
Europe under Review : Part 2 of 8 – Data Collection

As the next in our series of “back to privacy basics”, we look at the rules regarding collection and processing of personal data.

As we will do throughout this series, we take a look at the current position and what is current best practice for an organisation.  We will also briefly consider what the new Data Protection Regulation may mean in this area.

Data Collection

Data protection law requires all processing of personal data to be fair and lawful. Translating from data protection jargon this means ‘transparency’ and ‘legitimacy’.

For the processing to be “fair” or “transparent”, companies should ensure that certain, clear information is provided to individuals in advance of processing their data.  Specifically, data controllers need to ensure that individuals are, so far as practicable, told:

  • who the data controller is
  • why the personal information is being processed
  • any further information which is necessary, having regard to the specific circumstances, to enable the processing in respect of the relevant individual, to be fair.

In practice this means clear and specific information being provided in privacy policies, marketing consents, employee handbooks, online policies etc.

In terms of ‘legitimacy’ (or “lawfulness”) the purpose for which the information is collected is key.  Data protection law will only permit its collection and subsequent processing if organisations can demonstrate the processing is for one of a defined list of conditions for processing.  This aims to ensure that personal data is only used for legitimate reasons.

For many organisations, the key purposes that they will be able to rely upon are those for which they have collected the individual’s consent; where the processing is necessary in connection with contracted goods / services provided to the individual; and where required by law.

Organisations may also collect and process information where it is in the organisation’s “legitimate interests” to do so.  But this is a balancing act.  The collection and processing will not be permitted where the individual’s fundamental rights under data protection law override the interests of the organisation.

Best Practice

Organisations should ensure that sufficient notices are given to individuals whose personal information is collected.  This will involve employees, customers, business contacts, and any other correspondents.  And don’t forget about the information requirements for the use of cookies on websites.

Before undertaking any data collection, or embarking on a product development that will involve significant data collection, conduct a Privacy Readiness Assessment or Privacy Impact Assessment to identify personal data being collected and establish legitimate grounds for collection and processing.

Position under draft Data Protection Regulation

One of the real bug-bears of privacy regulators is the practice of treating privacy notices as “small print”, burying away details of processing.  Privacy notices should be seen as a way of being upfront and assuring customers of an organisation’s good privacy practices.

Expect this trend to continue should the draft Regulation pass into law in its current state.  The draft Regulation places a greater emphasis on enhanced transparency and requires that a much more extensive privacy notice is given to individuals.  The proposal is that a standard ‘privacy graphic’ is used with organisations being required to specify details of where the processing varies from the norm.

The well known conditions for processing will, fundamentally, remain the same.  This is definitely a case of ‘no news is good news’ for many organisations who rely on ‘legitimate interests’ (or private sector organisations anyway).  However, privacy notices will likely need to specify the legitimate interests in advance so this is an extra overhead.

The bad news for public authorities is that they will no longer be able to rely on this ground.

Next up in our series is the topic of data accuracy and proportionality.


European Court of Justice declares Data Retention Directive invalid

The Data Retention Directive requires public electronic communications providers to retain certain communications data (essentially traffic data) to help in the fight against serious crime.  It applies to telcos and ISPs and came into force in 2006 after a number of terrorist attacks in mainland Europe added impetus to efforts to harmonise EU member state laws.  However, in a ruling published yesterday, the ECJ has concluded that the Directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data” and declared it invalid.

How has this come about?

This is not the first time that the Directive has come under scrutiny.  The European Commission looked at the Directive in 2011 and had a number of criticisms (particularly as to the balance between the privacy of individuals and security).

In this latest development, the ECJ was asked to consider whether the Directive complied with the EU Charter of Fundamental Rights which sets out individuals’ rights to a private life and the protection of personal data.  The request came from the Irish and Austrian national courts which have before them a number of actions disputing the validity of corresponding national measures (as the Directive was implemented in EU member states through national laws).

What were the Court’s concerns?

The ECJ is of the view that, whilst the content of communications is not retained, the data that is retained could reveal potentially precise information about individuals’ private lives, and that the use of their data (when they have not been informed of that use) is “likely to generate in the persons concerned a feeling that their private lives are subject to constant surveillance”.

Therefore, the ECJ concluded that, although data retention is appropriate in the fight against serious crime, the Directive is disproportionate.  The ECJ was particularly concerned at:

  1. The generality of the Directive – it covers all individuals and electronic communications without exception;
  2. The lack of objective criteria for, and procedures regulating, access to and use of the data;
  3. The minimum data retention period of 6 months not taking into account the type of data or its usefulness;
  4. Data retention being permitted for up to 2 years when there are no objective criteria to determine what data retention period is necessary in the circumstances;
  5. The insufficient safeguards against possible abuse, and unlawful access or use, of data;
  6. The absence of a requirement to keep the data in the EU so that compliance with the rules can be ensured.

So what does this mean?

Well, in view of the continuing Snowden revelations and increased focus on protecting personal information, we can be sure that this will add fuel to the fire of the on-going surveillance v privacy debate.  It would also seem to suggest that surveillance for security purposes will have to move in the direction of more targeted action and stringent controls to be acceptable. So we expect big changes in the practical steps telcos and ISPs are required to take to retain communications data and make it available to law enforcement agencies.

However, in the short term, the ruling is likely to have little practical effect.  The ECJ has suspended the effect of the ruling until measures to remedy the invalidity are adopted, which, as the new Data Protection Regulation shows, could take some time!  So, things are likely to continue as they are for now.  In the meantime, the British Government and European Commission have both already said that they are assessing the impact of the ruling. Telcos and ISPs hang fire for now.


Europe under Review: Part 1 of 8 – Registration

Over the next few weeks we will be going back to data privacy basics in our eight part “Europe under Review” blog series. We will be comparing current data privacy laws and best practice in the UK with the proposed new state of play under the draft Data Protection Regulation. We kick off our first blog in the series with the topic of registration.

Current position

In the UK, there is a general obligation on data controllers to register details about their processing of personal information with the Information Commissioner’s Office (ICO).  This is also known as “notification” and is a public register. Failure to register with the ICO, or processing personal data outside the scope of a registration, is a criminal offence. Certain organisations are exempt.  For example, not-for-profit organisations and organisations that only process personal data for staff administration, for their own advertising, marketing and public relations and running their accounts don’t have to register. The registration process with the ICO has recently changed with a new simpler format. The new format consists of template “nature of work” descriptions, which can be chosen by an organisation when doing their filing.

The rules in other EU member states vary significantly. For example, registrations are generally required in France and Spain, but not in Germany provided a data protection officer has been appointed.

Best Practice

Keep your registration with the ICO under review and make any necessary amendments as soon as possible. An organisation that has a presence in various EU member states should ensure that it has in place all local data protection registrations where required. Best practice is to ensure that someone within the organisation takes ownership of managing the local registrations.  This is usually best handled centrally.

Position under draft Data Protection Regulation

Under the draft Regulation there will be no requirement to register or notify with a data protection supervisory authority anywhere in the EU. Instead, organisations will be required to maintain certain documentation internally (this will be discussed in more detail under the “Privacy Governance” blog piece later in this series).

Clearly, removing the requirement to register is good news for organisations.  Let’s admit it: registration serves little purpose in practice!  So does this also reduce the administrative burden?  Not really!  Given the other proposed changes, the overall effect is to “internalise” the bureaucracy in that organisations will in future need to maintain new detailed documentation and records of all their processing ready for regulatory inspection.  So the overhead is likely to go up in net terms.  This is also bad news for data protection supervisory authorities (such as the ICO), as they will lose a major revenue stream (the registration fees). As a consequence, data protection authorities may be further stretched in resource, unless funding is made available from elsewhere.

Keep an eye out next week for Part 2 of “Europe under Review” on the topic of data collection…


Europe Under Review

Over the next few weeks we will be going back to data privacy basics. We will be comparing current data privacy laws and best practice in the EU with the proposed new state of play under the draft Data Protection Regulation.

The draft Regulation, which has received a lot of publicity already, is likely to transform data privacy in Europe. The aim of the draft Regulation is to create a future proofed and harmonised set of privacy rules across all European member states. Since the first draft of the Regulation, the content has been under much scrutiny; with lobbyists, national data protection authorities and parliamentary committees suggesting countless changes. With the final detail still to be determined, it seems that the Regulation is here to stay. Certainly it is time to check on progress. See our blog post of 12 March below for the latest developments.

In our eight-part “Europe Under Review” blog posts, we will cover topics such as registration, data collection, accuracy and proportionality, data retention, data security, international data transfers, privacy governance and individual rights.

Keep an eye out for our first “Europe under Review” blog post on the topic of registration this week.


Progress on EU data privacy reform: “irreversible”

Today, the European Parliament voted through the new EU Data Protection reform package (621 in favour of the new Regulation and 10 against with 22 abstentions). It’s a clear endorsement of the proposals.  The EU press release says this reform is “a necessity” and is now “irreversible”.

Viviane Reding (the EU Justice Commissioner) said that strong data protection is Europe’s trade mark. She also referred to the US data spying scandals as indicating that data protection is more than ever a competitive advantage.

Specifics

  • MEPs increased the fines to be imposed on firms that break the rules to up to Euro 100 million or 5% of annual worldwide turnover (increased from Euros 1 million / 2% of annual worldwide turnover)
  • Data exports to be only permitted with prior authorisation
  • Rights to have data erased, limits on profiling and plain language privacy policies will be the norm
  • The Principle of Accountability underpins the whole proposal: so the focus on governance, policies, procedures, audits and appointing a Chief Privacy Officer / Data Protection Officer is key

Next steps

The European Parliament will not change its position even if the composition of the Parliament changes after the EU elections in May. The Parliament will now negotiate with the Council (representing the 28 EU member state governments).  So far the Council has said it broadly supports the proposals, but the detail is yet to be confirmed and, as we blogged last week, they recognise that there is still work to be done.

Thoughts?

The fact that the Council has yet to define its position means that this is not yet final. Expect more negotiations on this when the Justice Ministers meet in June.

Viviane Reding says this is about strengthening protection for citizens and making life easier for business. Many will take issue with the second part of that statement.

Interestingly, there was less Parliamentary support for the new Data Protection Directive regulating privacy issues in relation to law enforcement bodies (this sits separately from the proposed general Regulation). However, this was also voted through, even if less decisively (371 in favour, 276 against with 30 abstentions).
