The prospects for data breach laws in 22 European countries… · Rationale for data breach...
The prospects for data breach laws in 22 European countries
Stewart Dresner, Chief Executive, Privacy Laws & Business
Wednesday, 4 November 2009, 16:30-17:45: PARALLEL SESSION A: Ooopsss!!!!! Where did I leave my computer?
Prevention and reaction in light of security breaches
31st International Conference of Data Protection and Privacy Commissioners, Madrid
The prospects for data breach laws in 22 European countries: Contents
1. Privacy Laws & Business’s knowledge base and contacts
2. Rationale and scope for data breach research
3. The research method
4. Common themes
5. Current data breach laws and demand for new laws
6. Results: DPAs’ views and preferred policies
7. Advantages and disadvantages of a data breach law for DPAs, companies and individuals*
8. Recommendations by DPAs and companies*
9. Privacy Laws & Business’s conclusions
10. What next?
* Slides available on request
Privacy Laws & Business
23rd Annual International Conference
July 5th – 7th 2010
St John’s College
Cambridge
United Kingdom
EPON Data Protection Commissioner Roundtables
• Madrid, Spain (2003)
• Rome, Italy (2003)
• Czech Republic, Hungary and Poland in Prague (2004)
• Paris, France (2005)
• Berlin, Germany (2005)
• Dublin, Ireland (2006)
• Russia, Greece, Portugal in London (2006)
• Stockholm, Sweden (2007)
• Helsinki, Finland (2007)
• Brussels, Belgium (2007)
• Hague, Netherlands (2007)
• Madrid, Spain (2008)
• Luxembourg (2008)
• Warsaw, Poland (2008)
• Zurich, Switzerland (2009)
• Rome, Italy (2009)
IPON Roundtables
• Argentina’s DP Commissioner/Australia’s DP Commissioner in Montreux, Switzerland - 2005
• Binding Corporate Rules, Washington DC - 2006
• European HR issues in Washington DC - 2006
• Canadian HR issues in Toronto - 2007
• Asia-Pacific Briefing, London - 2007
• Asia-Pacific Conference, Strasbourg - 2008
• Madrid, November 3rd 2009: Employee surveillance in Europe: Balancing privacy rights and management control
EPON/IPON Participants include:
• Accenture
• Arnold & Porter
• Barclays Bank
• Boeing
• BP
• BT
• Citigroup
• CSC
• Deutsche Bank
• eBAY
• Eli Lilly
• ExxonMobil
• FIFA
• Fujitsu
• General Electric
• General Motors
• Google
• Halliburton
• HBOS
• IBM
• IMS Health
• Intel
• Johnson & Johnson
• Kodak
• Lloyds Register
• Manpower
• Nestle
• Novartis
• Oracle
• Pfizer
• PwC
• Procter & Gamble
• Schering-Plough
• Sony
• Total
• Walt Disney
• Western Union
• Wyeth
EPON/IPON Meeting Hosts
Other PL&B Services
• Consulting
• Data Protection Audits
• Recruitment
  – Advice on job descriptions
  – Interim managers
• Training
Rationale for data breach research
• USA: data breach laws in most states. Have these US laws set a trend for Europe or are current data protection laws enough?
• US laws’ role in helping raise awareness
• Lack of research linking data breaches to ID theft, credit card fraud etc. But a consensus that increased data losses should be tackled
• DP and privacy laws in the EU and US cover data security – Is there a need for specific provisions on action to be taken when data is lost or stolen?
Scope & Geographical Context
27 EU member states
All other countries within the European Economic Area:
• Norway, Iceland, Liechtenstein
• Switzerland
• Jersey, Guernsey, Isle of Man
Research Timeline 1: 2008
• January: Questionnaire by email to DPAs
• Follow-up telephone calls and emails
• Responses from: Czech Republic, Denmark, Finland, Guernsey, Hungary, Iceland, Ireland, Jersey, Slovak Republic, Sweden & United Kingdom
• European Privacy Officers Network members’ survey and results
• February: Report in PL&B’s International newsletter (available on request)
• March: Detailed report for DPAs and feedback
Research Timeline 2
• April: Target larger/more experienced countries’ DPAs
• May-June: Responses from Italy, Spain, Portugal, Poland, Luxembourg, France and Belgium
• July: Presentation of results at PL&B’s Annual Conference, Cambridge
• Aug-Nov: Drafting report
• Jan-Mar 2009: Responses from Austria, Germany, Netherlands
• Feb-April 2009: DPAs check reports. Updates
• April/May 2009: Conference and Report published
Research Methods
• Email responses from most countries.
• Face-to-face interviews (Italy, Portugal, Luxembourg)
• Telephone interviews (Jersey, Guernsey, Germany)
Other Methods
• National expert’s comments in Switzerland (David Rosenthal, Special Counsel, IT & Telecommunications, Homburger, Zurich)
Questions to DPAs
16 questions covering the following areas:
1. Current laws
2. Demand for data breach laws
3. Purpose and scope of legislation
4. Regulatory options and preferred policies
Common themes
1. Definitions – what is a data breach?
2. Breach notification: How, when and who should companies notify?
3. Lack of research, particularly on the impact of data breaches on individuals
4. Always a risk attached to the processing of personal data
5. Criminal liability for organisations?
Current data breach laws
• Data protection legislation in all European countries, but only general application of this legislation to the unauthorised access, loss or theft of personal data
• Data breaches covered by DP laws, criminal & civil codes and additional e-communication legislation
• Some reporting requirements and guidance but no specific mention in law of action to be taken, except
• Specific data breach law in Germany (2009) where individuals suffer considerable damage and for specific data: professional secrecy, criminal or administrative offences and bank or credit card data
Demand for data breach laws
• Increase in reported data breach incidents
• Hot topic for the media and growing political interest. Differing pressures in different countries: more in the Netherlands, less in Portugal
• Trend for data controllers to contact the authorities where data has been inappropriately released
• No Europe-wide demand for a specific data breach law as current legislation is sometimes enough
DPAs’ views on purpose and scope of specific data breach rules
1. Harmonisation within the EU but national implementation to reflect national needs
2. Any new data breach provisions to include:
  • data controllers and data processors
  • the public and private sectors
3. Problems with breach notification in the US discourage Europe, e.g. over-notification and inconsistency of reporting rules
4. Responsibilities and tasks must be stated clearly
Regulatory Options
Agreement that some form of a data breach regulation would be a good idea. Four options or a combination:
1. Insert data breach provisions into existing related legislation
2. EU Member States insert mandatory breach notification requirement as a specific national law
3. Amend EU e-comms or general DP Directive
4. Practical Guidelines by the EU Art. 29 Data Protection Working Party
Driving factors behind a separate data breach law
1. Increase the protection of personal data
2. Make organisations more accountable for data security
3. Force organisations to improve security standards
4. Restore individuals’ confidence in data controllers
DPAs’ views on possible data breach laws
• Some consistency is needed across Europe in this area
• EU should regulate first
• DPAs favouring amending their current data protection or other law to cover data breaches (UK, Jersey, Finland, Poland, Portugal, Luxembourg, Italy, Netherlands and Germany)
DPAs’ Preferred Policies 1
1. More human and financial resources
2. Notification of data breaches.
3. Orders from DPAs to data controllers and processors to act in a specific way in response to a data breach.
4. Discretion to impose sanctions and appropriate fines
5. Compensation to individuals (in conjunction with civil law provisions)
6. Power to conduct audits when necessary
7. Power to publicly ‘name and shame’ organisations
DPAs’ Preferred Policies 2
8. Support new provisions covering both the public and private sectors (All)
9. Favouring new provisions to cover both data processors and controllers (All DPAs apart from UK, Ireland, Guernsey, Germany and the Netherlands)
10. Want companies to notify them of data breaches (UK, Jersey, Czech Republic, Guernsey, Ireland, Finland, France, Portugal, Luxembourg, Italy, and Germany)
11. Favouring companies paying compensation to individuals where appropriate (Poland, UK, Finland, France, Italy, and Austria)
12. Offering data breach guidance (UK and Ireland)
13. Some form of redress for data subjects
PL&B’s Conclusions
The ‘ideal’ is a synthesis of DPAs’ and companies’ views which are also practical for data subjects. A data breach plan should be:
1. proportionate
2. an alert to a DPA when there is a substantive rather than a procedural problem
3. have more emphasis on a remedy to a problem, and
4. less emphasis on sanctions.
What next?
EU Level
1. Extension of EU e-communications directive to include data breach legislation for ISPs, other sectors?
2. Amend general EU Data Protection Directive?
3. Practical guidelines by the EU Art. 29 Working Party?
National Level
1. Modest amendments to national laws, e.g. Luxembourg amending DP code to include responsibilities of processors as well as controllers
Company Level
1. Broader breach management programmes
2. Continuing improvement of internal systems, e.g. reporting mechanisms
Report from Privacy Laws & Business: Data Breach Dossier on request
Questions?
Research Director and Editor: Stewart Dresner
Researcher: Amy Norcup
Contact details
Stewart Dresner, Chief Executive
Adèle Kendler, Project Manager
Privacy Laws & Business, 2nd floor, Monument House, 215 Marsh Road, Pinner, Middlesex, HA5 5NE, United Kingdom
Tel: +44 208 868 9200  Fax: +44 208 868 5215
www.privacylaws.com