Brian Pennington

A blog about Cyber Security & Compliance


European Commission

An update on the progress of the European Data Protection Act

At last week’s Information Commissioners Data Protection Officers Conference in Manchester I had the privilege of being updated on the progress, or lack of progress, of the revised European Data Protection Act.

With the existing directive dating back over 17 years an upgrade is well over due but there is significant pressure from businesses to water down any revisions to the directive.

A watered down directive does not serve anyone, the privacy campaigners or those with commerce in mind, because breaches are happening far too often and breaches affect consumer confidence.

This means the larger retailers should be supporting stronger Data Protection controls so the smaller, less funded or less skilled businesses have the detailed controls and the incentives to put privacy and security first.

In the main hall and in the breakout room there was constant reference to the thinking about the issues before systems and processes are put in place. The two terms used were:-

  1. Privacy by Design
  2. Security by Design

Both Privacy by Design and Security by Design are essential for consumer confidence because they are demonstrable actions organisations can refer to when dealing with the users of their data.

Françoise Le Bail of the EU Commission stated that “23% of users feel they do not have complete control of their data when shopping online”. In other words almost a quarter of those who buy on line are suspicious of the people who want to take money from them. If those statistics were applied to bricks and mortar retailers the high street would look a lot worse than it does now and it already looks pretty bad.

Françoise Le Bail also stated that the EC’s priorities for the Act are: –

  • The architecture of the framework
  • Key provisions to include all personal data and consent
  • A more risk based approach – proportionality
  • Data Protection Offices are needed
  • A consistent European wide level of governance
  • Support for authorities by providing training and not just fines

David Smith the UK Deputy Information Commissioner stated the UK was not 100% in favour of the current draft proposals but the UK was largely supportive.

David Smith had a list of items that were favoured including:-

  • Improved consistency across Europe
  • Enhanced Individual rights
  • Code of conduct and certification

However, the UK is looking for additional items to be added and a clarification on others, for example:-

  • The UK wants a more “risk” based approach to personal data
  • Individual compensation should not be restricted to monetary loss. It should also take into account aggravation and heartache.
  • Data Protection training needs to be added to the school curriculum
  • There are two proposals in place by the EU and the UK doesn’t want any more than that. The two proposals are Law Enforcement and everyone else.

Other items of note

  • The date for the Act to be passed is likely to be June 2014 with enforcement two years later in 2016
  • The 24 hour mandatory breach notification is likely to slip to 72 hours
  • The maximum 2% of global turnover is likely to be approved but some members of the commission are pushing for it to be 10%
  • Right to be forgotten is a big problem due to the nature of what can be forgotten and what should never be forgotten
  • Data Portability is both a target for Europe and a problem and negotiations are on-going with the US and other nations on cross border data sharing.
  • MiData now has 26 signed up companies and the drive for more is growing

Other blog posts on the subject are below:-

EU Commission proposes a comprehensive reform of the Data Protection rules

This week the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and to boost Europe’s digital economy.

The press release states:

Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,” said EU Justice Commissioner Viviane Reding, the Commission’s Vice-President. “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights in the future. They include a policy Communication setting out the Commission’s objectives and two legislative proposals: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Key changes in the reform include:

  • A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

The Commission’s proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted.

The official press release was a short summary of what will be debated by the politicians. For a more detailed summary, based upon the January 2012 release and other research read my May 2012 post “Proposed European wide Data Protection Act – a review“.

As for the politicians debating the Act before passing it to law it is worth while reading the post “The Information Commissioner provides an update on the European Data Protection Act“.

It is disappointing that the delays will see the revised Act and the improvements in Data Protection and Privacy not being enforced until 2015.


The Information Commissioner provides an update on the European Data Protection Act

David Smith the UK’s Deputy Commissioner of the Information Commission has commented on the progress of the Revise European Data Protection Act.

Put simply, the proposals could prove to be one of the biggest changes to data protection this country has ever seen. Against that backdrop it is no surprise that we’ve been monitoring events in Europe closely, looking at how the initial reform proposals, published by the European Commission in January 2012, might be brought into law.

The process by which this proposal might become UK law is not a simple one, as our overview of the whole process shows. The crucial next step is for the European Parliament and the Council of the European Union to look at this separately before coming together to approve a final text. 

The European Parliament is where the MEPs sit, some 736 of them from across Europe. Much like our own Parliament, the MEPs will sit on several committees. There are five committees directly involved in looking at the data protection reforms: JURI (legal), ITRE (industry), IMCO (internal market and consumer protection), EMPL (employment) and LIBE (civil liberties). LIBE is the ‘lead’ committee. All committees will submit their own amendments before negotiating a consolidated Parliament view which is expected in late April. 

While that is happening, the council are also looking at the reforms. The council is made up of relevant ministers of each member state with responsibility for the issue at hand, although for practical purposes much of the work is done by government officials. For the data protection reform, the UK’s Ministry of Justice takes charge of the regulation, but works closely with the Home Office on the issue of the directive that will apply to law enforcement agencies. The subgroup of the council dealing with this issue is called DAPIX (Data Protection and Information Exchange) and is chaired by the Presidency of the Council – currently Ireland. The ICO has a key role in advising the Ministry of Justice throughout these discussions. 

At the time of writing, the parliamentary committees are well advanced in considering their compromise amendments on both parts of the package. The council, however, has not finished its first round of amendments. Nevertheless, with a timetable to adopt the new rules by the end of June – the end of the Irish Government’s presidency – this is one of the top priorities. The presidency is scheduling in more meetings to ensure that the negotiations can be completed as quickly as possible, to try to keep everything on track. 

Once both the parliament and the council have their consolidated views in what is known as the ‘First Reading’, they will need to negotiate, possibly over the summer if things go well, to get an agreement on the text. Failing this, they will move to the ‘Second Reading’ and further negotiations. 

Some of that negotiation will be around whether the reforms are in the form of a regulation, which will apply directly in every EU Member State, or a directive, which will need to be transposed in a more flexible way into national law. The proposal is for a general regulation with a directive specifically for the criminal justice sector. However there is speculation that this directive will be put on the back burner. This coupled with a move, which we and other data protection authorities are resisting, to confine the regulation to the private sector and develop a new directive to cover the public sector leave the outcome uncertain. Currently both the proposed regulation and the proposed directive allow two years for implementation following their coming into force. However experience suggests that because of its direct effect, implementation of any regulation will, in practice, come more quickly than implementation of any directive. 

In total, this means that the reform process will have taken around six years since the European Commission started its reflections on the matter. While this sounds like a long time we must remember that there are 27 Member States around the negotiating table; that’s at least 12 more than those negotiating our current framework which resulted in the Data Protection Act 1998! Even then the timescale is ambitious. Not many people expect agreement in June this year, but there is an imperative to get a package adopted by 2014 when the European Parliament and the commission are due for re-appointment. 

Crucially, the ICO has been involved throughout, and from several angles. It is extremely important that we, as the responsible regulator, pay attention at this crucial point in negotiations to what the proposals say, understand how they might affect the UK and use what influence we have to achieve a sensible outcome for individuals and businesses alike.

We recently published some of our thoughts on the latest developments which we passed to MEPs and other stakeholders. This builds on our initial analysis which we published last year to provide a core reference point explaining our views on the reforms.

In summary the Act is coming in 2013 but it is imperative that the Act comes because at the moment there are so many things missing that are essential for example mandatory disclosure of breaches and compulsory data officers for all companies over 250 employees. 

Lets hope they resolve it soon.

An overview of EU security legislation and the impact of cyber incident reporting

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens.

ENISA has responded to the growing threat posed by cyber security incidents by producing an overview paper of current legislation and the impact of incident reporting.

I have summarised the ENISA paper below.

ENISA started the paper by quoting five recent incidents to support their findings and conclusions:-

  1. In June 2012 6.5 million (SHA-1) hashed passwords of a large business-focussed social network appeared on public hacker forums. The impact of the breach is not fully known, but millions of users were urged to change their passwords and their personal data could be at risk.
  2. In December 2011, the storm Dagmar affected power supplies to electronic communication networks in Norway, Sweden and Finland. As a result millions of users were without telephony or internet for up to two weeks.
  3. In October 2011 there was a failure in the UK datacentre of a large smartphone vendor. As a result millions of users across the EU and globally could not send or receive emails, which severely affected the financial sector.
  4. Over the summer 2011, a Dutch certificate authority experienced a security breach, allowing attackers to generate fake PKI certificates. The fake certificates, the result of the breach, were used to wiretap the online communications of around half a million Iranian citizens. Following the breach many Dutch e-government websites were offline or declared unsafe to visit.
  5. In April 2010 a Chinese telecom provider hijacked 15% of the world’s internet traffic through Chinese servers for 20 minutes, routing traffic to some large e-commerce sites, such as and as well as the .mil and .gov domains, et cetera. As a result, the internet communications of millions of users were exposed (to eavesdropping).

The five quoted incidents are just the tip of the iceberg, as you will find out later in the post, but to give an insight into UK breaches read my post on who the UK’s Information Commissioner has caught this year for breaching the current Data Protection Act here.

Article 13a of the Framework directive: “Security and Integrity”

The Telecoms reform passed into law in 2009, adds Article 13a to the Framework directive, regarding security and integrity of public electronic communication networks and services. Article 13a states:

  • Providers of public communication networks and services should take measures to guarantee security and integrity (i.e. availability) of their networks.
  • Providers must report to competent national authorities about significant security breaches.
  • National authorities should inform ENISA and authorities abroad when necessary, for example in case of incidents with impact across borders.
  • National authorities should report to ENISA and the European Commission (EC) about the incident reports annually.

Article 13a also says that the EC may issue more detailed implementation requirements if needed, taking into account ENISA’s opinion.

The EC, ENISA, and the national regulators have been collaborating for the past 2 years to implement Article 13a and to agree on a single set of security measures for the European electronic communications sector and a modality for reporting about security breaches in the electronic communications sector to authorities abroad, to ENISA and the EC.

In May 2012 ENISA received the first set of annual reports from Member States, concerning incident that occurred in 2011. ENISA received 51 incident reports about large incidents, which exceeded an agreed impact threshold. The reports describe services affected, number of users affected, duration, root causes, actions taken and lessons learnt. While nationally incident reporting is implemented differently, with different procedures, thresholds, et cetera, nearly all national regulators use a common procedure, a common template and common thresholds for reporting to the EC and ENISA.

Article 4 of the e-Privacy directive: “Security of processing”

The Telecoms reform also changed the e-Privacy Directive, which addresses data protection and privacy related to the provision of public electronic communication networks or services. Article 4 of the e-Privacy directive requires providers to notify personal data breaches to the competent authority and subscribers concerned, without undue delay.

The obligations for providers are:

  • to take appropriate technical and organisational measures to ensure security of services,
  • to notify personal data breaches to the competent national authority,
  • to notify data breaches to the subscribers or individuals concerned, when the personal data breach is likely to adversely affect their privacy
  • to keep an inventory of personal data breaches, including the facts surrounding the breaches, the impact and the remedial actions taken.

Article 4 also says that the EC may issue technical implementing measures regarding the notification formats and procedures, in consultation with the Article 29 Working Party, the European Data Protection Supervisor (EDPS) and ENISA.

Articles 30, 31 and 32 of the Data Protection regulation

The EC has proposed to reform the current European data protection framework (Directive 95/46/EC), and has proposed an EU regulation on data protection. The regulation regards organisations that are processing personal data, regardless of the business sector the organisation is in. Security measures and personal data breach notifications are addressed in Articles 30, 31 and 32:

  • Organisations processing personal data must take appropriate technical and organisational security measures to ensure security appropriate to the risks presented by the processing.
  • For all business sectors the obligation to notify personal data breaches becomes mandatory.
  • Personal data breaches must be notified to a competent national authority without undue delay and, where feasible, within 24 hours, or else a justification should be provided.

Personal data breaches must be notified to individuals if it is likely there will be an impact on their privacy. If the breached data was unintelligible, notification is not required, e.g. Tokenised data.

Read my summary of the proposed New EU Data Protection Act here.

Article 15 of the e-Sig and e-ID regulation: “Security requirements”

The EC recently released a proposal for a regulation on electronic identification and trust services for electronic transactions in the internal market. Article 15 in this proposal introduces obligations concerning security measures and incident reporting:

  • Trust service providers must implement appropriate technical and organisational measures for the security of their activities.
  • Trust service providers must notify competent supervisory bodies and other relevant authorities of any security breaches and where appropriate, national supervisory bodies must inform supervisory bodies in other EU countries and ENISA about security breaches.
  • The supervisory body may, directly or via the service provider concerned, inform the public.
  • The supervisory body sends a summary of breaches to ENISA and the EC.

EU Cyber Security Strategy

The European Commission is developing a European Cyber Security Strategy. The roadmap for the strategy refers to Article 13a and mentions extending Article 13a to other business sectors. The Commission has indicated that there will be five main strands:

  • Capabilities and response networks, for sharing information with public and private sector
  • Governance structure including the national competent authorities, to address incidents and develop an EU contingency plan.
  • Incident reporting for critical sectors like energy, water, finance and transport.
  • Pre-commercial procurement of security technology and public-private partnerships to improve security across the single market
  • Global cooperation, to address global interdependencies and the global supply chain.

A European Cyber Security Strategy is an important step to increase transparency about incidents, and ultimately to prevent them or limit their impact.

ENISA’s Review

Security measures and incident reporting, implemented across the EU’s digital society, are important to improve overall security. EU legislation plays an important role here as it allows harmonization across the EU member states. This in turn prevents weak links and unnecessary costs for providers operating cross-border.

The European Commission, in collaboration with the EU Member States, has undertaken a number of legislative initiatives aiming to further improve transparency about incidents. Another important step is the proposed Cyber Security Strategy, which emphasizes incident reporting and the importance of exchange across the EU about incidents and how to address them. We conclude with some general remarks.

Regulatory gaps: In the introduction we gave five examples of cyber incidents with a severe impact on the security or privacy of electronic communications. The 2nd incident, caused by the Dagmar storm, is in scope of existing incident reporting legislation and as such reported to authorities. The proposed regulation on electronic trust providers would also cover the 4th incident. But the remaining incidents (the 1st, 3rd, and 5th) are not clearly in scope or subject of debate between providers and the national regulator.

It is important that national authorities and the EC discuss, agree, and clarify the scope of legislation on electronic communications and address these and other gaps. This can be done without necessarily changing the text of existing legislation, such as the telecom regulatory framework, but rather the interpretation of what the services are, because the landscape of electronic communications is continuously changing (from landline telephones and minitel in the past, to mobile phones, internet and VoIP).

Model security articles: There is a lot of similarity between Article 13a of the Framework directive and Article 15 of the e-Signatures and e-Identities regulation. The former has been taken as a model for drafting the latter. Both articles combine security measures and incident reporting, at a national level and at an EU level. Consistency and standardization in the legislative texts allows for more easy governance by the member states, and more easy implementation by the providers. Furthermore, the combination of national reporting and EU reporting (present in both Article 13a and Article 15) allows national authorities room to adjust to national circumstances, while at the same time providing overview and feedback at an EU level, which allows Member States to optimize implementation and to ensure a harmonized approach across EU member states.

Governing security measures: Mandatory breach reporting receives a lot of media attention and it is arguably the most visible part of the security articles. The ultimate goal is to limit the impact of security and personal data breaches or prevent them altogether by making sure appropriate security measures are taken. This type of governance is crucial and not easy. In security much depends on the technical details of the implementation and these details are hard to capture in (high-level) legislation and subject to change.

National authorities should exchange knowledge about an effective and efficient combination of high-level legal obligations and technical implementation requirements. For the latter it is important to adopt a bottom up approach (i.e. commonly agreed recommendations), taking into account the (changing) state of the art and the practical experiences of regulators and experts from the private sector.

As a second, but related point, the need to take “appropriate technical and organisational security measures” is mentioned in all the security articles. Although these articles are aimed at different providers and different types of breaches, there is still a large overlap between the security measures that have to be taken. The competent national authorities should collaborate (nationally and at an EU level) to ensure that these security measures are implemented consistently and where there is an overlap, similarly, to allow providers to comply more easily, and to allow equipment vendors to adapt their products accordingly.

Optimizing incident reporting procedures:

  • Incident response versus incident reporting: To prevent incidents from escalating Member states should encourage providers to quickly contact technical experts, incident response teams (like national CERTs), crisis coordination groups, and other organizations relevant in the response phase, should this be necessary. Member states should underline that incident response receives priority. The purpose of mandatory incident reporting to national authorities is supervision over whether or not providers comply with legal requirements, while the purpose of information exchange in the response phase, for example with a national CERT, is to tackle the incident. Member states should encourage transparency and trusted information sharing in the response phase and ensure that response processes are independent and not slowed down by legal reporting requirements. Member states should for instance ensure that incident reporting procedures are easy and quick to apply.
  • Exchange and sharing: Over the past years CERTs have developed effective platforms for collaboration and information exchange. Beyond the response phase, however, there is still little exchange of information about breaches between different national authorities. The EC should continue to support the working groups and platforms for exchanging information between national authorities, about breaches, about lessons learnt and best practices.
  • Granularity and tools: An important aspect of the evaluation of existing legislation on incident reporting should be an analysis of costs and benefits. Both for national and EU level reporting it is important to review over time the thresholds for reporting, the type of information that is reported, the level of detail, and so on. If too few incidents are reported, then it will be difficult to draw meaningful conclusions about common root causes or trends. This would defeat the purpose of the legislation altogether and make the legislation cost ineffective. National authorities should analyse what is a good balance, taking into account the costs and benefits for providers as well as the national authorities. Providers and national authorities should investigate automated tools and computer interfaces to allow for cost-effective incident reporting at a sufficient level of detail, while avoiding the burden of manual and ad-hoc reporting procedures. For example, one could distinguish between small and large incidents and use less reporting detail for the (many) smaller incidents.

ENISA Conslusion

ENISA would like to remark that in recent years a lot of progress has been made, in terms of addressing incidents and increasing transparency about incidents. The national authorities, for example, recently submitted to ENISA and the EC, the first Article 13a incident reports regarding severe incidents that occurred in 2011. The vast majority of national authorities use a single set of security measures and a common reporting template allowing for efficient collection and analysis. ENISA will publish an analysis of the 51 severe incidents in September 2012. From next year, every spring ENISA will collect annual incident reports and publish an analysis of the incidents of the previous year. For example, next spring 2013 ENISA will publish an analysis of the 2012 incidents.

ENISA looks forward to continuing our work with national authorities and the European Commission to support an efficient and effective implementation of Article 13a, Article 4, and the other security articles across the single digital market, and to support collaboration and information exchange between national authorities across the EU, to improve security across the EU’s digital society.

Find the ENISA press release here.


Proposed European wide Data Protection Act – a review

Over the last few months I have attended several conferences and read a lot of research on the proposed upgrade of the European Commission’s 1995 Data Protection Act and have found it fascinating. The rumours, the speeches, the headlines and of course the lack of clarity on how the major issues will be dealt with in the real world.

EU Justice Commissioner Viviane Reding, the Commission’s Vice-President said:

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,”

“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

Do not get me wrong I am 100% in favour of a consolidated European Data Protection Act because ambiguity in one country leads to breaches in another and that is not good for business or for the privacy of individual citizens.

After all the consultations and feedback the big development was the leaking of a draft EU Data Protection Act document at the end of 2011. The draft provided concrete evidence to substantiate the rumours and speculation about the requirements and likely fines and provided confirmation about the direction the Act was heading.

The Act is heading in the right direction but some of the points were likely to be contentious for example the “Right to be forgotten” and “all business with 250+ employees needing a Data protection Officer”, there are others but I will cover them later in the post.

One thing is obvious, a consolidated European Data Protection Act has polarised people into one of four camps:

  1. Those concerned with the privacy of the citizen who want more restrictions and tougher sanctions.
  2. Those concerned about the impact and cost to businesses who want less restrictions and lower sanctions.
  3. Those who have to translate and ultimately enforce the Act and to try and stop it becoming another Human Rights Act….! They want a simple and coherent Act that is easy to enforce without a constant steam of lawyers muddying the waters.
  4. Those citizens who in the main do not have a clue what is being done in their name and there are 500 million of them.

Viviane Reding Vice-President of the European Commission, EU Justice Commissioner believes the proposed EU wide Data Protection Act will save European businesses €2.3Billion annually whilst protecting the privacy of European Citizens.

Great, everyone one wins. Or do they?

The majority of the savings will probably benefit businesses that currently have to cope with 27 differing Data Protection Acts currently being operated across the EU commission member states. However if you are a small business operating in one or two countries you may struggle to financially benefit from the consolidation.

The impact on the local Data Protection Authority (DPA), which in the UK is called the Information Commissioner, is likely to be massive which means they will need more staff to accommodate and enforce the new requirements which also means the individual states will have to spend more money.

Why will there be a massive impact? There are several reasons but one in particular stands out as an administrative nightmare, if Personally Identifiable Information (PII) relating to a European citizen is transferred outside the boundaries of the EU the local DPA has to be informed. How many times this will need to be done is hard to calculate but how much data goes to the Call Centres in the Philippines? With 600,000 Philippine’s employed in call centres it is going to be a lot. Then there is the data processing in India, Data Translation in America, Disaster Recover contingencies across the globe, Cloud computing (where is the cloud?), the list of possibilities is endless.

The EU Commission is mindful of these implications and is discussing how some specific actions can be taken into account when defining the final draft. Three specific areas they are looking at are:

  1. Binding corporate rules on what, where and how.
  2. Sectoral adequacies, and the continuation of the Safe Harbour Agreements
  3. Existing mechanisms such as contractual clauses that are broadly used on both sides of the Atlantic.

Using the UK as an example, last year the UK Information Commissioners (ICO) office handled 30,000 complaints and with the proposed requirements on businesses that number could easily quadruple.  You could say “some of the 30,000 complaints lead to convictions and fines and that could pay for the increased costs of operating the new Data Protection Act”, on the face of it you are correct except the fines are collected by the UK Treasury and are not handed to the ICO. If the fines were passed over then the process could be self-funding.

On the 3rd May 2012 Viviane Reding announced the intention to conduct a funding review of all DPAs and then to lobby Governments for the correct funding in each country and she believes that if the leveraged fines were pointed in the right direction they could become a revenue generator for the country.

“the national data protection authority can even be a good investment as it can bring additional revenue for the Member State due to the fact that the main establishment is located in its territory. Such extra revenue and wider benefits can come from tax income, newly created jobs, and the collection of administrative fines on infringements. Let’s also not forget that according to the reform proposals, the administrative fines a national data protection authority can impose can be up to 2% of the annual worldwide turnover of an enterprise. This can lead to quite substantial revenues”

This review will not impact individual DPAs until the summer of 2013 which is likely to be 12 months before the Act is enforceable but 12 months after the hundreds of thousands of business have asked for assistance on what they need to do, who they need to register with, etc.

A significant improvement within the Act will be a requirement on business to be pro-active. Prevention is better than the cure or in this case better than a Data a Breach.

Businesses will be required to:

  • have “Privacy/Data Protection by Design” which means that, at the point of building a process or system, security has to be on the list of desired out-comes.
  • Data Protection by default, which means all systems have to be secure.
  • All business must undertake a Privacy/Data Protection Impact Assessment, which means they must have a documented process for assessing the risk to their PII data and be able to demonstrate that they have undertaken, “at least” annually, an assessment of the risk and taken steps to mitigate the risk. This is not a Penetration Test this is a thorough assessment of people, process and technologies surrounding and impacting on the PII data. A good guide is contained in the book Privacy Impact Assessment by David Wright and Paul de Hert ISBN-10: 9400725426.

Another huge improvement is the requirement on business to formally notify the local DPA of any breaches. Breach Notification has been in existence for several years, for example in California and in Germany. The new requirements will mean businesses can no longer delay notifying those affected in the hope that it will never surface.

It is proposed that the organisation’s Data Controllers notify the DPA within 24 hours.

Mandatory Breach Notification is a difficult area because some breaches can run for months or years before they are discovered. It is the point of discovery that is important, as far as the Act is concerned, but if a business did try to cover up then there is a good chance they will be found out and the details of who did what will be clear for the world to see.

In 2007 when the UK’s HMRC lost a CD containing the child benefit details of 25 million people everyone expected an avalanche of Identity Thefts but, fingers crossed, nothing has happened in the last 5 years. They notified the authorities and the press within days. It could be argued however that, as a result, 25 million people were alerted and put under stress for no reason. Further details of the loss can be found here.

Similar to the HMRC situation in 2008 was when Heartland Payment Systems lost millions of credit card records. In this case they did not know the breach had occurred for approximately 8 months, but when they did find out they undertook forensics and notified the authorities within 8 days. The issue in this case was the data was used for criminal purposes. The criminal Albert Gonzalez AKA “segvec,” “soupnazi” and “j4guar17” has since been convicted and is currently serving 20 years for various crimes involving up to 130 million stolen credit cards’ data. Details of Gonzalez can be found here.

Once the DPA has been informed the organisation then has to inform the individuals affected. This is the first direct cost of a breach. See my post The huge and unexpected administrative costs of a data breach. There is always the risk that they may not understand the notification, for example a report indicated that “39% of those who received them (or properly noticed them) initially thought it was marketing material of some form”.

If adequate protection is in place, for example Tokenization, it is unlikely the organisation will have to inform the individuals. This makes putting security in place and being able to prove it was running essential.

Another impact which affects many countries, especially the UK, is the Freedom of Information Act (FOIA). Currently the FOIA does not allow access to information relating to voluntary breach notifications, which means if a cover up has been attempted but was not successful there is a chance they can avoid having all the information going public by admitting it and therefore suppressing it. The new Act will mean nearly all of the information about a breach will be in the public domain including an organisations failure to protect PII and possibly the organisations attempts to cover it up.

Across Europe the enforcement of the Act will be handled by the individual DPAs, around 1,500 seasoned Data Protection professionals, but many sceptics have speculated that larger businesses can flex their political muscle and lobby for leniency or to keep their breach out of the public eye.

The commission has recently taken a strong line on the need for independence and in April 2012 took action against Hungary for its DPAs lack of independence. For any Country to be hauled in front the of the European Courts of Justice is embarrassing, especially if they have to amend their own legislation. Full details of the Hungarian action can be found here.

Summary of proposed key changes in the proposed Act:

The Right to be forgotten is a contentious area for many organisations, for example;

  • Can someone with a bad credit history evoke the right to avoid their past?
  • If some evokes the right with their insurance company they will lose their Car Insurance no claims bonus – could this then create a right to be remembered? And who pays the administration costs for the reinstatement of the data.
  • In the case of employees past and present what information can be retained and what information has to be retained.

Privacy by Design. There is a debate as to whether the actual working will be Privacy or Data Protection which will be finalised when the final draft is passed for law. Organisations need to understand and account for:

  • why they need the data
  • what they are going to do with the data
  • how they intend to process the data
  • what protections are required
  • who will manage the processes

All organisations employing 250+ employees must have a Data Protection Officer.

All companies storing PII must undertake “regular” Privacy Impact Assessments. The wording may change to Data Protection Impact Assessment but that will not change the requirement to undertake, log and act upon the results of the Assessment.

All international data transfers need to be logged and the Data Protection Authority Informed.

Explicit consent must be obtained to include PII in databases and an ability to easily have their information removed.

Compulsory Breach Notifications within 24 hours of the breach.

Personally Identifiable Information is likely to include

  • Bank Account details
  • Credit Card data
  • IP addresses

Data Portability. Business must address the portability of data;

  • What is going to be done with it
  • How is it secured
  • How will fraud and Identity Theft be avoided

Significant fines can be levied. Actions that are likely to involve a fine from the DPA include

  • Failure to appoint a Data Protection Officer
  • Unauthorised International Data Transfer
  • Failure to undertake a Privacy/Data Protection Impact Assessment

Fines will be levied on a sliding scale

  • 0.5% of global turnover or                  €250,000
  • 1.0% of global turnover or                  €500,000
  • 2% of global turnover or                     €1 million of Global Turnover
  • So far no minimum figure is known.

The new EU Data Protection Act will be compulsory for all organisations except for Law Enforcement, who will operate under a European Commission “directive”. The Directive is designed to allow for faster and easier transfer of data and joined up policing across the member states.

This post was meant to be a short summary, compared to my notes it is, but the far reaching impact of this Act is largely unknown by most organisations and has a high probability of being passed into law during 2012 give a requirement to be compliant by 2014. Whatever the date is there is a need for organisations, of any size, to be aware of what is coming and to start developing plans to have Privacy and Data Protection at the forefront of their business plans NOW.


Blog at

Up ↑

%d bloggers like this: