This blog reports the latest leak from "the DAPIX sieve" in the areas of transfers of personal data outside the EEA and fines from Data Protection Authorities (references below has the link to the leaked document).
As is well known the Irish have published the first 40 Articles of the Commission’s Regulation (see previous blogs); this leak (at the end of the Irish Presidency) gives a good idea of the direction of travel in relation to the remaining 50 Articles.
In summary, I think that data controllers should welcome the easing of the transfer position from that in the original Regulation; I would expect that adherence to a code of practice covering all the key requirements that a data controller needs to consider when transferring personal data outside the EEA should work as easily as an assessment of adequacy as required by the Eighth Principle.
Alternatively, there can be contract terms approved by the ICO – which is more flexible than using those published by the Commission (which have to be adopted in their entirity).
In relation to fines, the first thing to say is that the DAPIX leak does not provide any figure; the multi-million euro fine hasn’t gone (yet) – these important numbers [the dots in square brackets] have been left for later arguments between Member States.
However, what is new is a set of prescriptive conditions which, if adopted, appears to make a Monetary Penalty Notice (MPN) almost impracticable to serve. This is because the Commissioner would have consider a dozen factors (many of which will give no doubt rise to appeal). In addition, Member States can decide whether public sector data controllers can be fined; this might be attractive to the UK Government.
In addition, the fines in the Regulation require consideration of the actual damage caused; this compares unfavourably with the current MPN where large fines have been contingent on grave security errors on the part of the data controller (i.e. the MPN of the UK DPA does not need damage to data subjects – only the likelihood of substantial distress or damage which should have been preventable/forseeable).
Transfers outside the EEA
Transfers outside the EEA become more manageable. As well as the equivalent of the circumstances where a data controller does not need to assess adequacy (i.e. the Schedule 4 conditions of the DPA more or less continue), there are a number of options available for transfers. These options arise when adequacy requirements are covered in:
(a) binding corporate rules;
(b) standard data protection clauses adopted by the Commission;
(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism;
(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority;
(e) an approved code of conduct (i.e. code of practice), or
(f) a certification mechanism.
Data controllers can no longer assess adequacy for itself (unlike the 1998 Act) for all transfers. However, if a particular transfer "is not large scale or frequent and is necessary for the purposes of legitimate interests pursued by the controller or the processor", and "where the controller or processor has assessed all the circumstances surrounding the data transfer" and has "adduced suitable safeguards with respect to the protection of personal data" .... then the transfer can occur.
The leaked document omits the level of fines, presumabably because there is not agreement on the fine level. However, it is clear that any fine will be subject to a large number of conditions, several of which appear to be immaterial (see next). The Monetary Penalty Notice familiar to UK readers will have to substantially change; it will have less of a bite (if it ever did have a bite).
Before fining an organisation, a Regulator has to take into account the following:
(a) the nature, gravity and duration of the infringment having regard to the nature scope or purpose of the processing concerned;
(b) the intentional or negligent character of the infringement,
(c) the number of data subjects affected by the infringement and the level of damage suffered by them;
(d) action taken by the controller or processor to mitigate the damage suffered by data subjects;
(e) the degree of responsibility of the controller or processor having regard to technical and organisational measures implemented by them pursuant to Articles 23 and 30;
(f) any previous infringements by the controller or processor;
(g) the financial situation of the controller or processor, including any financial benefits gained, or losses avoided, directly or indirectly from the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) the level of co-operation with the supervisory authority during the investigation of the infringement.
(j) adherence to approved codes of conduct pursuant to Article 38 or approved certification mechanisms pursuant to Article 39;
(k) whether a data protection officer has been designated;
(l) whether the controller or processor is a public authority or body;
(m) any other aggravating or mitigating factor applicable to the circumstances of the case.
In addition each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. Note this means that MPNs for public authorities could be history if the Government decides.
This step can be justified as the public sector gets its money from the Treasury. The concept of a public sector regulator fining another public body and then returning the fine to the Treasury (only for the money to be passed back to the public authority the next financial year) is an odd one. Mind you, the other alternative of allowing the Regulator to keep the fine, introduces a motive for a Regulator (if short of cash) to go fishing for fines.
Finally, it appears to me, that the European Data Protection Board is reduced to a talking shop; it can issue opinions, recommendations and guidelines (in exotic locations one hopes). Looking at the Working Party experience, such opinions are largely ignored in the law enforcement area. I expect this to continue.
As for the rest, I leave the reader to have a go at the remaining 220 pages! Why is it that in data protection, every publication has to be a 100+pages!
To download the latest leak (220+ pages – be warned): http://www.statewatch.org/news/2013/jun/eu-council-dp-regulation-revised-11013-13.pdf (Hats off to Statewatch)
This blog covers the first 40 Articles: Member States divide over the protection offered by the Irish version of the data protection regulation: http://amberhawk.typepad.com/amberhawk/2013/06/member-states-divide-over-the-protection-offered-by-the-irish-version-of-the-data-protection-regulat.html
Irish do a "hatchet job" on the Data Protection Regulation: http://amberhawk.typepad.com/amberhawk/2013/06/member-states-divide-over-the-protection-offered-by-the-irish-version-of-the-data-protection-regulat.html
How the UK’s risk-based data protection policy can result in lower standards of data protection. http://amberhawk.typepad.com/amberhawk/2013/06/how-the-uks-risk-based-data-protection-policy-can-result-in-lower-standards-of-data-protection.html