Saturday May 19, 2012


What the January 25, 2012 Draft of the Proposed EU Data Protection Reform Means for Companies Doing Business with or in the EU

European Union

January 27, 2012 - Francoise Gilbert

The comprehensive proposed data protection package that the European Commission unveiled on January 25, 2012 provides a sneak preview of the European Commission's plans for the reform of the data protection rules in the European Union. If the draft legislative texts are adopted in a form substantially similar to that which was presented in the package, by 2015, the European Union will be operating under a single data protection law that applies directly to all entities and individuals in the Member States. In addition, much of the administrative burden that is currently costing companies billions of Euros will have been removed. The savings would allow companies to allocate their data protection budget to more meaningful, efficient data protection practices that are better adapted to the uses of personal data, the new technologies and the 21st century way of life.

Read more: What the January 25, 2012 Draft of the Proposed EU Data Protection Reform Means for Companies Doing Business with or in the EU

 

EU Data Protection Overhaul - New Draft Regulation

European Union

Francoise Gilbert

Note: This post is superseded by the post above, due to the publication of a new draft of the proposed legislative texts.

The European Commission has just published drafts of the two documents that will form the new legal framework for the protection of personal data throughout the European Economic Area. The draft documents are intended to provide a last opportunity for comments. The final version is expected to be published during the first quarter of 2012, and will come into force two years after publication. Thus, the new rules are currently not expected to be effective before the middle of 2014.

The proposed new legal framework consists of two legislative proposals: a proposal for a General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which will supersede Directive 95/46/EC; and a proposal for a Police and Criminal Justice Data Protection Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. This article discusses only the Regulation.

Read more: EU Data Protection Overhaul - New Draft Regulation

 

France - Protection of Personal Data and Cloud Computing

France

Alain Bensoussan
 
In order to consider all potential solutions, both from a legal and technical standpoint, and to guarantee a high level of personal data protection, the French data protection authority, the CNIL, recently launched a Call for Contributions from all stakeholders (clients, providers, consultants) on cloud computing.
 
The CNIL’s Call for Contributions dealt with many issues related to cloud computing, including:
 
-      Definition of cloud computing;
-      Role of stakeholders;
-      Applicable law;
-      Regulation of data transfers;
-      Security of data.

Read more: France - Protection of Personal Data and Cloud Computing

 

Meet the New CNIL Chairwoman

France

Alain Bensoussan
 
The CNIL’s new Chairwoman, Isabelle Falque-Pierrotin, presents her priorities, in both French and English, in a video posted online that can be viewed here.
 
Ms. Falque-Pierrotin was elected on September 21st, 2011, after CNIL’s previous Chairman, Mr. Alex Türk, who was also a member of the French Senate, proactively resigned to comply with a recent legal provision that will soon prohibit the CNIL’s Chairman from holding any other elected office or public position.
 
In the video, the new boss of the French data protection regulator stresses that in an evolving and global environment, CNIL must innovate and become more open to resolutely step into the digital world. She firmly believes that cooperation with the private sector is important and thinks “the EU revision [of the data protection framework] will be a wonderful occasion to demonstrate that we are able to have a competitive protection but also a modernized protection” of personal data.

Read more: Meet the New CNIL Chairwoman

 

Upcoming New, Streamlined BCR Regime to be Unveiled in Early 2012

European Union

Francoise Gilbert
 
Very exciting news was announced at the IAPP EU Conference in Paris, which I have the pleasure of attending.
 
While we had hoped that Viviane Reding, the EU Vice President, would give an overview of the upcoming new EU Data Privacy Regulation, in her keynote address, she focused on what is being planned for the overhaul of the BCR regime.
After noting that, as a result of the use of cloud computing services, data are being moved everywhere in the world, Ms. Reding encouraged companies to adopt global binding rules that govern the protection of personal information throughout the global enterprise, and to file applications for the approval of BCRs reflecting these global privacy rules.
 
When talking about the upcoming publication of the new Data Privacy Regulation in early 2012, Ms. Reding stated: "My reform will make binding corporate rules binding within companies, but also with respect to third parties. This implies that the rules provide for the necessary legal mechanisms to apply to all entities involved."

  
 

Read more: Upcoming New, Streamlined BCR Regime to be Unveiled in Early 2012

 

French Court Suspends US Company's Whistleblowing System

France

Alain Bensoussan
 
Whistleblowing systems have been a hot issue in France for several years. In a ruling dated September 23, 2011, the Court of Appeals of Caen confirmed a lower court’s decision to suspend the whistleblowing system of a U.S. company on the grounds that it did not comply with French whistleblowing law. In light of this ruling, U.S. companies are advised to audit the compliance of their whistleblowing systems with French data protection law.
 
France’s whistleblowing rules
 
Normally, companies have to apply for the authorization of the French data protection authority, the CNIL, before setting up a whistleblowing system in France. But obtaining the CNIL’s authorization may be a long process.
 
In an effort to ease the burden on companies and cut through red tape, the CNIL adopted in 2005 a document known as Single Authorization No. AU-004. If a whistleblowing system meets all the requirements laid down in the Single Authorization, a company can avoid the standard, cumbersome authorization process and is eligible for a simplified procedure: it only has to submit a declaration of conformity certifying that its system complies with the Single Authorization.

Read more: French Court Suspends US Company's Whistleblowing System

 

CNIL's Data Security Guide Now Available in English!

France

Alain Bensoussan

The French data protection authority, the CNIL, recently published a translated version of its Guide on Personal Data Security.
 
The Guide is designed to help data controllers meet their obligations under French law regarding the security of the personal data they collect, use and maintain.
 
The French Data Protection Act N°78-17 of January 6, 1978, requires data controllers to take “all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties” (Art. 34 of the Act). Failure to guarantee the security of the data is punished by five years’ imprisonment and a €300,000 fine (Article 226-17-1 of the Penal Code).
 
This Guide should be of interest not only to controllers established in France but more generally, to any entity that directly or indirectly uses IT systems in France.

Read more: CNIL's Data Security Guide Now Available in English!

 

CNIL Issues Data Protection Guide for Health Professionals

France

Alain Bensoussan

The French data protection authority, the CNIL, recently published a Guide for Health Professionals (Guide des professionnels de santé), available online (view here in French).

The first pages of this Guide recall the core principles of the French Data Protection Act, the missions of the CNIL and the role of data protection officers (“CIL”).

The second part is divided into practical, easy-to-read fact sheets designed to give health professionals the basic information and guidelines they need when processing personal and health data.

Read more: CNIL Issues Data Protection Guide for Health Professionals

 

How to Submit a Complaint to the EDPS

European Union

Alain Bensoussan

On June 15, 2011, Peter Hustinx, European Data Protection Supervisor (EDPS), and Giovanni Buttarelli, Assistant Supervisor, presented their Annual Report of activities for 2010 (read full report here). This Report covers the sixth full year of activity of the EDPS as a new, independent supervisory body. Peter Hustinx, the EDPS, said it "is fully in line with the need to increase our efforts to ensure a more effective protection of privacy and personal data in a changing world which is increasingly global, Internet driven and dependent on the widespread use of ICTs in all areas of life."

This report is a good opportunity to get to know the European guardian of personal data protection. Did you know that you can lodge a complaint with the EDPS?

What is the EDPS?

The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to:

(i) protecting personal data and privacy; and

(ii) promoting good practice in the EU institutions and bodies.

The EDPS’ general objective is to ensure that the European institutions and bodies respect the right to privacy when they process personal data and develop new policies.

Read more: How to Submit a Complaint to the EDPS

 

First Multimodal Biometric System Authorized in France

France

Alain Bensoussan

The CNIL has given its green light to a multimodal biometric system. Striking the right balance between security and the protection of privacy and personal data, the French data protection watchdog decided that the security measures taken satisfactorily protected personal data and that the multimodal biometric system was “adapted and proportionate to the purpose pursued”. This is the first time that a multimodal biometric system has been authorized in France.

Purposes of biometric recognition systems

On May 12, 2011, the French data protection authority, the CNIL, for the first time authorized a company to deploy a multimodal biometric system combining finger vein and fingerprint recognition to control access to its workplace premises (CNIL Deliberation No. 2011-141 of May 12, 2011, in French).

Vauban Systems, an information security consulting firm, had applied for an authorization, in compliance with Article 25-I-8° of the French Data Protection Act, which provides that automatic processing comprising biometric data necessary for the verification of an individual’s identity may be carried out only after the CNIL’s authorization. 

A biometric system is designed to identify individuals based on their physical, biological or even behavioral features. Biometric data is data produced by the human body that positively identifies individuals and enables them to be traced. Vein pattern recognition is a more reliable and secure biometric method than fingerprints, which may be lifted and reproduced unbeknownst to the individual.

Read more: First Multimodal Biometric System Authorized in France

 
