Lee & White

With 621 votes in favour of the Regulation (10 against and 22 abstentions) on the 12th of March 2014, the European Parliament has secured the support given at committee level to the European Commission's data protection reform.

With the constant abuse and misuse of personal data, this reform is more than ever a necessity to return and strengthen the data protection rights of the people. Companies will have to step up to complying with the Regulation and put data protection compliance top on their agenda - or face the consequences of breach.

Through this reform, several changes are noted and include the following points:

• The Regulation will establish a single law on data protection in the EU and replace the current conflicting national laws. This blanket of uniformity means that companies will have one law to deal with instead of the differing national laws which have proven to be quite problematic and time-consuming to deal with under the current 1995 Data Protection Directive. Whilst some national laws are quite stringent, there were others which are regarded as watered-down equivalents. The benefits have been estimated at 2.3 billion EUR per year.
• There will be one single supervisory authority which will make it easier and cheaper to do business in the EU.
• Enforcement powers will be stronger and companies outside the EU must comply with the same rules, failing which, data protection authorities are equipped to fine wayward companies a much higher fine (up to 100 000 000 EUR or up to 5% of the worldwide annual turnover in case of an enterprise, whichever is greater) than currently.
• Economic growth is encouraged, especially with regard to small and medium enterprises (SMEs) where several exemptions will apply.
• "Privacy by design" whereby data protection safeguards are built into products and services from the earliest stage of development rather than a case of "going back to the drawing board" and "Privacy by default" whereby privacy-enhanced default settings are the norm are two important elements in the EU data protection rules. 

The bottom line is that, data subjects will have control over their personal data and companies who are still lagging behind in safeguarding personal data entrusted to them are in for hot water if they refuse to priotise the seafety and security of the data.

Feeble excuses for non-compliance often heard such as "no one ever gets caught anyway", "nobody else is doing it", or "we've other things which are more important" will thankfully, have to exit.

It has finally happened.

The Belgian Privacy Commission was once regarded as a toothless lion where its role was mainly passive in nature - giving advice and recommendations. Although it had the power to send warnings and denounce violations to the public prosecutor (only if a complaint first reaches the Commission), it was unable to sanction or do much else. This has resulted in violations of the Data Protection Law nationwide where companies and organisations fearlessly processed personal data according to their whims and fancies. The Privacy Commission has finally realised its inability to bite and is doing something about it.

On October 21, 2013, the Belgian Privacy Commission announced in De Standaard, its intention to set up a special investigation team which would actively seek out breaches of privacy. The Commission wants to play a more active role in checking whether companies or organisations are breaching privacy. By policing, it would be able to better protect the privacy of the individual and maintain law and order.

The initiative is said to have stemmed from recent data breaches:

• The National Railway Company of Belgium (NMBS/SNCB) stored personal data of 1.46 million customers  on a non-secure server which resulted in the leak of these data (which included first and last names, gender, date of birth, email addresses, phone numbers, and in some cases home addresses) whereby there was possible access by a mere online search engine query.

• Belgacom's (Belgium's largest telecoms company) internal IT systems had been breached and compromised with malware by a third party which enabled hackers to access telephone and online information.

Although this realisation has come in much later than preferred in comparison with the ICO, its UK counterpart, it is a move that must be applauded.

The gravity of the current situation where the protection of personal data is currently in shambles has reached its limit, and more than ever, the Privacy Commission needs stronger powers to tackle these breaches and safeguard the privacy of the individual. The Commission stated that the investigation team will in the first instance, look into companies and organisations which handle sensitive personal data such as insurance companies and hospitals and focus on a particular sector each year.

The Commission is also seeking to obtain the power to sanction non-compliant companies and organisations as the current situation is such that the Commission can refer violations to the courts, but this is regarded as an overkill. With such a power, the Commission would be able to make decisions such as to no longer allow an offender access to a particular database to render their operations and business more difficult or to revoke permission to build a database.

With this development, companies and organisations which are still relaxed in their attitude towards the protection of personal data and regard such protection as non-profitable, should re-think the business case of protecting personal data and have it as priority in their next budget before it is too late.

On 25th of June 2013, the Belgian Privacy Commission and the Ministry of Justice entered into a protocol agreement which forms the framework for the transfer of personal data outside the EU. Following this, contracts governing the exchange of personal data between companies outside the EU will be handled more smoothly from now on.

The immense volume of personal data transferred between countries has rightly demanded the need for the protection of such personal data. Where the data is transferred within Belgium and the EU, personal data may be transferred subject to the Belgian Data Protection Law. EU member states are accorded the same level of protection for the processing of personal data by virtue of the European Directive 95/46/EC.

Where the data is transferred outside the EU, personal data can only be transferred to countries which provide an adequate level of protection of the data - similar to the protection accorded within the EU. The European Commission has recognised a number of countries which are regarded as providing an adequate level of protection of personal data. This can be viewed on the European Commission's website.

Where a country is not recognised as offering an adequate level of protection, personal data may still be transferred through:

• European Commission's model contracts or contractual clauses drawn up by organizations themselves offering an adequate level of protection of the personal data to be transferred
• Binding Corporate Rules
• Exceptions provided by law.

In Belgium, where the European Commission's model contracts are used, these contracts are sent to the Belgian Privacy Commission to be checked to ensure conformity with the European Commission's standard contractual clauses. There is however, no need for a Royal Decree to validate such contracts and this has been clearly stated in the recent protocol agreement between the Belgian Privacy Commission and the Ministry of Justice. The date on which conformity with the standard contractual clauses is confirmed in writing by the Privacy Commission is also the date on which the data transfer is allowed.

In the second instance where organizations themselves draw up their own contractual clauses binding themselves and the receivers of the personal data, the existing situation is such that a Royal Decree is necessary. However, owing to the shared jurisdiction of the Belgian Privacy Commission and the Ministry of Justice, the process became long and cumbersome and meant that very few organizations took up this method of providing an adequate level of protection.

The protocol agreement has changed that - the Privacy Commission will now play the leading role in this procedure and quicken the process. Organizations can send the contracts to the Privacy Commission for review. If the necessary guarantees for the protection of personal data are in place, the Privacy Commission will forward these contracts to the Ministry of Justice along with a positive assessment and a proposed wording for a Royal Decree for the King's signature and publication in the Belgian Official Gazette. If not, the Privacy Commission will contact the applicant and refer to the principles which are required to be addressed properly in the contractual clauses.

The new procedure will significantly shorten the period of approval of such contracts and is said to be a win-win situation for the government, organizations and citizens. It will also prevent the possible consequences of violation and provide more legal certainty for the data subjects whos personal data is transferred as well as the organizations involved. The protocol agreement takes effect immediately.

"Privacy law is not allowing us to do this", "We're not allowed to do that". But what can proper personal data management, protection and handling actually do for you... Create business!

On our many encounters we regularly have lively discussions with professionals of all backgrounds and all levels, not surprisingly quite often on our favourite subject, personal data protection and management.

Most feedback we receive however, is related to the repressive perception of data protection law, and how it does not align with the commercial goals and roadmap of the organisation, more likely to limit rather than to offer opportunities.

What we try to explain in such cases, is that the law on the one hand forbids and regulates, but on the other hand enables and guides.

The law forbids that you do anything illegal with the data and use it in a way that can harm the individual identified by the data. It regulates the way that the individual can keep control over his property, i.e. his personal data, and what purposes this data can be used for.

On the other hand, the law creates the framework that allows you to handle personal data and guides both yourself and the data subjects on how to interact in an official and transparent way. You stay in full control but if you mess up, the law is there to enable the individual data subject to exercise his rights.

The basis of the law is the relationship between you and the data subject.

• It needs to be a live relationship.
• Both parties need to be in control.
• New relationships with other parties only with permission and knowledge of the data subject.
• The relationship needs to be transparent.
• Once the relationship ends, the data is no longer of any use and should not be used anymore.

The benefits are many:
As a company, you have many individuals with whom you regularly interact and who support you fully. You do not waste time on stale or dead relationships and do not waste resources on it. Your investment in personal data yields the maximum return. You send out communications to people who want to hear from you and will hear what you have to say.

As an individual, you know which companies you are working with and what they are doing with your information. Once you decide to move on, you know your personal data is not retained and can never be abused.

The downsides of not following this guidance:
As a company, your databases, cupboards and backup tapes are clogged down with stale information of people whom you once worked with but might never work with again. The information of 'live' relationships is hidden and lost in the noise of 'stale' data.

As an individual, your data is lingering forever and you have no control over what will happen with it. Will it end up in the company's archive forever, or in a hacker's database, or somewhere on a hard disk on eBay?

In our personal data workshops, we help every department within organisations maximize the full potential of handling personal data, exploring new potential and advising on ways of using the personal data, within the limits and spirit of the several international data protection legislations. The combination of the detailed knowledge and experience of our team in all related disciplines (data protection law, CRM, marketing, online presence, social networking) together with the knowledge, experience and market savvy of your team, creates novel and powerful new applications with many quick wins and long term benefits.

More information on our Personal Data Workshops and other services can be found here.

It is looking good for Data Protection in Belgium and the EU as Ms. Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, Fundamental Rights and Citizenship, announced groundbreaking changes to EU Data Laws to be introduced in a Bill to the EU Parliament this week.

Speaking at the “Digital, Life, Design” conference in Munich on January 22^nd, 2012, she confirmed that personal data is indeed an asset, a  message which has already begun passing around since the UK Information Commissioner commissioned a report on privacy by design to help articulate the business case for proactive protection of privacy in 2008 and which we believe and preach with conviction. “Personal Data is the currency of today’s digital market, and like any currency, it needs stability and trust. Only if consumers can ‘trust’ that their data is well protected, will they continue to entrust businesses and authorities with it, buy online, and accept new services.”, she stated. And the amount of data, including Personal Data, is growing by a whopping 40% a year worldwide.

Given the fact that 72% of European Citizens said in a recent poll that they are concerned about how their personal data is used by companies, and given that businesses are concerned too, how can they keep control over data which races around the globe in a virtual cloud?

“Trust has to prevail”, states Ms. Reding. Rightly so. If the population is to give the current growth continued support, they need to have a good understanding of the issues and be able to trust that their data is not being abused. They entrust the EU with the task to draw up the rules and follow up on their correct implementation and execution. Trust is the key to any relationship - and how much more in the business world?

We have a unified currency in the EU, but Data Protection law is fragmented into 27 different, and sometimes conflicting, regulations. Whilst some member states are top of the class, others have watered the 1995 EU Directive down so much that it is no more than a sign on the wall showing how bad things are. A lot of burden has been added, sometimes in the form or red tape and lengthy cumbersome administrative procedures. As such, it has all been a futile exercise as it missed its economic goal.

Ms. Reding states “Privacy concerns are one of the most frequent reasons why people don’t buy goods and services online.”. She is adamant about the way forward: “This needs to be changed.”

Two legislative texts will be proposed:

“First, a Regulation to enhance opportunities for companies that want to do business in the EU's internal market, while ensuring a high level of data protection for individuals.

Second, a Directive to ensure a smoother exchange of information between Member States' police and judicial authorities in the fight against serious crime while at the same time protecting people’s fundamental right to data protection.”

The first point, legal certainty, will be achieved by one Data Protection Law in the form of a directly applicable Regulation which will apply to all Member States in the European Union, and to all organisations offering their goods and services to consumers in the EU – even if their servers are based outside the EU.

This new Regulation will unleash the potential of the Digital Single Market, and will save businesses around 2.3 billion Euros per year, removing barriers to market entry, which were especially affecting our clients, the small and medium-sized enterprises. It will simplify the regulatory environment and drastically cut red tape. Current notification requirements are replaced by a duty for companies to be responsible and accountable for the protection of Personal Data in their business field. Each company will have to appoint a Data Protection Officer.

There will be one law, applicable to all member states, and companies will only have to deal with a single Data Protection Authority linked to the country of its main establishment.

All Data Protection Authorities will have the same adequate tools and powers to enforce the EU Law.

They will:

• Deal with complaints
• Carry out investigations
• Take binding decisions
• Impose effective and dissuasive sanctions.

The rules for international data transfers will be strengthened and simplified - a necessary step in a world where data travels freely around the world and major companies have made it their specialty to circumvent the more ‘difficult’ countries by operating in or via countries with weaker Data Protection legislation.

Trust from the individuals will be earned through a few key principles, boiling down to one point: Transparency.

• Informed
  • People need to be informed in simple, clear, and unambiguous language.
• Consent
  • People need to freely give their specific and informed consent.
• Control
  • People need to have control over their own data at all time. Aside from the control we know already, it will also include portability, the possibility to take one’s data and easily move it from one provider to another, and the right, not the option, to be forgotten.
• Alert
  • Individuals need to be swiftly informed, within 24 hours, when any of their personal data is lost or stolen.
  • Companies suffering such a breach need to notify their Data Protection Authority without undue delay, i.e. ‘within 24 hours’.

Ms. Reding concludes:

"We will get a strong, consistent and future-proof framework for data protection, applied consistently across all Member States and across all European Union policies. We will make our data protection legislation fit for the digital age so it encourages innovation and development of new technologies and services.

We will adjust the rules to the reality of multinational businesses. And will adjust the rules to the reality of people's lives. Europeans live, work, shop and travel freely in the EU, so their data must travel freely as well: Freely and safely. The reform will become a golden opportunity for business: complying with the EU’s laws on data protection will lead to a competitive advantage. European data protection rules will become a trademark people recognise and trust worldwide. I would welcome if everyone here put these new rules to life."

Well said. Data Protection without a doubt enables businesses to make more and better business, leading to a competitive advantage over competitors, having a solid and healthy relationship with loyal customers. Any organisation would pay good money for this.

You can read the full text of Ms. Reding's speech here

It will take some time to bring the new law into practice, but organisations should be aware and prepared, making the necessary changes sooner rather than later.

If you need to assess your current status with relation to the new Data Protection Law or need advice on implementing or improving compliance with current or the next legislation, review our services and contact us.

Is this a typo? No, it isn't, the outlook for data protection is bleak, and no immediate improvement is to be expected.

First of all, the team at Lee & White would like to wish you a Happy New Year.

Happy because you chose to come here on your own accord and happy that we did not spam you with - probably sincere but spam wishes all the same and which are likely to be loaded with the inevitable commercial 'opportunities'.

As the new year has just started, we are hopeful that protection of personal data and control over use of your own personal data will improve significantly.

But looking back, what happened in 2011?

• A year of major privacy incidents that made it harder - but still normal to many- to ignore the importance of such incidents.
• The rise of moguls that devour personal data and any other data they can 'find', who make it difficult for you to control who is (ab)using your data, and even make you want and think it is normal to share your most personal of data with the world, but mainly the moguls themselves.
• Personal data collection devices with functions such as recording, tracking, spying, eavesdropping, ... commonly known as smartphones.
• ...

2012 will be the year of

• Street View becoming even more commonplace, exposing your most private locations.
• Spies recording your every move and thought using their personal data collection device.
• Full commercial exploitation of our most personal data of all... our face.
• Automatic identification and tracking through techniques such NFC, RFID, Bluetooth, GSM, Wifi, face and car registration recognition.
• Economic crisis... if privacy does not obviously have a positive business case (despite the fact that it actually does), then it gets deferred or cancelled.
• Basically, no place to hide or control who processes your personal data.
• ...

Technology is moving very fast, lawgivers are trying to keep up, priorities are economic and profit rules.

Well, I'm sure privacy will be top of the agenda in 2013.

The time has come. High time, in fact - given the numerous intentional and ignorant breaches that has occurred in the last decade.

Many organisations in Belgium, especially in the private sector have frequently set aside matters of data protection on the ground that no one ever gets caught in Belgium, and even if one was found out, the low risk of a fine meant that to spend resources (both monetary and manpower) was a waste of time. Profits are essential - and budgets are limited.

Coupled with the fact that the Privacy Commission's powers are quite restricted (having a mainly advisory role...), and seeing the lack of bite in previous breaches, complying with the duties set out by the Data Protection Law is just an unnecessary expense which no data controller in the business world wants to indulge in.

On December 7, 2011 in Brussels, Viviane Reding, Vice President of the European Commission, EU Justice Commissioner revealed plans to strengthen data protection by the choice of a type of legal instrument, new data protection rights and a new tool to ensure compliance with the new single data protection law in Europe.

As part of the effort to ensure greater data protection compliance, the powers of Data Protection Authorities in member states are to be strengthened so that they are able to effectively sanction breaches of the law.

In order to assist the authorities to enforce the new laws, a new Data Protection Board will be created from the current Article 29 Working Party. "When the reform will enter into force, a new European Data Protection Board will be created from the current Article 29 Working Party. Given its enhanced future responsibilities the Board should have an efficient and dedicated secretariat. How to do it? I think that this secretariat should be hosted by the European Data Protection Supervisor's office which would be a cost-effective solution drawing upon the ready-made experience of that office." said Reding.

She also went on to assure that it was not the intention of the European Commission to take over the enforcement of the data protection rules. "Last but not least, let me stress that the European Commission has neither the intention nor the means at its disposal to take over your role as interpreters and enforcers of data protection rules on the ground, or as decision-makers on individual cases. On the contrary, with the reform, you will have a fully independent secretariat at your disposal and better tools to develop a common legal doctrine."

The proposals for the new regime will also include the following:

• Individuals will get more rights that will be enforceable in the online environment and simultaneously, data controllers will be subject to stricter obligations.
• The principles of data minimisation and privacy by design will be strengthened.
• The right to be forgotten and the right to data portability are to be included.
• Adequate protection of children against abusive profiling or tracking on the internet.
• The administrative burden of compulsory notifications on personal data processing is to be reduced and prior checks are to be limited only to cases where they bring real added value. However, privacy impact assessments for risky processing will be introduced so that data protection is not undermined.
• Data breach notifications to be extended to all sectors and the role of data protection officers in the public sector and in large companies and in companies with risky processing will be strengthened.

If all goes well, and the proposals outlined become part of the new legal framework, EU will have a very promising data protection regime and data controllers will have little choice but to put protection of personal data first on their business agenda and make room in their limited budget to comply.

One of the largest corporate insurers was recently fined by Britain's financial regulator, the FSA for the loss of customer data. Zurich Insurance PLC was fined a record £2.3m for losing 46000 customers' personal information which included identification information, details of bank accounts, credit cards and insured assets which could have resulted in significant loss to customers.

The loss of customers' data dates back to August 2008 when Zurich Insurance had outsourced data work to the company's South African unit which lost an unencrypted back-up tape. The loss however, was not discovered until a year later.

Companies would benefit from learning from the mistakes that cost Zurich Insurance PLC not only £2.3m in fine, but also the loss of its customers' trust which is a valuable asset for any company.

"It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data," said Stephen Lewis, chief executive of Zurich Insurance.

Now, what are you as a company doing to ensure that your customers' personal information is protected? Do you have a Personal Data Protection Policy in place in your company, and are your employees aware of them? It would do you well to look at this seriously and ensure you are protected by protecting your customers.

There was a recent case in the press about Google collecting and storing information broadcast over open Wi-Fi networks, attributed to the overzealous IT people who captured all data that they could technologically grab, and store it, just in case they might use it in the future.

This is a good example of what happens quite often in IT projects.

• The business owner has a great idea to use a new technology to boost sales or to develop a new product.
• The business analyst uses these ideas and draws up the business requirements and scope of a project to achieve this goal.
• The project manager executes the project and drives the IT and business teams to deliver the required code.

The whole process is monitored end to end by the data protection officer who

• Assesses the impact on personal data protection at the time the business owner intends to initiate the project
• Reviews and approves the business requirements and analysis documents, checking that personal data processing is
  • fair and lawful,
  • collected for the specific purpose of the project,
  • adequate, relevant and not excessive.
• Participates in status and scope meetings, guarding the above.
• Performs integration and user acceptance testing with a focus on personal data
• Gives the final go that a project can go live and it is not, now and in the future,
  • a risk to trust and reputation of the organisation, or
  • a violation of applicable data protection laws.

So far the theory. What happens quite often is that no dedicated data protection officer is assigned, and every party in this process, to the best of their ability and in good faith, do what they think is best.

• The business owner will want his new product to be fully compliant with best practices and data protection law, but hands it over to the project manager and fails to check these requirements at the end of the project.
• The business analyst draws up the business requirements, but limited by time and budget sometimes forgets to add the 'hidden' requirements of data protection.
• The project manager is stuck to a budget and will deliver it at any cost, dropping requirements from the scope if necessary at crunch time.
• The IT and business teams will try to get the maximum out of the new technology and add any features or use any new technology that they feel like or are intellectually challenged to use.

The solution is that the whole process of developing a project be monitored and audited end to end, and independent parties should be responsible for doing this. They should explicitely approve any step in the project, ensuring that the scope is strictly limited to what the project requires and no extra 'features' are added that can prove to be a very expensive overhead and liability further down the road, both in money and less tangible values.

Now for the case of Google, is removing the offending data the solution? No, because the offence was processing the data (gathering wifi signals) in the first place which cannot be undone.

Ever wondered how much your personal data are worth in the open market? Are you even aware that your personal data are being traded by and between companies and may be easily bought by criminals? Well, be assured that there is a price tag on your data.

If you take a look at the Swipe Toolkit Data Calculator, you will see the value of each piece of personal data. According to this tool, a date of birth is worth US$2.00 in the open market, while a postal address is worth US$9.95. Now, imagine how much your personal data is worth in total? According to Ezine Articles, the price of personal data has dropped in the recent years. This only means access to your data is becoming increasingly easy; your identity is very highly likely to be stolen.