Likumdošana

European Union: European Commission's Proposed Change To The EU Data Protection Laws: Detailed Analysis

The European Commission’s new draft data protection regulation was leaked to the press earlier this month. The proposal includes repeal of the present EU Data Protection Directive 95/46 and recommends a General Data Protection Regulation, as well as a Police and Criminal Justice Data Protection Directive.

The Commission appears to have made good its threats to increase enforcement to make U.S. and other companies outside the EEA comply. Some of the ground-breaking proposals include a harmonised enforcement and sanctions mechanism which include penalties of 1%, 3% or 5% of a enterprise's annual worldwide turnover for intentional or negligent breaches of various data protection obligations. Those penalties will certainly force organisations to sit up and take notice of their data protection obligations.

As suspected, the draft regulation includes new elements in relation to the principles of transparency and data minimisation, as well as a new principle of accountability for data controllers. Built into the new principle is an obligation for Privacy by Design “and by default”.

In addition, the right to be forgotten shifts the burden from individuals to organisations by requiring organisations that seek to continue to process personal data to demonstrate compelling legitimate grounds for the processing which override the interests or fundamental rights of the individual. This new right to be forgotten extends to erasure of information in the public domain available via the Internet or other communication service, and links to a new right to have the data restricted.

The draft Regulation also includes an obligation on large enterprises to appoint a data protection officer for both data controllers and data processors, where the processing of personal data requires regular and systematic monitoring.

The draft Regulation further proposes a new ‘super’ regulator, a European Data Protection Board to consist of the heads of each of the Member States’ Data Protection Authorities to replace the Article 29 Working Party. This new ‘super’ regulator will have the power to review and opine on measures at the national level relating to cross-border data processing whether within the European Union or outside of it, including approvals of data transfer agreements and binding corporate rules.

As we recently saw with France’s implementation of a data protection label, the proposed Regulation encourages the use of data protection certifications, such as seals and marks, for data controllers, aimed at helping individuals assess an organisation’s privacy practices.

Unless organisations raise data privacy and protection up the priority list of importance, they would be sitting on a time bomb. The issue is not whether this proposal will come into force, but when, and while there may be some changes while the proposal makes its way through the European Parliament, the way forward for organisations is now clear, and organisations will have at least two years to bolster their processes and procedures and get ready for the new horizon.

Likums SOPA ļaus bloķēt mājas lapas, bez tiesas ordera

ASV parlamentā notika likuma uzklausīšana saistībā ar tīmekļa domēnu, kuri izplata kontrafakta preces, darbības izbeigšanas procesa vienkāršošanu.

ASV parlamenta notika Stop Online Piracy Act (SOPA) likumu apspriede saskaņā ar kuru autortiesību pārkāpumi tiks uzskatīti par smagiem noziegumiem. Apspriedes galvenais mērķis bija legālas darbības apturēšanas mehānisma vienkāršošana tām juridiskam personām, kuras pārkāpj autortiesības.

Pēc SOPA likuma apstiprināšanas, autortiesību īpašniekiem kļūst vieglāk veikt cenzūru domēnos, kuri apdraud viņu tiesības. Viņi var pieprasīt izdzēst domēnu ar atsaucēm uz kontrafakta materiāliem no meklētājprogrammām, ka arī domēni bloķēšanu un naudas saņemšanas ierobežošanu pārkāpējiem.

Tā, Amerikāņu skaņu ierakstu kompāniju asociācija (Recording Industry Association of America, RIAA) nosūtīja Amerikāņu tirdzniecības pārstāvja birojam (US Trade Representative) domēnu sarakstu, kuras, pēc komisijas informācijas, ir lielāki autortiesību pārkāpēji interneta. Šī saraksta pamata daļu veido Torrent-trekeri.

Būdams viens no likuma SOPA lobistiem, RIAA cer, ka pārkāpēju saraksts palīdzēs valdībai noskaidrot galvenos autortiesību pārkāpējus, un atbalstīs jauna likuma realizāciju.

Gadījumā ja SOPA likums tiks pieņemts visi domēni var būt bloķētas bez attiecīga tiesas rīkojuma, bet tikai uz ģenerālprokurora parakstu.

RIAA saraksta ietverti arī ārzemju domēni, kuri apdraud autortiesības, starp tiem Krievijas sociālais tīkls «ВКонтакте», un Ķīnas meklētājprogramma Sougou. Tomēr lai bloķēt ārvalstu resursu, ja tā domēns neietilpst zone.com, viena amerikāņu likuma nav pietiekami, šim nolūkam ir nepieciešama starptautisks regulējums.

"Roskomnadzor" begins to punish

Recently Russian media took the news that, according to the deputy head "Roskomnadzora" Roman Sheredina, the number of credit institutions registered in the registry operators PD, does not exceed 30% of the total population and is now about 300. In this regard, the agency moves from advocacy to attract operators to the administrative responsibility for "failure to provide notification about the processing of the POA, as well as information about changes in the information contained in the notice. Specialists InfoWatch tried to give a small forecast of further development of the situation.

Rustem Khairetdinov, Deputy Director General InfoWatch: "On how it will carry out inspections and how violations will be evaluated, as well as on what sanctions would be taken against violators, largely depends on the ratio of the Russian business community in general to the idea of protection of personal data.

In accordance with Russian tradition of baptism, after the thunder, some companies will begin to take seriously, rather than formal efforts to protect personal data only after it become known cases of the first companies to proven susceptible to sanctions ".

Act insiders as costs of free market

<>iAs reported today by RBC Agency, President Dmitry Medvedev instructed the Deputy Prime Minister Alexei Kudrin and head of the presidential administration Sergei Naryshkin, together with interested federal authorities and the media agree on a draft law on inside in the media.

Draft federal law "On counteracting misuse of insider information and market manipulation" should be finalized by May 1, 2010

New legislative initiative of the Government commented senior research analyst InfoWatch Nikolai Fedotov: "When the media of classified information - paper, prepared for her shredder and when it is CD, it waits microwave. And when such a vehicle - a man?

Obviously, the government is preparing for the development and liberalization of exchange trade, the exit to the free circulation of many stocks, the emergence of derivatives. In a command-and state-monopoly economic trade secrets almost no demand, and the law on insider will not help. But the free market - is another matter.

Защита данных в Европе станет жестче

Berlīne. Eiropas komisija izskatīs jaunu likumu, kurš piespiedīs visas komerckompānijas, aģentūras, un organizācijas Eiropā ziņot patērētājiem par klientu konfidenciālu datu noplūdes / nozaudēšanas faktu.

Vivian Ridin, Eiropas Komisijas sakaru speciālais pilnvarnieks, Eiropas Parlamentā Strasbūrā paziņoja, ka komisija ir Eiropas Savienības izpildorgāns un panāks mandāta darbības sfēras paplašinājumu par cietušo informēšanu par to personas datu kompromitēšanas faktu ap 2012.gadu. ASV štatu vairākums un Japāna pieņēma tamlīdzīgus likumus jau 2003.gadā.

Sākumā Eiropas likumdevēji apstiprinās likumprojektu kompānijām, kas strādā telekomunikāciju jomā, kurš pirmkārt uzliks par pienākumu, Eiropas sakaru operatoriem un internetprovaideriem paziņot par datu noplūdi.

Skaļu lietu saraksts Lielbritānijā un Vācijā par informācijas noplūdēm, zādzībām, valsts iestāžu un lielu kompāniju informācijas prettiesisku izmantošanu, ir pārliecinošs fakts Eiropas likumdevējiem mandāta ietekmes jomas paplašinājumam.

«Es uzskatu, ka ir visi priekšnoteikumi, lai likums par apziņošanu stātos spēkā», - paziņoja Ann Bevitt, Londonas kompānijas Moriison un Forester advokāte. Kompānija sniedz konsultācijas starptautiskiem uzņēmumiem par datu pārvaldes pamatiem. «Šis process var aizņemt kādu laiks, bet es domāju, ka patērētāju vairākums gribēs zināt par to personas datu noplūdi, ja tāds pēkšņi notiks».

Eiropas valstu vairākumā, ieskaitot Lielbritāniju, nav darbojošos likumu, kas uzliktu par pienākumu kompānijām apziņot cietušos klientus, to personas datu noplūdes gadījumā, kaut arī daži dara to pēc personīgās iniciatīvas. Tomēr pie tam, dažām kompānijām tomēr uzliek naudas sodu par īpaši lieliem incidentiem ar datu noplūdi. Tā, piemēram, Britu finansiāls kontrolieris 2007.gadā uzlika naudas sodu 980,000 vai $1.5 miljona apmērā Hipotekāru «Nationwide Building Society» brokerim, klēpjdatora nozaudēšanas dēļ, kurā ietverta vairāku miljonu klientu personīgā informācija.

Pēc Nikolaja Fedotova, InfoWatch vadošā analītiķa domām, «Ir gadījumi, kad cietušo apziņošana par to personas datu noplūdi patiešām derīga. Un tieši tajos, kad datu subjekts spēj uzsākt jebkādas darbības kaitīgu seku nivelēšanai. Piemēram, banku kartes datu kompromitēšanā turētājs var viņu nobloķēt un pasūtīt no jauna.

Citos gadījumos cietušajam nav iespēju iespaidot sekas. Piemēram, gadījumā, kad izpausta mājas adrese , neviens nepārvāksies. Tādos gadījumos obligāta paziņošana par noplūdi ir bezjēdzīga. Un pat kaitīgi, kā zināms no ASV prakses (kur paziņošana ir obligāta), pilsoņu daudz maz vērienīga apziņošana neizbēgami nonāk presē. No atklātības var rasties papildus morālais zaudējums, tā var pamudināt citus blēžus izmantot situāciju.

No citas malas, praktiski neizbēgama noplūdes atklātība nozīmē kompānijas reputācijas zaudējumu. Paredzot to, firmas labāk aizsargās personas datus. Kaut arī ne visas. Kompāniju-monopolistiem un valsts institūcijām to reputācija vienaldzīga, tādēļ mehānisms nenostrādā.

Visumā, cietušo apziņošanai ir jēga tikai par dažām noplūdēm. Bet labāk - nevis vienkāršs pavēstīt, bet gan uzreiz uzsākt kaut kādas kompensējošās darbības. Piemēram, apmaksāt cietušajam finansiāla monitoringa pakalpojumu vai kompensēt atjaunotās kartes vērtību. Tamlīdzīgas saistības iekļaušana likumā nozīmēs īstenu gādību par pilsoņu interesēm».

Jautājums, vai Eiropas likumdevēji varēs uzstādīt informācijas aizsardzības stingrākus likumus, nekā, piemēram, šobrīd Beļģijā darbojošos, ir aktuāls. Saskaņā ar likumu, kurš tiks aplūkots tuvākajās dienās, ES valstīm ir laiks līdz 2010 gadam, lai piekristu likuma prasību pielietojumam telekomunikāciju kompānijām un Internetprovaideriem.

Tomēr jau pašlaik Eiropas komerciālas kompānijas norūpējušās par Eirokomisijas jaunu iniciatīvu, kura tuvākajā laikā skars tikai telekomunikācijas un Internetprovaideru. Pēc viena no lobbistu iesnieguma, tamlīdzīgs paplašinājums var palielināt cenas uz precēm un Eiropas kompāniju pakalpojumiem.

Ohio Officials, Insurers Look to Protect Policyholder Data

Starting Nov. 2, 2009, Ohio regulators and all insurance companies that do business in the state will begin new procedures designed to protect policyholders' personal information.

Insurance companies will be required to report any loss of policyholder information within their possession to the Department of Insurance within 15 days of the discovery that the information has been lost or stolen, according to Insurance Director Mary Jo Hudson.

"Policyholder information is a valuable asset for insurance companies. We also know that is invaluable to Ohio policyholders," said Hudson. "While there have been few reports of information being lost or stolen, these new procedures will help the Department and insurance companies work together to assure information is safeguarded in the best possible manner and, in the unlikely event of release, all efforts will be made to limit any harm."

The reporting procedures will be part of the department's risk assessment responsibilities and will extend to agents that are appointed by an insurance company. Insurance companies will be required to educate their agents about this obligation, according to Hudson.

Indiana Combats Identity Theft

The state of Indiana will soon require much more documentation to obtain a driver’s license or a state identification. The state says the measures are aimed at preventing identity theft, which victimizes millions of Americans each year. However, some are still fighting the new rules. They fear it will hamper a person’s ability to cast a ballot.

If you want to renew your driver’s license in Indiana today, all you basically have to do is show your current license and you’re in.

Come January 1st, anybody wanting to renew or get a new driver’s license in Indiana or obtain a photo ID will need to show a lot more.

ROSEBROUGH: For identity, the most common would be a birth certificate or passport. Then for social security number, you need our social security card or like a W2 forum that will have your social security number on it. That’s Indiana BMV spokesman Dennis Rosebrough. He says the new measures are to prevent someone from pretending to be someone else.

ROSEBROUGH: If you know anybody who’s ever experienced identity theft. That is really, really painful experience to go through.

But this need for extra documentation concerns Karen Celestino-Horseman, an attorney representing the League of Women Voters of Indiana.

Indiana law says a person must show a photo ID when voting at a precinct. But Celestino-Horseman says some people may not have the necessary documents required to obtain a photo ID so they can vote.

CELESTINO-HORSEMAN: It’s really going to, I believe, seriously impact older persons. It is going to have an impact. And, it’s going to impact women whose names have changed.

Indiana’s Voter ID law was challenged all the way to the U.S. Supreme Court last year.

The American Civil Liberties Union of Indiana filed the lawsuit.

The U.S. Supreme Court upheld the law and ruled it did not severely burden voters. Now The League of Women Voters has filed a separate lawsuit in Indiana, contending the ID requirements go against the state’s constitution. That lawsuit has already been dismissed by an Indiana court, but the league is appealing to the Indiana Appellate Court.

Celestino-Horseman says the BMV’s new requirements will only add to the burden the voter ID law already places on the poor and elderly.

CELESTINO-HORSEMAN: The side-effect of all of this is that I have to go through all of this so that I can vote, yet at the same time we as a country are going across overseas and internationally telling people that freedom of voting is one of the most important rights that there is and we encourage them to open up their elections and to vote. While back here in Indiana, we’re doing nothing but making it more difficult.

The League of Women Voters isn’t the only group concerned about the potential impact of the new requirements.

So is a New York based advocacy organization called Demos. Demos is party to a lawsuit filed last month against the state of Indiana for a separate voter-related issue.

Federal motor-voter law states that anyone seeking public assistance through a state agency, must be provided a voter registration form.

Demos’ spokeswoman Brenda Wright claims Indiana isn’t doing that and that’s why the group is suing the state. Wright says the new ID requirements in Indiana will prevent more poor people from voting.

WRIGHT: In Indiana, 40 percent of low income, eligible persons are not registered to vote. That’s something like 385,000 people. So, we need to be thinking about ways to open the process up and not ways to keep people out. Indiana BMV spokesman Rosebrough says the new requirements are just putting into place what the 911 Commission called for to help thwart terrorism.

He says a person’s driver’s license is more than just to drive.

ROSEBROUGH: Because it has become such an important personal identification document, it really now has changed our responsibility to make sure that that document is in fact an accurate verification of your identity.

This year already, Indiana has reported 1100 cases of people trying to obtain duplicate identification cards to possibility be used to steal a person’s identity.

ID Theft Bill Proposed

LANSING -- Identity theft victims will be able to seek compensation for the time and effort it takes to clean up their damaged credit history if legislation proposed by a S.W. Michigan lawmaker becomes law.

Representative Matt Lori (R-Constantine) says that the bill updates Michigan law by better defining what constitutes identity theft, and increasing the penalties. It also makes victims of identity theft eligible for restitution from the Michigan Crime Victim Compensation Fund.

Lori says that the crime is increasing in frequency, and it's time victims get extra help. The legislation also reduces the risk of identity theft by establishing procedures for companies to properly destroy personal data. It now heads to the full House for consideration.

Germany Adopts Stricter Data Protection Law — Serious Impact on Business Compliance

On July 3, 2009, the German Federal Parliament passed comprehensive amend¬ments to the Federal Data Protection Act (the “Federal Act”). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law provisions.

Change in Marketing Rules

Under the revised law, the processing and use of personal data for the purposes of selling addresses and using contact details for marketing will be permitted only if the individual has expressly con¬sented to such use. There are, however, certain exceptions to this basic rule:

(i) Processing and use of existing data sets will continue to be governed by the old law until August 31, 2012. During the transition period, the so-called “list privilege” (permitting the transfer and use of certain data elements combined in lists) will continue to apply to previously collected data. The revised restrictionson processing and use of new data sets will apply beginning September 1, 2009.

(ii) Consent will not be required for the processing and use of certain data combined in lists, provided that the processing and use is necessary for one of the following purposes: (a) promoting the data controller’s own offers if the data controller collected the data directly from the individual or from a public directory; (b) advertising regarding the professional services of an individual using a professional address; or (c) advertising for charitable donations.

(iii) Data contained in lists may be transferred without the individual’s consent provided that: (a) information regarding the origin and the recipient of the data is retained for two years and (b) the advertisement identifies which data controller originally collected the data.

(iv) The data may be used for pro¬moting third-party offers only if the advertisement states the identity of the data controller responsible for the data. In addition to taking into account the new rules when planning marketing campaigns, data list sharing or third-party promo¬tions, existing arrangements should be reviewed to evaluate whether there will be a legal basis for transfer and use after the August 31, 2012, compliance deadline.

Encryption as a Security Measure

Although the current law already recognizes encryption as an appropriate technical and organizational measure, a new amendment to the annex to Section 9 of the Federal Act will now explicitly refer to encryption tools and procedures as being appropriate for access control and safeguarding data transmission. Such encryption tools and procedures must reflect the “Stand der Technik” — state-of-the-art technology. Introduction of Security Breach Notification Requirement

Data controllers will be subject to comprehensive breach notification requirements. The notification rules will apply to the following categories of data:

(i) sensitive data (as defined in the Federal Data Protection Act);

(ii) personal data subject to professional or official confidentiality obligations (e.g., data held by lawyers and doctors);

(iii) data concerning criminal acts or administrative offenses;

(iv) bank or credit card account details;

(v) customer data or traffic data as defined in the Telecommunications Act (e.g., data held by telecommunica¬tions operators, such as subscriber personal data and traffic data);

(vi) customer data or usage data as defined in the Telemedia Act (e.g., data held by electronic information and communication services providers, including registration or usage data that may identify an individual user).

Notification is required in the event of an unlawful data transfer or unauthorized access by third parties if the data loss is likely to have a serious impact on the rights or protected interests of the individuals concerned. The legislative commentary to the draft law indicates that both the types of data and the possible consequences of the breach should be taken into account when assessing whether the incident is likely to have a “serious impact.”

Where notification is required, the data controller must notify the appropriate data protection authority and the affected individuals without delay. The notification must be made without delay (a) after appropriate measures have been taken to secure the data and (b) once criminal prosecution will no longer be affected. The law also specifies certain minimum content requirements for the notification. Where notification to individuals would be disproportionately burdensome, particularly where a large number of individuals are affected, notice must be provided to the general public. Such notification must be made by placing at least a half-page advertisement in daily national newspapers, or by other means that would provide equivalent exposure for the notification.

Organizations will need to prepare inci¬dent response procedures and appoint an incident response team in order to ensure that any breach event is dealt with effectively, efficiently and in accordance with the legal notification requirements.

Detailed Requirements for Service Provider Contracts

Under the new law, contracts between data controllers and data processors will need to contain detailed data protection requirements. The law lists ten issues that must be covered, including, but not limited to, scope and purposes of the data processing, security measures, data processor obligations, subcontracting rights, audit rights, return of storage media and disposal. These requirements will affect contracts between German entities as well as contracts between foreign service providers and their German customers. Companies should review any existing contracts involving German companies to ensure that they comply with the minimum require¬ments imposed by the amended law.

Additional Protections Regarding Employee Data

The new law also provides greater pro¬tection for the collection, processing and use of employee data. It introduces a def¬inition of employees and includes specific rules for the processing of employee data in the context of the employment relation¬ship. As a basic rule, employee data may only be collected, processed or used if necessary for decision-making purposes when establishing, maintaining or terminating an employment relationship.

For the purposes of detecting criminal offenses, employee data may be collected and processed only if a number of specific conditions are met: (a) documented evidence must substantiate the suspicion that the individual has committed a criminal offense; (b) the collection, processing and use of the data must be necessary for the detec¬tion; and (c) the type and scope of the collection, processing and use of the data must be proportionate, considering the employee’s protected rights and the circumstances of the investigation. Because the new rules limit the activities companies may engage in wheninvestigating employees, they will have a significant impact on any internal inves¬tigations or employee screening efforts.

Greater Recognition for Corporate Data Protection Officers

Corporate internal data protection officers employed by the company will benefit from stronger employment rights under the new law. The employment relationship may not be terminated by management without good reason, and termination is not permitted for at least a 12-month period after the term as data protection officer has come to an end, unless management is entitled to terminate based on important grounds. Data protection officers will also be entitled to participate in continuing education and training courses at the organization’s expense. Management should be aware of these changes to data protection officer employment status and may need to review current employ¬ment contracts or data protection officer appointment certificates accordingly.

New Powers for Data Protection Authorities

The amendments to the Federal Act also strengthen the powers of data protection authorities. For example, the data protection authorities will be empowered to order organizations to remediate compliance failures, including deficiencies relating to the collection, processing or use of personal data, or relating to technical or organizational failures. Where there are serious viola¬tions or deficiencies, the authorities will also be able to prohibit the collection, processing or use of data, or the imple¬mentation of individual data processing procedures, under certain circumstances.

Increase in Fines and Sanctions

The amendments to the law also increase the maximum fines for failure to comply with data protection formalities from the current €25,000 per violation to €50,000, and from €250,000 per violation to €300,000 for more serious violations of the law. In addition, even higher fines may be imposed for commercial gains realized as a result of the violation — a violating company may be forced to disgorge profits that exceed the amount it would normally have to pay in fines.

Conclusion

The new amendments to the Federal Data Protection Act will impact business activities across the board. From adapt-ing marketing strategies, to renegotiating service provider relationships, to comply¬ing with new data breach notification requirements, now is the time for companies to review their data protection practices and consider implementing a more holistic approach. The new rules are likely to lead to increased interest in enforcement on the part of the data protection authorities. To avoid busi¬ness risks including fines, audits and reputational damage, compliance efforts must be properly focused. Data protection compliance and risk management must be understood as core elements of good business governance with respect to customers as well as to employees.

Likumdošana

Today almost every country has laws on protection of personal data of its residents. Those companies who carry out their business operations on local markets must meet the requirements of local laws and regulations and guarantee the safety of private information of its staff members and the customers alike. Almost every country has customized rules and regulations that regulate the operations of companies working in various market segments. Large companies who carry out their businesses on several national markets face most difficulties in connection with the above. They have to deal with requirements of a bundle of laws, including:

Besides these laws, almost every country has customized rules and regulations that regulate the operations of companies working in certain market segments. The laws require that companies take reasonable steps (organizational, technical and so on) to protect private information and prevent data leaks and abuses by its own staff members. For example, the U.S. law HIPAA requires that companies protect private medical data of the residents, and the law GLBA requires that companies protect the safety of private financial details.

Implementation of InfoWatch solutions makes it possible to comply with the requirements of international and national laws regulating corporate information security, protection of investor and resident rights, internal control and audit principles, operational risks including risks occurring in various industries – banking, telecommunication services and so on.