A tour of hot topics
It is not just personal data that crosses borders. In late June, the International Association of Privacy Professionals (IAPP) organised for its members to visit several European cities. It is the third such event in four years. This time the visit covered Berlin, Brussels and Paris. The IAPP is a ten-year-old American association of “professionals” of personal data protection. According to its website, the IAPP has more than 7,000 members in 52 countries. Its members are mainly from North America but the IAPP has just launched a European sub-group.
This “little” tour is important as it allows the representatives of large groups, especially those with a US parent, to gauge long-term regulatory trends in Europe (as well as in some of the EU Member States that have more restrictive legislation).
Data protection is certainly a hot topic in Europe and this event has come just at the right time:
• Several aspects of the German Act significantly changed recently, e.g. the rules relating to data protection officers and notably the protection against redundancy, the notices for “data breach” and the clauses in outsourcing contracts. The rules relating to employees’ data are also due to change.
• In France, the bill on better protection of privacy in the digital age adopted by the Senate on 23 March 2010 will be submitted to the National Assembly. The bill aims to amend French law significantly on many points. The bill is available on-line on www.senat.fr/dossier-legislatif/ppl09-093.html. See hereafter Bill to amend French Data Protection Law.
• At the European level, the amendments to the telecoms package have provided the opportunity to introduce in Directive 2002/58 on Privacy and Electronic Communications the obligation to notify personal data breaches as well as a requirement of consent for cookies (Directive 2009/136, available on www.euro-lex.europ.eu). Further, with the Lisbon Treaty, the protection of personal data became a fundamental right (see article 8 of the Charter of Fundamental Rights). By 2014, more global amendments of European legislation should be introduced. They should be based on the principles to be developed by the European Commission. Initially the intention was to release these principles in November 2010, but it is reported on the website of the French data protection authority that this has been delayed, at the request of several European authorities, until the latter half of 2011 to allow additional time to better address the impact of this revision. It is hoped that these amendments will provide an answer to some of the queries that arose during the public consultation launched last year by the European Commission on Directive 95/46 on Data Protection (and more specifically on “the new challenges for personal data in particular in the light of new technologies and globalizations”, on the ability of the “current legal framework” to meet these challenges and on future actions). These amendments are not expected to have an impact on the legislation as currently structured. However, it is not excluded that the wish for a deeper harmonisation with the Member States may lead, at least partially, to the adoption of directly applicable rules.
In addition to presentations on current affairs particular to each country, the IAPP members were able to listen and put questions to representatives of each of the national authorities in charge of the protection of personal data, notably Mr Peter Schaar, president of the German federal commission, Ms Kirstin Bock, from the buoyant data protection authority of the Schleswig-Holstein German State (the authority is involved with the certification entity EuroPrise), Mr Peter Hustinx, president of the European Data Protection Supervisor (EDPS), Mr Willem Debeuckelaere, president of the Belgian authority and Mr Thomas Dautieu from the control department of the French authority (CNIL). Messrs Schaar, Hustinx and Debeuckelaere are members of the “article 29” working party which gathers representatives from the national authorities of the European Union Member States.
In Berlin, attendees met the president of the German association for data protection and data security (GDD) who introduced the main lines of the legislation changes.
In Brussels, attendees joined the round-table conference on behavioural marketing organised in the European Parliament by Ms Sophia Veld from the Committee on Civil Liberties, Justice and Home Affairs. Mr Debeuckelaere, who presented the opinion of the article 29 working party dated 22 June 2010, was present together with various stakeholders. The debates were very animated on the question of a mandatory “opt in” procedure for cookies (a suggestion of the article 29 working party). The question is far from being settled. The opinion of the article 29 working party is available on http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wcpdocs/2010_en.html .
In Paris, several seminars were organised jointly with the AFCDP (Association française des correspondants à la protection des données à caractère personnel – Correspondants Informatiques et Libertés (CIL), i.e. the French association of data protection correspondents). Thus, the members of the AFCDP were able to benefit from the experience of countries having already enacted legislation on the notification of “data breach”, which allowed them to better understand what is at stake, the constraints and the unclear aspects of the French bill.
The question of the liability, notably of employees, CIL and other professionals dealing with personal data, was addressed. This question particularly stood out thanks to the presentation of Google’s global privacy officer, condemned, together with two other Google officers, by the Milan Courts in first instance in a surprising decision. […] show that personal data has become an important issue on a commercial, political and human level.