data protection
Subscribe to data protection's Posts

Article 29 Working Party Publishes Statement on the Risk-Based Approach to Data Protection

On May 30, 2014, the European Union’s Article 29 Data Protection Working Party adopted “Statement on the role of a risk-based approach in data protection legal frameworks” (WP281).  The Working Party, made up of EU member state national data protection authorities, confirmed its support for a risk-based approach in the EU data protection legal framework, particularly in relation to the proposed reform of the current data protection legislation.  However, with a view to “set the record straight,” the Working Party also addresses its concerns as to the interpretation of such an approach and sets out its “key messages” on the issue.

Approaching Risk

In support of the risk-based approach, which broadly calls for increased obligations proportionate to the risks involved in data processing, the Working Party sets out examples of its application in the current Data Protection Directive (95/46/EC) and the proposed General Data Protection Regulation.  The Working Party confirms that the risk-based approach must result in the same level of protection for data subjects, no matter the size of the particular organisation or the amount of data processed.  However, the Working Party clarifies that the risk-based approach should not be interpreted as an alternative to established data protection rights, but instead a “scalable and proportionate approach to compliance.”  Consequently, the Working Party accepts that low-risk data processing may involve less stringent obligations on data controllers than comparatively high-risk data processing.

Key Messages

To conclude its views on the risk-based approach, the Working Party establishes 13 key messages – in summary:

  1. Protection of personal data is a fundamental right and any processing should respect that right;
  2. Whatever the level of risk involved, data subjects’ legal rights should be respected;
  3. While the levels of accountability obligations can vary according to the risk of the processing, data controllers should always be able to demonstrate compliance with their data protections obligations;
  4. While fundamental data protection principles relating to data controllers should remain the same whatever the risks posed to data subjects, such principles are still inherently scalable;
  5. Accountability obligations should be varied according to the type and risk of processing involved;
  6. All data controllers should document their processing, although the form of documentation can vary according to the level of risk posed by the processing;
  7. Objective criteria should be used when determining risks which could potentially negatively impact a data subject’s rights, freedoms and interests;
  8. A data subject’s rights and freedoms primarily concerns the right to privacy, but also encompasses other fundamental rights, such as freedom of speech, thought and movement, prohibition on discrimination, and the right to liberty, conscience and religion;
  9. Where specific risks are identified, additional measures should be taken – data protection authorities should be consulted regarding highly risky processing;
  10. WHile pseudonymising techniques are important safeguards that can be taken into account when assessing compliance, such techniques alone do not justify a reduced regime on accountability obligations;
  11. The risk-based approach should be assessed on a very wide scale and take into account every potential/actual adverse effect;
  12. The legitimate [...]

    Continue Reading



read more

Guidance on Personal Data Used in Advertising in Germany

German data protection authorities published new guidelines in December 2013 about the collection and processing of personal data for advertising purposes.  The 2013 advertising guidelines (available here in German) supplement another set of advertising guidelines published in October 2012 (available here in German). Together, the 2012 and 2013 guidelines help to clarify how German data protection law relates to advertising activities.

The 2013 guidelines cover the following three main topics:

  1. The “list-privilege” exception. The Bundesdatenschutzgesetz (Germany’s Data Protection Act) provides an exception to the rule that consent is required before personal data is processed for advertising. Certain personal data, such as name, address and year of birth, may be used for an organisation’s own marketing purposes without prior consent as long as the data is aggregated. The 2013 guidelines provide useful information on this exception by, for example, clearly stating that e-mail addresses and telephone numbers do not qualify for this exemption, and by providing commentary on how long the information qualifies for this exception after the last time it is used to contact the person to whom the data relates (generally two years, but the 2013 guidelines state that the time period can vary based on the facts).
  2. Consent. The 2013 guidelines confirm that leaving business cards at a trade show for the express purpose of receiving information from business contacts constitutes consent to contact  the person named on the business card for advertising purposes. For the digital world, the 2013 guidelines advise a double opt-in for consent provided electronically (e.g., via e-mail or SMS).  Under the 2013 guidelines, double opt-in consent means that the person providing personal data about himself or herself must: (i) affirmatively consent (e.g., by clicking a button or checking an unchecked box on a website) at the time of data collection; and (ii) confirm his/her consent after receiving a written request for confirmation of consent (e.g., a detailed e-mail requiring confirmation by clicking a link) that includes enough information to enable the person to provide informed consent.
  3. Right to object to use of personal data for advertising purposes. The 2013 guidelines state that when a person indicates (whether in writing or otherwise) that he/she no longer wishes to be contacted for advertising purposes, the organisation holding the data should take action in accordance with such a request without “undue delay.” (The 2013 guidelines don’t specify what time period is acceptable for undue delay.)  The 2013 guidelines do, however, recognise that stopping all communications immediately may not be feasible, and advises organisations to inform individuals of any time lag to avoid complaints. The 2013 guidelines also remind organisations that a statement publicising an individual’s right to object should be included on every marketing communication, not just in (often lengthy) website terms and conditions.



read more

Safe Harbor: Still Alive, Well and Producing Corporate-Wide Privacy Management Programs

More than 4,000 U.S.-based multinational companies have selected the U.S. – E.U. Safe Harbor Program as the preferred compliance mechanism for international data transfers from the E.U. to the U.S.  Recent transatlantic surveillance politics between the European Union and the United States have, however, focused a controversial spotlight on the Safe Harbor Program.  In the world of international personal data transfer regulation, the Safe Harbor Program has become a cause célèbre in the E.U.-U.S. trade discussions and in political commentary by E.U. data protection regulators.  Despite the political wrangling, European data protection officials are unlikely to eliminate the benefits of the Safe Harbor Program without offering an alternative program that recognizes the work of companies in implementing E.U.-compliant data protection programs.

For more information on this subject, see “EU Privacy Safe Harbor Still Alive and Well, With Implications for Enterprise Risk Management,” written by Ann Killilea and published by Thomson Reuters Practical International Corporate Finance Strategies, November 15, 2013.




read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law