1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Europe under Review : Part 2 of 8 – Data Collection

As the next in our series of “back to privacy basics”, we look the rules regarding collection and processing of personal data.

As we will do throughout this series, we take a look at the current position and what is current best practice for an organisation.  We will also briefly consider what the new Data Protection Regulation may mean in this area.

Data Collection

Data protection law requires all processing of personal data to be fair and lawful. Translating from data protection jargon this means ‘transparency’ and ‘legitimacy’.

For the processing to be “fair” or “transparent”, companies should ensure that certain, clear information is provided to individuals in advance of processing it.  Specifically, data controllers need to ensure that individuals are, so far as practicable, told:

  • who the data controller is
  • why the personal information is being processed
  • any further information which is necessary, having regard to the specific circumstances, to enable the processing in respect of the relevant individual, to be fair.

In practice this means clear and specific information being provided in privacy policies, marketing consents, employee handbooks, online policies etc.

In terms of ‘legitimacy’ (or “lawfulness”) the purpose for which the information is collected is key.  Data protection law will only permit its collection and subsequent processing if organisations can demonstrate the processing is for one of a defined list of conditions for processing.  This aims to ensure that personal data is only used for legitimate reasons.

For many organisations, the key purposes that it will be able to rely upon or are those for which it has collected the individual’s consent; where the processing is necessary in connection with contracted goods / services provided to the individual; and where required by law.

Organisations may also collect and process information where it is in the organisation’s “legitimate interests” to do so.  But this is a balancing act.  The collection and processing will not be permitted where the individual’s fundamental rights under data protection law override the interests of the organisation.

Best Practice

Organisations should ensure that sufficient notices are given to individuals whose personal information is collected.  This will involve employees, customers, business contacts, and any other correspondents.  And don’t forget about the information requirements for the use of cookies on websites.

Before undertaking any data collection, or embarking on a product development that will involve significant data collection, conduct a Privacy Readiness Assessment or Privacy Impact Assessment to identify personal data being collected and establish legitimate grounds for collection and processing.

Position under draft Data Protection Regulation

One of the real bug-bears of privacy regulators is the practice of treating privacy notices as “small print”, burying away details of processing.  Privacy notices should be seen as a way of being upfront and assuring customers of an organisation’s good privacy practices.

Expect this trend to continue should the draft Regulation pass into law in its current state.  The draft Regulation places a greater emphasis on enhanced transparency and requires that a much more extensive privacy notice is given to individuals.  The proposal is that a standard ‘privacy graphic’ is used with organisations being required to specify details of where the processing varies from the norm.

The well known conditions for processing will, fundamentally, remain the same.  This is definitely a case of ‘no news is good news’ for many organisations who rely on ‘legitimate interests’ (or private sector organisations anyway).  However, privacy notices will likely need to specify the legitimate interests in advance so this is an extra overhead.

The bad news for public authorities is that they will no longer be able to rely on this ground.

Next up in our series is the topic of data accuracy and proportionality.

Europe under Review : Part 2 of 8 – Data Collection

European Court of Justice declares Data Retention Directive invalid

The Data Retention Directive requires public electronic communications providers to retain certain communications data (essentially traffic data) to help in the fight against serious crime.  It applies to telcos and ISPs and came into force in 2006 after a number of terrorist attacks in mainland Europe added impetus to efforts to harmonise EU member state laws.  However, in  a ruling published yesterday, the ECJ has concluded that the Directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data” and declared it invalid.

How has this come about?

This is not the first time that the Directive has come under scrutiny.  The European Commission looked at the Directive in 2011 and had a number of criticisms (particularly as to the balance between the privacy of individuals and security).

In this latest development, the ECJ was asked to consider whether the Directive complied with the EU Charter of Fundamental Rights which sets out individuals’ rights to a private life and the protection of personal data.  The request came from the Irish and Austrian national courts which have before them a number of actions disputing the validity of corresponding national measures (as the Directive was implemented in EU member states through national laws).

What were the Court’s concerns?

The ECJ is of the view that, whilst the content of communications is not retained, the data that is retained could reveal potentially precise information about individuals’ private lives, and that the use of their data (when they have not been informed of that use) is “likely to generate in the persons concerned a feeling that their private lives are subject to constant surveillance“.

Therefore, the ECJ concluded that, although, data retention is appropriate in the fight against serious crime, the Directive is disproportionate.  The ECJ was particularly concerned at:

  1. The generality of the Directive – it covers all individuals and electronic communications without exception
  2. The lack of objective criteria for, and procedures regulating, access to and use of the data,
  3. The minimum data retention period of 6 months not taking into account the type of data or its usefulness
  4. Data retention being permitted for up to 2 years when there are no objective criteria to determine what data retention period is necessary in the circumstances
  5. The insufficient safeguards against possible abuse,  and unlawful access or use, of data
  6. The absence of a requirement to keep the data in the EU so that compliance with the rules can be ensured.

So what does this mean?

Well, in view of the continuing Snowden revelations and increased focus on protecting personal information, we can be sure that this will add fuel to the fire of the on-going surveillance v privacy debate.  It would also seem to suggest that surveillance for security purposes will have to move in the direction of more targeted action and stringent controls to be acceptable. So we expect big changes in the practical steps telcos and ISPs are required to take to retain communications data and make it available to law enforcement agencies.

However, in the short term, the ruling is likely to have little practical effect.  The ECJ has suspended the effect of the ruling until measures to remedy the invalidity are adopted, which, as the new Data Protection Regulation shows, could take some time!  So, things are likely to continue as they are for now.  In the meantime, the British Government and European Commission have both already said that they are assessing the impact of the ruling. Telcos and ISPs hang fire for now.

European Court of Justice declares Data Retention Directive invalid

Canada’s Digital Privacy Rethink: Fines, Enforceable Compliance Agreements and More!

On April 8, 2014, Canada’s government introduced Bill S-4, the Digital Privacy Act, in the Senate. Bill S-4 is the federal government’s latest attempt to reform the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). It would be a mistake to say that it is largely recycled from the government’s last attempt to reform PIPEDA in 2011 through Bill C-12, which died on the order paper. Here’s what’s different, what’s been dropped, and what seems to be largely the same. Caveat: This is a first read!

What’s different?

  • Fines for Failure to Record and Report Breaches. First the big news: The government is proposing that it would be a criminal offence for an organization to knowingly fails to keep prescribed records for breaches (see below) or to knowingly fail to report breaches in compliance with PIPEDA (also below). These offences would be punishable by fines of CAD$100,000 (indictable offence) and CAD $10,000 (summary conviction). To facilitate this provision, the Commissioner may disclose breach records and reports to law enforcement or the Public Prosecution Service of Canada  for investigation and prosecution.
  • Records of Breaches. Organizations must keep and maintain records of any breaches of security safeguards and provide those records to the Commissioner on request.
  • Altered the Test for Breach Reporting. The test for reporting a breach of security safeguards to the Office of the Privacy Commissioner of Canada in Bill C-12 involved an analysis of whether the breach was “material” having regard to a non-exhaustive list of factors. The government has changed its approach and adopted a test that appears to be based on the test in Alberta — that is, an organization must report a breach to the Commissioner and notify individuals if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. The listed factors for what constitutes a real risk of significant harm (sensitivity of the personal information and probability of misuse) are the same as for a “material breach” under C-12, but the factors also include the possibility of additional prescribed criteria.
  • Confidentiality of Breach Reports and Records. Unlike Alberta, the Commissioner to make a disclosure of breach reports and records for prosecution, these reports will remain confidential. In Alberta, the Commissioner must make a breach notification order. If the order requires individual notification, it is always public.
  • Compliance Agreements. The government is granting the Commissioner additional powers to enter into enforceable compliance agreements with organizations. These compliance agreements may include any terms that the Commissioner considers necessary to ensure compliance with PIPEDA. If the organization does not fulfil the terms of the compliance agreement to the satisfaction of the Commissioner, the Commissioner may seek a mandatory order from the Federal Court to require compliance with the agreement. This resolves an enforcement conundrum that the Commissioner previously because of limitation periods on seeking court orders following the conclusion of an investigation. This provision will significantly enhance the jurisdiction of the Commissioner provided that organizations determine that it is better to enter into agreements than to start to litigated. It is important to note that compliance agreement does not provide immunity to the organization from an action by an individual for compensation or from prosecution for an offence.
  • Broadening Regulatory Powers. The government has modernized and broadened the regulatory powers of the Executive Branch. This may result in more flexibility to pass clarifying regulations as issues arise under PIPEDA.

What’s Missing?

  • Gag Order Provisions. It appears that the government has dropped the provisions in Bill C-12 that restricted the ability of organizations to be transparent with individuals when they provided information to law enforcement and other government institutions (even absent a court order).
  • Lawful Authority Clarification. The government also appears to have dropped the provisions clarifying that an organization need not inquire into the lawful authority of law enforcement seeking information without a warrant or production order and has also dropped the provisions clarifying the meaning of lawful authority. No doubt the government feels the pending proposed amendments to the Criminal Code granting organizations immunity from voluntarily collecting and disclosing information is sufficient to overcome any lingering doubts of organizations regarding the parameters for responding to pre-warrant requests for information.

What’s largely recycled?

  • Conditions for Valid Consent. The requirement for informed consent has been reintroduced.
  • Work Product Information Exceptions. Exceptions for the collection, use and disclosure of work product information have been reintroduced.
  • Disclosure of Information in a Business Transaction. The provisions in Bill C-12 enacted to facilitate the sharing of personal information in the course of the due diligence process and the completion of business transactions for the purchase and sale of a business have been largely recycled.
  • Business Contact Information. As with Bill C-12, the government has introduced an exemption from the requirement for consent for the collection, use and disclosure of business contact information when used solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession. However, the government has tweaked the definition of business contact information. Business contact information is now “any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment”, including the usual data elements such as name or title, work address, work telephone number, work fax number or work email address. Previously, the definition began with this list of data elements and ended with a “basket clause”.
  • Financial Abuse Exceptions. Regrettably, the ham-fisted exception for disclosure without consent to deal with the plague of financial abuse (particularly of the elderly) have been reintroduced. The provisions permit disclosure to a government institution (which is not controversial) and also to next of kin or an authorized representative (neither of which is defined) irrespective of the competency of the individual. The government appears to have been deaf to the decades of provincial experience with substitute consent.

Now, the only question is whether the government will fare better getting this Bill passed than it has previously.


Canada’s Digital Privacy Rethink: Fines, Enforceable Compliance Agreements and More!

Digital Privacy Act to Reform Canadian Privacy Laws

On Friday, April 4, 2014, the Hon. James Moore, Canadian Minister of Industry, announced the launch of “Digital Canada 150.”

As part of the Digital Canada 150, the Government of Canada intends to introduce a Digital Privacy Act in Parliament this coming week to reform Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). The Minister’s announcement was short on details. It is expected, however, that the Digital Privacy Act may include some of the following reforms that were previously attempted by the government:

  • Mandatory data breach reporting to the Office of the Privacy Commissioner of Canada and individual breach notification requirements.
  • Clarification that organizations may disclose personal information when requested by police without verifying the lawful authority of the requester to make the request. (This provision was controversial when previously introduced. A different approach has been taken in Bill C-13, which is also before Parliament. That Bill would amend the Criminal Code to provide criminal and civil immunity to organizations that preserve and disclose data to law enforcement agencies, among others.)
  • An exemption that would allow an organization to disclose (without the consent of the individual and whether or not the individual is competent) personal information to the individuals’ next of kin, an authorized representative or law enforcement if the organization had reasonable grounds to believe the individual may be the victim of financial abuse.
  • Exemption from PIPEDA for the collection, use or disclosure of an individual’s business contact information when used for the purposes of communicating with that individual about their business.
  • Clarification that consent is not required for the collection, use and disclosure of employee work product information.
  • Provisions to facilitate the transfer of personal information without the need for consent when selling or acquiring a business.
  • New investigatory provisions for the Commissioner.

It is not clear whether we might also see new order making powers and administrative monetary penalties for egregious breaches of PIPEDA. Although these tools have been previously requested by the Office of the Privacy Commissioner, the government has not acceded to those requests to date.

Privacy law reforms are only one piece of the Digital Canada 150 initiative. A central plank in the Digital Canada 150 strategy is to have high-speed Internet at 5 megabits per second available to 98% of Canadians. The government will inject CAD $300 million to bring that effort to fruition. In addition, the government has announced that it will cap domestic wireless roaming rates. The government will continue to pursue passage of laws relating to cyberbullying and the regulation of virtual currency that have already been introduced into Parliament.

For our international readers, an explanation might be required as to why the government is branding its initiative “Digital Canada 150″. This is a reference to the 150th anniversary of the founding of Canada through Confederation in 1867. The building of a transcontinental rail road is a central theme in the history of nation-building in Canada. Under Confederation in 1867, two of Canada’s Maritime provinces were promised railway links to Ontario and Quebec. When British Columbia (on the far west coast) joined in 1871, there was a condition that the railway be completed across the continent. Evidently, what the rail road was to the history of Canada, the government believes high speed broadband will be to the future.

Digital Privacy Act to Reform Canadian Privacy Laws

Europe under Review: Part 1 of 8 – Registration

Over the next few weeks we will be going back to data privacy basics in our eight part “Europe under Review” blog series. We will be comparing current data privacy laws and best practice in the UK with the proposed new state of play under the draft Data Protection Regulation. We kick off our first blog in the series with the topic of registration.

Current position

In the UK, there is a general obligation on data controllers to register details about their processing of personal information with the Information Commissioner’s Office (ICO).  This is also known as “notification” and is a public register. Failure to register with the ICO, or processing personal data outside the scope of a registration, is a criminal offence. Certain organisations are exempt.  For example, not-for-profit organisations and organisations that only process personal data for staff administration, for their own advertising, marketing and public relations and running their accounts don’t have to register. The registration process with the ICO has recently changed with a new simpler format. The new format consists of template “nature of work” descriptions, which can be chosen by an organisation when doing their filing.

The rules in other EU member states vary significantly. So registrations are generally required in France and Spain but not in Germany provided a data protection officer has been appointed.

Best Practice

Keep your registration with the ICO under review and make any necessary amendments as soon as possible. An organisation that has a presence in various EU member states should ensure that it has in place all local data protection registrations where required. Best practice is to ensure that someone within the organisation takes ownership of managing the local registrations.  This is usually best handled centrally.

Position under draft Data Protection Regulation

Under the draft Regulation there will be no requirement to register or notify with a data protection supervisory authority anywhere in the EU. Instead, organisations will be required to maintain certain documentation internally (this will be discussed in more detail under the “Privacy Governance” blog piece later in this series).

Clearly, removing the requirement to register is good news for organisations.  Let’s admit it: registration serves little purpose in practice!  So does this also reduce the administrative burden?  Not really!  Given the other proposed changes, the overall effect is to “internalise” the bureaucracy in that organisations will in future need to maintain new detailed documentation and records of all their processing ready for regulatory inspection.  So the overhead is likely to go up in net terms.  This is also bad news for data protection supervisory authorities (such as the ICO), as they will lose a major revenue stream (the registration fees). As a consequence, data protection authorities may be further stretched in resource, unless funding is made available from elsewhere.

Keep an eye out next week for Part 2 of “Europe under Review” on the topic of data collection…

Europe under Review: Part 1 of 8 – Registration