive, Member States’ national laws must require publicly available electronic communications service providers to take appropriate technical and organizational measures to safeguard the security of their services. If necessary, these security measures must be taken in conjunction with the providers of the public communications network with respect to network security.
These security measures must take into account the developments in technologies, the new risks created by new types of attacks, and the cost of implementing the measures in relation to the risks. Security is appraised in light of Article 17 of 1995 Data Protection Directive.
Article 17 of the 1995 Data Protection Directive requires the implementation of “appropriate technical and organizational measures” to protect personal data against accidental or unlawful destruction, accidental loss, alteration, or unauthorized disclosure of, or access to personal data. In addition, when the processing is carried out by a subcontractor, the data controller must:
  • Conduct due diligence before entering into a contract with this third party;
  • Require in a written agreement that the third party act only on instructions from the data controller and use security measures to protect personal data; and
  • Verify compliance with adequate and relevant security measures for so long as the data processor holds personal data on behalf of the data controller.

b. 2009 Additional Requirement

The 2009 Directive supplements Article 4(1) of the ePrivacy Directive with specific and precise instructions. The new Article 4(1a) directs that the security measures must:
  • Ensure that personal data can be accessed only by authorized personnel for legally authorized purposes;
  • Protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure, and;
  • Ensure the implementation of a security policy with respect to the processing of personal data.
In addition, the 2009 Amendment grants the relevant national authorities the ability to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security that these measures should achieve.

3. Notice of Risk of Breach of Security

The concept of disclosure of a breach of security already existed in the 2002 version of the e-Privacy Directive. Covered entities, however, only had to notify their customers of a “risk of breach of security.” This requirement was usually fulfilled by adding a provision in the entities’ terms of service, which stated that wire or electronic communications are not secure or confidential and instructed the customers to use other communications means when transferring sensitive or valuable data. The 2009 Amendment preserves the original version of Article 4(2) of the ePrivacy Directive, but it supplements it with a more specific requirement for the disclosure of the breach of security.
Under Article 4(2) of the ePrivacy Directive, Member States’ national laws must require providers of publicly available electronic communications services to inform subscribers of any special risks of a breach of the security of the network. Such risks may especially occur for electronic communications services over an open network such as the Internet or analog mobile telephony. If the risk lies outside the scope of the measures to be taken by the service provider, the provider must also inform subscribers of any possible remedies, and of the likely costs involved.
The preamble of the 2002 version of the e-Privacy Directive notes that providers of publicly available electronic communications services over the Internet should inform users and subscribers of the measures that they can take to protect the security of their communications, such as by using specific types of software or encryption technologies. This requirement to inform the subscriber, however, does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service.

4. Breach of Security

The 2009 Amendment goes beyond the mere notion of warning of a “risk of breach of security.” It defines the framework for a breach disclosure requirement that is similar to – but different from – the provisions that are in effect in the United States.

 a. Personal Data Breach

  The 2009 Amendment introduces the notion of “personal data breach.” The term is defined in the new Article 2(h) of the amended ePrivacy Directive as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available communications service.”

b. Notice Requirements

Article 4(3), which is introduced by the 2009 Amendment, requires providers of publicly available electronic communications services to give “without undue delay” a notice of the breach to the competent national authority. In addition, if the breach is “likely to adversely affect” the personal data or the privacy of a subscriber or individual, the service provider must also notify the subscriber or individual of the breach of security “without undue delay.”
Thus, in most instances, two categories of notices must be given:
* One to the competent national authority, and
* The other to the subscriber or individual whose personal data or privacy is likely to be adversely affected.
It is not clear whether the subscriber, once informed, has to provide notice to all individuals affected, and who would bear the cost of making this notification.
There must be a “likely adverse effect.” According to the preamble, a breach should be considered as adversely affecting the data or privacy of a subscriber or an individual if it could result, for example, in identity theft or fraud, physical harm, significant humiliation or damage to reputation.
Thus, service providers would have to conduct a risk assessment, and presumably, would have to keep track of the assessment made and the grounds for their determination that a notice to subscribers or individuals was not warranted.
This assessment must be conducted in an expedited manner. The Preamble of the 2009 Directive stresses that the provider should notify the breach to the competent national authority as soon as it becomes aware that the breach has occurred.
The competent national authority is given an important role. It may force a disclosure. If the service provider has not already notified the subscriber or individual of the breach, the competent national authority may require the service provider to do so, after the competent national authority has evaluated the likely adverse effects of the breach.

c. Exemption

There is an exemption to the obligation to notify subscribers or individuals of a breach. This happens if the provider of publicly available electronic communications services has demonstrated to the satisfaction of the competent national authority that it has implemented appropriate technological protection measures, and that these measures were applied to the data concerned by the security breach.
However, the service provider nevertheless would have to notify the competent national authority. An important aspect of this safe harbor is that the exemption applies only if the service provider has demonstrated to the competent authority that there was no adverse effect.
It should be noted, in addition, that the 2009 Directive grants the national authority the ability to require the service provider to make the notification, even if the service provider determined that it was not necessary, if the national authority has determined that the incident is likely to have an adverse effect.
In order to be able to take advantage of the exemption, the technological protection measures must be such that they render the data unintelligible to any person who is not authorized to access these data. There is no suggestion for the measures to be taken, and no specific requirement for the use of encryption. It is sufficient if the data are “unintelligible.” It is likely that the national law implementing the Directive will interpret this term differently, which in turn might cause significant discrepancies between the applicable regimes in the Member States.

d. Content of the Notice

The Directive specifies the content of the two notices that must be given, i.e., the notice that is to be provided to the competent national authority and the notice that is to be sent to the affected subscribers or individuals. Both notices must include the following information:
  • A description of the nature of the breach;
  • The contact points where information about the breach can be obtained; and
  • Recommended measures to mitigate the possible adverse effects of the breach.
In addition, the notice to the competent national authority must describe:
  • The consequences of the breach, and
  • The measure proposed or already taken by the provider to address the breach.

e. Inventory

  Under new Article 4(4), the national laws implementing the amendment must require service providers to maintain an inventory of breaches that comprise the facts surrounding the breach, the effects of the breach, and the remedial action taken. The information must be sufficient to enable the competent national authorities to verify compliance with the notice requirements.

f. Guidelines and Implementing Measures

Given the novelty of the requirement for most European Union Member States, the 2009 amendment provides several means to facilitate the implementation of these provisions. These include, the use of guidelines and instructions concerning the circumstances in which providers are required to make the notification, the format of such notification and the manner in which the notification is to be made. The 2009 Directive also suggests that implementing measures may be drafted in the future in order to specify the circumstances, format, and procedures applicable to the information and notification requirements.

The comments in the Preamble recommend that the rules concerning the format and procedures applicable to the notification of security breaches, should take into account the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.
While the Directive itself does not provide for sanctions, it suggests that national laws may include appropriate sanctions for those who fail to make the required notification.

5. For More Information

For more information on the ePrivacy Directive and the 2009 Amendments, see Chapter 8 of Francoise Gilbert’s two-volume treatise Global Privacy & Security Law available through