The recent AG’s Opinion in the Google case referred by the Spanish courts raises three issues of wide interest: the territorial scope of EU data protection law, liability of search engines and the Right To Be Forgotten. The ECJ will have the final say in the matter later this year. In the meantime, Datonomy flags the key issues – which are bound to influence debate on the new General Data Protection Regulation. Datonomy’s correspondents in Spain have been following this case right from the start: back in March 2011 we reported that the Spanish Audiencia Nacional was considering requesting a preliminary ruling from the Court of Justice of the European Union (ECJ) on several matters regarding the position of search engines in relation to the European Data Protection Directive. That referral was made in March 2012, and the Advocate General in the case delivered his Opinion at the end of June. … Continue Reading ››
Draft rules coming into effect next month for communications service providers on when and how to notify data security breaches are the clearest indication yet of the obligations proposed for all data controllers under the draft General Data Protection Regulation. The new telco-specific regime includes some welcome concessions on when deadline for notifying regulators starts, and the circumstances when individuals need to be notified. Datonomy analyses the new rules. Who is the new regulation aimed at? Last week, the European Commission presented a new draft Commission Regulation on the measures applicable to the notification of personal data breaches under the E-Privacy Directive 2002/58/EC. This Regulation (like the notification requirements under the 2002 Directive) applies only to “providers of publicly available telecommunications services” and will come into force in August 2013. According to the E-Privacy Directive, telecom companies, internet service providers and other providers of publicly available electronic communications services (“CSPs”) are … Continue Reading ››
The latest development in the complex procedural journey of the draft Regulation is the publication of a (mostly business-friendly) compromise text by the Presidency of the EU Council of Ministers.  Datonomy takes stock of the current state of play, and highlights the Council’s “direction of travel” on some key practical issues.  What’s the latest news on the regulation?   Last week the EU Council’s Justice and Home Affairs Committee published a draft compromise text of the General Data Protection Regulation. This note from the Presidency to the Council summarises the key points. The Presidency’s marked up text will inform the Council’s negotiating stance with other EU institutions – notably LIBE, the lead European Parliamentary Committee, in the weeks and months ahead. The Presidency’s aim is to “secure broad support for its approach”. The text is significant because although it is by no means the final word, it  “reflects the Presidency’s … Continue Reading ››
Datonomy readers may have had to grapple with the tricky issue of which national data protection law to apply in the context of an online service with a cross border dimension. They are not alone - the German courts have recently considered the issue in relation to Facebook's operations. In April, the German Higher Administrative Court of Schleswig-Holstein ruled that German data protection law does not apply to Facebook's collection and processing of personal data of users in Germany. Instead only Irish data protection law would be applicable. The case The Internet giant faced an order by the Independent Data Protection Authority of Schleswig-Holstein, which wanted to force Facebook to allow German users the use of pseudonyms for the registration and for their profile names instead of the real name. German data protection law obliges website providers to enable this feature to the extent that this is technically possible … Continue Reading ››
On 27 February 2013, the Article 29 Working Party (hereinafter "Article 29 WP") adopted its newest Opinion WP 202 (hereinafter "Opinion") regarding apps on smart devices. This article summarizes some of the most important statements and guidelines provided by the European data protection authorities. Applicable law First of all, the Opinion emphasizes that the Data Protection Directive (95/46/EC) and the ePrivacy Directive (2002/58/EC, as revised by 2009/136/EC) constitute the relevant EU legal framework for the processing of personal data via apps on smart devices and that both directives are imperative laws which cannot be excluded by contractual agreement. Four main parties Hereafter, the Opinion identifies four main parties which, depending on the purposes and means of the respective data processing activity, carry different responsibilities: 1. App developers According to the Opinion, app developers decide the extent to which apps access and process personal data in the device and insofar have to be regarded as data … Continue Reading ››
With the Bank Holiday weekend fast approaching many Datonomy readers are likely to be taking some work home, checking into emails and looking at other work functions over the break.  And the chances are that you will be doing this on a personal device, such as a smartphone, tablet or laptop. As Datonomy readers are no doubt aware, working off your own personal device is an increasing trend known as 'bring your own device' (BYOD).  In September 2012, Apple's CEO, Tim Cook, stated that iPads were in 94% of Fortune 500 companies, and tablets represent just one wavelength in the spectrum of technology infusing the workplace. Along with the potential benefits of BYOD, such as working from your favourite coffee shop with a latte in hand, comes increased data protection and data security risks.  The Information Commissioner's Office (ICO) recently commissioned a survey that YouGov conducted in February this year which … Continue Reading ››
There have been various press reports over the last couple of days on the Irish Presidency's memo to the EU Council of Ministers' on the draft data protection Regulation.  The memo has been reported as a watering down of the Commission's proposals.  The Presidency encourages further consideration of a more risk based approach to compliance, with an alleviation of some of the burdens of the new Regulation where processing of data is limited or involves pseuodonymous data. They have also asked the Council to consider whether the controversial requirement for organisations to appoint a data protection officer could be made optional, with possible incentives in the form of reduced regulation where an organisation does appoint a DPO. Datonomy's view is that although the memo is a step in the right direction it is a tentative one which fails to delve into specifics or tackle the more controversial provisions of the draft Regulation. The jury … Continue Reading ››