Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna

CMS - p2 Overview  Directive on the protection of individuals with regard to the processing of personal data (95/46/EC)  Implementation- France Ireland Luxembourg  Minimum standard- Laws of member states still of protection relevant  Baseline for international data protection/privacy laws

CMS - p3 Scope  Processing of - wholly or partly by automatic means personal data - which form part of a filing system or are intended to form part of a filing system  Exemptions - National Security - Crime and Taxation - Domestic Purposes  National laws - equipment situated in the UK for the apply in the processing of data place of establishment

CMS - p4 Essential Definitions  personal data- any information relating to an identified or identifiable natural person (“data subject”)  processing- any operation or set of operations which is performed upon personal data whether or not by automatic means  filing system- any structured set of personal data accessible according to specific criteria  controller- a natural or legal person, public authority, agency or body who alone or jointly with others determines the purposes and means of the processing of personal data  processor- a natural or legal person etc which processes personal data on behalf of the controller

CMS - p5 Principles of data quality  Fair and lawful processing  Collected and processed for specified and legitimate purposes  Adequate, relevant and not excessive in relation to the purpose for which they are processed  Accurate and up-to-date  Kept no longer than necessary

CMS - p6 Notification  prior notification of processing required except categories of processing unlikely to affect adversely the rights and freedoms of data subjects  details to be notified –name/purposes/categories of data subject and data/recipients/proposed transfers to third countries/description of security measures  sanctions –criminal penalties

CMS - p7 Legitimate Processing  unambiguous consent  necessary for the performance of or entering into a contract with the data subject  necessary to comply with a legal obligation  necessary to protect the data subjects vital interests  necessary for the exercise of official functions  necessary for the legitimate interests of the controller or third party recipients except where this prejudices the rights or freedoms of the data subject  special categories of processing –racial/ethnic origin –political opinions –religious/philosophical beliefs –trade union membership –health or sex life

CMS - p8 Information to be given to Data Subjects  identity of the controller  purposes of processing  further information to be fair - recipients - obligatory/voluntary/consequences - right of access/rectification  at the time of obtaining from a person other than the data subject and at least prior to disclosure unless this involves disproportionate effort

CMS - p9 Rights of Data Subjects  at reasonable intervals/without excessive delay or expense –confirmation of processing, purposes, categories of data and recipients –communication in intelligible form of the data and if available the source of the data –logic involved in automated decision making  rectification, erasure or blocking of data and notification to third parties unless involving disproportionate effort  compensation for damage and distress

CMS - p10 Transfer of data to non-EU members  No transfer to a non-EU member state unless: –adequate level of protection –unambiguous consent of the data subject –necessary for the performance of a contract with the data subject –necessary for pre-contractual measures in response to data subjects request –necessary for conclusion of a contract with a third party in the data subject’s interests –necessary or legally required in the public interest or for the establishment, exercise or defence of legal claims –necessary to protect the interests of the data subject –disclosure from a public register

CMS - p11 Transfer of data to non-EU members cont’d  Member state authorises transfer with adequate safeguards for the protection of privacy and rights and freedoms of individuals  Community approved standard contractual clauses offering sufficient safeguards –controller to controller –controller to processor

CMS - p12 US ‘Safe Harbor’  180 signatories  Principles –Notice- purposes - contacts - types of third party disclosure - clear/conspicuous language - at time of asking or as soon as practical thereafter (before use for another purposes/disclosure) –Choice- opt out - disclosure - incompatible purpose - clear/conspicuous/readily available mechanisms - opt in - sensitive information

CMS - p13 US ‘Safe Harbor’ cont’d  Onward transfer- notice and choice principles apply - agent/processor - subscription to principles - subject to directive - contractual safeguards - no responsibility - unless knowledge actual or constructive and reasonable steps to prevent or stop  Security - reasonable precautions to protect data from loss, misuse and unauthorised access, disclosure, alteration and distribution  Data Integrity- relevant for purpose - not incompatible with purpose - reasonable steps to ensure data is reliable/accurate/complete/current

CMS - p14 US ‘Safe Harbor’ cont’d  Access -access - ability to correct/amend/delete inaccurate information - subject to disproportionality and rights of other individuals  Enforcement -mechanisms for ensuring compliance -recourse for non-compliance -Readily available/affordable -Investigation/resolution -Award of damages -follow up verification of compliance -obligation to remedy problems -rigorous sanctions for non-compliance