French Senate Issues Amended Bill on the Right to Privacy in the Digital Age

On February 24, 2010, the French Senate’s Committee of Laws published an amended bill on the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Bill”).  Following the initial draft presented by Senators Yves Détraigne and Anne-Marie Escoffier, this revised version is based on a second Senate Report in which concrete proposals are made to amend the Data Protection Act.

Among the many amendments, organizations with more than 50 employees accessing or processing personal data would be required to appoint a data protection officer (“DPO”).  This obligation also applies to organizations whose data processing activities, such as the processing of sensitive data, biometric or genetic data or judicial data, require prior authorization from the French data protection authority (the “CNIL”).  The Bill also makes the DPO the central figure in the data compliance process, thereby strengthening the DPO’s role within an organization.  Acting in an independent manner, a DPO must inform and advise any person working on behalf of the data controller on issues relating to data protection, as well as maintain and regularly update a list of all the data processing activities carried out by the data controller.

The DPO also would play a central role in the handling of data security breaches.  In the event of a data security breach, the data controller must inform the DPO without delay or, in the absence of a DPO, the CNIL must be informed.  Upon learning of a breach, the DPO must immediately take all the necessary measures to (i) restore the integrity and confidentiality of the data, and (ii) notify the CNIL of the incident.  The DPO also must maintain an inventory of all data security breaches suffered by the organization.

The Committee’s Bill will be put to a vote before the general assembly of senators on March 23, 2010.  Olivier Proust, an attorney in Hunton & Williams’ Brussels office and a member of the Paris Bar, was among the legal experts who were consulted by the Senate in the course of drafting the amended Bill.

The Bill and the second Report are available (in French) on the French Senate’s website.

Article 29 Working Party Issues Opinion on the Concepts of Controller and Processor

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC.  The full text of the Opinion (in English) has been made public on the Dutch DPA’s website.

The interaction between data controllers and data processors is essential in the application of Directive 95/46/EC, not least because the concepts determine who will be responsible for compliance with data protection rules and how data subjects can exercise their rights.  However, the increasing complexity of the environment in which these concepts are used has given rise to new and difficult issues.  The Opinion emphasizes the need to allocate responsibility between data controllers and data processors so that compliance with data protection rules is sufficiently upheld.  Despite the impact of information and communication technologies and globalization, the Working Party concluded that the current distinction between data controllers and data processors remains relevant and workable.  The following points are of particular importance:

Regarding Data Controllers

  • first and foremost, the role of the concept of a data controller is to determine who will be responsible for compliance with data protection rules (i.e., allocation of responsibility) and how data subjects can exercise their rights in practice;
  • the concept of a data controller also is essential in determining which national law is applicable to a processing operation or set of processing operations;
  • the concept of a data controller is autonomous (i.e., it should be interpreted mainly in accordance with Directive 95/46/EC) and functional (i.e., it is based on a factual rather than formal analysis);
  • determining the “purpose” of processing triggers the qualification of (de facto) data controller;
  • determining the “means” of processing can be delegated by the data controller (as far as technical or organizational questions are concerned); however, substantial questions that are essential to the core of the lawfulness of processing (e.g., type of data to be processed, length of storage, access, etc.) are to be determined by the data controller.

Regarding Data Processors

  • the qualification of a data processor depends on the decision of the data controller, who may decide to process the data within his organization, or to delegate all or part of the processing activities to an external organization;
  • two basic conditions arise for qualifying as a data processor: (a) being a separate legal entity with respect to the data controller; and (b) processing personal data on behalf of the data controller;
  • the role of a data processor stems from its core activities in a specific context and with regard to specific sets of data or operations.

EU Approves New Standard Contractual Clauses for Transfers to Data Processors

On February 5, 2010, the European Commission adopted a new set of standard contractual clauses (“SCCs”) for transfers of personal data from data controllers in the EU to data processors outside the EU.  View the European Commission press release.  The clauses were negotiated over several years between the European Commission and a group of business associations led by Brussels-based Hunton & Williams partner Christopher Kuner, who is chair of the Task Force on Privacy and Data Protection of the International Chamber of Commerce.

Despite the growing popularity of other mechanisms that provide a legal basis for complying with the EU legal restrictions for transferring personal data outside the EU (such as binding corporate rules), the use of SCCs remains indispensable.  In many situations SCCs are the only “off the shelf” data transfer solution that can be used and implemented on short notice.  The Commission already published a set of SCCs for transfers to data processors that were approved in 2001, but companies have found that they do not always take business realities into account.  The SCCs can be burdensome to use in practice, in particular for the following reasons:

  • The existing SCCs do not contemplate the possibility that a data processor outside the EU may need to transfer personal data to another data processor, which happens very often in practice.
  • The SCCs can require the application of data security requirements from multiple EU Member States.
  • Many Member States impose bureaucratic formalities (notarization of signatures, annual updates, etc.) on use of the clauses.
  • There can be practical problems when using the clauses with multiple parties.
  • The SCCs contain a mandatory arbitration clause to which many companies have objected.

Although the Commission did not adopt many of the suggestions made by the business associations, thus diluting the value of the new clauses, the new SCCs do have some important advantages over the existing controller-to-processor clauses.  For example:

  • For the first time in EU data protection law, the new clauses provide a legal basis for processor-to-processor transfers.  Under the clauses, such transfers may be carried out when (1) the original data controller consents in writing, and (2) the same data protection obligations are imposed on the subprocessor as are imposed on the original data importer.  The original data importer remains liable for any data protection violations by the subprocessor.
  • The arbitration clause has been deleted.

There are two further important points with regard to the new clauses:

  • The new clauses must be used for new or changed transfers to data processors; i.e., the existing SCCs for controller-to-processor transfers may no longer be used for such transfers (but existing SCCs remain in effect).
  • The SCCs cover transfers from the EU to a data processor outside the EU, but not transfers from a data processor in the EU to a subprocessor outside the EU, although data protection authorities “may” allow use of the new clauses in such situations as well.

The full text of the new SCCs has been published in the Official Journal of the European Union.  Christopher Kuner will provide a detailed analysis in the near future.

French Senate Issues New Legislation to Amend Data Protection Act: Provisions Include Breach Notice Obligation and Consent for Use of Cookies

On November 6, 2009, the French Senate proposed a new draft law to reinforce the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Draft Law”).  Following a Report on the same topic issued last spring, the Senate made concrete proposals with this Draft Law to amend the Data Protection Act.

The Draft Law requires that data controllers provide information on their data processing activities to their data subjects in a clear, specific and easily accessible manner.  The data subjects would be able to exercise their right of access more easily, including by email.  The Draft Law also distinguishes between the data subject’s right to object to the use of his/her personal data for commercial purposes and his/her right to delete his/her personal data after it has been processed.

The Draft Law also proposes an increase in the obligations of data controllers.  Organizations with more than fifty employees that either access or process personal data would be required to appoint a data protection officer.  In addition to his obligation to inform the data subjects about a data processing activity, a data controller would have to obtain a data subject’s consent to process data (including for the use of cookies), except if a legal exception applies.  Data controllers would also have to implement stronger security measures to preserve the security and confidentiality of personal data.  In particular, in case of a data security breach, a data controller would have to notify the French data protection authority (“CNIL”), which would then decide whether to inform the data subjects concerned by this breach.

Finally, passage of the law would increase the CNIL’s enforcement authority.  Fines imposed by the CNIL for violations of the law would be increased to a maximum €600,000 (instead of the current €300,000).  The CNIL’s decisions to sanction data controllers would be published more frequently.  The CNIL would further gain the right to produce written observations or to be heard in any civil, criminal or administrative court hearing.

This Draft Law will now be examined by a Committee of the Senate before it is discussed and submitted for a general vote.  Olivier Proust, an attorney in Hunton & Williams’ Brussels office and a member of the Paris Bar, was among the legal experts who were consulted by the Senate in the course of drafting the new law.  View the Draft Law in French.

UK's Ministry of Justice Launches Consultation on Fines for Data Breaches

Background

On November 9, 2009, the UK's Ministry of Justice launched a consultation seeking the public's views on the proposed implementation of a maximum penalty of £500,000 (approximately US$837,950) for serious breaches of the UK Data Protection Act 1998 (the "DPA").  This Consultation follows the Information Commissioner's publication of draft guidance this week, explaining the circumstances in which a fine will be imposed.  The launch of the Consultation puts to rest recent speculation as to the level of fine likely to be imposed for a deliberate or serious breach of the DPA, including for data security breaches.

The DPA imposes obligations on data controllers that process personal data to: (i) process personal data fairly and lawfully; (ii) obtain personal data only for specified lawful purposes, and not further process personal data in any manner incompatible with such purposes; (iii) ensure that personal data are adequate, relevant and not excessive in relation to the purposes for which they are processed; (iv) ensure that personal data are accurate and, where necessary, kept up-to-date; (v) keep personal data only for as long as is necessary for the purposes for which they are collected; (vi) process personal data in accordance with individuals' rights; (vii) implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (viii) not transfer personal data to a jurisdiction outside the European Economic Area unless that jurisdiction affords adequate protection levels for individuals' rights and freedoms in relation to the processing of personal data.

In 2008, the DPA was amended by Section 144 of the Criminal Justice and Immigration Act 2008 ("CJIA") to provide the Information Commissioner with the power to impose civil monetary penalties on data controllers who commit serious breaches of any of the obligations set out above (known as the "data protection principles").  Before doing so, the Information Commissioner must be satisfied that the contravention: (i) was serious and of a kind likely to cause substantial damage or distress to an individual; and (ii) was either deliberate or the data controller knew, or ought to have known, that there was a risk that the contravention would occur and that it would be likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it.  In addition, before imposing a monetary penalty, the Information Commissioner is required to serve the data controller with a notice of intent, which must inform the data controller of the proposed amount of the monetary penalty and of its right to make written representations to the Information Commissioner within a specified period.  The Information Commissioner may not issue the monetary penalty until the period for making such representations has expired.

The Consultation

The Consultation provides organizations with an opportunity to express their views about the proposed maximum penalties.  The Consultation paper issued by the Ministry of Justice highlights the UK government's underlying aim of safeguarding personal data effectively and processing it responsibly and lawfully.  In addition, the UK government is of the view that the implementation of such penalties should contribute to increased compliance with the DPA and greater confidence for individuals whose personal data are processed.  The Consultation also stresses, however, that any financial sanctions imposed must be proportionate, taking into account specific circumstances, such as the financial hardship a penalty may bring to a data controller that has contravened the DPA. On this basis, the Ministry of Justice has suggested that, for small companies, the maximum fine should not exceed 10% of annual turnover.

Data controllers in the UK and their representative bodies have been invited to submit their responses to the Consultation by December 21, 2009, addressing, in particular, the issue of whether a penalty of up to £500,000 is a "proportionate sanction for serious contraventions of the data protection principles."  The Ministry of Justice will publish a paper summarizing the responses received by January 11, 2010.

The Information Commissioner's Position

Section 144 of the CJIA also requires the Information Commissioner to publish guidance on the circumstances in which monetary fines will be issued, and how the level of a fine will be determined.  The Information Commissioner issued such statutory guidance in draft form on November 4, 2009 and it is expected that the guidance will become final after the Consultation process is complete.

The guidance emphasizes that a monetary penalty will be appropriate only in the most serious situations and, in particular, where it will act both as a sanction penalizing wrongful acts and a deterrent preventing future non-compliance.  In determining the amount of a financial penalty, the Information Commissioner will take into account the sector (for example, whether the data controller is a voluntary organization or an organization in the public sector), the size, and the financial and other resources of a data controller.  As a general rule, a data controller with substantial financial resources is more likely to attract a higher monetary penalty than a data controller with limited resources for a similar contravention of the DPA.

Monetary penalties can be issued only in respect of "serious" contraventions of the DPA.  A contravention is more likely to be serious where one of the following factors is present: (i) it is or was particularly serious because of the nature of the personal data concerned; (ii) the duration and extent of the contravention; (iii) the number of individuals actually or potentially affected by the contravention; (iv) the fact that it related to an issue of public importance; or (v) the contravention was due to either deliberate or negligent behavior on the part of the data controller.

The Information Commissioner will typically consider on a case-by-case basis whether a data controller has taken reasonable steps to prevent a contravention.  A data controller is more likely to be deemed to have taken reasonable steps to prevent a contravention if, for example: (i) a risk assessment was carried out or there is evidence to suggest that the data controller had recognized the risks of handling personal data and taken steps to address such risks; or (ii) guidance or codes of practice published by the Information Commissioner or others and relevant to the contravention were implemented by the data controller.

The underlying theme of the guidance focuses on reasonableness and proportionality.  As a general rule, the Information Commissioner will seek to ensure that the imposition of a monetary penalty is appropriate and the amount of the penalty is reasonable and proportionate, taking into account the particular facts of the case and the objective of the penalty. In particular, the Information Commissioner will consider the particular facts and circumstances of a contravention and of any representations made to him by a data controller.

Germany Adopts Stricter Data Protection Law - Serious Impact on Business Compliance

On July 3, 2009, the German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act (the "Federal Act"). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law provisions.

Article 29 Working Party Issues Opinion on Potential Updates to Standard Contractual Clauses to Facilitate Processor-to-Sub-Processor Transfers of Personal Data

On March 17, the Article 29 Working Party released its Opinion 3/2009 (dated March 5) on standard contractual clauses for the transfer of personal data from data controllers in the EU to data processors outside the EU. The Opinion deals with proposed changes to the European Commission's decision 2002/16 containing standard clauses for controller-to-processor transfers. The Opinion discusses proposals to update these clauses to accommodate data transfers to sub-processors, in light of increased global outsourcing. Although the Opinion does not say so, it is based on the proposal made in October 2006 to the European Commission by three business groups (the International Chamber of Commerce (ICC), the American Chamber of Commerce to the European Union (AmCham EU) and the Federation of European Direct and Interactive Marketing (FEDMA)). Christopher Kuner, partner at Hunton & Williams, has been leading the ICC work. The proposal of the three business groups would amend the existing clauses from 2002 to bring them into line with business realities. The proposal is available here.  Opinion 3/2009 is available here.

The clauses are quite important for business, as they provide a legal basis for transferring personal data from the EU to data processors in other countries, and are often used in, for example, outsourcing contexts. Among the changes proposed by the three business groups was a new clause that for the first time would provide a legal framework for data transfers from one processor to another. This situation can occur, for example, when a data controller in the EU outsources the processing of personal data to a data processing company in the US, which in turn outsources the processing to a company in India. So far, European data protection law has lacked any discussion of the conditions under which such a transfer could be made between data processors. It is a significant development that the Working Party Opinion recognized this possibility.

Some of the other clauses proposed by the Working Party seem unrealistic and unworkable, such as requiring audits by data protection authorities in countries outside the EU, or requiring that the contract between the data processor and the sub-processor be governed by the law of the country of the data exporter in the EU. ICC and the other business groups will work with the European Commission with the goal of ensuring that the final clauses approved by the Commission are drafted in a way that makes them usable in the real world. The final Commission decision on the clauses is not expected for a few months.