BNA International: World Data Protection Report

International Information for International Businesses. Monthly news and analysis of data protection issues from around the world.

Volume 9, Number 5, May 2009

Commentary

New EU code of conduct for computerised reservations systems
On March 29, 2009, Regulation (EC) No 80/2009 of the European Parliament and the Council (dated January 14, 2009) on a Code of Conduct for computerised reservation systems (CRS) entered into force. The Regulation, which repeals Council Regulation (EEC) No 2299/89 of July 24, 1989, aims to ensure transparent and comparable terms of competition in the market for distribution of travel services through computerised reservation systems. Page 5

Germany: Employment law consequences of violations of IT-security
Establishing and maintaining IT-security is a management obligation. Here IT-security as a management task (I), the role of IT-security within the employee relationship (II), possible general reactions to violations of IT-security (III) and particular examples of how violations of IT-security can be sanctioned (IV) are outlined. Page 6

United States: HIPAA privacy and security changes in the American Recovery and Reinvestment Act
On February 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the ''ARRA''). This memorandum outlines significant changes and additions to the landscape of federal privacy and security law set forth in Subtitle D of the ARRA. Page 11

Switzerland authorises Safe Harbor Framework for transfers to the United States
The new US–Swiss Safe Harbor Framework (''US–Swiss Safe Harbor''), effective February 16, 2009, facilitates transfer of personal data from companies in Switzerland to companies in the United States. Page 27

E-Discovery: US and EU conflicts
The Article 29 Working Party has recently considered the issue of the application of the EU data protection Directive (95/46/EC, the ''Directive'') to the transfer of data outside of the EU for the purposes of pre-trial discovery obligations abroad, in particular in the US. The conflict between a multinational's obligations to give discovery or disclosure under US civil procedure rules when litigating in the US and its obligations (through any EU presence) to comply with the requirements under the Directive has been a concern for some time. The Working Party's paper will be helpful to those seeking to comply with both sets of obligations. Page 19

News

World Anti-Doping Agency adopts revised data protection standard
At a meeting in Montreal on May 9, the Executive Committee of the World Anti-Doping Agency (WADA) adopted a revised International Standard for the Protection of Privacy to replace the Standard which entered into force on January 1, 2009. Page 15

UK: ICO review recommends an overhaul of the EU Data Protection Directive
The ICO has published its review commenting on the strengths and weaknesses of the EU Data Protection Directive. RAND Europe was commissioned to conduct the review last year. Page 16

Wikipedia becomes latest company to opt out of Phorm
Wikipedia becomes the latest company to request an opt-out from the scanning and profiling of its domains by Phorm's Webwise services. Page 38

BNA International Inc., a subsidiary of The Bureau of National Affairs, Inc., U.S.A.
World Data Protection Report

Publishing Director: Shelley Malhotra. Editors: Andrea Naylor and Nicola McKilligan. Commissioning Editor: Jacqueline Gazey. Production Manager: Nitesh Vaghadia.

Submissions by Authors: The Editors of World Data Protection Report invite readers to submit for publication articles that address issues arising out of the regulation of data protection, either on a national or transnational level. Articles with an appeal to an international audience are most welcome. Prospective authors should contact Andrea Naylor, World Data Protection Report, BNA International Inc, 29th Floor, Millbank Tower, 21-24 Millbank, SW1P 4QP, U.K. Tel. (+44) (0)20 7559 4800; fax (+44) (0)20 7559 4880; or e-mail: [email protected]. If submitting an article by mail please include an electronic copy of the article in a recognised software format.

World Data Protection Report is published monthly by BNA International Inc., a subsidiary of The Bureau of National Affairs, Inc., Washington, D.C., U.S.A. Administrative headquarters: 29th Floor, Millbank Tower, 21-24 Millbank, London SW1P 4QP, England. Tel. (+44) (0)20 7559 4801; Fax (+44) (0)20 7559 4840; e-mail [email protected]. In the U.S. call toll-free on: 1-800-727-3116. Subscription price: U.K. and rest of world £725; Eurozone €1,175; U.S. and Canada U.S. $1,245. Additional copies of this publication are available to existing subscribers at half price when they are sent in the same envelope as a standard subscription.

Welcome to May's WDPR which once again brings you all the latest European and Global data privacy news. For May's edition we also carry an overview of the European Commission guidelines for SMEs on personal data transfers to countries outside the EEA by Dominic Hodgkinson. We also have a very special report on the employment law consequences of violations of IT-security by Bernhard Trappehl and regular contributor, Michael Schmidl.

As ever, I hope you enjoy this edition.

Nicola McKilligan
Co-editor


Website: www.bnai.com ISSN 1473-3579

Please contact us with your opinions or suggestions, or if you would like to write for us, by phone on +44 (0)7720 774224 or by email at [email protected] or [email protected]

Copyright © 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579

Topical Summary

Legislation and Guidance

New EU code of conduct for computerised reservations systems ...... 5
Employment law consequences of violations of IT-security ...... 6
New data protection laws for India ...... 10
HIPAA privacy and security changes in the American Recovery and Reinvestment Act ...... 11
World Anti-Doping Agency adopts revised data protection standard; Could the controversial 'Do Not Call' register be replaced? ...... 15
Data protection commissioner issues data breach guidance; Swedish ISPs will erase users' data to protect privacy; ICO review recommends an overhaul of the EU data protection directive; FTC releases proposed breach notification rule for e-health data ...... 16
FTC delays enforcement of Red Flags Rule; Government research shows privacy notices should be in a table format ...... 17

Personal Data

EC guidelines for data transfers to countries outside EEA: use with caution ...... 18
E-Discovery: US and EU conflicts ...... 19
Why employee consent might not do the trick ...... 25
Switzerland authorises Safe Harbor Framework for personal data transfers to the United States; What is personal data? part 2 ...... 27
EC launches infringement proceedings against UK government ...... 29
Cloud computing and data protection ...... 32
Information as an asset ...... 34
Wikipedia becomes latest company to opt out of Phorm; Phorm launches site to set record straight; Privacy concerns over scans at homeless shelters; Poll reveals consumer concerns about their privacy during economic downturn; Czech government admits data breach involving EU leaders ...... 38
Facebook under scrutiny; Greek DPA puts a temporary ban on Streetview; Privacy concerns follow Streetview to Budapest; Survey shows risks to data held on PSDs; Government drops plans for communications database ...... 39
Government to retain DNA despite ECHR ruling; Accenture and Atmel gain approval for binding corporate rules; Federal government increases DNA collection; LexisNexis suffers breach; UBS cites Swiss privacy laws as part of its refusal to release data to US ...... 40

Country Checklist

CANADA: Could the controversial 'Do Not Call' register be replaced? ...... 15
CANADA: Privacy concerns over scans at homeless shelters; Poll reveals consumer concerns about their privacy during economic downturn ...... 38
CZECH REPUBLIC: Czech government admits data breach involving EU leaders ...... 38
DENMARK: Facebook under scrutiny ...... 39
EUROPEAN UNION: New EU code of conduct for computerised reservations systems ...... 5
EUROPEAN UNION: EC guidelines for data transfers to countries outside EEA: use with caution ...... 18
EUROPEAN UNION: E-Discovery: US and EU conflicts ...... 19
EUROPEAN UNION: Cloud computing and data protection ...... 32
GERMANY: Employment law consequences of violations of IT-security ...... 6
GERMANY: Why employee consent might not do the trick ...... 25
GREECE: Greek DPA puts a temporary ban on Streetview ...... 39
HUNGARY: Privacy concerns follow Streetview to Budapest ...... 39
INDIA: New data protection laws for India ...... 10
IRELAND: Data protection commissioner issues data breach guidance ...... 16
NEW ZEALAND: Survey shows risks to data held on PSDs ...... 39
SWEDEN: Swedish ISPs will erase users' data to protect privacy ...... 16
SWITZERLAND: Switzerland authorises Safe Harbor Framework for personal data transfers to the United States ...... 27
SWITZERLAND: UBS cites Swiss privacy laws as part of its refusal to release data to US ...... 40
UNITED KINGDOM: ICO review recommends an overhaul of the EU data protection directive ...... 16
UNITED KINGDOM: What is personal data? part 2 ...... 27
UNITED KINGDOM: EC launches infringement proceedings against UK government ...... 29
UNITED KINGDOM: Cloud computing and data protection ...... 32
UNITED KINGDOM: Information as an asset ...... 34
UNITED KINGDOM: Government drops plans for communications database ...... 39
UNITED KINGDOM: Government to retain DNA despite ECHR ruling; Accenture and Atmel gain approval for binding corporate rules ...... 40
UNITED STATES: HIPAA privacy and security changes in the American Recovery and Reinvestment Act ...... 11
UNITED STATES: FTC releases proposed breach notification rule for e-health data ...... 16
UNITED STATES: FTC delays enforcement of Red Flags Rule ...... 17
UNITED STATES: Government research shows privacy notices should be in a table format ...... 17
UNITED STATES: E-Discovery: US and EU conflicts ...... 19
UNITED STATES: Switzerland authorises Safe Harbor Framework for personal data transfers to the United States ...... 27
UNITED STATES: Federal government increases DNA collection; LexisNexis suffers data security breach; UBS cites Swiss privacy laws as part of its refusal to release data to US ...... 40


Legislation and Guidance

New EU code of conduct for computerised reservations systems

By Wim Nauwelaerts, Attorney at Law, Hogan & Hartson, LLP.

On March 29, 2009, Regulation (EC) No 80/2009 of the European Parliament and the Council (dated January 14, 2009) on a Code of Conduct for computerised reservation systems (CRS) entered into force. A CRS is a computerised system that permits subscribers, such as travel agencies, to locate travel information about flight schedules, seat availability and fares, with or without facilities to make reservations, issue tickets or make use of related services. The Regulation, which repeals Council Regulation (EEC) No 2299/89 of July 24, 1989, aims to ensure transparent and comparable terms of competition in the market for distribution of travel services through computerised reservation systems. The Regulation applies to any type of CRS offered for use in the EU, provided that it contains air-transport products involving passenger carriage.

System vendors' rules of conduct

The Regulation imposes certain obligations on system vendors that are responsible for the operation or marketing of a CRS. These obligations include, for example, ensuring that CRS contracts (with air carriers as well as CRS subscribers) do not contain unfair or unjustified conditions, and that users are free to avail themselves of alternative reservation systems. Furthermore, system vendors are not allowed to reserve specific CRS facilities for one or more participating carriers (including possible parent carriers that control or participate in the capital of the system vendor). System vendors should display participating carriers' travel information in a neutral and comprehensive manner, without discrimination or bias. The Regulation permits system vendors to release CRS-related marketing, booking and sales data, in so far as the data are offered to all participating carriers with equal timelines and on a non-discriminatory basis. With regard to these business data, the Regulation subjects system vendors to what could be viewed as a confidentiality duty: if the data result from the use of CRS facilities by subscribers established in the EU, the data cannot identify these subscribers (directly or indirectly), unless there is an agreement to the contrary or subscriber identification is essential for billing purposes.

Protection of personal data

As far as processing of personal data in the context of a CRS is concerned, the Regulation includes ten provisions that particularise and complement the principles contained in EU Data Protection Directive 95/46/EC. The main data protection requirements in these provisions can be summarised as follows:

- Personal data collected in the course of the activities of a CRS for purposes of making reservations or issuing tickets can only be processed in a way compatible with such purposes;
- CRS system vendors will be viewed as data controllers, responsible for the processing of a data subject's personal data;
- Personal data can only be processed in so far as their processing is necessary for the preparation or performance of a contract to which the data subject is a party;
- Sensitive data (revealing, for example, racial origin, religious beliefs or health status) can only be processed on the basis of the data subject's explicit and informed consent;
- System vendors must ensure that identifiable booking information is stored offline within 72 hours of the booking. The maximum retention period for these data is three years and the data can only be used for handling billing disputes;
- Upon request, CRS subscribers must inform consumers of the name and address of the system vendor, the purposes of the processing, the duration of the retention period, and the means available to data subjects to exercise their data access rights. Data subjects must have free access to personal data relating to them;
- If system vendors operate other databases in addition to a CRS, technical and organisational measures must be in place to ensure that data protection rules are not circumvented as a result of database interconnections, and to ensure that personal data are only accessible for the specific purposes for which they were initially collected;
- System vendors can release marketing, booking and sales data provided that they do not make it possible to identify (directly or indirectly) natural persons or, where applicable, the organisations or companies that those natural persons represent. This last requirement raises the interesting question as to what extent corporate customers can invoke the Regulation's data protection provisions. In principle, information relating to legal persons is not covered by EU Data Protection Directive 95/46/EC. However, the Regulation stipulates that the data protection rights recognised in the Regulation are complementary to the rights laid down by EU Data Protection Directive 95/46/EC.

Enforcement by the European Commission

The Regulation empowers the European Commission with broad authority to investigate and, where necessary, sanction infringements, including violations of the Regulation's provisions on data protection and confidentiality. Acting on a complaint or on its own initiative, the Commission can require companies and companies' associations to provide all necessary information about their compliance with the Regulation. If the provisions of the Regulation have been infringed, intentionally or negligently, the Commission can impose fines of up to 10 percent of a company's or association's total revenues in the preceding business year.

Wim Nauwelaerts can be contacted at: [email protected]

Employment law consequences of violations of IT-security

By Bernhard Trappehl and Michael Schmidl. rity in information technology (BSIG) is, in several re- spects, important for the task of creating IT-security as Establishing and maintaining IT-security is amanage- part of acompany’scorporate governance. Sec. 2(2) ment obligation. The legal framework points to acon- BSIG defines security in information technology as, ‘‘the stant monitoring obligation for management in order to compliance with security standards concerning the avail- make sure that measures once taken continue to be ad- ability,integrity or confidentiality of information by se- equate in achanging environment. Part of establishing curity provisions in IT-systems or components or when and maintaining adequate IT-security is to put guide- applying information technology systems or compo- lines for employees into place, to train them regularly nents’’. Measures of relevance for IT-security may also be and to make sure that the guidelines are actually re- seen in the annex to Sec. 9Federal Data Protection Act spected. The following article outlines IT-security as a (FDPA). Also Secs. 25a German Banking Act (KWG), 33 management task (I), the role of IT-security within the German Securities Trade Act (WpHG) and 109 German employee relationship (II), possible general reactions to Telecommunication Act (TKG) contain requirements violations of IT-security (III) and particular examples of for the IT-security for specific regulatorysituations. In how violations of IT-security can be sanctioned (IV). light of the fact that threats to IT-security also result from human behaviour,such norms may be seen as part I. IT-security as amanagement task of the law of IT-security and require the implementation of technical and organisational measures to prevent IT- risks based on inaccurate human intervention. 
Law of IT-security The existing law does not provide for astandardised Corporations definition of IT-security.There is no law regulating in a The duty to establish and maintain adequate IT-security definitive way all questions relating to IT-security.Anim- within acompany is atask of the management. The rel- portant aspect in this context is illustrated by the legal evant law for corporations is the Law of control and provisions on the security of information technology. transparency within the company (‘‘KonTraG’’) that The law on the creation of the Federal Bureau of Secu- came into effect on May 1, 1998. The KonTraG crystal- lised the requirements for the management of acorpo- ration concerning the security of the company and obli- Dr.Trappehl is apartner of Baker &McKenzie Partner- gates it to introduce corresponding prevention mea- schaft von Rechtsanwa˜lten, Wirtschaftspru¨ fern, Steuer- sures within the framework of the general task of risk beraternund Solicitors, Munich and member of the firm’s management. The corresponding duty is contained in Employment Group. Dr.Trappehl is admitted as an attorney specialising in labour and employment law.He Sec. 91 (2) AktG. It was introduced by the KonTraG and is also admitted as Abogado (Madrid). The author may obligates the board (i.e.all members of the board) as be contacted at: [email protected]. part of the duty of adiligent management, pursuant to Dr.Michael Schmidl, Maıˆtre en Droit, LL.M. Eur., is a Sec. 93 (1) first sentence AktG, to provide for adequate partnerofBaker &McKenzie Partnerschaft von measures especially implementing amonitoring system Rechtsanwa˜lten, Wirtschaftspru¨ fern, Steuerberaternund that would recognise early enough, such developments Solicitors, Munich and member of the firm’s Informa- that threaten the continuity of the company’sbusiness. tion Technology Group. Dr.Schmidl is aspecialised attor- ney for IT-Law and alecturer for Internet law at the Secs. 
91, 93 AktG do not provide concrete specifications University of Augsburg. He may be contacted at: of duties serving as aguideline for CEOs and board [email protected]. members. Neither do the explanations of the scope of duties of the preamble of the KonTraG. But the Kon-

6 05/09 Copyright ஽ 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579 Legislation and Guidance TraG made clear at least, that the ‘‘ordinarycare’’ofthe II. IT-security within the employment management also comprises detecting and fighting IT- relationship risks and that violating these duties may lead to the per- sonal liability of the corresponding manager (CEO and General statutoryobligations board members). As shown above, members of the management are the addressees of statutoryobligations in the field of estab- Other company forms lishing and maintaining IT-security.There are no com- parable statutoryprovisions directly obliging employees According to the prevailing opinion in Germany,the to keep certain security standards within the company. The existing general statutoryduties (i.e.obligations ap- KonTraG and the clarifications regarding the manage- plicable to everyone) to act, such as Sec. 17 of the Act ment’sduties in the area of establishing and maintain- Against Unfair Competition (UWG), Sec. 201ff., 203, ing IT-security effected by the KonTraG may be applied 206, 303a et seq.Penal Code are not tailored to the IT- to the form of limited company (GmbH) and as agen- security of companies in general. The norms may con- eral principle also to other company forms. Pursuant to tain prohibitions serving to reach the aims of IT-security Sec. 43 GmbH (limited liability company law) the direc- in certain situations. These norms, however,tailored to tors have to exercise the care of aprudent businessman. 
prevent certain specific violations, are no autonomous The measures required by the KonTraG for corporations legal basis to establish and maintain IT-security within concerning ageneral risk management and the reality the company.What brings to bear here is that criminal that the ‘‘ordinarycare’’ofthe company management laws or other norms prohibiting certain forms of behav- also comprises detecting and fighting IT-risks also apply iour are not suited as abasis for risk management and prevention in acompany.Such laws are addressed to ev- to the interpretation of the legal term of the ‘‘care of a erybody,not only employees, and function as ultima ra- prudent business man’’with the consequence that the tio rather than as subtle measures of risk management in violation of these duties may lead also, at the level of the acompany. GmbH, to the personal liability of responsible manage- ment. The described requirements also apply to partner- Security specific duties to act ships (OHG) and limited partnerships (KG) if no indi- There are isolated specific statutoryduties to act that do vidual person is liable. On this basis, OHG and KG are not tie in with the position as an employee in general obliged to implement and maintain IT-security within but with the assignment of acertain function. Pursuant the company.Equally,the elements of risk management to Sec. 4g (1) FDPA, the Data Protection Official has the and an early detection system have to be adequately con- task, for example, to work towards the compliance with sidered as parts of the security of the company. the FDPAand other provisions of data protection. This duty also comprises the examination as to whether there are adequate technical and organisational measures pur- General limitations suant to the annex to Sec. 9ofthe FDPAserving the technical data protection. 
Because of the FDPA’s objec- The measures required to establish and maintain the IT- tive to protect the individual against his right to privacy security have to be tailored to the specific company,its being impaired through the handling of his personal individual situation, its risk situation, and needs to be data (cf. Sec. 1(1) FDPA), this technical data protection checked at regular intervals. This principle applies to all however is to distinguish from IT-security in general company forms. Typically,the size of the company,its which does not lie within the scope of the data protec- structure and the exact branch of activity as well as pos- tion official and which serves in the broadest sense to sible changes of the layout and the scope of the business maintain the operability of the company and the com- must be considered. Acarte blanche for second-rate se- pany value incorporated therein. Based on this defini- curity measures cannot be deducted from this analysis. tion, the duties of the internal data protection official, Rather,itmust be possible to explain that, as aconcrete especially his duty to examine the existence and the ad- equacy of measures pursuant to the annex to Sec. 9 result of one of the factors added to the overall analysis FDPA, may be seen as apart of reaching and maintain- why in general or at repeated analysis, there are less risks ing IT-security,but are not ageneral specification of IT- and consequently why there is less need of risk manage- security. ment or prevention. 
Furthermore there are certain secu- rity standards that have to be complied with within every Fiduciaryduty and auxiliaryduties company for the simple reason, for example, in the Considering that there are no sufficient general and spe- form of measures of data backup (short-term storage of cial statutoryduties for employees towards their em- data, programs and configurations in away guarantee- ployer,the general fiduciaryduty of the employee to- ing access even in case of disaster), archiving (long-term wards his employer and auxiliaryduties resulting from storage of data even in case of migration of systems and the employment relationship come into consideration as data), virus protection (virus scanners and training of sources for legal duties to maintain IT-security within the employees) and emergency prevention (development of company.Independently of the function and position possible disaster recoveryscenarios and planning of the employee holds within the internal organisation and counter-measures). the duties he is contractually obliged to fulfil, he always

05/09 World Data Protection Report BNA ISSN 1473-3579 7 Legislation and Guidance meets several auxiliaryduties in the form of afiduciary ratio’’ in the case of arecurring violation. The termina- duty.These comprise, for example, the duty to keep tion for cause, in case of especially severe violations, as a business secrets, the prohibition to intentionally open rule only comes into perspective if the violation of duty virus-infected email-attachments as well as the prohibi- has reached the border of criminal behaviour or if avio- tion to make illegal copies by means of the company’s lation of the duty to keep IT-security leads to an irrevers- IT-systems. Additionally,the employee has the obligation ible and complete break down of mutual trust because not to damage the employer through his own control- of extraordinarycircumstances. lable behaviour even if such obligation merely results from the general prohibition of injuring third parties. Choice of appropriate measures With regards to the generality of the objective of optimal The individual measures are classified into different IT-security and the requirement of specific company de- ranks and have to be applied on the basis of an exami- cisions concerning the appropriate master plan, how- nation of proportionality.The admissible sanction can- ever,itisnot possible to establish afinal list of require- not be determined schematically,but has to consider ments on the basis of afiduciaryduty and auxiliarydu- various criteria as the case arises. Relevant are the (i) ties. 
character and severity of the breach of duty, (ii) former behaviour of the employer, (iii) seniority, (iv) age and perspectives of the employee on the employment market, (v) impacts of the breach of duty on the operationability of the company and (vi) a contributory negligence of the employer. Moreover, general aspects such as fault, damage, recurrence, information and explanation of the concerned person as well as the scope of security specifications of the company have to be taken into consideration. It depends decisively on whether the relevant know-how was transmitted to the employees responsible for the IT-security within the company and whether any warnings of the persons responsible within the company, such as, for example, a system administrator, were communicated in a sufficient way. Equally, the position of the employee within the company is relevant: the employer must be able to rely on the system administrator who is responsible for the security of the systems to a much higher degree of trust (and especially on his behaviour adequate to security) than on the ordinary employee. Towards the former, the threshold for a sanction is much lower and thus much more severe sanctions are possible.

III. Possibilities of reaction and risk of establishment of custom and practice

Validity of general principles of employment law

If the employer does not want to ignore violations of duties of IT-security without any sanction (as recommended on the basis of an established IT-security guideline), he can react basically with an admonishment, a warning, an ordinary behaviour-based termination (as the final termination is only ultima ratio, it has to be examined if the same purpose may be reached by means of a termination for change of contract) or a termination for cause. If the admonishment is chosen as the mildest form of a sanction, it must be borne in mind that it cannot serve as a reason for termination in case of a recurring violation. The warning reminds the employee to behave in compliance with his contract. It has to point out the consequences of further violations due to reasons of proportionality and is, apart from extreme exceptional cases (when the employee could not expect that his behaviour would be tolerated by the employer), the necessary basis for a behaviour-based termination as "ultima ratio".

Agreed measures

As a consequence of the haziness of the objective of IT-security and with regard to the nonexistence of sufficient legal duties, the definition of obligations and prohibitions perfectly tailored to the situation of the specific company aiming to achieve and maintain optimal IT-security is indispensable. The conforming specification is regularly effected in the form of an IT-security guideline that the employee is committed to as soon as the employment contract is concluded. If necessary, the obligation to comply with such a guideline may be imposed later by means of an instruction. Especially considering that a lot of IT-security risks result from unconscious misbehaviour of the employees (intentional misbehaviour cannot be prevented anyway), the IT-security guideline may be characterised as the central element of an IT-security concept. For example, the IT-security guideline may contain provisions concerning the use of Internet and e-mail as well as the storage of private e-mails and the handling of e-mail attachments, the handling of passwords, the downloading of programs and the installation of software, the use of USB devices and the local storage of data on a notebook.

Custom and practice as risk of IT-security

Tolerance and non-prosecution of continuing violations against an applicable guideline of IT-security within the company may possibly lead to the constitution of custom and practice. This can inter alia suspend once established prohibitions such as the prohibition of private use of Internet and e-mail. Custom and practice have the effect of creating a basis of trust, which the employees may deduce from the employer's leniency concerning the violation of certain prohibitions. From the point of view of the employer, it always has to be recognised that showing tolerance as the regular reaction to violations of guidelines of IT-security can suspend these as a whole. Custom and practice may also lead to different rules within the company. It is for example conceivable that the private use of Internet and e-mail is tolerated in one department but not in another. Custom and practice cannot be removed unilaterally. Depending on the legal qualification of custom and practice, instruments to remove custom and practice such as negative custom and practice, termination for change of contract or an amending works agreement are possible remedies. Against this background it is a clear organisational duty of the employer not to let custom and practice emerge that suspends existing guidelines of IT-security.

Copyright © 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579

Legislation and Guidance

IV. Selected particular cases

Prohibited use of Internet and e-mail

Violations of IT-security occur frequently in connection with the prohibited private use of Internet and e-mail. It depends on the situation within the company, for example, whether the private use of communication facilities of the company, no matter of what sort, is contrary to the employment contract. In practice, limited private use of telephone and private use of Internet and e-mail are generally tolerated by the employer. The employer may, however, determine the scope of use in his own discretion and may for example block certain websites. In the rare case of a complete prohibition of private use of Internet and e-mail, the private use of Internet and e-mail (as well as the private use of the telephone) is a sanctionable violation against duties of behaviour because it reduces the contractually due working power and blocks company resources for their original purposes. However, a warning is required in cases of private use of Internet and e-mail before an (ordinary) behaviour-based termination can be served, even if the possibility of termination was generally announced before.

Permitted use of Internet and e-mail

If the private use of Internet and e-mail is basically permitted or admissible due to custom and practice, the employee must not use it without any limitations. For example, a termination without notice may come into consideration if the employee misuses the existing permission by continually sending private e-mails or using the Internet intensively in a way that is obviously intolerable for the employer. This is particularly the case if the private use leads to a blatant reduction of the employee's performance and thus to a violation of contractual obligations. The same applies if the abuse of the permission does not result from the intensity but from the sort of private use, for example through the use (including the storage of the material on the company computer or designing a website on the company computer) of pornographic or right wing extremist content by means of the IT-infrastructure of the company or the attempt to promote fanatic or terrorist organisations. A right to termination particularly exists if business interests of the company are concerned. Child pornography is a special case, as pursuant to Sec. 184 (5) second sentence Penal Code the "possession" as such is punishable. In this case, a termination for cause should be admissible as a rule, even if, as always, it must be examined whether, exceptionally, the mutual trust could be reconstituted.

Handling of data

The admissibility of measures of employment law against the prohibited access to data and software depends on whether the data contain business secrets, whether the data can be used in a fashion detrimental to the employer or if there is an intention to damage. A behaviour-based termination, in certain cases even without prior warning, is admissible if it was evident to the employee that the employer did not want to disclose the business secrets, which is regularly the case if sensitive personal data or salary information of other employees are concerned. Before choosing the sanction it must be checked if the employer undertook security measures. If not, the termination might not be enforceable because of contributory negligence of the employer. If the employee overcomes existing security measures, damages the employer by transferring (no matter if paid or non-paid) data (no matter if personal data or not) or makes copies for private use, a termination for cause of the employment relationship is admissible as a rule, for the reason that it is evident for the employee (independently of his intentions) that he acts contrary to the employment contract and misuses the trust of the employer in a considerable way. If the violation lies exclusively within the production of copies for private use, a termination for cause is admissible only in exceptional cases (e.g. in case of copyright offences).

Misuse of passwords

Transferring passwords to non-authorised persons or persons outside of the company generally justifies an ordinary and, also in certain cases, a termination for cause, as the confidence of the employer in the regular keeping of secrets important to the business is irrecoverably damaged. If the employee obtains passwords without authorisation and if he accesses texts of his employer that are normally not accessible to him, an ordinary termination or even a termination for cause may be justified. This only applies, however, if the limitation of competences was sufficiently clear. Changing passwords for the computer system without authorisation, resulting in paralysing the company for a longer time, can be sanctioned with a termination for cause. In such cases, contributory negligence of the employer might have to be considered if the employer failed to implement measures providing the possibility to override a password or to annul the password through the use of specialists. For less severe violations such as forgetting the password repeatedly, not changing the password despite corresponding guidelines or using easily decodable passwords despite considerable danger for the company, only a warning is possible and, when the violations are repeated, a regular termination can be declared.

Prohibited download and improper use of technique

The prohibited private download of programs from the Internet is a violation of the contract but does not entitle to terminate for cause (without notice) if there was no prior warning. One might come to another result if the download leads to endangering the IT-infrastructure of the company with viruses. When handling technique and the company's software in general, the adequate reaction depends in a very special way on the particular scope of duties. The system administrator has more specific duties to act (e.g. installing security patches) than the ordinary employee as a mere IT-user. The latter is likely to cause trouble because of negligent behaviour (opening suspicious e-mails, errors in operating equipment, careless handling of passwords). As a rule, a warning is the appropriate sanction. If inappropriate handling of the company's IT-systems repeatedly leads to system breakdowns and considerable hindrances for the company because the employee is not capable of using the IT-systems, a behaviour-based

termination is not always possible, as it requires that the employee can basically fulfil the requirements of the employer but wilfully does not do so. Based on lacking subjective skills, only a person-based termination or a termination for change of contract could be considered. This requires, however, that the employee's performance fails the purpose as stated in the employment contract in a significant way; insignificant discrepancies are not sufficient. In particular, the employee must be granted an adequate period of time to adapt to the new conditions. Instead of a person-based termination, the employee concerned has to be offered a workplace corresponding to his abilities as far as this is possible within the company's organisation. If such a workplace is not available or not reasonable, the employer has to offer training to the employee to correct the lack of qualification in the area of IT.

Criminal offences

Criminal offences only justify a termination if the criminal offences are either committed against the company or, if outside the company, with relevance to the company. If the guidelines of the IT-security are disregarded, the company's interests are always affected, whereby the company is violated as such. Any (intentional) infiltration of computer viruses is sufficient for a termination for cause, as an intentional change of data in the sense of Sec. 303 Penal Code can be effected, whereby the attempt as such is sufficient. A previous warning is dispensable if the employer is compellingly dependent on the use of the electronic data processing. Under certain circumstances computer sabotage in the sense of Sec. 303b Penal Code could come into consideration within this context. The same applies if the employee procures for himself, or another person, unauthorised access to specially secured data not destined for him (Sec. 202a Penal Code), fakes technical records (Sec. 268 Penal Code) or the results of a data processing (Sec. 270 Penal Code). As a reason for termination without prior warning, one might consider the violation of company or business secrets (Sec. 203 Penal Code, Sec. 17 UWG). The question is whether it is sufficient as a reason for termination if an employee gets knowledge that his colleague has unauthorised access to company and business secrets and does not inform his employer. The decision as to whether a termination may be justified will largely depend on the employee's position within the company. In the case of a senior employee/trusted position, as a rule a termination (regular or for cause) may be justified. Furthermore, a termination is admissible if the employee uses the company's resources to commit crimes (e.g. espionage for third parties), as it is not acceptable for the employer to be involved in crimes using his property. Also included would be copyright infringements such as burning copies using facilities of the employer, as a considerable breach of trust; criminal infringement pursuant to Sec. 106ff. Copyright Law does not need to be tolerated by the employer. Insofar, a termination based on copyright offences comes into consideration for example if the employee makes copies of the software used in the company for private use.

Conclusion

IT-security becomes more and more important not only as a management obligation but also for employees. Violations of the same can have serious consequences for both managers and employees. For managers, personal liability is possible. Employees might be subject to warnings or even lose their jobs. In order to turn IT-security into a true employee obligation it is important, however, to have explicit rules and regulations in place and to train employees regularly. In light of the erosive effects of custom and practice in a company it is also important to sanction violations of IT-security.

New data protection laws for India

By Robert Bond, Partner and Head of IP, Technology and Commercial, and Vinod Bange, Partner, Speechley Bircham LLP.

- The Information Technology (Amendment) Act 2008 was published on February 5, 2009.
- The Act introduces legislation relating to use of electronic signatures.
- The legislation addresses the use of encryption and makes provisions for governmental interception.
- Legislation creates a civil offence in respect of hacking and creates more stringent legislation in respect of cyber terrorism and online pornography.
- Of particular interest to companies that outsource to India is that the legislation now makes a company that handles 'sensitive personal data' liable to pay compensation if it is negligent in relation to security.

Article 25 of the EU Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data) states that personal data cannot be transferred to any country outside the European Union that does not provide adequate laws for the protection of rights of individuals in relation to their personal data.

Over the past few years the European Commission has 'approved' a number of countries who are deemed to have adequate data protection laws including Argentina, Canada, Faroe Islands, Guernsey, Jersey, the Isle of Man and Switzerland, but despite India being a significant recipient of personal data from Europe as part of its outsourcing offerings India has no such approval.

Robert Bond and Vinod Bange can be contacted at: [email protected] and vinod.bange@speechlys.com

The European Commission does not regard India as having satisfactory laws providing protection for the rights of individuals in relation to personal data, although it is still permissible to transfer personal data to India provided that the exporting company puts in place suitable contractual controls with the importing company in India. Usually these controls are in the form of 'approved model clauses' by the European Commission or the use of Binding Corporate Rules. Notwithstanding the introduction of the new legislation in India and the greater obligations placed on companies in India with regard to the handling of 'sensitive personal data', there will still be the need to meet the requirements of Articles 25 and Article 26 (which address trans-border data flows) of the EU Data Protection Directive.

It is unlikely that the new legislation in India will fast-track the country into a position of being an approved country by the European Commission for data protection purposes, but it is a move in the right direction, especially with the widely accepted view that the outsourcing industry in India prides itself on the high levels of practices and controls adopted.

HIPAA privacy and security changes in the American Recovery and Reinvestment Act

By Brad M. Rostolsky, Associate, Gina M. Cavalier, Partner, Debra L. Hutchings, Associate, Kerry A. Kearney, Partner and Mark S. Melodia, Partner at Reed Smith LLP (www.reedsmith.com).

Brad M. Rostolsky, Associate, Gina M. Cavalier, Partner, Debra L. Hutchings, Associate, Kerry A. Kearney, Partner and Mark S. Melodia, Partner at Reed Smith LLP can be contacted at: [email protected], [email protected], [email protected], [email protected] and [email protected]

On February 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the "ARRA").1 This memorandum outlines significant changes and additions to the landscape of federal privacy and security law set forth in Subtitle D of the ARRA. In general, the privacy and security portions of the ARRA become effective 12 months after the enactment of the ARRA, which is approximately February 2010. It is also important to note that the ARRA directs the Secretary of the US Department of Health & Human Services ("HHS") to amend the HIPAA Privacy and Security Rules to implement the legislative changes. As such, the effective dates associated with the rulemaking process will vary.

A. Applicability of HIPAA security and privacy rules extended to business associates

1. Security Rule

The HIPAA Security Rule's information safeguards are not new considerations for Business Associates. Business Associate Agreements contractually obligate Business Associates to implement administrative, physical, and technical safeguards to reasonably and appropriately protect electronic protected health information that the Business Associate creates or maintains on behalf of a Covered Entity. The ARRA, however, changes the fundamental framework of the Security Rule in this regard. Specifically, Business Associates are now required to directly comply with the Security Rule's provisions on administrative, physical, and technical safeguards, as well as to develop implementing policies and procedures. As a practical matter, however, it is unclear whether these provisions only apply vis-à-vis the protected health information created or received from a Covered Entity, or whether they implicate other information of the Business Associate.

As a means to assist Business Associates (as well as Covered Entities) with effectively addressing the requirements of the Security Rule, HHS is required to publish annual guidance on "the most effective and appropriate technical safeguards for use in carrying out" the requirements of the Security Rule. Additionally, the ARRA requires that Business Associate Agreements reflect the new direct obligations of Business Associates. Finally, adding enforcement teeth, the ARRA provides that Business Associates will be subject to civil and criminal penalties for violating the Security Rule.

2. Privacy Rule

The ARRA requires a Business Associate that "obtains or creates protected health information pursuant to a written contract" to take direct responsibility for its uses and disclosures of protected health information. As a result of the new legislation, and regardless of the contractual obligations of a Business Associate Agreement, the manner in which Business Associates approach Privacy Rule requirements and obligations has been significantly altered, although the extent of these changes will not be clear until regulations are promulgated.

At a minimum, it is clear that Business Associates that violate the Privacy Rule obligations set forth in their Business Associate Agreements will be subject to HIPAA's civil and criminal enforcement provisions. The statutory language also appears to require a Business Associate to take reasonable steps to cure a Covered Entity's violation of a Business Associate Agreement if the Business Associate knows of a pattern of activity or practice of the Covered Entity that constitutes a material breach or violation of the Covered Entity's obligation under the Business Associate Agreement. If cure is not

possible, and termination of the Business Associate is not feasible, then the Business Associate must report the problem to HHS.

It is likely that the requirement that Business Associates' new privacy and security obligations be reflected in Business Associate Agreements will, de facto, require the amendment of current Business Associate Agreements. Although the standard language typically found in Business Associate Agreements may be sufficient to address some of the increased privacy and security requirements, it may behoove Covered Entities and Business Associates to review their current Business Associate Agreements. Amendments to current Business Associate Agreements will enable the parties to ensure that both the Privacy and Security Rules are properly and thoroughly addressed. Furthermore, it seems likely that Covered Entities will want the security breach notification requirements discussed below to be set forth in detail in Business Associate Agreements.

3. Definition of Business Associate expanded

The ARRA expands the definition of "Business Associate" to any organisation that, with respect to a Covered Entity, provides data transmission of protected health information to a Covered Entity (or its Business Associate) if the organisation requires routine access to the protected health information. Examples include a Health Information Exchange Organisation, a Regional Health Information Organisation, an E-prescribing Gateway, or a Vendor of Personal Health Records. (ARRA provisions related to Vendors of Personal Health Records are described below.) The new universe of entities will be treated as "Business Associates", and must, among other things, enter into a Business Associate Agreement with Covered Entities.

B. Notification standards for breaches of "unsecured" protected health information

1. Covered Entities

Much like the security breach notification laws of many states, the ARRA imposes significant breach notification obligations on a Covered Entity that "accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information." Thus, any such Covered Entity that knows or should reasonably have known that protected health information has been acquired, accessed, used, or disclosed without authorisation must provide notice of the breach to individuals and designated entities within a prescribed period of time.

The ARRA includes detailed requirements regarding when, how, and to whom notifications of a breach must be provided, but, generally, the notifications must be provided to the individual about whom the information pertains without unreasonable delay (and, in any event, no later than within 60 days of discovery of the breach). In addition to notifying the individuals, notification must always be provided to HHS (immediately if the breach involves more than 500 individuals, or annually otherwise), and, depending on the scope or severity of the breach, to prominent media outlets serving the respective state or jurisdiction. The one exception to a Covered Entity's obligation to provide a security breach notification is if a law enforcement official determines that such a notification would impede a criminal investigation or cause damage to national security. HHS will maintain a website that identifies Covered Entities involved in a breach of unsecured protected health information for more than 500 individuals.

The ARRA defines unsecured protected health information to mean "protected health information that is not secured through the use of a technology or methodology specified by the Secretary [of HHS] in" guidance that will be issued no later than 60 days after the enactment of the ARRA. In case the aforementioned guidance is not issued by HHS on the date promised, the ARRA provides the following default definition of unsecured protected health information, which appears to essentially require encryption: "protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorised individuals and is developed or endorsed by a standards developing organisation that is accredited by the American National Standards Institute."

No later than 180 days after the enactment of the ARRA (approximately August 2009), HHS shall promulgate interim final regulations. The security breach notification provisions of the ARRA shall be effective 30 days after the publication of these interim final regulations (approximately September 2009). Note: This is sooner than the effective date for the ARRA generally.

2. Business Associates

The breach notification requirements extend to Business Associates insofar as Business Associates must report discovered breaches of unsecured protected health information to the Covered Entity following a Business Associate's discovery of a breach. If a Business Associate fails to provide the required notice in a timely fashion, the Business Associate may be subject to direct enforcement and penalties. Notification from a Business Associate must include the identification of each individual about whom the breached information pertains. Covered Entities will likely include specific notification timing requirements in Business Associate Agreements.

3. Vendors of Personal Health Records

The ARRA also imposes breach notification requirements on "Vendors of Personal Health Records". Under the ARRA, a Vendor of Personal Health Records is any entity "other than a covered entity [as defined in the HIPAA regulations] that offers or maintains a personal health record". The term "personal health record" is defined to be "an electronic record of [individually identifiable health information (as defined in the Social Security Act)] on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual".

Vendors of Personal Health Records must notify the individual about whom the information pertains, as well as

the Federal Trade Commission ("FTC") (which will in turn notify HHS) upon discovery of a breach of security with respect to the individually identifiable health information that is in a personal health record. The ARRA defines "breach of security" to mean any acquisition of the aforementioned information without the authorisation of the individual to whom the information pertains. Third party service providers engaged by Vendors of Personal Health Records are treated similarly to Business Associates, and must notify the vendor of a breach of security.

For Vendors of Personal Health Records and third-party service providers, the requirements regarding when and how they must provide notifications of a breach of security are the same as for Covered Entities and Business Associates, respectively. A Vendor of Personal Health Records or third-party service provider's violation of the notification requirements shall be considered an unfair and deceptive act or practice in violation of FTC regulations.

These provisions are intended to be temporary and will sunset if Congress enacts new legislation establishing specific security breach notification requirements for entities that are not Covered Entities or Business Associates under HIPAA. The FTC is required to promulgate implementing regulations within 180 days of the enactment of the ARRA (approximately August 2009), which will likely clarify the definitions and requirements set forth in the ARRA.

C. Enhanced privacy guidance and education initiative

Within six months after the enactment of the ARRA (approximately August 2009), HHS is required to designate an individual in each HHS regional office to offer guidance and education to Covered Entities, Business Associates, and individuals on their "rights and responsibilities related to Federal privacy and security requirements for protected health information". Additionally, within one year after the enactment of the ARRA, the HHS Office for Civil Rights is required to develop and maintain a multi-faceted national education initiative to enhance public transparency regarding the uses of protected health information.

D. Obligations related to electronic health records

1. Accounting of protected information stored in electronic health records

Although under the HIPAA Privacy Rule Covered Entities are not required to account for uses and disclosures of protected health information for the purpose of treatment, payment, and health care operations, the ARRA specifically eliminates this exception for Covered Entities that use or maintain "electronic health records." The ARRA defines an "electronic health record" to mean "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorised health care clinicians and staff."

A Covered Entity must provide the new, broader accounting upon request. For disclosures made by a Covered Entity's Business Associates, however, the Covered Entity may provide an individual with a list of the Business Associates. If an individual is provided with such a list of Business Associates, then the Business Associates must provide the accounting to the individual upon request from the individual. Accountings made by Covered Entities and Business Associates that use and maintain electronic health records must cover a period of three years (as opposed to the six-year period required under HIPAA).

These accounting provisions are effective as follows:

- For Covered Entities, insofar as they acquired an electronic health record as of January 1, 2009, the accounting requirement applies to disclosures made on or after January 14, 2014.
- For Covered Entities, insofar as they acquire an electronic health record after January 1, 2009, the provision will be effective for disclosures on the later of January 1, 2011, or the date upon which the entity acquires the electronic health record.
- HHS can impose a later effective date, but it can be no later than 2016 for the Covered Entities with an electronic health record as of January 1, 2009, and 2013 for all other Covered Entities with an electronic health record.

2. Access to protected health information in electronic format

Expanding on the Privacy Rule's access provisions, Covered Entities that use or maintain an electronic health record with respect to the protected health information of an individual must, per ARRA, provide access to such information by producing an electronic copy to the individual (or a recipient designated by the individual). Individuals making such a request may only be charged for a Covered Entity's labour costs associated with providing the requested information.

3. Sale of electronic health records or protected health information

The ARRA provides that a Covered Entity or Business Associate cannot directly or indirectly receive remuneration in exchange for an individual's protected health information (including such information stored in an electronic health record) except pursuant to a valid HIPAA authorisation that specifies the extent to which the recipient may engage in further exchanges of the individual's information.

This prohibition does not apply to the exchange of the information if the purpose for the exchange is one of the following:

- Public health activities, as defined by the Privacy Rule (45 C.F.R. §164.512(b)).
- Research purposes (as defined in 45 C.F.R. §§ 164.501, 164.512(i)), subject to limitations on the remuneration.

- Treatment, unless HHS determines otherwise.
- Transfers in connection with the sale or merger of a Covered Entity.
- Remuneration that is paid by the Covered Entity to a Business Associate related to the Business Associate’s services as to the exchange of protected health information.
- Providing an individual with a copy of the individual’s protected health information.
- Other situations, as determined by HHS.

HHS is required to promulgate regulations implementing these provisions no later than 18 months after the enactment of the ARRA (approximately August 2010). Furthermore, this provision of the ARRA applies only to an exchange of protected health information that occurs at least six months after the regulations have been released.

E. Enhanced ability of individuals to control protected health information

1. Requested restrictions on or disclosures of protected health information

Prior to the enactment of the ARRA, a Covered Entity was not required to grant an individual’s request to limit the use and disclosure of protected health information to carry out treatment, payment, or health care operations. The ARRA, however, requires Covered Entities to comply with an individual’s request for such restrictions on disclosure if:

- The disclosure is made to a health plan for the purposes of carrying out payment or health care operations (unless the use or disclosure is required by law);
- The protected health information at issue pertains only to a health care item or service for which the individual pays (1) out-of-pocket, and (2) in full.

2. ‘Minimum necessary’ standard further explained

Under the Privacy Rule, a Covered Entity’s use and disclosure of protected health information for purposes other than treatment, payment, and health care operations must be limited to the “minimum necessary” amount needed to accomplish the underlying purpose of the use or disclosure. To provide assistance to Covered Entities in this regard, the ARRA directs HHS to issue guidance on what constitutes “minimum necessary” no later than 18 months after the enactment of the ARRA. Until the release of this guidance, the ARRA provides that uses and disclosures unrelated to treatment, payment, or health care operations must be in the form of a limited data set (as defined by the Privacy Rule), unless a Covered Entity (or Business Associate) determines that a limited data set is not “practicable” for a particular use or disclosure, in which case the “minimum necessary” standard still applies.

3. Marketing and fund-raising communications

The ARRA contains new restrictions on marketing communications. Specifically, marketing communications to an individual from a Covered Entity or Business Associate that were previously considered “health care operations” (and therefore not curtailed by the Privacy Rule) are no longer considered health care operations (and therefore no longer exempt from the Privacy Rule’s general prohibition against disclosure) if the Covered Entity or Business Associate receives or has received direct or indirect remuneration (as defined under federal fraud and abuse regulations) for making the communication, except where:

- The communication describes a drug or biologic that is currently prescribed for the recipient, and the remuneration received by the Covered Entity in exchange for the information is “reasonable” (as will be defined by HHS).
- The communication is made by the Covered Entity based on a valid HIPAA authorisation.
- The communication is made by a Business Associate of the Covered Entity in accordance with a written Business Associate Agreement.

Although fund-raising communications are still considered “health care operations”, such communications must clearly and conspicuously provide individuals with an opportunity to opt-out of receiving further fund-raising communications. The decision by an individual to opt-out shall be considered a revocation of authorisation under HIPAA.

F. Continued focus on enforcement activities

Building on recent enforcement actions (settlements and informal compliance agreements) from the Office of Civil Rights and the Centers for Medicare and Medicaid Services, the ARRA amends the relevant enforcement provisions of HIPAA by, among other things, requiring HHS to “formally investigate any complaint of a violation of [the Privacy and Security provisions of the ARRA] if a preliminary investigation of the facts of the complaint indicate [that] such a possible violation [is] due to willful neglect”. Notwithstanding this heightened focus on enforcement, the ARRA specifically permits the Office for Civil Rights to utilise corrective action without penalty as a means to address civil infractions of the Privacy Rule.

Except as separately provided in the ARRA, the amendments made to enforcement provisions shall be effective 24 months after the enactment of the ARRA (approximately February 2011).

1. State Attorneys General can initiate federal action for HIPAA violations on behalf of state residents

Furthermore, the ARRA authorises state Attorneys General to initiate civil actions in the federal court (for injunctive relief or monetary damages) on behalf of a state resident when the Attorney General reasonably believes that the resident’s interests have been threatened or adversely affected by a person or entity that violates HIPAA. Additionally, the court may award the costs of the action and reasonable attorney fees to the state. Prior to bringing any such claim, a state Attorney General must provide HHS with prior written notice of intent to file the action, after which HHS may intervene in the action. If HHS brings a HIPAA action against a person, then state Attorneys General may not bring an action against the person relative to the same HIPAA violation.

2. Enforcement clarification regarding individuals

The ARRA clarifies a point of confusion regarding the criminal enforcement of individuals for the wrongful access or disclosure of protected health information under HIPAA. The ARRA makes it clear that individuals (who are not Covered Entities, but who may be employees of Covered Entities) fall within HIPAA’s enforcement purview.

3. Increases to civil monetary penalties

With regard to civil monetary penalties, the ARRA replaces the manner in which such penalties are determined with a new tiered approach:

- Unknown violations (i.e., if a person did not know, and by exercising reasonable due diligence would not have known, that a violation occurred): The penalty shall be at least $100 for each violation, not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation, not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
- Violations as a result of reasonable cause and not because of wilful neglect: The penalty shall be at least $1,000 for each violation, not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation, not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
- Violations as a result of wilful neglect (and the violations have been corrected): The penalty shall be at least $10,000 for each violation, not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation, not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
- Violations because of wilful neglect (and that have not been corrected): The penalty shall be at least $50,000 for each violation, not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Also note that, within three years of the enactment of the ARRA, HHS is required to publish regulations that establish a methodology that distributes a portion of collected civil monetary penalties to the individuals harmed by a Covered Entity’s act of wilful neglect. The application of this new tiered approach to civil monetary penalties applies to violations that occur after the date of enactment of the ARRA.

NOTES

1 P.L. No. 111-5. The text of the Act and the accompanying conference report are available at http://thomas.loc.gov/home/approp/app09.html#h1

This article first appeared in ReedSmith’s Life Sciences Health Industry Client Alert, March 2009.

Copyright © 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579

News

INTERNATIONAL

World Anti-Doping Agency adopts revised data protection standard

At a meeting in Montreal on May 9, the Executive Committee of the World Anti-Doping Agency (WADA) adopted a revised International Standard for the Protection of Privacy to replace the Standard which entered into force on January 1, 2009. The revised standard follows an ongoing discussion between WADA and the EU over data protection implications surrounding the ‘whereabouts rule’ (the need to track athletes’ movements for drug testing). The revised standard takes account of recommendations made by the Article 29 Working Party in its document, the ‘Second opinion 4/2009 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, on related provisions of the WADA Code and on other privacy issues in the context of the fight against doping in sport by WADA and (national) anti-doping organizations’.

Further discussions on data protection matters were due to take place at the EU Anti-Doping Conference held in Athens on May 13–15.

The revised standard will enter into force as of June 1, 2009.

The standard is available at: http://www.wada-ama.org/en/dynamic.ch2?pageCategory.id=807

A copy of the Working Party’s Opinion is available at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp162_en.pdf

CANADA

Could the controversial ‘Do Not Call’ Register be replaced?

A new anti-spam bill, the Electronic Commerce Protection Act, if passed, may result in a change of law asking individuals to opt-in rather than opt-out of receiving marketing calls. If so, it raises questions over the future of the heavily criticised ‘Do Not Call’ Register.

Since the launch of the ‘Do Not Call’ Register six months ago, six million Canadians have registered their

name on the opt-out list. The Canadian Radio Television Commission (CRTC) has, on average, received 20,000 complaints per month. However, the CRTC has been heavily criticised for its lack of enforcement and complaint handling. It has issued only 70 warning letters to organisations flouting the regulations and imposed no financial penalties to date. Privacy advocates who have been critical of the Register are strongly in favour of changing the legislation to require an opt-in to marketing calls.

IRELAND

Data Protection Commissioner issues data breach guidance

The Data Protection Commissioner, Billy Hawkes, has issued interim guidance for organisations on how to deal with the data loss arising from security breaches. Meanwhile, the Working Group set up by the Ministry of Justice is currently looking into whether there should be an amendment to the existing data protection legislation to account for security breaches.

For more information about the Working Group, visit: http://www.justice.ie/en/JELR/Pages/WP09000015

The Interim Guidelines are available from: http://www.dataprotection.ie/viewdoc.asp?DocID=901&ad=1

SWEDEN

Swedish ISPs will erase users’ data to protect privacy

As the controversy surrounding the Swedish anti-piracy laws continues, three more ISPs say they will erase traffic data to protect their customers’ privacy.

The laws known as Ipred, which came into effect on April 1, 2009, allow copyright owners with a court order to ask ISPs to provide information about customers illegally uploading or downloading copyright protected material. Although designed to protect against copyright infringement, the laws caused a stir amongst privacy advocates and ISPs over this requirement to reveal customer information. Since Ipred came into effect, there has been a 30 percent drop in Internet traffic.

UNITED KINGDOM

ICO review recommends an overhaul of the EU Data Protection Directive

The Information Commissioner’s Office has published its review commenting on the strengths and weaknesses of the EU Data Protection Directive. RAND Europe was commissioned to conduct the review last year.

Their study has concluded that the Directive needs to be updated to reflect the global information society of the 21st century. Whilst the report acknowledges that the Directive has harmonised data protection across the EU, there is a general consensus that it is too burdensome and no longer addresses the current risks to personal information brought about by advances in technology.

Information Commissioner, Richard Thomas, said:

“The Directive is showing its age. Modern approaches to regulation mean that laws must concentrate on the real risks that people face ... must avoid unnecessary burdens, and must work well in practice ... Organisations must embed privacy by design and data protection must become a top level corporate governance issue ... Safeguarding personal information has become a major reputational issue for businesses and governments. They must be held accountable if things go wrong. This study is not meant to be an immediate blueprint for a new Directive.”

Recommendations from the report include:

- making the law and its aims clearer;
- focusing on the accountability of organisations for protecting the personal information they process;
- adopting a more strategic approach to enforcement; and
- improving the mechanisms for transferring data outside the EEA.

The ICO is hoping that the study will stimulate a debate about how to modernise the Directive.

A copy of the report is available at: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/review_of_eu_dp_directive.pdf

A report summary is also available at: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/review_of_eu_dp_directive_summary.pdf

UNITED STATES

FTC releases proposed breach notification rule for e-health data

Under the requirements of the American Recovery and Reinvestment Act 2009 (ARRA), the Federal Trade Commission (FTC) has released a rule for public comment which requires organisations to notify customers if their information has been breached. The ARRA includes provisions to help advance the use of technology for processing health data and strengthening the privacy and security requirements for such data. In doing so, the Act recognises the emergence of web-based services used to collect, store and manage sensitive health data. (See also in this issue, HIPAA privacy and security changes in the American Recovery and Reinvestment Act, by ReedSmith.)

The ARRA requires the FTC, alongside the Department of Health and Human Services, to conduct a study on the potential privacy, security and breach notification requirements for vendors of health information and any related organisations. The study and subsequent report must be released by February 2010. The proposed rule



is an interim measure until the study and report have been completed. In addition to security breach notification requirements, there are also requirements governing the timing, type and content of the notification, and organisations must inform the FTC if a breach occurs.

The FTC is accepting public comments on the rule until June 1, 2009 and these comments can be filed at https://secure.commentworks.com/ftc-healthbreachnotification

More information is available from the FTC at: http://www.ftc.gov

FTC delays enforcement of Red Flags Rule

The Federal Trade Commission (FTC) is to delay enforcing the Red Flag Rules until August 1, 2009. The delay is to give financial institutions more time to develop their prevention policies and procedures. The FTC is also set to release a template for organisations with a low risk of identity theft, for example, those that know their customers personally.

FTC Chairman, Jon Leibowitz, explained the delay, saying:

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further.”

For more information and guidance about the Red Flags Rule, read: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm or visit: http://www.ftc.gov/redflagsrule

Government research shows privacy notices should be in a table format

A study by the US government has found that customers of financial institutions understand privacy notices better when they are displayed in a table rather than as solid text.

The Gramm-Leach-Bliley Act requires organisations providing financial services to provide privacy notices to their customers. Researchers were commissioned by the US government to examine the effectiveness of current privacy notices in conveying the relevant information to customers. They questioned 1000 people about privacy notices, giving them a sample set of notices to review. The notice in table format was voted the best for communicating the relevant information most effectively.

The research and report is available from: http://www.ftc.gov/privacy/privacyinitiatives/Levy-Hastak-Report.pdf



Personal Data

EC guidelines for data transfers to countries outside EEA: use with caution

By Dominic Hodgkinson, Solicitor and Correspondent, Calleja Consulting Ltd.

The European Commission has published a series of flowcharts and FAQs on the transfer of personal data from the European Economic Area (EEA) to countries outside the EEA to assist small and medium sized enterprises (SMEs) to ensure that they transfer such personal data in accordance with EU data protection law.

EU data protection law, data transfer and the Guidelines

The Data Protection Directive (95/46/EC) regulates the use (and abuse) of individuals’ personal data. The Directive includes a prohibition on transferring personal data from inside the EEA to outside the EEA except where a permitted method is used. Generally, businesses can find the transfer regime complex, so the Commission (which is also in charge of ensuring that each Member State implements and enforces the Directive correctly) has published a series of FAQs and flow-charts to help small and medium sized enterprises determine whether they are caught by the Directive and, if so, how they can transfer personal data in accordance with the Directive.

Guidelines’ round-up of the EU personal data transfer regime

The flow-charts and FAQs are intended to help companies identify:

- whether they are dealing with personal data – the Directive only applies to personal data;
- whether the purpose of the transfer is compatible with the original purpose for which the personal data were collected – if not, the transfer is prohibited;
- whether the data transfer is inside the EEA – this is acceptable and the company need not consider the data transfer regime any further;
- whether the data transfer is from inside the EEA to a country outside the EEA (a ‘third country’) – this will be acceptable only if:
  - the country is a ‘recognised third country’ – this means that the Commission recognises that the country in question has adequate data protection laws – to date, only six countries¹ have been recognised;
  - the company to which the data are being transferred is a US company that is also a member of Safe Harbor – Safe Harbor is a scheme set up by the US Federal Trade Commission and the European Commission which US companies can join if they promise to observe data protection principles broadly equivalent to those stipulated in the Directive;
  - a permitted method is used by the EEA-based entity transferring the data – these include appropriate contractual clauses, Model Contract Clauses (MCC) and Binding Corporate Rules (BCR) for use between the companies transferring and receiving the data; appropriate contractual clauses and MCC are for use between EEA-based entities and unconnected third parties while BCR are for use between companies in the same group, but they both have the same result – the companies transferring and receiving the data undertake to ensure that the Directive is not infringed;
  - a permitted derogation applies – this includes, for example, where the individual gives his clear, free and specific consent.

Complexities not addressed by the Commission’s Guidelines document

The Directive’s regime is more complex than the Guidelines’ flow-charts and FAQ indicate, so SMEs should consider the following when using the Guidelines:

- the Guidelines state on the front page that “they do not have any legal value and do not necessarily represent the position that the Commission may adopt in a particular case”;
- the Guidelines do not address the topical problem of ‘what is personal data?’ – as stated, the Directive only applies to personal data; personal data is defined in the Directive as ‘any information relating to an identified or identifiable natural person’; this is a very broad definition and companies should take care to ensure that they are not processing and transferring personal data without knowing it; an example where this could happen is IP addresses, which global and online companies may process and transfer as part of their business model – however, the Article 29 Working Party in its paper ‘On the Concept of Personal Data’ (issued June 20, 2007) stated that IP addresses may be personal data and that the purpose for which such data is processed is a relevant factor in determining if the IP address is personal data;
- the Guidelines do not resolve the problem inherent to all Directives – while EU regulations are incorporated into Member States’ legislation ‘as is’, there is no such


harmonised method to incorporate directives into Member States’ legislation; accordingly, each Member State incorporates directives into its legislation with slightly different rules and sanctions to any other Member State; as far as the Directive goes, for example, Spain requires companies to notify their use of Model Contract Clauses while the UK does not, France’s sanctions for infringement of the Directive are heavier than the UK’s, Germany requires all companies with more than nine employees to have a data protection officer, and the notification regimes where personal data is compromised in a third country may differ from Member State to Member State – all of this tends to devalue the usefulness of any EU overview;
- the Guidelines’ round-up of Binding Corporate Rules for use between companies in the same group does not properly convey the complexity, time and cost that are entailed in securing the appropriate approvals before a company can use the BCRs as a permitted method to transfer personal data to a group company based in a third country.

Conclusion

The EU data protection and data transfer regime is not a simple regime. The Commission’s Guidelines document is a positive move by the Commission to try to answer questions that SMEs without the benefit of a General Counsel might ask.

However, the Guidelines do tend to gloss over the more complex areas of data protection and data transfer. Furthermore, because there is no harmonised method to incorporate directives into each Member State’s legislation, it follows that although the Guidelines are a useful overview of the EU regime they are clearly of limited use to a company whose business model incorporates multiple EU entities and multiple data transfer processes to third countries – such a company should take legal advice on a Member State by Member State basis to ensure that it is not infringing the data transfer regime applicable to each individual Member State.

The Commission would no doubt reply that the Guidelines are not for the use of such an intricate organisation – the document clearly states that they are intended to ‘particularly’ assist SMEs’ understanding of the regime. But therein lies the problem – the Guidelines gloss over the complexities of data protection so should be used with caution by SMEs.

The FAQs are available at: http://ec.europa.eu/justice_home/fsj/privacy/docs/international_transfers_faq/international_transfers_faq.pdf

NOTES

1 Argentina, Canada, Switzerland, Guernsey, Isle of Man, Jersey

E-Discovery: US and EU conflicts

By Renzo Marchini, Pierre-M Louis, Anthony Paronneau, Jonathan Schur and Jean-Yves Steyt, Dechert LLP.

The Article 29 Working Party¹ has recently considered the issue of the application of the EU data protection Directive (95/46/EC, the “Directive”) to the transfer of data outside of the EU for the purposes of pre-trial discovery obligations abroad; in particular in the US. The conflict between a multinational’s obligations to give discovery or disclosure under US civil procedure rules when litigating in the US and its obligations (through any EU presence) to comply with the requirements under the Directive has been a concern for some time. The Working Party’s paper² (published in February) will be helpful to those seeking to comply with both sets of obligations.

The conflict which arises for multinational companies with operations in both the USA and the EU is the apparent inconsistency between the American and European approaches to the movement of data. The US approach to pre-trial disclosure (or ‘discovery’, to give it its American term) in litigation is one area where a conflict arises³, and is increasingly prominent. The most recent Federal Rules of Civil Procedure, in common with their previous incarnations, allow a party to litigation to serve on another party a request that they be allowed to inspect any information which is in that party’s possession, custody or control. This information need only be “relevant to any party’s claim or defence”, and US case law has developed this further: the common law duty of companies to preserve information in contemplation of litigation extends even to information that, while not relevant in itself, may lead to the discovery of admissible evidence. The key point is whether it is “reasonably likely” to be the subject of discovery in litigation.

The common law US system and the civil code systems on which the law of most members of the EU is based do not approach litigation and its attendant obligations in the same way, and this has resulted in a disconnect between the requirements of the US courts for litigants to provide information (which might contain personal data) and the requirements of EU Member State law relating to the processing of personal data. The issue is particularly relevant for US companies who have subsidiaries in Europe which are in possession of documents relevant to US litigation (and so discoverable as they are “controlled” by the US entity which is party to the litigation). The US courts take discovery extremely seriously and have so far not been entirely sympathetic to parties

Renzo Marchini (solicitor, London), Anthony Paronneau (avocat, Paris), Jonathan Schur (avocat and member of the Paris and New York Bars, Paris), Pierre-M Louis (avocat, Brussels) and Jean-Yves Steyt (avocat and member of the Brussels, Amsterdam, and New York Bars, Brussels) can all be reached on +44 (0)20 7184 7000. The authors acknowledge the contributions of Philip Yanella of the Philadelphia office and Edward Green of the London office.

attempting to excuse a failure to comply with discovery requirements on the grounds of EU restrictions, even when those restrictions have been supplemented by so-called “blocking statutes” and the potential criminal penalties which some individual EU Member States provide.

These US discovery requirements are now specifically applied to electronic data, which is unsurprising since, according to the Advisory Committee on Civil Rules in the US, 92 percent of all information generated today is in electronic form. The ease with which electronic data may now be transferred means that it may be held in Europe and still subject to the discovery requirements of US law.

The Directive and the issues raised

While the US sector-specific approach to offers protection to specific classes of data such as medical information or financial information, the definitions in the Directive extend protection to a very wide notion of “personal data” (any information “relating to” an identified or identifiable individual). The Directive applies whenever an entity “processes” personal data, and “processing” covers any set of operations performed on that data including (irrespective of a transfer outside of Europe) disclosing the information to an adversary in the event of litigation.

Legitimising condition

One of the fundamental tenets of the Directive, and the first issue to be considered in connection with a discovery exercise involving the US, is that any processing of personal data is only permitted if one of the conditions set out in Article 7 is fulfilled in relation to that processing.

Transfers of personal data

The last, and most often discussed, issue for US discovery which arises under the Directive is Article 25(1), which prohibits the transfer of personal data to any country or territory outside the EU (a ‘third country’) unless the third country “ensures an adequate level of protection” for the rights and freedoms of those individuals whose personal data is being transferred. The US generally does not offer such a level of protection (at least, to European eyes).

EU blocking statutes and other restrictions, and the US attitude

Some (mainly civil law) EU jurisdictions have laws (so-called “blocking statutes”) which, apart from data protection law, also restrict cross border disclosure. There is little uniformity in how these laws operate; the relevant laws in France are summarised below. They can lead to criminal sanctions if breached.

The US courts have so far not accepted such provisions as providing a defence against discovery in relation to US litigation. A US court may order a person subject to its jurisdiction to produce evidence even if the information is not located in the United States⁴, and the existence of any blocking statute is only one factor to be considered by the court and would not generally provide a defence in itself. It is important to note that the US courts consider that if the company is subject to US law and possesses, controls, or has custody or even has authorised access to the information from the US territory (via a computer) wherever the data is “physically” located, US law applies without the need to respect any international convention such as the Hague Convention.

The Working Party points out that the US courts require a balancing exercise to be carried out with the aim that a party’s request for production of information located abroad should only be allowed after weighing up a number of issues including the importance of the information requested, the degree of specificity, whether the information originated in the US, whether there are alternative means of securing the information, and whether non-compliance would undermine the interests of the US or compliance with the request would undermine the interests of a foreign sovereign nation.

Hague Convention

Requests for information may in many Member States be made through the standard procedure set out in the Hague Convention on the taking of evidence abroad in civil and commercial matters. The Working Party clearly advances the view that evidence should be obtained only through this process. The US by contrast sees the process as optional as opposed to mandatory.

Moreover, as will be seen below, some Member States have expressly provided that they will not execute “letters of request” which are issued by foreign (in our case, US) courts for the purposes of obtaining pre-trial discovery of documents.

Recommendation of the Article 29 Working Party

The stated aim of the recent Working Party paper⁵ is to provide guidance to EU data controllers in dealing with requests to transfer personal data to another jurisdiction for use in civil litigation. Whilst it recognises that the Directive does not prohibit such transfers, it does adopt a cautious approach while at the same time recognising the need to reconcile the two systems.

The Working Party takes the view that discovery should if possible be restricted to anonymised (or pseudonymised) data. Anonymisation (if not pseudonymisation) neatly circumvents the restrictions on the processing of personal data by ensuring that no personal data (by the Directive’s definition) is being processed⁶. However, this will often not be possible and so other ways to legitimise the transfer must be found. The Working Party makes it clear that the data controller has a duty to limit the discovery of personal data to that which is objectively relevant to the issues being litigated. This filtering should be carried out locally before any transfer takes place.

20 05/09 Copyright © 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579 Personal Data

Legitimacy

As mentioned, irrespective of transfers outside of Europe, a ground for disclosure per se needs to be found as set out in Article 7 of the Directive. The Working Party helpfully considers in detail these potential grounds for the processing.

The most obvious to consider first is Article 7(a) – the consent of the data subject. However, the Directive definition of consent contains the requirement that it be "freely given, specific and informed". The Working Party certainly feels that it is not generally possible for employees to give consent for their employer to transfer the data because of fear of a sanction from the employer if they refuse; as such, any consent from an employee is not – they say – likely to be "freely given"[7]. Likewise, to be "specific" and "informed" a particular act of processing must be envisaged (and thus a general consent obtained, say in an employment or other contract, would not suffice).

As such, the Working Party considers that in most cases consent is unlikely to provide a good basis for processing.

The basis for processing under Article 7(c), compliance with a legal obligation, is also regarded by the Working Party as less reliable than it may appear. Compliance with a foreign legal obligation (in this case, the US code on civil procedure) may not qualify as a sufficient legal obligation to legitimise data processing; the "legal obligation" (most likely[8]) has to be one imposed by a Member State.

However, in some Member States there may be a legal obligation, which as an internal obligation would qualify under 7(c), to comply with an Order of Court in another jurisdiction seeking discovery. A prominent example of this would be a requirement under the Hague Convention.

The final basis for processing data which the Working Party considers is Article 7(f), allowing compliance with a discovery request if it is necessary for the purposes of a legitimate interest pursued either by the data controller or by the third party to whom the data is disclosed (as long as the legitimate interest is not overridden by the rights of the data subject). This results in a "balance of interests" test, looking at proportionality, the relevance of the personal data to the litigation, and the potential consequences for the data subject. Using this as a basis will be easier if the data being transferred has been carefully filtered for relevance; and given the requirement of "necessity" it should be easier to fulfil that test if data is pseudonymised[9]. As will be seen below, it is indeed this condition which is most likely to apply in any Member State.

Transparency

Articles 10 and 11 of the Directive require information to be given to data subjects when their personal data is processed, respectively when collected directly from the individual (Article 10) or from a third party (Article 11). The information to be provided includes in either case the purposes for which the data will be processed. The Working Party notes, therefore, that general notice about the possibility of the data being processed for litigation should be given. Should the data actually be processed for litigation purposes, the subject should be informed of this, together with their right to object to any processing (set out under Article 14). The Directive provides an exception where there is a "substantial risk" that notifying the data subject would jeopardise the ability of the litigating party to investigate properly, as well as any exceptions in the laws of individual Member States.

Data security

In accordance with Article 17 of the Directive, data controllers must take all reasonable precautions to ensure the security of personal data. Transfers for the purposes of discovery therefore require the extension of this requirement to the parties who will be handling the data – generally the law firms involved. Somewhat surprisingly, perhaps, the Working Party seems to take the view that litigants can impose security standards on foreign courts: "This would also include a requirement for sufficient security measures to be placed upon the court service in the relevant jurisdiction as much of the personal data relevant to the case would be held by the courts for the purposes of determining the outcome of the case."

It is perhaps unrealistic to expect a US litigant to obtain, say, an undertaking from a US court as to appropriate security!

Transfers to third countries

As mentioned above, Article 25(1) of the Directive generally prohibits the transfer of personal data to a country (including the US) which does not ensure an adequate level of protection.

An issue under this Article will obviously arise as a result of the transfer from the EU entity to its US affiliate which is engaged in the litigation (or to legal representatives if the EU entity is directly engaged in the litigation). However, it will also arise as a result of the disclosure by the US affiliate to the litigation opponent or even simply to a consultancy providing e-discovery services.

Where the third country is not generally considered to provide the proper level of protection, an adequate level of protection can equally be assured by some other well established grounds, and the Working Party recommends that the data only be transferred to the US on one of the following grounds:

1. Where the recipient is part of the US Safe Harbor Scheme[10];

2. Where the recipient has entered into a transfer contract with the EU company transferring the data which provides for adequate safeguards (such as the EU model contracts[11]); or

3. Where the recipient is a member of a group which has in place a set of "binding corporate rules" which have been approved by the relevant data protection authorities.


These mechanics, however, as is well known and often criticised, generally do not allow further onward transfers and so do not obviously deal with the ability of the US litigating entity to give discovery to its opponent. Taking these three mechanics in turn: first, the Safe Harbor "onward transfer" requirement stipulates that an onward transfer (i.e. the discovery itself) can only happen if the opponent is part of Safe Harbor or agrees to sign a contract! Next, the US litigating entity may have signed a controller-to-controller set of clauses with its EU exporting affiliate. The original set of clauses only allows onward transfers either on consent of the data subjects or on the further recipient themselves signing up to the clauses. Lastly, binding corporate rules are simply inappropriate given that it is unlikely that the opponent in the US litigation will be in the same group.

The Working Party state that "[w]here a significant amount of data is to be transferred the use of Binding Corporate Rules or Safe Harbor should be considered" but do not discuss how the difficulties just mentioned can be overcome. They might perhaps be imagining that the adversary to the litigation may agree to joining Safe Harbor or signing model contracts. This may well be true if the problem is a mutual one, but otherwise seems unrealistic. And the US courts are unlikely to compel the adversary to perfect such mechanics.

All is not lost, however, for the EU entity that wants to comply with US discovery laws! Article 26(1)(d) provides a potential derogation from the Article 25 requirements where the transfer is necessary for the "establishment, exercise or defence of legal claims". Whilst this ground is somewhat relegated in importance by the Working Party, it does seem to present the only realistic ground in the Directive (subject to the detail of national implementations) under which a transfer can take place. As will be seen below, this is an important consideration certainly in the UK and France; in the latter jurisdiction after navigating the blocking statute issues.

Individual Member States

As previously noted, the problem is exacerbated by the fact that Member States have adopted different approaches to cross-border transfers of personal data, both under the Data Protection Directive and under the Hague Convention, and in addition by the variance in approaches to the issue of blocking statutes. In this section we set out the position in a sample of Member States (both common law and civil law jurisdictions).

Belgium

Discovery does not exist as such in Belgium, except for the "discovery lite" procedure laid down in articles 877 and following of the Belgian Judicial Code ("BJC"). Pursuant to these provisions, the Court may, at the request of a party, enjoin another party in the case or even a third party to produce a specific, identified document sustaining specified issues. This decision is left to the discretion of the Court and cannot be appealed (art. 880 BJC). Apart from this narrow exception, US-style "fishing expeditions" are therefore not possible before a Belgian Court.

Furthermore, contrary to the usual situation in common law countries, non-compliance with an order to produce a specific document does not constitute a contempt of court nor can it lead to the imposition of a fine, but it can lead to the payment of damages (art. 882 BJC). However, as a less efficient alternative, the requesting party may request the Court to also order a periodic payment penalty ("astreinte") to ensure the production of the relevant document. If a party decides not to produce the document notwithstanding the order, the Court may, in addition, take the failure to comply with its order into consideration during its decision-making process, by deducing all relevant consequences therefrom.

With regard to foreign procedures, Belgium does not (unlike some other civil law countries) have a general blocking statute preventing documents being transferred abroad for the purposes of pre-trial discovery. However, specific regulations may contain a limited prohibition to disclose information as part of legal proceedings abroad. This is for example the case of the Act of 15 September 2006 on the Protection of Economic Competition, which gives the Government (technically, the King) the possibility of adopting measures that prohibit companies transferring, under certain conditions, certain non publicly available information to foreign governmental entities. A similar prohibition is contained in the Act of 27 March 1969 on the Regulation of Sea and Air Traffic.

In line with applicable EU law, the Belgian Data Protection Act of 8 December 1992 ("BDPA") and its implementing Royal Decrees restrict the transfer of evidence, such as emails, that contain personal data.

Taking the main issues which arise under the Directive and are mentioned above in turn:

• It is likely to be possible to legitimise the disclosure of data under the Belgian equivalent of either of two grounds. It might be possible to obtain the informed consent of the data subject (art. 5.a BDPA, the Belgian equivalent of Article 7(a) of the Directive). Alternatively, and generally as a result of the Working Party's criticism of the consent route mentioned above, a disclosing litigant might be more likely to seek to rely on the Belgian equivalent of the "balance of interest" test in Article 7(f) of the Directive (namely, art. 5.f BDPA).

• The provision during pre-trial discovery of the special categories of data mentioned in Article 8 of the Directive ("sensitive" data), such as health data, is possible under the "defence of legal claims" exception under article 7.i BDPA provided that it must be "necessary for the establishment, exercise or defence of legal claims". Belgian law will also require a balance of the conflicting interests to be struck by the controller.

• The Directive prohibition to transfer personal data to countries that do not ensure an adequate level of protection is implemented in article 21 §1 BDPA. The exemption to this prohibition laid down in article 26(1)(d) of the Directive (when necessary for "the establishment, exercise or defence of legal claims") has been literally transposed in article 22 §1, 4 BDPA.

• The information requirements under articles 10 and 11 of the Directive were implemented by articles 9 and 10 BDPA. Article 9 §2 BDPA, read in combination with article 30 of the Royal Decree of 13 February 2001, provides an exemption from these information requirements when it is impossible or if it would require "disproportionate efforts" to inform the data subject(s). An opinion given by the Belgian Privacy Commission in 1999 (Opinion 25/99, p.5) states that it may be disproportionate (subject to the specific circumstances) when a large number of data subjects are involved. However, this consideration has to be seen in the context of the sensitivity of the personal data at stake.

France

France has always been reluctant to allow what it views as denials of its territorial sovereignty and treats discovery as no more than real fishing expeditions. The fact that this could occur at a pre-trial stage renders discovery even more unacceptable. As a consequence, and when trying to respond to perceived abuses mainly originating from the United States, France enacted, in July 1980, Law n° 80-538 (the "1980 Law") which provides that "subject to treaties or international agreements and the laws and regulations in force, it is prohibited for any person to request, seek or communicate, in writing, orally, or otherwise, economic, commercial, industrial, financial or technical documents, or information leading to the constitution of evidence with a view to foreign judicial or administrative proceedings or in the context of such procedures"[12] – its "blocking statute". Cross-border data transfers for production in a US judicial or administrative proceeding violate the 1980 Law and create potential criminal liability, unless an exception applies. There is no exception for voluntary compliance (even with the consent of all data subjects with respect to the transfer of their personal data), nor for disclosure of documents intended to defend against a claim.

The 1980 Law is intended to force US litigants to use the provisions of the Hague Convention, hence the exceptions for "treaties or international agreements". In the event that the Hague Convention procedures cannot be followed, it may still be possible to refer to other international treaties or agency-to-agency agreements as a basis for an exemption request to the French authorities or to work out ad-hoc arrangements with the French authorities[13]. In such cases, the provisions of Law n° 78-17 (the "1978 Law") which implemented in France the principles of the Directive would have to be complied with. Dealing with the issues which arise under the Directive:

• Under Article 7 of the 1978 Law, it is possible to legitimise the disclosure of personal data[14] without the consent of the data subjects. The most relevant one (as in Belgium) is Article 7(5), the equivalent of the "balance of interest" test in Article 7(f) of the Directive.

• It is also possible to transfer personal data abroad. Article 69 of the 1978 Law contains a litigation exemption when the transfer of personal data is necessary or legally required for "the establishment, exercise or defence of legal claims" (which is of course the equivalent to Article 26(1)(d) of the Directive).

• However, Article 32 of the 1978 Law still requires information (including the purpose for which the personal data is collected) to be given to data subjects when their personal data is processed, when collected or prior to their transfer, subject to certain limited exceptions which are not helpful in civil pre-trial discovery[15].

Until recently, potential criminal sanctions associated with the breach of blocking statute provisions were viewed as theoretical[16] as no person had ever been prosecuted under the 1980 Law. On December 12, 2007, the French Supreme Court[17] applied the provisions of the 1980 Law and ordered a French attorney to pay a fine of €10,000 for violation of the blocking statute. In this case, at the request of a US lawyer, a French attorney had sought from a former board member of a defendant information regarding how board decisions were taken, without using the means for gathering evidence provided by the Hague Convention. According to certain authors, this case shows the willingness of the French Supreme Court to apply the provisions of the 1980 Law strictly, perhaps in the hope of forcing US courts to reconsider their position.

The Netherlands

Discovery as known in common law does not exist in general in the Netherlands due to the reluctance to allow "fishing expeditions". However, as in Belgium, a party may request a Court to require the production of a specific document by another party in the case or by a third party who has such document at its disposal or in its custody[18]. The court has an element of discretion here and the possibility is not always available.

With regard to foreign procedures, the Netherlands do not have a general blocking statute preventing documents being transferred abroad for the purposes of pre-trial discovery, although limited prohibitions may exist in specific fields[19].

In accordance with EU law, the Dutch Personal Data Protection Act of 6 July 2000 ("PDPA") and related regulations restrict the transfer of evidence that contains personal data (including emails). Dealing with the issues which arise under the Directive:

• As in other Member States, the disclosure to a third party of personal data for the purposes of legal proceedings is possible under the PDPA if the data subject has unambiguously given his consent[20] or under the Directive "balance of interest" test[21].

• However, in accordance with the Directive, under article 16 of the PDPA the processing of "sensitive" personal data is subject to a stricter regime. As confirmed by the "Guidelines for personal data processing" of the Dutch Ministry of Justice, processing of this data is prohibited unless a specific exemption applies, and these include where the processing is necessary for the establishment, exercise or defence of a right in law.

• When discovery involves transfer abroad to a country which does not ensure an adequate level of protection, the Directive prohibition can also be dealt with by an applicable litigation exemption[22].

• The Dutch equivalents of the information requirements[23] set out in articles 10 and 11 of the Directive do not apply if it appears to be impossible to provide the required information to the data subject or if it would involve a disproportionate effort to provide it[24]. A further exemption exists under article 43 PDPA; the information requirements may be dispensed with to protect a person's or an entity's rights.

United Kingdom

In the UK, the Data Protection Act 1998 ("DPA") has implemented the principles of the Directive, adding (as permitted by the Directive) some additional provisions which make cross-border discovery easier. Exemptions for transfers for the purposes of legal proceedings have been added to the rules on cross-border transfers and many of the other data protection principles, making it more likely that transfers to the US for the purpose of discovery will be permitted and reducing the likelihood that it will be necessary to inform the data subject of such transfers.

Taking the main issues which arise under the Directive and mentioned above in turn:

• As with France and Belgium, it is likely to be possible to legitimise the disclosure of data under the UK equivalent of Article 7(f); namely, paragraph 6 of Schedule 2 of the DPA. The UK courts are clearly comfortable with the discovery process (albeit it is rather wider in the US than in the UK).

• The information requirements under Articles 10 and 11 of the Directive to inform the data subject of the purposes for which their data will be disclosed, and potentially to whom the disclosure will be made, are implemented as part of the first of the "data protection principles" set out in Schedule 1 of the Act and in particular in the interpretative paragraphs 1 to 3 of Part II of that Schedule. However, UK law contains a wide exemption which would be applicable to these requirements. In particular, s.35(2) of the DPA contains an exemption from the requirement to comply with certain of the data protection principles (including the first principle relevant here) where a disclosure is necessary in connection with legal proceedings, for the purpose of obtaining legal advice, or for the purposes of establishing, exercising or defending legal rights.

• Likewise, Article 25 of the Directive is implemented in the UK as the eighth "data protection principle". The UK has in Schedule 4 of the DPA set out a number of exemptions to this principle including where the transfer is for use in legal proceedings and in cases of "substantial public interest".

A recent case before the English courts has demonstrated how these exemptions work in practice in relation to the transfer of personal data to the US. In Re Madoff Securities International Ltd [2009] EWHC 442 (Ch), the joint provisional liquidators of an English company forming part of Bernard Madoff's alleged Ponzi scheme empire applied to the court for directions allowing the transfer of data to the American trustee in bankruptcy concerned with the liquidation of Madoff's American company[25]. The transfer could potentially have contravened the eighth data protection principle (i.e. Article 25). However, the judge considered that the need to unravel the details of such a massive fraud meant that the transfers of information would be justified "for reasons of substantial public interest" according to the exception in Sch 4 para 4(1) of the DPA (i.e. the equivalent of "public interest grounds" in Article 26(d)). In addition, the likelihood of legal proceedings in the unravelling of the fraud meant that the exemptions for legal proceedings and legal rights in Schedule 4 para 5 also applied (also reflecting a derogation in Article 26(d)). The judge therefore granted an order permitting the transfer of specified personal information to the US.

It is worth noting, however, that the judge refused to grant the second part of the requested order, which would have given the joint provisional liquidators the power to disclose further unspecified information as they considered it necessary. It was not the court's intention, he remarked, to make blanket orders without knowing what was being authorised.

Comments, practical tips and concluding remarks

Some of the guidelines will be viewed with concern by US litigators and seem to show no real understanding of the reality of conducting litigation in the US.

For example, take the idea that the transparency requirements in the Directive imply that specific notice should be given to individuals that their personal data is being disclosed as part of discovery to an adversary. It is not inconceivable that in, say, a contractual dispute the US courts would require a full disclosure of email exchanges involving the litigating parties, and not uncommonly this may run into the thousands. Given the width of the definition of "personal data"[26], such a quantity of emails is likely to contain the personal data of many individuals (all senders, receivers (including those to whom it has been copied), and potentially all individuals simply mentioned). The Working Party's view would have the parties identify all those individuals, identify precisely whether any individual's personal data is in fact included, and then would require that a notice be given to them (once they have been located) of the fact of discovery to a particular adversary. Moreover, they are to be given a right to object! Clearly, impractical and unrealistic. Whether this is a problem or not will depend upon the country: the litigation exemptions available in the UK and the exemptions in Belgium and the Netherlands (all mentioned above) may well apply in this scenario[27], but it seems not in France.

In short, whilst the working document is welcome as showing an awareness of the problems, at a Directive level at least there is little that the Working Party say

which is helpful in navigating them. The issue is primarily one of implementation in the various Member States. As shown from the position in the UK and France (once the blocking statute issue has been navigated), it is certainly open to Member States to have wide litigation exemptions which remove a great deal of the conflict which might otherwise have existed. Indeed, when there is a blocking statute that will inevitably provide a greater hurdle.

Finally, the Working Party does recognise that this is only the beginning of a debate; they expressly invite a public consultation and dialogue with interested parties (although nothing formal appears to be suggested).

NOTES

[1] The Article 29 Working Party (set up, as its name suggests, under Article 29 of Directive 95/46) is the group of each of the data protection authorities of the (now) 27 Member States who meet to issue opinions and attempt to ensure as far as they can a harmonious interpretation of directive issues by the regulators.

[2] Working Document 1/2009 on pre-trial discovery for cross border civil litigation (WP 158 of February 11, 2009).

[3] Another area which presents a similar compliance problem is in the whistleblowing requirements of the US Sarbanes-Oxley legislation, and the attitude to such requirements by some European Member States. See Working Party Opinion 1/2006.

[4] The Restatement (Third) of Foreign Relations Law of the United States no. 442.

[5] See note 2.

[6] As to whether pseudonymisation can lead to the disapplication of the Directive rules, see the Article 29 Working Party paper Opinion 4/2007 on the concept of personal data (WP 136 of June 20, 2007).

[7] See further Working Party paper 114 ("Working document on a common interpretation of Article 26(1) of Directive 95/46/EC") where at paragraph 2.1 they state: "Valid consent in such a context means that the employee must have a real opportunity to withhold his consent without suffering any harm, or to withdraw it subsequently if he changes his mind."

[8] This is not dealt with at any length in this opinion, but in its opinion on whistleblowing hotlines imposed by Sarbanes-Oxley the Working Party said "...an obligation imposed by a foreign legal statute .....may not qualify as a legal obligation by virtue of which data processing in the EU would be made legitimate. Any other interpretation would make it easy for foreign rules to circumvent the EU rules laid down in Directive 95/46/EC". See "Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime" WP117 of February 1, 2006. Similar sentiments have been expressed in other contexts.

[9] If data is (properly) anonymised, of course, the Directive would simply not apply as the data would no longer be "personal data".

[10] http://www.export.gov/safeharbor/eg_main_018236.asp

[11] The US litigating entity will likely be a data controller and so it could sign one of the two sets of approved controller to controller clauses in the Annex to Decision 2001/497/EC.

[12] The sanctions provided for non-compliance with the prohibition are imprisonment up to six months and/or a fine up to €18,000 (Article 3 of the 1980 Law).

[13] This interpretation is confirmed in the response of the French Minister of Justice dated September 28, 2005 to the French Data Protection Authority, in relation to the transfer of data to the United States in the context of discovery procedures.

[14] Article 7 of the 1978 Law.

[15] Article 32 does not apply to the processing of personal data whose purpose is to prevent, investigate or prove criminal offences.

[16] Partenreederei M/S "Heidberg" v Grosvenor Grain and Feed Co [1993] 2 Lloyd's Rep 324.

[17] C.Cass., December 12, 2007, n° 07-83228 (Executive Life).

[18] The Dutch Code of Civil Procedure (especially art. 843a).

[19] For example in the case of the former article 39 of the Dutch Law on Economic Competition.

[20] Article 8.a, PDPA.

[21] Article 8.f, PDPA.

[22] Article 77.1.d PDPA.

[23] Articles 33 and 34 PDPA.

[24] Article 34.5 PDPA.

[25] Under s. 112 of the UK Insolvency Act 1986 a liquidator can apply to the court "to determine any question arising".

[26] At least as expounded by the Working Party in WP 136 (cited at footnote 6).

[27] Even if the UK didn't have this exemption, one suspects that this issue would be less of a concern in the UK given that, as the law presently stands following the judgment of the UK Court of Appeal in Durant v Financial Services Authority ([2003] EWCA Civ 1746), the UK takes a narrower view of the definition of "personal data" than the Working Party propounds in WP 136.

Why employee consent might not do the trick

By Dr. Michael Schmidl, Maître en Droit, LL.M. Eur.

Dr Schmidl is a partner of Baker & McKenzie Partnerschaft von Rechtsanwälten, Solicitors und Steuerberatern, Munich and member of the firm’s Information Technology Group. Dr. Schmidl is a specialised attorney for IT-Law and a lecturer for Internet law at the University of Augsburg. The author may be contacted at: [email protected].

It does not matter whether one tries to come to grips with European privacy legislation by means of reading the European Data Protection Directive 95/46/EC (“Directive”) or by studying the various EU Member States’ privacy laws implementing the Directive.

The basic rule, also applicable in the employment relationship, that a permission is needed prior to any collection, processing (this includes transfers) or use of personal data can be found everywhere.

The laws implementing the Directive, in Germany the Federal Data Protection Act (“FDPA”), provide for statutory permissions and also consent in order to justify the necessary collection, processing or use of personal data.

As regards statutory permissions the collection, processing or use of personal data is inter alia admissible,

• if this is necessary for the performance of the employment contract (cf. Sec. 28 (1) 1st sentence no. 1 FDPA); or

• if the employer/a third party has a legitimate interest in the collection, processing or use and the interest of the employer prevails after a weighing of interests or

05/09 World Data Protection Report BNA ISSN 1473-3579 25 Personal Data

(in the case of a third party’s interest) there is no reason to assume a conflicting interest of the employee (cf. Sec. 28 (1) 1st sentence no. 2/(3) no. 1 FDPA).

For transfers of personal data to recipients outside the EU/EEA according to Secs. 4b, 4c FDPA there is the additional requirement for the data exporter (i.e. usually the employer) to make sure that the recipient provides for an adequate level of data protection (e.g., by signing an adequate Model Contract) or is located in a jurisdiction which the European Commission has found to provide an adequate level of protection.

Faced with these requirements and the related analyses (necessity for performance of employment relationship, legitimate interest, weighing of interests etc.) companies quite frequently turn to employee consent, which seems to be a comparably simple solution for both levels of privacy compliance, i.e. the admissibility of the measure as such and the creation of an adequate level of data protection.

Employee consent, worded in the broadest possible form, is then asked for already on the occasion of the conclusion of the employment contract, for example in the form of an attachment to the contract, or at a later stage, when the need for international data transfers arises for the first time.

On such basis, the collection, processing and use, even of sensitive data, is deemed to be possible without any restrictions.

This approach, however, ignores the following limitations for employee consent that might lead to the absence of a valid justification mechanism and entail substantial organisational, financial and penal risks:

1. The consent of the employee is normally not given voluntarily. It therefore can only come into consideration in exceptional cases in order to justify the collection or the processing of personal data (cf. Working Paper No. 114 of the Article 29 Working Group of November 25, 2005);

2. In the case where the collection, processing and use of data is admissible because it is necessary for the execution of the employment contract, it is misleading and inadmissible to obtain the consent of the employee additionally (cf. Working Paper No. 48 of the Article 29 Working Group of September 13, 2001) – the employee might be led to believe that he would endanger the execution of the employment contract if he does not give or revokes his declaration of consent;

3. In case employees revoke their declaration of consent, which they are free to do at any time, all measures undertaken on the basis of such declaration of consent have to be discontinued or the measures have to be designed so as to avoid those employees who have revoked their declarations of consent or who have not consented in the first place. What becomes necessary is (i) a complex and expensive differentiation between employees who have consented, who have consented but then withdrawn consent and those who have not consented at all and (ii) a privacy compliance concept in line with the statutory justifications for all the cases mentioned under (i);

4. A privacy infrastructure based on consent is not flexible and consent has to be asked for again in cases of a reorganisation or other significant structural changes of the group structure.

Ignoring the limitations (1) and (2) above leads to consent being null and void – measures carried out on such basis are most likely illegal and subject to fines of up to €250,000 per case (cf. Sec. 43 FDPA) and potentially even criminal law sanctions (cf. Sec. 44 FDPA). The same applies to the continuation of processing measures after consent has been revoked or the carrying out of such measures despite the employees’ refusal to consent (see limitation (3)). It is important to underline that employee consent cannot be made voluntary by expressly making reference to the possibility of not giving or revoking consent. According to the German data protection authorities even such express information does not change the fact that the employee will always be under a factual pressure to give his consent or alternatively risk not getting the job or losing it in the case of revocation.

In conclusion, one should use the instrument of the employee’s consent in exceptional cases only. Statutory provisions provide possibilities for almost all measures. In the meantime the German data protection authorities even offer a solution for the transfer of sensitive data. It is of key importance for the application of statutory permissions to provide thorough information to the employees, especially when they work in complex matrix structures with matrix managers in other group entities (more will be published on this, especially a sample notification, in one of the following editions).

26 05/09 Copyright © 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579

Personal Data

Switzerland authorises Safe Harbor Framework for personal data transfers to the United States

By Mauricio F. Paez, Partner, Joseph J. Bernasky and Gwendolynne M. Chen, Jones Day.

Mauricio F. Paez, Joseph J. Bernasky and Gwendolynne M. Chen can be contacted at: [email protected], [email protected] and [email protected]

The new US–Swiss Safe Harbor Framework (“US–Swiss Safe Harbor”), effective February 16, 2009, facilitates transfer of personal data from companies in Switzerland to companies in the United States.

Previously, the Swiss Data Protection Act (“DPA”) permitted only the transfer of ‘personal data’ from Switzerland to jurisdictions that the Federal Data Protection and Information Commissioner (“FDPIC”) deemed to provide an adequate level of data protection. In order to transfer personal data from Switzerland to jurisdictions that the FDPIC did not deem to provide an adequate level of data protection, the exporting and importing organisations were required to sign an agreement guaranteeing that the importing organisation would provide the ‘appropriate’ level of data protection required under Swiss law. The FDPIC has found the following contractual agreements to provide an appropriate level of protection:

1. Standard Contractual Clauses of the European Union;

2. The Council of Europe’s model contract for safeguarding an appropriate level of data protection in transborder data transfers; and

3. The FDPIC’s model contract for the outsourcing of data processing abroad.

The parties would then submit the agreement to the FDPIC for inspection and approval prior to any transfer of personal data outside of Switzerland.

With the implementation of the US–Swiss Safe Harbor, organisations seeking to transfer personal data from Switzerland to the United States now have an alternative means to do so under the DPA.

Similar to the existing Safe Harbor structure between the European Union and the United States (“US–EU Safe Harbor”), the US–Swiss Safe Harbor allows US companies to self-certify to the US Department of Commerce that they will uphold the same seven data protection principles contained in the US–EU Safe Harbor Framework: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement. Applicants may certify to the US–Swiss Safe Harbor alone or along with the US–EU Safe Harbor on the same Certification Form by selecting Switzerland as a country from which they receive personal data. Switzerland will recognise certified companies as meeting its required standard of data protection and allow transfer and access to Swiss personal data by these companies. The US–Swiss Safe Harbor also provides for special dispute resolution boards in cases of data protection breaches and permits the US Federal Trade Commission to take action against certified companies in cases of egregious or repeated data protection infringement. These remedies are in addition to possible private actions.

The significant overlap in substantive requirements and certification procedures for both the US–Swiss and US–EU Safe Harbors will likely benefit entities seeking to streamline compliance policies and procedures for transferring data from both the European Union and Switzerland to the United States. One notable distinction, however, is that the Swiss DPA defines ‘personal data’ to include all information relating to natural and legal persons, e.g., companies, associations, etc. By contrast, both the US–Swiss Safe Harbor and the US–EU Safe Harbor cover only personal data of natural persons. Thus, organisations seeking to transfer other types of data from Switzerland may still need to enter into cross-border data transfer agreements and seek approval from the FDPIC.

What is personal data? Part 2

By Peter Church, Professional Support Lawyer, and Georgina Kon, Associate, Linklaters.

Peter Church and Georgina Kon can be contacted at: [email protected] and [email protected]

The Information Commissioner recently issued guidance on what constitutes ‘data’ for the purpose of the UK Data Protection Act 1998. It follows his earlier guidance on when such ‘data’ is personal data under the Act. This earlier guidance, which attempted to reconcile the inconsistent approaches adopted by the English courts and other European regulators, met with mixed reactions. (As reported in the November 2008 issue of WDPR.)

However, the latest guidance should cover safer ground. There has been a less heated debate at a European level as Member States have more discretion over the definition and the Article 29 Working Party has yet to issue substantive guidance on this point. In addition, most information is now stored on computer, which makes it automatically ‘data’, so difficult questions are less common in practice. However, issues remain, especially for organisations that store substantial amounts of information offline, for example on microfiche. This article considers the impact of the new guidance for these organisations.

What is ‘data’?

Information is only subject to the Act if it constitutes ‘data’. This definition is divided into four categories:

• information processed, or intended to be processed, wholly or partly by automatic means (e.g. on a computer);

• information processed, or intended to be processed, that forms part of a ‘relevant filing system’;

• information in an accessible record (e.g. health records, educational records and the like); and

• information held by a UK public authority, the so-called category (e) data.

What does the guidance say?

The guidance consists of a set of eight questions in the form of a flow chart, as set out. Unsurprisingly, it focuses on the definition of ‘relevant filing system’ as this raises the most difficult issues in practice, with four of the eight questions addressing this point.

Flow chart: What is ‘data’? (the guidance’s questions, reproduced from the figure; the figure’s Yes/No branches are not shown)

1. Is the information, or is it intended to be, processed automatically?
2. Is the information part of a filing system?
3. Is the information recorded as part of a ‘relevant filing system’ or with the intention it should form part of a ‘relevant filing system’?
4. Does the filing system use names of individuals (or other identifier) as the file name?
5. Does the system use criteria relating to individuals to structure the system?
6. Is the information indexed to allow ready access to specific information about individuals?
6a. Does the system only hold a single category of information?
7. Is the information part of an accessible record?
8. Is the information held by a public authority?
Outcome: Yes, the information is ‘data’; No, the information is not ‘data’.

The questions work through the requirements of the relevant filing system definition, namely:

• whether the system uses the names of individuals or other criteria relating to individuals to structure the system; and

• if so, whether the system is indexed to allow ready access to specific information about individuals or whether it only contains one category of information.

What about Durant?

So far so good. Questions as to whether information is ‘data’ or not rarely arise and if they do, the flowchart provides a useful summary of the issues to address. However, other comments in the guidance are difficult to reconcile with English courts’ approach to personal data and, in particular, the Court of Appeal’s decision in Durant v Financial Services Authority [2003] EWCA Civ 1746.
The most prominent example relates to the cost and effort in extracting the information. The guidance states, “accessing the required information may on occasion be time consuming and demand a high level of resource [However,] the key consideration is not the time and effort involved but whether there is a system in place that allows the organisation to find information ... without searching through every item in every record”.

This is hard to square with a view in Durant that the filing system in question must provide “easy access to the personal data in question” and that it must be “of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system”. The Court of Appeal came to this conclusion on the basis that the legislation must act in a proportionate manner and that the Act is intended to protect the privacy of personal data, not mere documents.

This latest guidance also moves away from some of the statements made by the Information Commissioner in 2006 (see The ‘Durant Case’ and its impact on the interpretation of the Data Protection Act 1998 [1]) which, for example, advocated a “temp test” to determine if information was ‘data’, i.e. whether a temporary worker would be able to extract the information without any particular knowledge of the background and with only a short induction. Similarly the bald statement that “very few manual files will be covered by the provisions of the [Act]” is gone. Arguably this was an overly restrictive approach to the definition of ‘data’. Time will tell if the current guidance is perhaps over liberal.

The guidance on what is ‘data’ is available at: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/what_is_data_for_the_purposes_of_the_dpa.pdf

NOTES

1 http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/the_durant_case_and_its_impact_on_the_interpretation_of_the_data_protection_act.pdf

This article first appeared in Linklaters’ Technology, Media & Telecommunications newsletter, Issue 50.

EC launches infringement proceedings against UK government

By Oliver Bray, Partner, and Tom Cadwaladr, Trainee Solicitor, IP and Technology Group, Reynolds Porter Chamberlain LLP.

Oliver Bray and Tom Cadwaladr can be contacted at [email protected] and [email protected]

The European Commission has announced that it is taking legal action against the UK government for failing in its duty to properly implement EU e-privacy and data protection rules protecting the privacy of online communications. While the announcement does not set out the exact nature of the alleged infringement, it would appear that the UK is to be accused of failing to protect Internet users against the unlawful interception of communications data, specifically with regard to the profiling of user behaviour for the controversial online behavioural advertising (OBA) service based on Phorm’s deep packet tracking technology.

Background

The announcement refers specifically to the two secret trials conducted in 2006 and 2007 by British Telecom (BT) using technology to profile Internet use by users without their consent. Following a substantial number of complaints from users, the Information Commissioner’s Office (ICO) launched an investigation into the trials. The ICO indicated, on the assurances given to it by Phorm, that there had been no breach of any UK laws by BT or Phorm, the provider of the tracking technology. However, the Commission has taken a very different view and, having completed its own enquiries into the ICO’s investigations of the trials, has decided to bring proceedings against the UK government in the European Court of Justice for allowing the trials to operate and for failing to take action. EU Commissioner for Information Society and Media, Viviane Reding, has made the Commission’s motive clear – reform of UK law is needed to bring it closer in line with the ePrivacy Directive (2002/58/EC). As she said in a statement released on April 14, 2009,

“we have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of EU rules on the confidentially of communications. ..I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation”.

Phorm – the stimulus for EC intervention

Phorm developed the products used by BT to conduct the ‘secret trials’. Phorm maintains that the technology protects against ‘’ and improves the relevance of advertising based on the interests of the user. Webwise is the customer facing web feature whilst OIX is the advertising exchange platform. The running and operation of these products have been explained in detail in previous WDPR articles (see ISP data ‘pimping’ – Phorm under fire over privacy concerns for technology, April 2008 and Information Commissioner’s Office opinion on Phorm’s targeted advertising technology, June 2008, Oliver Bray and Simon Griffiths). It is claimed by BT that Webwise mirrors a user’s request to visit a website at the moment he requests to enter it. This mirrored data is profiled and anonymised to erase any trace linking the data to the user, e.g. the IP address. At the same time a randomly generated ID is allocated to the user and held on their computer in the form of a cookie. This ID and anonymised data is sent to a Phorm managed server, which categorises the data so that it can be linked with relevant advertising through its OIX product. The result is that advertising targeted to the user appears on his computer screen.

What is the case against the UK government?

This method of advertising is certainly pioneering and is transforming the industry. However, its future appears uncertain following the Commission’s recent move to take the UK government to the ECJ. At the time of writing, the Commission had not made the detail of its case against the UK government public. However, it is expected that its case will focus on the UK government’s alleged failure to maintain the confidentiality of communications of users subscribed to BT’s consumer broadband service during the trials of 2006 and 2007. Under Article 1(1) of the ePrivacy Directive, Member States are required to ensure the confidentiality of communications and related traffic data by prohibiting unlawful interception and surveillance unless users have consented. During the trials, BT did not seek consent from any of the thousands of users concerned. Further, under Article 2(h) of the Data Protection Directive (95/46/EC) users’ consent must be “freely given specific and informed”.

The ICO completed its investigations into the BT trials and found that UK data protection law had not been breached. As a result, it decided not to take any further action. Notably it confirmed that it did not consider there to have been a breach of the ePrivacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations), which were introduced to implement the ePrivacy Directive. However, the Commission alleges that this was inadequately implemented. Viviane Reding has said European rules on privacy are “crystal clear” and that “Europeans must have the right to control how their personal information is used”.


Under the Regulations it is unlawful to use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a user of that terminal equipment unless he is given “clear and comprehensive information” as to the purposes for the storage or access to the information and is offered the opportunity to refuse such storage or access. This provision mirrors the requirement on Member States in Article 1(3) of the ePrivacy Directive and goes further than the Data Protection Act 1998 as it covers not only the processing of data but also cookies which store information under the Phorm system. The Commission is likely to allege that such clear and comprehensive information was not given to users during the BT trials in 2006 and 2007.

Following the news that the Commission had commenced proceedings against the UK government, the ICO issued a statement saying that the,

“infringement proceedings from the EU appear to relate to the interception of communications, which is not part of the ICO’s remit. Interception of communications is covered by the Regulation of Investigatory Powers Act. ..”

The Commission has expressed its concern over the lack of an independent regulatory body responsible for monitoring the interception of communications in the UK and it is expected that this will form part of its case.

Under s1 of the Regulation of Investigatory Powers Act 2000 (RIPA) it is an offence to intercept any communication in the course of transmission without lawful authority. However, interception is permitted where it is unintentional or where there are reasonable grounds for believing that the user has agreed to the interception. The UK government has not made it clear whether it considers this Act to have been contravened during the BT trials. The Commission is expected to allege unlawful interception took place which the UK failed to notice.

At the time of writing, the UK had less than two months to reply to the Commission’s letter of formal notice. The UK must adopt a position on the points of fact and of law. In the event that the UK’s observations are unsatisfactory or it fails to respond at all, the Commission may then address a reasoned opinion to the UK setting out why it considers there to have been an infringement of Community law and obliging the UK to comply within a specified timeframe (usually two months). A failure to do so may result in the Commission referring the matter to the ECJ for final adjudication.

It appears that Ms Reding’s position to “not shy away from taking action” against Member States is strongly supported in Brussels. In a keynote speech to a round table on online data collection, targeting and profiling held in Brussels at the end of March calling on Member States to act against lack of transparency and “commercial discrimination”, Consumer Commissioner Meglena Kuneva said that “the current situation with regard to privacy, profiling and targeting is not satisfactory”. The current case being brought against the UK is part of a wider co-ordinated move by the Commission to crack down on .

The Commission is certainly not alone in its view. There are many critics of Phorm’s technology, including Tim Berners-Lee, director of the World Wide Web Consortium which oversees the development of the Web. He has recently said that a line must be drawn where third parties are using data gathered by systems such as Phorm’s for political ends or commercial interests. He has said that “there’s a gap between running a successful Internet service and looking inside data packets”.

Further, BT is trialling Webwise again, albeit this time with users’ consent. Critics, however, have taken issue with the fact that the proposed system will be on an opt-out rather than an opt-in basis so that users and websites will have their respective data monitored and ‘mirrored’ unless they opt out of the service.

UK government’s position

At the time of writing, a series of email exchanges dating back to August 2007 between the UK government’s Home Office and Phorm were claimed by the BBC to have been revealed under the Freedom of Information Act 2000. The BBC claim that these emails show, amongst other things, the Home Office asking Phorm whether it would be “comforted” by its position, what Phorm thought about advice being drawn up by the Home Office at the time and specific references being made to Phorm’s technology.

The BBC claims that in an email dated August 2007, a Home Office official wrote to Phorm’s legal representative stating that his or her personal view accorded with Phorm’s legal representative’s view and that “...even if it is ‘interception’, which I am doubtful of, it is lawfully authorised under section 3 by virtue of the user’s consent obtained in signing up to the ISPs terms and conditions.”

In a later email dated January 22, 2008, the BBC claim that the Home Office wrote to Phorm asking it to “review” an attached document and let the Home Office know what it thought about it. In the same month, the BBC claims that the Home Office thanked Phorm for changes to its draft paper and that such changes and deletions made by Phorm can be seen through the course of the disclosed email correspondence.

The revealing of these emails has led many to publicly question the UK government’s position over behavioural advertising technology. BBC News has quoted Baroness Miller, Liberal Democrat for Home Affairs, to have said that “the fact the Home Office asks the very company they are worried is actually falling outside the laws whether the draft interpretation of the law is correct is completely bizarre”. In reply the Home Office has told the BBC that it did not consider that it had given “any advice to Phorm directly relating to possible criminal liability for the operation of their advertising platform in the UK”. Despite the Home Office’s clear denial of any

wrongdoing it is expected that the Commission will raise difficult questions on this in its case against the UK government.

There is a further question mark over the neutrality of the UK government’s position based on its previous support for a communications database. It has previously considered, only now to withdraw on privacy grounds, plans for the creation of such a database, which would intercept and record every website visited and email header sent and received by every ISP user in the UK using a not too dissimilar Deep Packet Inspection method as Phorm. In its recent report, Database State, The Joseph Rowntree Reform Trust, chaired by Lord Shutt of Greetland, classified the proposed communications database as a red database signalling that “...it is almost certainly illegal under [human rights or] data protection law and should be scrapped or substantially redesigned”. This classification placed the proposed database in the same category as the controversial National DNA Database. The report went on to say that “the public are neither served nor protected by the increasingly complex and intrusive holdings of personal information invading every aspect of our lives”. The fact that the UK government originally proposed a communications database based on data obtained through a comparable method as that employed by the Phorm system led privacy groups to question its neutrality when turning its attention to BT’s Webwise.

This is not the first time that the UK government has locked horns with the Commission over data protection laws. The Commission previously threatened proceedings in 2004 against the UK for failing to properly implement almost a third of the Data Protection Directive. In response, the UK government publicly stated that it had “properly implemented the Data Protection Directive via the Data Protection Act 1998 and other relevant provisions of UK law”. Further, the ICO issued a press release on July 7, last year, declaring that the said Directive was in need of reform, implying that the onus was on the Commission to modernise its creation.

The advertising and communications industries will be hoping that the UK government does not capitulate on the question of OBA. The Incorporated Society of British Advertisers, for example, has said that concerns over the Phorm technology “can and should be addressed by the UK’s successful system of advertising self-regulation” although some may consider this disingenuous as the privacy of communications would stretch the remit of advertising regulators, self-regulating or otherwise.

Comment – what can we expect?

At this point it is unclear as to the specific case that the Commission is putting to the UK government. It is, however, almost certain that whatever it may be, the Commission will not shrink from its objective. Ms Reding and Ms Kuneva have both stated emphatically that the Commission will take action against any Member State which fails to protect its citizens’ online privacy. At the time of writing, the All-Party Parliamentary Group on Communications had just announced that it would be investigating online traffic, including the specific issue of Deep Packet Inspection and behavioural advertising. The government’s reaction to the outcome of this investigation will be eagerly awaited by both the industry and the Commission.

The use of Phorm’s technology remains a highly contentious issue amongst users. We can expect more major Internet names to follow and Wikipedia’s lead of publicly opting out of the Phorm technology monitoring its sites to avert any fall in its visitor numbers. Attempts at self-regulation in this area have come under attack from the privacy lobby, most notably the recently published Internet Advertising Bureau’s (IAB) Good Practice Principles for Online Behavioural Advertising which a number of major businesses have signed up to, including Google and Microsoft.

The IAB’s principles are based on three commitments: notice, user choice and education. Firstly, they require that each signatory provides clear and unambiguous notice to users that data is being collected for the purposes of behavioural advertising. Secondly, they require that each signatory provides an approved means for declining behavioural advertising; interestingly the IAB has approved Webwise as an example of an “approved means”. Finally, they require that each signatory make information available and accessible to users to educate them on behavioural advertising. Privacy groups have argued that the principles are limited in effect as they are by their nature voluntary and therefore hold no legal force. Further, privacy campaigners claim that the principles fail to make any real steps forward as users are still required to delete their cookies or actively inform their ISP that they wish to ‘opt out’ to decline behavioural advertising.

Meanwhile on second reading, following recommendations by the European Parliament’s Internal Market and Consumer Protection Committees, proposed amendments to the ePrivacy Directive look set to include a requirement that cookies may only be used where users have consented to their use (i.e. an opt-in rather than the current opt-out requirement). It is proposed that the reference to “electronic communication networks” in Article 5(3) is removed, thereby broadening its scope to cover cases where cookies are sent and received on a user’s computer via external storage media.

It should also be remembered that Phorm is not the only company to supply such behavioural advertising systems to ISPs; others include NebuAd and Front Porch. The outcome of the current proceedings against the UK and the reaction of Member States generally to the Commission’s call to action could shape the future of online behavioural advertising. Ultimately, OBA providers may need to cede greater control to the user in order to operate lawfully.

05/09 World Data Protection Report BNA ISSN 1473-3579 31

Personal Data

Cloud computing and data protection

By Hazel Grant, Partner, and Tessa Finlayson, Trainee Solicitor, Bird & Bird.

Cloud computing raises difficult data protection issues. In this article we highlight just three of these issues which are relevant for businesses looking to use cloud computing:

- Responsibility for data protection compliance;
- Data security; and
- Data location.

There will be many other commercial issues such as the risk of lock-in to the service, the service levels offered and long term viability of the service offering.

What is cloud computing and how is it regulated?

Cloud computing is a way of providing services over the Internet. Service providers make available web servers that can accept and store data from users to provide the services. Users access the services using their web browsers. Some services are free; others are provided on a pay-as-you-use or subscription basis.

The social networking site Facebook implements cloud computing. A user can log on to the Facebook site through a web browser in order to send messages, chat and share files. Microsoft Hotmail is a widely accessible email service which operates as a cloud computing facility.

Cloud computing is not just limited to consumer use, and can be attractive to SMEs or to larger organisations. The ‘cloud’ can be an external, public cloud such as Facebook or Hotmail, or an internal, private cloud within one organisation. So, cloud computing is rapidly growing both on an individual basis and amongst commercial entities. It offers a flexible and easily accessible alternative to conventional IT outsourcing and has the potential to offer vast cost savings in the provision of IT infrastructures.

There is currently little regulation specific to cloud computing. Data protection regulation will be relevant where the services are used to handle personal data. The ‘Open Cloud Manifesto’ (available at http://www.opencloudmanifesto.org, published in Spring 2009) provides high level principles that providers should adhere to. The Manifesto was created by IBM, Cisco, SAP, EMC and a number of other leading technology companies. This document is not intended to form formal guidance, but rather to initiate debate on what such a guidance document should, or indeed could, contain while cloud computing and its practices are still very much in evolution. Interestingly, Microsoft, Amazon.com, Google and Salesforce.com declined to take part in the Manifesto, indicating that industry agreement may not be close.

Responsibility for data protection compliance

Where a business is located in the UK, it will be subject to the Data Protection Act 1998 (the Act) when handling personal data. As a result, if that business decides to use cloud computing it will need to ensure that the cloud computing services comply with the Act. Most cloud computing relationships are complex and involve the transfer of data across multiple jurisdictions. As the data controller, the customer is solely responsible for compliance with the Act. This includes the obligation to ensure that the customer retains close control over its personal data, even when the data is being processed by a third party on the customer’s behalf. It is likely that the cloud computing service provider will consider itself to be a data processor for the purposes of the Act. The relationship envisaged by the Act between data controller and data processor is a simpler and cleaner one, not the type of relationship which is likely to exist in a cloud computing service, where the customer is very unlikely to know if and when the data is moved, how it is stored, who has access and the security measures in place. It is quite possible therefore that the basic decision on who is responsible for data protection compliance will be in dispute, with customers or data protection regulators believing that service providers are at least partly responsible and acting as data controllers.

Whatever the decision on the status of the service provider, prevention is better than cure. So using services which do not suffer data losses or unauthorised disclosures will reduce the risk of individual complaint and investigation by the data protection regulators. Therefore it is essential that customers choose reputable and effective service providers who are able to offer the necessary assurances that their services will meet the requirements of the Act. Contracts for cloud computing services should address compliance with the Act (covering the obligation to process in accordance with the customer’s instructions and ensure adequate technical and organisational security measures) and identify the extent to which a service provider will recover lost data or cover the cost of re-inputting data. While obtaining such assurances may increase the service costs, this will be money well spent as it will improve the security of the data and the protection available to the customer in the event of data losses or unauthorised disclosures.

Hazel Grant and Tessa Finlayson can be contacted at: [email protected] and [email protected]

32 05/09 Copyright © 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579

Data security

When negotiating the contract for cloud computing services, customers should particularly consider the following:

- Gain as much information as possible about the likely third parties that may potentially access the data in order to ensure that they are fulfilling their obligations as data controller. The nature of cloud computing means that many third parties may access the data across a number of jurisdictions;
- Obtain warranties from the service provider as to the treatment of personal data processed within the cloud;
- Seek an independent security audit of the service provider and ensure adequate ongoing audit rights;
- Aim to set out their own security policy surrounding data and have the service provider agree to that where possible;
- Ensure that the service provider is willing and able to comply with any relevant sector-specific regulation, for example within the healthcare industry;
- Consider whether they wish their applications to be hosted on hardware that is specific to them; however this may significantly limit the financial benefits of cloud computing;
- Ensure that there is continuous physical security at the service provider’s premises and that physical entry to those premises is limited to authorised personnel only;
- Ensure that they have rights to change the way their data is treated should new legislation or circumstances require it; and
- Ensure that all of the service provider’s personnel with access to the data have been security vetted; and ensure that there is a sufficient and effective system of back-ups should there be a security breach.

Location of the data

Customers will need to be aware that local laws may apply to the data held on servers within the cloud. This raises, for example, concerns about access to data in the US under the Patriot Act or US litigation. However the more obvious data protection issue relates to the distributed nature of the data within the cloud computing service.

In order to benefit from optimised use of infrastructure and resources, cloud computing assumes that data will be moved geographically. Therefore it would be rare to see a contract for cloud computing where the customer is guaranteed that their data would not be transferred outside a specified country or region. (Although we may start to see cloud computing services which are restricted to a specified geographic location; see, for example, Amazon Web Service’s Availability Zones).

Under the Act, transfers of personal data outside the European Economic Area (the EEA) are prohibited, unless adequate protection is shown. (The EEA includes all countries in the European Union, together with Iceland, Liechtenstein and Norway). Therefore, where a cloud computing service is provided within the EEA there will be no issue. Equally, if the service is provided within the approved jurisdictions only there will be no data protection issue (i.e. within Argentina, Guernsey, Isle of Man, Jersey and Switzerland together with Canada and the USA in certain circumstances). However these scenarios are unlikely. In reality, the customer will need to address a situation where the personal data may be sent to any number of servers in any number of jurisdictions worldwide.

As a data controller, the customer again has responsibility to ensure that this part of the Act is complied with and that adequate protection is given to the data which is held within the cloud computing service. Without knowing the jurisdictions where the data may be sent, it will be difficult to do this. In practice, unless the service provider will commit to using a specific geographic region, the customer will take some risk.

Customers may consider using the consent of individuals to permit the transfer outside the EEA. However, using consent is difficult. (How would it show that consent was freely given, specific and informed? What if the consent is withdrawn?)

In practice therefore customers are likely to look to a contractual situation, using the EU approved standard contractual clauses for data processors established in third countries (both the EU drafted and approved clauses (Commission Decision 2002/16/EC) and the ICC version, once the ICC version is approved by the EU). Under these clauses the data processor (the service provider) commits to comply with EU-equivalent data protection standards. In many jurisdictions (but not the UK) there are notification or registration requirements whereby the contracts once completed must be sent to the local data protection regulator. In addition, amendments to the contracts can negate the protection and therefore result in the contract not fulfilling its purpose of showing adequate protection. Therefore this solution can be restrictive and time-consuming.

Conclusion

Many business users are looking for ways to increase efficiency and reduce the costs of their operation. Cloud computing is recognised by businesses, particularly SMEs, as a cost-effective way to gain access to complex IT and communications facilities. The challenge for businesses and service providers is to ensure data protection responsibilities are not forgotten.

Information as an asset

By Andrea Simmons, Managing Director, Simmons Professional Services Ltd.

Information as an asset

In recent times, almost every vendor report, technology related (and other) industry initiative, professional ICT membership publication and relevant organisational policy statement issued, have at their heart the kernel that is ‘information’. Many of these often weighty tomes articulate:

- The increasing importance of information (yet IBM research shows knowledge workers spend up to 30% of their time searching for data and are unsuccessful 30% of the time, while Gartner claim up to 25% of the data is inaccurate or missing);
- The increased time spent on statutory reporting;
- The need to share information with external parties;
- Evidence that good use of information directly correlates with better performance (and that lack of information sharing can have terrible consequences, e.g. high profile cases in the UK such as the Soham murders, Harold Shipman, and currently in the news, the case of the child abuse and resulting death of Baby P etc.);
- that investment in the information culture is already delivering value for money.

Case study

There have been three high-profile data loss incidents at Addenbrooke’s Hospital in recent months.

In April 2008, a female member of staff lost printed information on types of medical tests to be undertaken by 1,252 patients, along with their NHS numbers, while she was travelling on public transport.

In November 2008, Haverhill resident Nicola Marsh received letters containing medical records of two other patients from Addenbrooke’s.

Early in 2009, an Addenbrooke’s member of staff lost an unencrypted memory stick containing the medical details of 741 patients – it was left “in an unattended vehicle” and found by a car wash attendant. The attendant “was able to access the contents to establish ownership”. The information was downloaded without the permission of Addenbrooke’s and the Trust reported the loss.

The Information Commissioner’s Office has ordered Addenbrooke’s to sign a formal undertaking that it will process information in line with the Data Protection Act, with immediate effect.

http://www.cambridge-news.co.uk/cn_news_home/displayarticle.asp?id=412764

Without sending ourselves into a spiral of philosophical debate about an appropriate meaning of ‘information’, contextually, it is intrinsically understood as many things to many people. Information can be available, necessary, shared (exchanged), lost, accessed or destroyed. As an asset, information can be appreciated as important, vital, critical, useful – and clearly profitable. In the wrong hands, or handled carelessly, it can also be hugely risky – just ask Bob Quick.[1] In the words of the Assistant Information Commissioner, it can be considered to be ‘toxic’.[2] As with physical laws, for every action there is an equal and opposite reaction.[3]

Worse still, there is a “dark economy” exploiting our carelessness with information. For example, live ‘crimeservers’ (Crime as a Service) can be found on the Internet offering current black-market value prices for the most common types of stolen data, including ‘dumps’ – copies of the magnetic stripe information on the back of a credit card – generally obtained from a compromised retailer and used to make fake credit cards.

So if information can be seen to be conversely volatile and valuable, surely it deserves the same priority and protection as other business assets. Given the level of ongoing data breach that we have seen in the UK over the past couple of years (Table 1 refers to some of the more high profile data breaches which have occurred within government during this period), it is necessary for every organisation to get to grips with finding out:

- what information they have;
- why they have it (in the context of Data Protection, for example, this is described in terms of the Fairness Principle, the First Principle – i.e. what is the original purpose of the data collection and intended use);
- with whom it is shared – i.e. where it flows – both within and without the organisation;
- where it is stored – ‘at rest’ (on servers, on memory sticks, laptops etc., paper documents etc.), ‘in transit’ (on the move).[4]

Information assets can be categorised as follows:

- personal data (name, address details etc. – often referred to as ‘personally identifiable information’, PII)
- financial management/data
- operational management information
- personnel management
- regulated information (health information, financial data, government classified, etc.)
- proprietary information/intellectual property
- trade secrets
- patents
- copyrights
- trademarks

Information asset owners

Nuggets of gold are being buried every day[5] – and users need to appreciate that they can be both owners as well as custodians of important organisational information.[6] Responsibility and accountability extends to all employees as well as the extended enterprise including consultants, contractors, sub-contractors, part-time employees, temporary employees, interns, teaming partners, and associates. However, not unsurprisingly, risk management needs to be in the mindset of every user, at some level, for a number of reasons.

Appointing Information Asset Owners has already been identified as a mandatory minimum measure required across UK central government departments.[7]

Information Asset Owner (IAO)

IAOs are senior individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good, and provide written input to the Senior Information Risk Owner (SIRO) annually on the security and use of their asset.

The very first key aspect of the role of an IAO is to “lead and foster a culture that values, protects and uses information for the public good”. This has been a mandatory requirement since mid 2008, so should we really be talking about this as something new, difficult or surprising in mid 2009?

This appears to need a significant cultural shift to embed information successfully, but it also needs to be supported by an awareness, education and training programme to ensure that those who are appointed as the IAO know what their duties are and how to communicate with organisational staff.

Information Asset Registers (IARs)

Central government departments have all been tasked with producing Information Asset Registers in response to a requirement that would ultimately fulfil the needs of the EU Directive implemented in the UK under the Regulations on the Re-use of Public Sector Information (RPSI).[8] RPSI recognised the enormous value of public sector information (PSI) and the contribution PSI could make to stimulating the development and growth of Europe’s information industry, especially as part of the wider ‘information protection’ agenda.

However, the (non mandatory) requirement to produce an IAR crossed over with existing mandatory public sector work required to produce a Publication Scheme (by way of the Freedom of Information Act Statute) – which is equally separate from the work many public sector bodies are doing to provide A–Z directory listings of all available information through their online services.

Producing an IAR has been seen by many as part of a number of competing agendas that public sector organisations have had to juggle on any given day; budgets are always stretched when it comes to the information agenda issues – and yet the costs of mop up after breaches can be seen to have been disproportionate to the investment in preventative strategies and innovative information management programmes of activity. Carrying out a robust IAR creation should have included reference to a perceived value of the information assets identified. This was intended to acknowledge its onward wider sale and/or re-use so that the public sector could recoup at minimum the original creation cost plus some administrative expenses. The exercise alone would have at least started the intellectual discussion around the value of information assets. This is something that the Ordnance Survey[9] appears to have worked out well.

Significant efforts have thus been made across the public sector to identify information sources and resources, but this has not been tackled, in all cases, as part of a robust ‘information governance’ led programme of activity. Therefore, the available resultant benefits from the outputs have not all been fully realised.

The value of information

The idea of information asset profiling is to gather as much information as is necessary to support any particular organisational process and seek a better grasp of the protection requirements – it should not be seen as a cumbersome overhead.

Protecting information assets needs to consist of identifying, valuating, classifying, and labelling in an effort to guard against unauthorised access, use, disclosure, modification, destruction, or denial.[10] The relevant ISO27001 control is found in area 7 – Asset Management and existed in its predecessor, BS7799, since 1995.

ISO27001:

7.1 clearly identify all the assets, maintain an inventory, identify owners; acceptable use should be documented and implemented

7.2 classify the information “in terms of its value, legal requirements, sensitivity and criticality to the organisation” and have a documented and implemented procedure for document labelling and handling in accordance with the adopted classification scheme.

It is the purpose of Information Security to identify the threats against, the risks and the associated potential damage to, and the safeguarding of Information Assets.[11]

The meaning of Information Security is based on three fundamental tenets, represented as the ‘CIA’ below:

- Confidentiality: Protecting information from unauthorised disclosure or intelligible interception. Ensuring that information is accessible only to those authorised to have access.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods and computer software.
- Availability: Ensuring that authorised users have access to information, vital services and associated assets when required.

Again, these are not new concepts but are represented within this context in order to ensure that they are not lost – they need to be seen as intrinsic elements of the one whole ‘information’ agenda. Once the information assets have been identified, a risk assessment is undertaken to ensure that the CIA elements are adequately addressed. Thereafter, the appropriately controlled information asset can then be adequately valued, as its value can include the cost of the controls in place to protect it. Valuing assets is not new and has been around, conceptually at least, for over a decade – and yet it has still not been effectively embedded so as to be recognised as appropriate for inclusion in accounting terms.

In reality, for information to be taken seriously as an asset, it needs to be factored into the annual accounts. But an information asset can only be put on the balance sheet if a value can be demonstrated with reasonable certainty – and this needs to involve everyone in the organisation. Changing the culture of an organisation is usually necessary for ensuring that information is valued as an asset by everyone.

Information as an asset does not diminish in value through usage, but may do so through time. Information assets all have one or more of the following characteristics:

- They are recognised to be of value to the organisation;
- They are not easily replaceable without cost, skill, time, resources or a combination;
- They form a part of the organisation’s corporate identity, without which the organisation may be threatened;
- Their classification would normally be Protected, Restricted, Secret or Top Secret.

Tangentially, data minimisation and the management of retention and replication of data have been topics of discussion in recent times (e.g. see the Database State report[12]). Remember the ‘dark economy’ – what’s redundant data to you (and thus appears to be of no value) may in fact be of profitable value on the black market.

The Children’s Database is an example of personal information being collected for the best of motives that nevertheless risked having the worst of outcomes, with front-line staff being presented with too many false positives. Government seems to undervalue the concept of data minimisation – only keeping the information needed because it has value for delivering a service. And yet these kinds of issues have already been highlighted through work done by, for example, the Audit Commission when it set out its Key Lines of Enquiry (KLOES) in 2007 in relation to Data Quality Standards.[13]

There is also the consideration of value loss associated with inaccurate data, data breaches and compromised databases, which raises the question of how to value the information, or collect the associated costs. Deprival value is a complementary approach asking what would be the cost to the organisation if it did not have certain information, and may be the key to unlocking the problem of how to value information. This latter will depend on replacement value (if it can in fact be replaced) and its recoverable value. This could include compliance cost value – the cost of complying with statutory regulations, post breach rectification etc. The exchange value should be covered under the RPSI, in terms of public sector information re-use. The valuation methods will differ as the context of the valuation changes.

All of these elements contribute to an area of cost that would need to be factored into the consideration of the ultimate value of an information asset – but this is not to set out a stall that makes it ultimately too difficult to do. Financial standards need to be brought up to date in order to incorporate, and adequately address, the information needs of organisations.

Conclusion

En route to the Information Age, our journey has been from IT Security, where our focus has been on the data – protecting our networks at a firewall level, and then with anti virus products. Subsequently, when this failed to solve all of our security needs, we set about embracing the need for an information security management framework to be put in place (ultimately ISO27001). Information Assurance was a government-led agenda intended to restore public confidence in the ability of the public sector to protect their data. So far, success has been limited, and Government is not trusted. Information Governance[14] is the ultimate goal which leads to the proper linkage with corporate governance and thus the full realisation of information as part of the corporate agenda and reporting structure – as can be evidenced already in the health sector where it is part of the reporting framework.

We have to get to grips with this in spite of a need for greater understanding as there remain great rewards to be gained from better, more secure and controlled, information sharing and usage across the public sector and beyond.

MPs and politicians need to listen to those information management, security, assurance and governance experts who have been long describing and articulating the challenge in terms of the requirement to value information assets and protect them accordingly – and move this agenda forward proactively.

Andrea Simmons can be contacted at: [email protected]


Table 1: Data breaches roll call

Date | Area | Headline/Issue

February 20, 2007 | Her Majesty’s Government (HMG) | DWP struggles to uncover cause of public data breach: Department for Work and Pensions discovered that it accidentally sent bank, national insurance and personal details to the wrong people – how did its systems and processes allow this confirmation on up to 26,000 people be compromised?

November 20, 2007 | HMG | UK families put on fraud alert (Oct 07): Government (HM Revenue and Customs) admits personal details of 25 million child benefit recipients are lost. Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing.

December 1, 2007 | HMG | Fresh benefit data lapse admitted: An ex-contractor at the Department for Work and Pensions had two discs with thousands of benefit claimants’ details for more than a year, the DWP says. (Discs held in unencrypted form). A third party contractor error.

December 12, 2007 | HMG | A deadly new data blunder: “Blundering civil servants sent personal details of violent criminals about to be freed from jail to the wrong address. Documents with names, birth dates, criminal histories and addresses of more than 40 murderers, rapists and paedophiles should have gone to a police HQ…..”

December 12, 2007 | DVLA | Driver and Vehicle Licensing Agency data bungle No 2: Two discs with names and addresses of 7685 drivers have gone missing in the post. They were sent from the DVLA in to the DVLA in Swansea – but disappeared at a Coventry depot. The discs also had car details and were not encrypted. Earlier in December the DVLA sent 100 forms with details of driving offences to the wrong addresses.

December 17, 2007 | HMG | Millions of L-driver details lost: Private details of 3 million learner drivers are missing, the Government admits.

December 23, 2007 | NHS | Nine NHS Trusts lose patient data: Thousands of patients affected as National Health Service Trusts admit losing records.

June 30, 2008 | HMG | NI numbers of 140,000 on tax envelopes: HM Revenue and Customs admits more than 140,000 tax forms were posted with the recipients’ national insurance numbers visible on the envelope.

August 21, 2008 | HMG | Contractor loses memory stick containing personal details of UK criminals: Home Office says a contractor lost a memory stick containing details of the UK’s most prolific criminals (84,000 of them….). Again, a third party contractor error.

August 28, 2008 | Police | Gangland witness files found dumped in skip: Secret police documents exposing the personal details of witnesses in a £17 million drugs trial found in a recycling bin – HM Courts Services to investigate.

September 7, 2008 | HMG | New lost data blunder puts thousands at risk: Government admits that the lives of 5,000 staff have been put at risk in a new Government missing data scandal …. EDS…. One year since the disk was actually lost….and no-one noticed…. (Confidentiality, Availability)

October 10, 2008 | MoD | Ministry of Defence computer hard drive missing: This may have contained the details of up to 1.7 million potential recruits for the armed forces. The information was ‘unlikely’ to have been encrypted.

October 16, 2008 | DVLA | You can’t fine my son…these are his ashes: Bungling civil servants insisted on prosecuting a dead teenager – so his mother took the boy’s ashes to court to prove he was no longer alive. The DVLA wanted to put xxxx in the dock after claiming he had failed to notify them that he had sold a vehicle. But not only had he never owned the vehicle, he had been dead for nearly two years…. (Integrity). Why did this even have to go to court?

November 2, 2008 | HMG | Probe into data left in car park (DWP): An inquiry has been launched after a memory stick with user names and passwords for a key government computer system was found in a pub car park. This affected the Government Gateway and the error was on the part of a third party contractor.

NOTES

1 Inadvertent information disclosure: http://www.guardian.co.uk/uk/2009/apr/09/bob-quick-terror-raids-leak

2 Information as a ‘toxic liability’ – http://news.bbc.co.uk/2/hi/uk_news/7575766.stm

3 Newton’s laws of motion – http://en.wikipedia.org/wiki/Newton’s_laws_of_motion

4 Verizon Data Breach Report 2009: http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

5 Information nuggets – http://www.bearingpoint.com/Solutions/Information+Management/Information+Asset+Management

6 Read Information Asset Profiling, Author James F. Stevens 2005, CMU/SEI-2005-TN-021, http://www.cert.org/archive/pdf/05tn021.pdf – for a great exposé on the differences between the two (and the need for both) as well as further details regarding information asset identification.

7 Cabinet Office Mandatory Roles – see http://www.cabinetoffice.gov.uk/media/45149/guidance_on_mandatory_roles.pdf. Also, for a more detailed exposé of requirements regarding Information Asset Protection read ASIS GDL IAP 05 2007, Information Asset Protection (IAP) Guideline, Copyright © 2007 by ASIS International, ISBN 978-1-887056-70-0

8 RPSI – http://www.opsi.gov.uk/si/si2005/20051515

9 Ordnance Survey: http://www.ordnancesurvey.co.uk/oswebsite/

10 See Information Asset Profiling: http://www.cert.org/archive/pdf/05tn021.pdf

11 See all these resources for more information: http://www.yourwindow.to/information-security/gl_informationasset.htm; http://www.berr.gov.uk/administration/foi/information-asset-register/page19080.html; http://www.techsoup.org/learningcenter/techplan/archives/page9763.cfm; Information as an Organizational Asset – Creating a culture that values data, By: Marc Osten and Diane Remin, December 14, 2001; InfoSecurity Professional Magazine, Issue Number 5, An (ISC)2 Digital Publication, http://www.isc2.org

12 The Database State Report can be found here: http://www.jrrt.org.uk/uploads/database-state.pdf

13 And yet search on the KLOE document for ‘retention’, ‘destruction’ or ‘duplication’ and they do not appear as data quality related concepts: http://www.audit-commission.gov.uk/reports/NATIONAL-REPORT.asp?CategoryID=&ProdID=F4E13DD0-2808-4f3a-98FF-358AF9010155

05/09 World Data Protection Report BNA ISSN 1473-3579 37 Personal Data

14 See https://www.igt.connectingforhealth.nhs.uk/ for an explanation of the Information Governance toolkit in the NHS – which is a longstanding reporting tool, recently updated to reflect the government's Information Assurance Framework agenda. The wider public sector will need to be producing an Information Governance Statement of Compliance in order to prove that they have their information under appropriate control and security, so that they can connect to the government secure network.

News

INTERNATIONAL

Wikipedia becomes latest company to opt out of Phorm

Wikipedia becomes the latest company to request an opt-out from the scanning and profiling of its domains by Phorm's Webwise services. Wikipedia has contacted Phorm asking it not to record anything about URLs from domains controlled by Wikipedia. The company has asked that its domains are excluded, arguing that third party profiling of its website users' behaviour is an invasion of their privacy. Last month, Amazon made a similar request. (See also in this issue EC launches infringement proceedings against UK government, by Oliver Bray and Tom Cadwaladr.)

A copy of the email sent to Phorm is available from Wikipedia at: http://techblog.wikimedia.org/2009/04/wikimedia-opting-out-of-phorm/

Phorm launches site to set record straight

Phorm has launched a new website to set the record straight about its behavioural advertising services following what it describes as a smear campaign and misrepresentation of the company. The 'stopphoulplay' website aims to counter the alleged smears against the company found in the press and online.

The website is available at: http://www.stopphoulplay.com/

CZECH REPUBLIC

Czech government admits data breach involving EU leaders

The Czech government has confirmed that personal information relating to European Union leaders was mishandled during an EU–US summit held in Prague at the beginning of April 2009.

The information was found by a Finnish national on a computer in a Czech hotel after the summit. It included passport numbers, flight details, blood groups and allergies of approximately 200 participants, including prime ministers and presidents. No information about the American participants was found. The Czech government, which currently holds the EU Presidency, chose to play down the affair, attributing the incident to human error. The file was removed from the computer and the Czech government said that steps would be taken to prevent such an incident from happening again.

CANADA

Poll reveals consumer concerns about their privacy during economic downturn

A new poll conducted by the Privacy Commissioner reveals that Canadians are worried about the effects of the economic downturn on their privacy. Concerns stem from how corporate cost-cutting may result in less stringent privacy and security measures.

Commenting on the poll, Privacy Commissioner Jennifer Stoddart said, “The risks to personal information may be higher than ever during an economic downturn because criminals will undoubtedly be looking for ways to exploit vulnerabilities”.

The poll also revealed that people are not doing enough to protect themselves from the risk of identity theft. The Privacy Commissioner has been calling for the government to develop a comprehensive strategy for dealing with identity theft.

The poll also looked at other privacy issues including matters relating to national security, data security breaches and new technologies.

The results and the final report are available at: http://www.priv.gc.ca/information/survey/2009/ekos_2009_01_e.cfm

Privacy concerns over scans at homeless shelters

The Alberta Privacy Commissioner, Frank Work, has raised concern about the use of a handprint security system at Calgary's Drop-In Centre. The system is being tested because three members of staff were attacked. Centre officials want such a system to keep out drug dealers and gang members who in the past have simply given a false name to gain entry to the centre. The Commissioner is concerned about how the information stored on a database will be used and kept securely, and whether it could be disclosed to third parties such as the police.

Although no complaints have been received to date, the system has raised privacy concerns about the growth in popularity of such biometric security systems.

If a complaint is made, the Commissioner may not have the authority to intervene, as privacy legislation applies only when personal information is used for commercial purposes.

38 05/09 Copyright © 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579

DENMARK

Facebook under scrutiny

The Danish Data Protection Authority is looking into whether Facebook meets the requirements of Danish data protection legislation. The investigation follows complaints that users of the social networking site have to relinquish many of their rights when they create a profile. The Authority has sent Facebook a list of questions it wants answered, which include:

• How Facebook adheres to the requirements of Danish data protection legislation;
• Whether Facebook is registered in an EU country;
• What information Facebook shares with third parties;
• How a dead person's profile may be removed from the site once they have passed away.

GREECE

Greek DPA puts a temporary ban on Streetview

The Hellenic Data Protection Authority (HDPA) has temporarily banned Streetview from collecting images until Google provides additional privacy safeguards. The HDPA wants Google to provide information on how the images taken will be stored, processed and protected against misuse. Furthermore, it wants to know how Google plans to inform the public that its vehicles are mounted with cameras, taking photos.

In an unofficial translation of the statement, the HDPA said that

“Simply marking the car is not considered an adequate form of notification. The authority has reserved judgment on the legality of the service pending the submission of additional information, and until that time will not allow (Google) to start gathering photographs”.

For further information visit: http://www.dpa.gr

HUNGARY

Privacy concerns follow Streetview to Budapest

While the Greek Data Protection Authority has issued a temporary ban on Google capturing images for its Streetview service, the Hungarian Data Protection Commissioner, Andras Jori, has expressed concerns about Streetview's arrival in Budapest. Google cars arrived to scan the streets of Budapest at the beginning of May. Jori, who is also a member of the EU's Data Protection Working Group, has said that he will monitor Streetview carefully. His concerns surround the legal basis for managing personal information processed for use as part of Streetview's images.

NEW ZEALAND

Survey shows risks to data held on PSDs

A survey of the main government departments has revealed that there are fundamental security risks to personal information held on portable storage devices (PSDs).

The findings revealed:

• 35 out of the 37 agencies which responded made PSDs available for staff use;
• nearly two-thirds of agencies allowed staff to use their own PSDs for work purposes;
• only nine agencies had mandatory encryption for PSDs;
• 62 percent of those surveyed kept a PSD register;
• only 22 percent of those surveyed would be able to track the data transferred onto PSDs;
• 75 percent had policies governing the use of PSDs, but only half of these included information on how to delete content;
• 70 percent had incident reporting procedures for the loss/theft of a PSD, but these did not address personal PSDs used for work.

Commenting on the survey, Privacy Commissioner Marie Shroff voiced these concerns:

“We are particularly [worried] about the use of personal PSDs in the workplace because it is so easy to lose one, or to accidentally disclose sensitive information by, for example, lending a USB stick to a friend. ... If you are using your own personal PSD for work, then you are more likely to accidentally take that corporate information with you when you change jobs. Government agencies have a responsibility to try and prevent that sort of thing.”

The survey is the first of its kind undertaken in New Zealand and is based on a similar survey undertaken by the Victorian Privacy Commissioner. It did not cover the private sector. The Australian Privacy Commissioner has also undertaken a similar survey on PSDs, the results of which were released this month.

More information about the survey is available at: http://www.privacy.org.nz

UNITED KINGDOM

Government drops plans for communications database

The government has dropped plans to create the controversial communications database, citing privacy as the reason. The database would have been used to store emails, web use and phone calls.

The proposed Communications Database was heavily criticised by privacy advocates and the Information Commissioner's Office, which referred to it as a 'step too far'. The Home Office has launched a consultation paper, 'Protection of the Public in a Changing Communications Environment', and is looking for responses to questions based on the various options outlined in the document.

Commenting on the reasons for dropping the database, Home Secretary Jacqui Smith wrote,

“I know that the balance between privacy and security is a delicate one, which is why this consultation explicitly rules out the option of setting up a single store of information for use in relation to communications data.”

The consultation paper is available at: http://www.homeoffice.gov.uk/documents/cons-2009-communications-data?view=Binary

Government to retain DNA despite ECHR ruling

The UK government is considering keeping DNA for up to 12 years despite a ruling last year by the European Court of Human Rights which stipulated that the “blanket and indiscriminate” retention of DNA samples was unfair and a “disproportionate interference” with the right to 'respect for private life'.

It is conducting a consultation exercise over its proposals, which include:

• Automatically deleting DNA profiles of those arrested but not convicted of serious violent or sexual crimes after 12 years;
• Automatically deleting profiles of those arrested but not convicted of all other crimes after six years.

The Home Office is looking for comments on the consultation document entitled 'Keeping the right people on the DNA Database' by August 7, 2009.

A copy of the consultation is available at: http://press.homeoffice.gov.uk/press-releases/new-proposals-for-dna-database

Accenture and Atmel gain approval for binding corporate rules

The Information Commissioner's Office has approved the transfer of personal information from the UK to outside the EEA under Binding Corporate Rules (BCR) for both Accenture and Atmel. The ICO has made it clear that both organisations have a global infrastructure which provides an adequate level of protection for such transfers of data. The ICO has been assessing the adequacy of both Accenture and Atmel's BCRs alongside its European counterparts, who will issue their authorisations for transfers of data in due course.

Deputy Information Commissioner David Smith said,

“Accenture and Atmel should be commended for their commitment to the concept of binding corporate rules and their respect for the privacy of individuals. The ICO welcomes approaches from multinational organisations that need to share personal information within their own group but outside Europe and who want to use binding corporate rules to do that. Using binding corporate rules is a responsible approach to handling people's personal information.”

Atmel Group of companies was authorised on April 22, 2009 to transfer employee personal information from the UK to outside the EEA on the basis of their BCRs. Approval to the Accenture Group of Companies was given on April 30, 2009.

For more information about binding corporate rules, visit: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_bcr_faqs_v1.1.pdf

UNITED STATES

Federal government increases DNA collection

US law enforcement agencies are expanding their portfolio of DNA samples to include DNA collected from people who have been arrested or detained but not convicted. As of May, the FBI will collect DNA samples from individuals awaiting trial and collect samples from immigrants who have been detained. 15 US states already operate such practices. The FBI database already holds 6.7 million DNA profiles. Critics of the move are voicing privacy concerns about the need to keep samples from individuals who are not convicted of a crime.

LexisNexis suffers data security breach

LexisNexis has warned 32,000 people that their personal information may have been accessed as part of a credit card fraud scheme. Databases held at LexisNexis in New York and a company called Investigative Professionals based in Santa Fe were accessed. Although the fraudsters had access to over 32,000 customer records, approximately 300 people's data was used fraudulently. The information, which included names, dates of birth and social security numbers, was used to set up fake credit cards.

UBS cites Swiss privacy laws as part of its refusal to release data to US

UBS AG has cited Swiss privacy laws as part of its refusal to hand over information about American customers to the US Internal Revenue Service when the company filed papers with a Miami federal court. This is part of an ongoing legal battle between UBS, the US Justice Department and the IRS after the IRS won a court case last year. The outcome of that case ordered UBS to hand over the names of UBS American customers who may have avoided paying income tax in the US.

UBS is arguing that forcing it to hand over client information is forcing it to violate Swiss privacy laws that prevent organisations from disclosing personal information pertaining to bank accounts to third parties. The IRS is claiming access to the information under a US–Swiss Tax Treaty. A hearing in Miami is scheduled for July.
