got privacy?  Musings on the state of Privacy in a connected world.
 
By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional

On April 5th, 2011, the Article 29 Data Protection Working Party adopted WP 184.  The document is a summary of the Member States’ adoption of Directive 2009/136/EC (personal data breach provisions).

The document has three goals:

1) The Working Party wished to obtain a broad picture of the manner in which the Directive has been transposed and the possible differences of approach by all the Member States.  This exercise may even be a way to align the laws of all the Member States;

2) To help DPAs take note of the way jurisdictions have chosen to implement the Directive and possibly encourage the development of internal rules and ways in which data breaches will be notified;

3) To advise on future policy in the area of data breach reporting.

The Working Party finds it imperative, under the third goal, to promote future policy developments in the area of data breaches.  The Working Party feels the development of policy should emphasize two areas:

a) Under Article 4(5), the Commission is given the power to enact technical measures for the implementation of the Directive.  This is a newly created power under the authority of the Lisbon Treaty.  The Working Party anticipates the Commission will exercise its power only in some well-defined areas.

b) To incorporate the e-Privacy Directive in the review of the new Privacy Directive amending Directive 95/46.

PERSONAL DATA BREACH UNDER THE E-PRIVACY DIRECTIVE

The e-Privacy Directive is the very first directive which requires the reporting of data breaches in the European Union for providers of publicly available electronic communications services.  (In this area, the EU should look at the way data breaches are handled and regulated in the USA).

The data breach notification requirements do not apply to data controllers unless they are also providers of publicly available electronic communications services.  One may also argue that data controller activities and electronic communication activities should be considered independently from each other.

The e-Privacy Directive’s core elements are simple:

- It includes the definition of data breach.

- The required legal thresholds for the reporting of breaches to users and governments.

- Content and time for notification.

- The exemption from notification requirements when the data is protected by technological measures such as encryption.

The core elements do not seem to be a preoccupation for the Working Party.  Rather, the Working Party believes there are three areas which will be problematic.

1) The scope of the application of the obligation is the first identified problematic area.  Even though the Directive applies to publicly available electronic communication services, it does not require Member States to extend the requirements to all types of data and all sectors of the data handling industry.  The Directive rather encourages Member States to extend the application of the core principles to all types of data handling and sectors (including data controllers).

2) The issuance of guidelines is also identified as problematic because the classification of data, the definition of thresholds and the manner in which breaches are reported are open to interpretation by the Member States.  However, this could be easily solved if the Commission issues implementation guidelines.  The Commission’s guidelines will always trump any guidelines adopted by the Member States.

3) Technological protection measures which exempt a provider from reporting a breach to users are again open to interpretation by all Member States.  Just like the guidelines, the problem could be solved if the Commission issues a list of appropriate technologies.

STATUS OF THE TRANSPOSITION

According to the Working Party (as of the 5th of April), none of the Member States appear to have adopted the legislation yet.  The Working Party also points out that a significant number of Member States are unlikely to meet the transposition due date of May 25th.  Those who have drafted legislation report that the wording of the proposed legislation closely resembles the Directive’s.

SUGGESTIONS

The Working Party also makes several suggestions for the future:

A) The scope of the obligation to report breaches should apply to data controllers under the new Privacy Directive.

B) When creating or implementing breach notifications under the new Privacy Directive, the core elements applied to communication providers should also be applied to data controllers.

C) Regulations should be drafted, although the actual enactment of the e-Privacy Directive has yet to take place in all Member States.  The drafting should take into consideration six areas proposed by the Working Party.  The areas mostly deal with the harmonization and exercise of regulations by the Commission.

Lastly, the Working Party exhorts the Commission to apply the e-Privacy Directive breach requirements to data controllers as well.

If you would like to contact Raul, either email raulmendez1@earthlink.net  or call 206.264.0849.
By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.

The Bavarian Lager case could possibly represent the biggest hurdle in achieving transparency for European Union institutions.
If transparency is to be achieved, the Access to Documents Regulation[1] must be amended.  The amended regulation should take into consideration the Opinion issued by the European Data Protection Supervisor (EDPS) in June 2008.[2]

TRANSPARENCY
Article 255 of the Treaty establishing the European Community, as amended by the Treaty of Amsterdam, gave any resident or citizen of the Member States the right to access all documents of the Parliament, the Commission and the Council.  This right was set to be regulated by Regulation (EC) No 1049/2001.[3]

There were two additional important features included in Regulation 1049/2001:

1) The EU institutions are assigned the same rights and obligations as the Member States’ institutions have in the context of access to all documents;
2) The EDPS, an independent officer, is created.  His duties include monitoring the implementation of access to European Union documents.
It is worth recognizing that before 2001, the EU institutions were not required to have an open records regulation.

THE AMENDMENT
By 2007, a body of law had been formed.  The agencies also gained the necessary experience in handling document requests. 

The Commission then proposed the rewording of the regulation.  The aim was to require more transparency.  The intention was to have a better informed society with better processes.

The EDPS issued an opinion regarding the changes.  The EDPS disagreed with the wording of several parts of the regulation.  The opinion was partially based on the body of law that had been developed so far.

POWER TO INTERVENE
One of the rights the EDPS has is the power to intervene in any privacy-related lawsuit.  The EDPS has intervened in Bavarian Lager and in at least 13 other cases.

Thus, the EDPS has been highly influential in the interpretation of the law.  It is the position of the EDPS that the standard used, when evaluating the release of information against the Data Protection Directives, should be one of harm to privacy rather than the requirement of necessity for the release of the data.  The standard set by the court creates a big hurdle for applicants.


IMPORTANCE OF TRANSPARENCY

Transparency was provided by the Amsterdam Treaty amendments.  Before the inception of the treaty, the European Union institutions were exempted from the release of information requirements.

Transparency is a right that must be protected.  It is a cornerstone of good government.

HOW TRANSPARENCY HAS BEEN SUCCESSFUL IN SWEDEN
In Sweden, governmental agencies are required to release any document in their possession, free of charge, when requested.  These documents include electronic databases and documents’ metadata.

If agencies are of the opinion that the data should not be released, there is a court mandated review.  The request and objection to the release are reviewed by a special court which applies the right to access in a broad and liberal manner.  If the court finds for the applicant, the decision is final and it may not be appealed.


The system has allowed for better government.  Agencies can be scrutinized and held accountable for their actions.  Sweden’s system has allowed the citizenry to discover wrongful actions and cover-ups.  Transparency allows citizens to feel more confident in trusting their government.

The European Union should follow Sweden’s lead.  The review of the regulation has to be revisited.  The Commission is currently assessing the language and possibly rewording the regulation.[4]  A balance between privacy and transparency has to be achieved, and there must be consistency.

If you would like to contact Raul please use either 206-264-0849 or raulmendez1@earthlink.net.

[1] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ 2001 L 145, p. 43).
[2] Opinion of 30 June 2008 on the Proposal for a Regulation regarding public access to European Parliament, Council and Commission documents, OJ C 2, 7.01.2009, p. 7.
[3] Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and Commission documents, which became applicable on 3 December 2001.
[4] http://www.edps.europa.eu/EDPSWEB/edps/EDPS?lang=en (last visited on July 6th, 2010).