In the European Union in the past year, a whole range of corporate risk and regulatory issues have been at the top of the agenda, but at the top of my list are data protection and information security.
In this report on risk issues for 2014, I will look at websites, privacy impact assessments, cloud computing and the EU Data Protection Regulation.
Focus on Websites in the EU
In the past five years or so, the European Commission and regulators that focus on consumer protection have carried out regular “sweeps” of websites in order to assess levels of compliance. This trend will continue, and businesses that sell or license content to consumers need to review their online terms and conditions as well as their compliance with other e-commerce rules such as the E-Privacy Directive, E-Commerce Regulations and Distance Selling Regulations.
For example, an EU-wide screening of 330 websites that sell digital content (such as books, music, films, videos and computer games) across the European Economic Area revealed some significant areas of non-compliance.
The European Commission “sweep” was intended to assess:
- If information on key characteristics of a piece of content was obvious and not hidden in small print
- If the provider’s contact details were made easily available to consumers, and if the website had in place fair and lawful terms and conditions
Of the 330 websites, 172 were found to be non-compliant; they were subsequently contacted by the European Commission with a view to ensuring that appropriate measures were taken to ensure compliance.
The typical areas of non-compliance were:
- Lack of mandatory information required by law, such as the name and address of the website owner, the method by which they could be contacted, and a complaints-and-dispute resolution mechanism
- Unclear or unfair legal terms and conditions
- Unclear or confusing information about rights of rescission—how purchases could be cancelled or returned
In addition to the above investigations, there have also been assessments of websites as to how well they complied with the cookies rules, based on member states’ relevant implementations of the E-Privacy Directive. There were also investigations into the impact of so-called “free” apps and games, in particular, those aimed at children.
These various regulatory investigations, combined with the increasing global attention to online services (for example, by the FTC), indicate that website compliance is an area of risk that will continue to be important during 2014.
Privacy Impact Assessments and Privacy by Design
In recent years, there has been an increase in the promotion of privacy impact assessments (PIAs) and privacy by design (PbD) by both data protection regulators and compliance officers as mechanisms to integrate data protection into systems.
A PIA is essentially a due diligence exercise that assesses the impact of new technologies on individuals’ privacy rights. PbD is the principle that privacy is taken into consideration at the outset of a new project, notably by implementing privacy by default in new technologies.
Data protection authorities in some parts of the world already require PIAs and PbD (for example, in Malaysia and Canada), and other authorities are recommending PIAs and PbD as a matter of good practice.
I anticipate that PIAs and PbD will become increasingly popular risk management tools.
The UK Information Commissioner (ICO) has published a handbook on how to conduct a PIA, along with a guidance document entitled “Privacy Enhancing Technologies’’ (PETs). The ICO’s view is that carrying out a PIA and implementing PETs are important steps toward full compliance with the Seventh Data Protection Principle of UK data protection law (the equivalent of Section 2C of the Data Protection Acts 1988 and 2003); this principle obligates data controllers to implement appropriate technological and organizational security measures to protect the personal data that they process.
Other EU data protection authorities have also issued guidance on these topics, though not necessarily using the specific terms “PIA” and “PbD.” And in no other field have so many such guidance documents been issued than in cloud computing. The French CNIL and the Italian Garante, for example, have issued guidance documents on how to use the cloud and comply with data protection obligations, encouraging organizations to carry out detailed PIAs in advance of engaging a cloud provider. The Spanish Agencia has issued a similar document aimed at law firms that wish to implement cloud computing systems. The common message in these guidance documents is that organizations should:
- Know what they do and want to do with personal data
- Assess the impact those processes and operations will have on individuals’ privacy and their own data protection compliance
- Implement appropriate measures to reduce or even eliminate such negative impacts
Nevertheless, perhaps the most active data protection authority in the promotion of the PbD principle is Ann Cavoukian, the Canadian Information and Privacy Commissioner. Ann is a passionate advocate for PbD, and the PbD publications she supports are essential for understanding how businesses can use PbD to their utmost advantage. For example, the “Report on the State of PbD,” given to the 33rd International Conference of Data Protection and Privacy Commissioners, contains valuable material to fully explain the new approach to PbD and its seven principles:
- Proactivity versus reactivity – Consider privacy at the outset of the project, not only as a reaction to a breach or other data protection issue
- Privacy as default setting – Make the protection of individuals’ privacy the primary concern
- Privacy embedded into design – Consider privacy when designing a new tool or technology
- Full functionality – Try to accommodate all interests in a harmonious way, instead of dismissing privacy in favor of innovation, or vice-versa
- End-to-end security – Consider the protection of personal data throughout the product life cycle
- Visibility and transparency – Be transparent about the adopted approach to privacy
- Respect for user privacy – Keep the product or service user-centric (i.e., keep the interests of the individuals in mind)
In order to use PIAs and PbD to maximum advantage, organizations should first recognize which parts of the business deal with personal data. The list will at least include Human Resources and IT. Once these areas are clearly identified, businesses should provide data protection training to key individuals who work in these areas.
It is counterproductive to attempt to implement appropriate PIA and PbD processes when the relevant teams are not aware of data protection principles and cannot, for example, identify what constitutes personal data and what constitutes a processing activity.
Organizations should also clearly identify:
- The data subjects whose personal data are processed by the relevant business areas
- Their privacy expectations
- How the business can fulfill such expectations in a commercially acceptable, yet compliant, manner. This may mean conducting risk assessment and risk management exercises, where the final decision may require endorsement by management.
Once organizations’ approach to privacy is clearly defined, the next step should be to create overarching procedures that should be followed from the outset of a project. These procedures should be designed by a multi-disciplinary team, including representatives from legal, IT and other relevant business areas.
Organizations should, as much as possible, automate such procedures. A “self-service” approach, whereby users can fill out a form describing the most relevant aspects of the intended project, is preferable to the organization deciding for the user. In reality, PIAs can take a considerable amount of time to produce, and if they are too complex, they will not be complied with.
Organizations should also remember to schedule subsequent audit procedures and regularly review the overarching PIA and PbD procedures to ensure that they reflect legislative developments, the business evolution and the evolution of privacy.
Unfortunately, many organizations have yet to fully consider the benefits of introducing PIAs and PbD into their internal processes. The fact is that we are still trying to tackle data protection issues using information management systems designed at a time when no data protection concerns existed.
However, with the evolution of regulation, we are starting to see some developments. If we consider the internal processes that organizations in England and Wales have to implement in order to comply with the UK Bribery Act of 2010, we start to see that the time is right to implement comprehensive internal procedures for other aspects of compliance. Preliminary due diligence is the key to commercially wise decisions, and privacy is becoming one of the main issues to tackle in such due diligence exercises. If applied in a timely and correct manner, PIA/PbD procedures will place the organizations that implement them at the forefront of innovation and give them a strong competitive edge.
Organizations should also be proactive in promoting their internal privacy-friendly procedures, even if they only operate on a B2B basis. For example, data processors that demonstrate to their customers how they have considered the customers’ data protection obligations in their products or services are likely to be in a better position than those who do not.
The issue of privacy is far from inconsequential, and implementing PIAs and PbD is one of the best decisions a business can make to take advantage of today’s privacy-concerned market.
In 1999, Scott McNealy, who co-founded Sun Microsystems, was quoted as saying “You have zero privacy anyway. Get over it.” Perhaps this is still true, but is not the better position “We have personal data rights. Get with it”?
Cloud Computing
The previous two years have seen the release of cloud computing guidance on both national and international levels—from the Article 29 Working Party (WP), the European Data Protection Supervisor (EDPS), the CNIL and the UK Information Commissioner (ICO).
What is the general approach of these guidance notes, and what are the main points from these guides that organizations should consider when entering into and negotiating cloud computing contracts?
- Commercial viability – Some organizations have complained that increased data protection regulation is stifling the development of cloud computing as a commoditized service, particularly because cloud customers are required to assess the technical and organizational security measures that a cloud provider has in place. The problem is that it is usually impossible, logistically, for public cloud providers to allow their customers the access required to conduct such assessments if they are to continue to offer an uninterrupted and low-cost cloud service. However, the published guidance is clear that there will be no lowering of data protection standards and that any imbalance in contractual power will not be considered as justification to accept clauses that do not comply with data protection law. That said, the guidance does offer a number of practical (albeit non-prescriptive) recommendations, such as the use and development of European privacy seals—for example, EuroPriSe. Further, the ICO suggests that cloud providers may consider appointing an independent third party to conduct a security audit of their services, which could then be provided to prospective cloud customers.
- Sub-processing – The guidance makes clear that cloud customers must consent to any sub-processing that the cloud provider may commission. Therefore, it is essential that a cloud provider’s terms and conditions explain the sub-processing that will take place and, in fact, they should name all sub-processors commissioned, together with the location of where the sub-processing may take place. In turn, the contract between the sub-processor and the cloud provider should reflect the stipulations of the contract between the cloud client and cloud provider.
- Data erasure and disposal – Whose obligation? The data controller will always be responsible for ensuring that personal data is not kept longer than is reasonably necessary. The guidance makes clear that cloud customers should therefore ensure that their contract with the cloud provider contains precise details for returning/destroying data once the service is concluded. The ICO recently fined the Scottish Borders Council £250,000 when it was discovered that one of the Council’s outsourcers disposed of old records using a supermarket recycling bin, highlighting the regulator’s intolerance of organizations that improperly and carelessly appoint data processors.
Although the use of cloud services undoubtedly offers customers great savings, failure to comply with data protection laws and ignoring the guidance as described above could engulf some or all of the economic benefits of cloud computing. Penalties for breach of data protection laws are making news headlines that effectively “name and shame” the cloud customer. In addition, if the draft EU General Data Protection Regulation passes in its current form, fines will increase dramatically to up to 2 percent of an organization’s global turnover.
The 2012 EU cloud opinions, and in particular the European Commission Memo of September 27, 2012, entitled “Unleashing the Potential of Cloud Computing in Europe,” were very influential. One consequence was the adoption of Opinion 03/2013 on Purpose Limitation by the Article 29 Data Protection Working Party on April 2, 2013. Among other things, this Opinion dealt with the data protection obligations that apply to open data and big data, major concerns of data management within the Cloud.
Among other things, the Opinion highlighted the information security risks in the cloud and the challenges of balancing technical innovation with data protection principles.
On September 19, 2013, the European Parliamentary Committee on Civil Liberties, Justice, and Home Affairs (LIBE) published its Opinion on “unleashing the potential of cloud computing in Europe.” While the Opinion recognizes the potential benefits of cloud computing for businesses, citizens, the public sector and the environment, it focuses almost entirely on the need for current and future EU laws to adequately protect individuals whose data is processed in the cloud, particularly laws concerning data protection.
In a call for general data protection principles to be recognized by and enforced against cloud providers, the Opinion also calls for cloud providers in a number of circumstances to be treated as “data controllers” jointly with the businesses that use the cloud services.
It is generally accepted that businesses that use cloud services to process, among other things, personal data are “data controllers” as defined by the Data Protection Directive (95/46/EC), but it has also been promulgated by cloud providers that they are mere providers of a service, and therefore are “data processors” as defined by the same Directive.
Under current EU legislation, the role of the cloud service provider needs to be determined on a case-by-case basis, as the Opinion highlights. Sometimes there is a contractual imbalance between the customer and the cloud provider, requiring the customer to then enter into contractual arrangements that impose standard services. In such cases, special attention must be given to ensure that the contract defines the purposes, conditions and means of the processing.
While the Opinion is not legally binding, it does place a duty upon a customer to ensure that it contractually binds a client provider to assume more liability than current terms and conditions usually provide.
Where a business user is the “data controller” and the cloud provider is the “data processor,” under current EU data protection laws, the “data processor” has no liability to comply with those laws, and all liability rests with the “data controller.” It is for this reason that businesses should focus their attention on negotiating better contractual arrangements with cloud providers until such time as the law is changed.
On October 15, 2013, much of the above opinion was mirrored in a European Commission memo entitled “What does the Commission mean by secure Cloud Computing services in Europe?” (MEMO/13/898)
The situation we now have is that cloud computing is here to stay, but technology has once again outstripped the law. The stable door is open and the proverbial horse has bolted. Where we are left now in the EU is trying to corral the horse and legally saddle the beast!
The Proposed European Data Protection Regulation
There have been calls for an overhaul of European Data Protection legislation for some time. The Data Protection Directive1 was introduced at a time before the widespread use of complex consumer technology, such as smartphones and tablets, and the advent of Web 2.0 and its associated exchange of information between individuals online. Further, the Directive predates widespread public awareness of the importance of privacy and the value of individuals’ personal information. As technology has advanced and practices have changed, the need for an overhaul of the law has become more apparent.
The Data Protection Regulation was drafted to address the shortcomings of the Directive. It also aims to escalate the importance of privacy to a corporate Board’s level of concern. The European Commission wishes to see data protection escalated to that same level, of comparable importance to corporate topics such as bribery, corruption and money laundering.
Calls for an overhaul to the European Data Protection Directive have increased in recent years. The first glimpse of the European Commission’s response came in November 2011 with the leaked draft of the proposed European Data Protection Regulation. The leaked draft was followed in January 2012 with the official draft Regulation, largely similar, though containing some significant changes. For example, the penalties of fines of up to 5 percent of worldwide annual turnover were reduced to 2 percent in the official draft. Likewise, the deadline for data controllers to notify the data protection authority of a breach softened—from a mandatory 24 hours since the data controller became aware of such a breach, to a more workable 72 hours “where possible.” Nonetheless, the official draft Regulation was substantially similar to its leaked predecessor.
The next significant step in the evolution of the Regulation came with the report published by LIBE, dated December 2012. The LIBE report advocated over 3,000 amendments to the draft Regulation, while largely retaining the structure.
On October 21, 2013, LIBE published its latest version of the Regulation, with a reinstatement of the 5 percent of worldwide annual turnover and changes to the requirements to appoint a Data Protection Officer (DPO).
The Regulation is a lengthy piece of legislation, at around three times the length of the Data Protection Directive. It is also significantly more prescriptive than its predecessor, which has attracted criticism from various quarters including European data protection Authorities. While the principles of the Regulation follow those of the Directive, it introduces widespread and significant changes to the data protection landscape.
A key feature of the Regulation is that it abolishes the registration requirements of the Directive. This has been widely heralded as a means of saving European business significant costs. Currently, data controllers must, subject to exemptions, register with the applicable data protection authorities in the jurisdictions in which they have entities established, described as notification. Organizations with entities established in various European Member States are required to notify the data protection
Authority of their processing activities. A separate notification is required for each entity established within that jurisdiction, which for large multinationals can mean hundreds of notifications across Europe with the various data protection authorities. Notifications frequently require updating when, for example, the data controller engages in a new type of processing activity, automates a manual process, or makes a corporate acquisition. For example, implementing a centralized hosted HR system or whistleblower hotline or acquiring a European group of companies will require the data controller to file a new notification—or update an existing notification—with the data protection authority of each country in which it is established. In the largest multinationals, this is almost a full-time job for the Data Protection Officer. The abolition of the requirement to notify the data protection authorities is likely to be welcomed by companies doing business in Europe.
In place of the requirement to notify, the Regulation will require most organizations to appoint a DPO. The pre-LIBE draft Regulation required organizations that employ more than 250 employees to appoint a DPO. However, a criticism of this approach was that organizations carrying out activities such as online profiling and Internet marketing were often small operations employing a handful of people, yet their activities present a significant privacy risk. Conversely, a large manufacturer operating in a business-to-business context may employ more than 250 people, but present a far smaller risk to the individuals whose data it processes. Post-LIBE, four categories of data controller will be required to appoint a DPO:
- Public authorities or bodies
- Organizations carrying out processing in relation to more than 5,000 data subjects per year
- Processing activities including regular and systematic monitoring or profiling of data subjects
- Data controllers whose core activities consist of processing special categories of data
The DPO must have appropriate expert knowledge of data protection law and practices, and should be designated for a term of at least four years. Further, he may only be dismissed if he no longer fully fits the conditions for the performance of his duties. In other words, a DPO cannot be dismissed for convenience. If a data controller decides not to appoint a DPO, it must communicate to the appropriate supervisory authority the reasons for this decision. In practice, data controllers are obligated to appoint a DPO unless there is a good reason for not doing so. In such a case, the data controller must announce its decision not to appoint a DPO to the data protection authority.
The principles under the Regulation remain largely similar to those under the Directive, however the LIBE Report introduced “labels” which should help data controllers understand the spirit of each principle. These include:
- The principle that personal data must be processed lawfully, fairly and in a transparent manner is described as the transparency principle in the Regulation.
- Purpose limitation describes the principle that any collection of personal data must only be for a specified explicit and legitimate purpose, and not for any further, incompatible purpose.
- The Directive required that data collected for a specified purpose should not be excessive; this principle has been extended under the Regulation. The data minimization principle requires that data controllers may only collect the minimum data necessary for a specified purpose. Many data controllers, particularly those involved in marketing activities, routinely collect more data than is strictly necessary for the underlying purpose in order to be able to build up a profile of the data subject, enabling more targeted marketing. These data controllers in particular will have to revisit their processes when the Regulation comes into force.
- Data integrity is the term used under the Regulation to describe the principle that requires data to be kept accurate and up to date, and any amendments or deletions requested by a data subject are to be observed.
- The principle that data should not be kept for longer than is necessary for the purposes for which it was collected is described as the storage minimization principle under the Regulation.
- Personal data must be processed in a way which allows data subjects to exercise their rights, described in the Regulation as the intervenability principle.
- The Regulation uses the term accountability to describe the principle that data controllers must ensure and be able to demonstrate compliance with the principles of the Regulation for all of their processing operations.
Significantly, the principles apply not only to the processing activities of data controllers but also to data processors.
As is the case under the Directive, the Regulation provides that the data subject’s consent may be relied upon by data controllers to provide a legal basis for processing. However, the Regulation addresses a number of widespread practices where the data subject’s consent was not genuinely freely given. Significant changes to the concept of consent include placing the burden of proof upon the data controller, where it has relied on the data subject’s consent to processing of their personal data for the specified purposes. The draft Regulation confirms expressly that data subjects have the right to withdraw consent at any time. Another key development is the express provision that consent cannot provide a legal basis for processing where there is a significant imbalance between the data controller and the data processor. The Regulation specifically mentions the employee/employer relationship as an example of a significant imbalance.
Many organizations will need to consider the way they use consent in their day-to-day business in relation to both their employees and their customers.
The Regulation introduces a new right for data subjects, namely the right to be forgotten and to erasure. The right to be forgotten enables data subjects to obtain from the data controller erasure of data which the data subject had provided to the data controller. This right requires that data controllers delete such material upon the request of the data subject, and instruct any third parties with whom they have shared the data to do the same.
However, the right to be forgotten has attracted significant criticism. While it is undoubtedly well intentioned, critics suggest it may be unworkable in practice. For example, companies involved in data-scraping activities, who collect information from a website without the website owner’s consent, may not be persuaded by the website owner to delete “scraped” content. It has also been suggested that public figures may use the right to remove information from public records such as newspaper archives, when in fact keeping the information relating to public figures in the public domain may be in the public interest.
The Data Protection Directive does not require data controllers to inform the data protection authority of a data breach. This absence puts the Directive at odds with many jurisdictions, particular in the U.S., where breach notification is commonplace in state law. The Regulation introduces a requirement to notify the data protection authority of a data breach within 72 hours of the data controller becoming aware of it. In cases where the breach is likely to adversely affect individuals’ privacy, data controllers are also required to inform the data subjects themselves. While the mandatory breach reporting obligations will be welcomed by many and will see European law on a par with the U.S. vis-à-vis breach notification rules, there is no de minimis limit. Accordingly, even the most trivial breaches would need to be reported to the data protection authority. There is an often repeated argument that this will generate countless reports, inundating data protection authorities and creating the risk that serious breaches may be lost among the myriad trivial ones.
Under the Directive, data controllers established in more than one European Member State are required to register with the data protection authority in each jurisdiction in which they are established, unless an exemption applies. Currently, each European data protection authority takes a slightly different approach to notification, leading to a patchwork of requirements across Europe. Any multinational attempting to comply with the various notification requirements of each of the relevant data protection authorities faces a significant challenge, often requiring input from legal counsel in each of the Member States. It is a costly and time-consuming exercise. The Regulation expressly addresses this issue by designating a lead authority for those organizations that operate in more than one Member State. The lead authority will be the data protection authority in the country where the data controller’s main establishment exists and will serve as the single point of contact. This is likely to be welcomed by organizations, as they would avoid having to manage the differing notification requirements of the various data protection authorities.
The current draft of the Data Protection Regulation introduces sanctions of up to 5 percent of worldwide annual turnover. For the largest companies, this could equate to huge fines of hundreds of millions of euros. The high level of potential sanctions is intended to escalate data protection from merely a corporate topic to one that it is discussed at the Board level, alongside issues such as anti-money laundering. Organizations already doing business in Europe will be aware that over the last few years, the potential penalties that may be levied by European data protection authorities have increased dramatically. At the same time, data protection authorities are generally moving toward a more enforcement-driven approach. For example, in the UK, the Information Commissioner can issue monetary penalty fines of up to £500,000 for non-compliant data controllers, and is pushing for powers to imprison individuals responsible for the worst breaches. The Spanish data protection authority reportedly issued fines totaling €19,500,000 in 2011 for non-compliant data controllers. There is an argument that, while these fines are large, they are not a sufficiently significant deterrent for the largest non-compliant companies. The potential sanctions under the Regulation would more likely ensure that data protection is a key compliance topic for organizations to consider.
There appears to be a perception, particularly in the U.S., that the Regulation is unlikely to actually come into force. However, the Regulation is likely to be approved in the current European Parliament and if so, would probably come into force in approximately two years, sometime in 2016. As a Regulation, it will take effect immediately, unlike the Directive, which operates through national implementing legislation. The Regulation, therefore, will likely be more uniform in its application than the Directive.
It would be prudent for companies preparing for the introduction of the Regulation to ensure that they are compliant with the current laws, since the principles of the Regulation are very similar to those of the Directive. However, the potential consequences of non-compliance with the Regulation are far more serious. If there was ever a perception among companies that compliance is a “nice to have” rather than a necessity, the Regulation appears ready to consign that perception to history.
The full LRN Risk Forecast Report can be accessed at: http://pages.lrn.com/risk-forecast-report-2014
Footnotes
1 This is also known as Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.