Category Archives: EU Legislation

The EU’s ambitious plans for a radicalisation of data protection laws have suffered a serious set-back. EU justice commissioner Viviane Reding finally conceded in a speech at a meeting of EU justice and home affairs ministers in Athens last week that the draft General Data Protection Regulation will not be agreed during the current term of the EU Parliament. The most recent delay has been caused by the EU Council of Ministers failing to reach agreement before starting negotiations with the EU Parliament and the Commission, with several Member States demanding significant changes to the proposals. New timetables have been proposed and optimistic statements made that there will still be a new data law by the end of this year.  However, the reality is that any prediction about the substance or process to agree the draft Regulation post this May’s parliamentary election season is guesswork at best.   Fundamental differences remain among Member … Continue Reading ››
Datonomy readers may have had to grapple with the tricky issue of which national data protection law to apply in the context of an online service with a cross border dimension. They are not alone - the German courts have recently considered the issue in relation to Facebook's operations. In April, the German Higher Administrative Court of Schleswig-Holstein ruled that German data protection law does not apply to Facebook's collection and processing of personal data of users in Germany. Instead only Irish data protection law would be applicable. The case The Internet giant faced an order by the Independent Data Protection Authority of Schleswig-Holstein, which wanted to force Facebook to allow German users the use of pseudonyms for the registration and for their profile names instead of the real name. German data protection law obliges website providers to enable this feature to the extent that this is technically possible … Continue Reading ››
In a month that has seen US politicians claim that is "losing the war" against international cyber attacks, and yet more household names report hacks on their systems, Datonomy has been looking at the practical obligations that the EU's proposed new Directive on Network and Information Security could bring for businesses, and considering similar measures which are coming into force in Asia. As if the escalating levels of threat are not enough (take your pick of this month's news coverage – how about the "Eight billion hacking attacks a day" headline from ITV here )  governments around the globe are proposing new legal obligations and sanctions to compel organisations to get their cyber defences in order and notify the authorities when their systems have been compromised. The EU officially unveiled its cyber strategy and Directive on Network and Information Security at the start of the month. This … Continue Reading ››
So, the reports that we would not see the detail of the reforms until March proved unfounded. The official publication of the Commission's DP reform proposals earlier today, exactly on schedule,  cannot have escaped the notice of Datonomy readers. (But just in case, the link to the package of new measures is here .) The centre of attention is the comprehensive Regulation, weighing in at 139 Recitals and 91 Articles and a total of 118 pages (if you include the memo at the front and the impact statement at the back). The Datonomy correspondents at Olswang have been busy all afternoon analysing the practical implications of the proposal, and their initial analysis for in house counsel is now available. The new regime will obviously have a major impact on data protection regulators too – the  initial reactions of the UK's  regulator are here on the ICO's website. Anyone who missed Vice … Continue Reading ››
If , like this Datonomist, you have been trying to make sense of the conflicting reports about  delays - or otherwise - to publication of the draft DP Regulation, then this report  just posted byEuractiv.com confidently predicts the publication of a "package" comprising a communication, a regulation, a directive and a technical report on the 25 January - the date  expected for formal publication, following the unofficial debut of an interservice text last month.     Datonomy is sure that its readers have already seen the various reports since last week, rumouring the possible delay and detailing the numerous objections from various Directorates General at the Commission which prompted it.   If not,  the Euractiv article provides  a useful snapshot of these, as does recent coverage on MLex. Which report is right?  Who knows.  Datonomy is saving it energies for analysing the official draft of the proposal - whenever it may emerge! The leaked … Continue Reading ››
The draft data protection regulation of the European Commission that had leaked in early December has been widely criticised by the German Minister of the Interior and aFederal Constitutional Court judge. The points of concern were not the new and mainly stricter rules of the draft regulation, but that the European Commission chose a regulation instead of a directive. First, Johannes Masing, one of the sixteen judges of theFederal Constitutional CourtinKarlsruhe, unmistakably warned about the new regulation in a newspaper article last Monday titled "Goodbye to fundamental rights". Mr. Masing said that as a regulation was in fact a directly applicable law in every member state, national rights would be pushed aside. This would also be the case with regard to the fundamental rights of the Grundgesetz, the German constitution. In Germany, data protection laws do not originate from the European Directive 95/46/EC or a simple law, but were "invented" … Continue Reading ››
After a first read through of the leaked Commission proposal for a new data protection regulation (Draft Regulation) that was published by statewatch.org (it is not meant to be officially published until the end of January), I remembered a speech by Viviane Reding's Chief of Cabinet who said that the Commissioner for Justice was very impressed by German data protection rules. This might help in explaining several provisions of the Draft Regulation. Take for example the rules on data processing. After some scandals on data leakages at data processors,Germanytightened the requirements for the contract on data processing to cover several specific details of data security. Article 27 of the  Draft Regulation takes up this idea and requires controller and processor to stipulate several rules and precautionary measures in their agreement, as that the controller may only act on instructions from the controller and that its staff must have committed themselves to … Continue Reading ››