Tag Archive: data protection

CHINA: PRC Cybersecurity Law – take action and monitor developments to avoid losing your China business

The PRC Cybersecurity Law is three weeks old, and non-compliant international businesses are already facing severe consequences. Since 1 June, twenty-two people engaged by a global technology giant have been arrested, and sixty online entertainment news sites have been shut down.

The law continues to evolve. The latest guidance provides practical answers to previous areas of uncertainty. Whilst some questions remain, the key message is: do not ignore the PRC Cybersecurity Law. It is now in force and organisations must comply with it.

Read on if you:

  • Transfer personal information and important data out of China
  • Are concerned your organisation may be a key information infrastructure operator
  • Supply network and cybersecurity products and services to China
  • Are unsure if you handle “important data” in or from China

Five key developments that you need to know

1. What is now in force?

2. Are the new overseas data transfer rules in force?

Not yet. The draft measures proposing conditions/restrictions on overseas transfers of personal data and important data by network operators including KIIOs (Draft Measures) did not come into force on 1 June 2017, surprising commentators. Unofficial sources indicate the lead regulator (CAC) discussed a revised draft of the Draft Measures with key stakeholders and proposed toning down some of the more onerous obligations. For now, we await official announcements from CAC.

If and when the Draft Measures come into force, organisations should follow the newly-published Draft Guidelines for Data Cross-Border Transfer Security Assessment (Draft Guidelines). These set out detailed guidance on the security self-assessments for cross-border transfers. They include practical tips on how and when to conduct a self-assessment, including key factors to consider (legality, legitimacy, control of risks, technical and management skills, the recipient’s capability to protect data, and the recipient countries’ political and legal environment), and a rating system to apply. Practical examples are also given on how to assess the sensitivity and level of influence of personal/important data, and solutions to minimise the risks.

3. Am I a KIIO?

We still don’t have a definitive answer, but previously unofficial guidance has now been formally published. The National Internet Security Check Operational Guideline is primarily a guideline for Government agencies. A key infrastructure protection regulation is being prepared by the Chinese authorities (which may or may not refer to this guideline) and (according to CAC) is expected to be published for public comment soon. It is hoped this regulation will provide greater certainty. For now, who does the guideline indicate will be deemed a KIIO?

  • Websites: operators of:
    • Party/Government websites
    • Key news websites
    • Websites with more than one million visits per day
    • Websites where a network security incident would have a significant impact (i.e. on work/lives of over one million individuals or 30% of a district; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (relating to resources, mapping); or damage to/endanger government image, social order or national security)
  • Platforms: operators of platforms:
    • With registered users over ten million, or with over one million active users (with a login frequency of at least once a day)
    • With average daily orders or transactions over RMB 10 million
    • Where a network security incident would have a significant impact (i.e. direct economic loss of RMB 10 million or above; on work/lives of over ten million individuals; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (see above); or damage to/endanger government image, social order or national security)
  • Production Businesses:
    • Operators of systems for public/government/cities such as healthcare, security, fire service, emergency management, production scheduling, traffic control
    • Operators of data centres with over 1,500 standard servers
    • Businesses where a network security incident would have a significant impact (i.e. on work/lives of 30% of a district; affect the utilities or transport of at least 100,000 individuals; death of five or more individuals, or serious injuries to fifty or more individuals; direct economic loss of RMB 50 million or above; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (see above); or damage to/endanger government image, social order or national security)

4. Can I still sell my technology products in China?

Yes, but you now need to consider the supervisory assessment/certification scheme for suppliers of critical network and cybersecurity products and services to KIIOs or to be used for other networks and information systems that relate to national security. We now have an initial catalogue of those caught by the new scheme:

Critical network equipment:

  • Routers
  • Switches
  • Servers (rack-mounted)
  • Programmable logic controllers

Specialised cybersecurity products:

  • All-In-One data backup
  • Firewall (hardware)
  • Web application firewall
  • Intrusion detection system
  • Intrusion defence system
  • Security isolation and information exchange products (gatekeeper)
  • Anti-spam mail products
  • Network integrated audit system
  • Network vulnerability scanning product
  • Security data system
  • Website recovery products (hardware)

The new Trial Measures for Security Review of Network Products and Services (Trial Measures) provide practical guidance on how the scheme will be implemented. Whilst uncertainties remain, the Trial Measures clarify that:

  • Reviews will focus on “security and controllability” risks of products and key components, from manufacture through to sale, implementation and maintenance/support. Initial TC260 standards have been released for evaluating the security and controllability of central processing units, operating systems and office software
  • Competition impact is a lesser concern, but reviews will look at dependence on certain providers
  • Reviews will also consider risks of providers accessing data and user information through their products/services
  • Reviews may be conducted in a lab, onsite, remotely or through background investigations. While some technical documentation must be provided, it is not yet clear whether source code must be disclosed; and what sort of test environment providers may need to make available to the authorities

5. What is “important data”?

“Important data” is broadly defined to include information that relates to national security, economic development, or social or public interest. Appendix A of the Draft Guidelines sets out an 11-page list of examples in key sectors such as utilities, telecommunications, geographical information, finance and e-commerce. The coverage is very broad, and is a useful reminder to organisations that the PRC Cybersecurity Law does not just affect personal data and has a very wide reach.

What other developments are anticipated?

Issue: General personal data protection
Development: Draft Information Security Techniques: Personal Information Security Specification, published for public consultation and, according to reports, expected to be implemented soon. This is in effect an update to the 2013 general data protection guidelines governing personal data, which are the current persuasive best practice and practical guidance on how to handle personal data in China.
Impact: High. First statement of key data protection principles in China; significant changes to key terms such as “sensitive personal data” and “data controller”; greater clarity on privacy notices and the terms to be included; additional security measures; and new DPO requirements.

Issue: Minors’ data
Development: Draft Regulations on the Protection of the Use of Internet by Minors, published for public consultation in January 2017.
Impact: Medium. Additional protections for minors online, including safeguards for the collection, use and disclosure of minors’ personal data by “network information service providers”.

Issue: Encryption
Development: Draft PRC Encryption Law, published for public consultation in April 2017.
Impact: High. More standardised approach to encryption and IT security in China (including mandatory national standards); use of encryption would be mandatory for some networks and data; encryption will remain heavily regulated; requirement for suppliers to provide decryption support.

Issue: Consumer data
Development: Draft Regulations on the Implementation of the Law on the Protection of the Rights and Interests of Consumers, published in Summer 2016.
Impact: High. Strengthening of consumer personal data protection, including consent, mandatory data breach notification and record retention requirements.

Issue: E-commerce data
Development: Draft E-commerce Law.
Impact: High. New data protection obligations including prior notice and consent; explicit consent for subsequent changes of scope/purpose; data retention, use and security obligations; immediate data breach notifications; and irretrievable anonymisation of e-commerce data before disclosure.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-prc-cybersecurity-law-take-action-and-monitor-developments-to-avoid-losing-your-china-business/

ITALY: The privacy authority issues its guidelines on the GDPR

The European privacy regulation (GDPR) can now rely on detailed guidelines from the Italian data protection authority on how to comply with it.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-the-privacy-authority-issues-its-guidelines-on-the-gdpr/

DLA Piper Italy and AIGI event on the General Data Protection Regulation

DLA Piper Italy and AIGI will run an event on how the General Data Protection Regulation will impact the business of companies on 16 February 2017.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/dla-piper-italy-and-aigi-event-on-the-general-data-protection-regulation/

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

Whilst WP29 announced that more opinions and guidance will follow (for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017), the first three guidelines already provide a first glimpse of WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g. WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example, it states that ‘core activities of the controller or processor’ (which trigger the appointment of a DPO as set out in Article 37 GDPR) refers to the key operations necessary to achieve the controller’s or processor’s goals, which can also be an inextricable part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR does not require the DPO to be someone working within the controller or processor; the DPO can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.


Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority is identified, i.e. where a controller has separate decision-making centres, in different countries, for different processing activities. The example given by WP29 is a bank whose banking decisions are made in the jurisdiction where its HQ is based, but whose insurance division is based in another jurisdiction. In that case, there are two lead supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-first-gdpr-guidance-published-by-article-29-wp/

CHINA: significant changes to data and cybersecurity practices under PRC Cybersecurity Law

After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law intends to combat online fraud and protect China against Internet security risks. In short, it imposes new security and data protection obligations on “network operators”; puts restrictions on transfers of data outside China by “key information infrastructure operators”; and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled; regarding the handover of intellectual property, source codes and security keys to the Chinese government; as to perceived increased surveillance and controls over the Internet in China; and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection, and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

  • Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (“KIIO”) during operations in China must be kept within the borders of the PRC. If it is “necessary” for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. “Personal information” is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person, including, but not limited to, natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth. However, the types of information that might constitute “important data” are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
  • A range of new obligations apply to organisations that are “network operators” (i.e. network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure or even just websites in China.
    • In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used); and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling, and not be excessive; not provide an individual’s personal information to others without the individual’s consent; nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction, and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
    • As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
    • Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such co-operation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
    • More general conditions on network operators carrying out business and service activities include: obeying all laws and regulations, mandatory and industry national standards, social mores and commercial ethics; being honest and credible; and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programmes published or installed by users.
    • Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.
  • Additional security safeguards apply to KIIOs, including: security background checks on key managers; staff training obligations; disaster recovery back ups; emergency response planning; and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
  • Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; must take remedial action against security issues and report them to users and relevant authorities; and must provide security maintenance for their products and services which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.
  • Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold, or proposed to be sold, by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
  • Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
  • Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering or destructing key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect, and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
  • Other new rules relate to: network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed, practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-significant-changes-to-data-and-cybersecurity-practices-under-prc-cybersecurity-law/

GERMANY: Cloud Computing and trans-border transfers of personal data under review of German DPAs

by Jan Spittka and Jan Pohle

While Cloud Computing and other types of trans-border transfers are nowadays vitally important for data processing, the transfer of personal data to third countries (i.e. non-EU/EEA countries) is subject to specific requirements under European data protection law. The data controller, e.g. the company transferring personal data to its affiliates or service providers, must ensure an adequate level of data protection in accordance with the EU Data Protection Directive (Directive 95/46/EC). Trans-border flows of personal data are now under review by the German Data Protection Authorities (DPAs).

Enquiry of the DPAs

On 3 November 2016, ten German DPAs issued a press statement (available here, in German only) explaining that transfers of personal data have increased strongly over the last few years. In order to raise awareness of the legal framework governing cross-border data transfers, a questionnaire (available here, in German only) will be sent to 500 German companies of all sizes and across various fields of activity. Both management and the company’s data protection officer are required to sign the questionnaire. The companies are expected to specify which of the services and products they use require cross-border data transfers. The questionnaire asks in particular about marketing, recruiting, cloud storage, internal communication systems and intra-group data transfers, and the legal basis for each transfer must be stated.

Legal Background

The EU Data Protection Directive provides several options for ensuring an adequate level of data protection: Standard Contractual Clauses, Binding Corporate Rules, a special arrangement such as the EU-US Privacy Shield, or a decision of the European Commission finding that a particular country ensures such a level of protection. The German DPAs have observed an unsatisfactory level of awareness of data protection in cross-border scenarios. Their aim is to evaluate whether, and to what extent, companies comply with European data protection law.

Practical Impact

  • Companies using Cloud Computing should pay close attention.
  • The DPAs have stated that the questionnaires and the corresponding answers may give grounds for a “more thorough investigation”.
  • Such investigations could lead to administrative fines of up to EUR 300,000.
  • The questionnaire should therefore be considered thoroughly and the answers reviewed carefully. If the German DPAs are not satisfied with the answers, further measures are likely to follow.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-cloud-computing-and-trans-border-transfers-of-personal-data-under-review-of-german-dpas/

EUROPE: ECJ – Dynamic IP addresses may constitute personal data

By Jan Pohle and Jan Spittka

In its landmark decision in Breyer v. Federal Republic of Germany (judgment of 19 October 2016, case C-582/14), the European Court of Justice (ECJ) not only ended the long and tricky debate on whether dynamic IP addresses constitute personal data even where the data controller processing them does not itself hold the means to link them to the data subject. The court also concluded that the provisions of German law governing the processing of personal data in the online environment do not comply with the EU Data Protection Directive (Directive 95/46/EC), because they provide no statutory permission to process personal data on the basis of a balancing of the legitimate interests of the data controller against the interests of the data subjects.


Background

The case was referred to the ECJ by the German Federal Court of Justice (Bundesgerichtshof, “BGH”). The claimant, Mr Breyer, had sued the German Federal Ministry of Justice and Consumer Protection (Bundesministerium für Justiz und Verbraucherschutz, “BMJV”) seeking an order that it cease registering and storing his dynamic IP address after he visited the BMJV’s websites. The BMJV argued that IP addresses must be retained after the visit ends in order to protect the websites against cyberattacks. The BGH asked the ECJ whether dynamic IP addresses constitute personal data with respect to an “online media service provider” (i.e. the operator of a website) where only a third party (here, the internet service provider) holds the additional data needed to identify a visitor. The BGH further asked whether a website operator may collect and subsequently use visitors’ personal data in order to ensure the general operability of its website.

Ruling of the ECJ

The ECJ decided that a dynamic IP address does not only constitute personal data with respect to the internet service provider (which has the means to link the IP address to the individual behind the address in any case), but also with respect to the operator of a website, if this website operator has legal means to identify the visitor with the help of additional information from the visitor’s internet service provider. The ECJ confirmed this with respect to German law. Although the operator of a website does not have any direct claims against an internet service provider to provide the name of an individual behind an IP address, the court found it to be sufficient, if the website operator can obtain the information required to identify the visitor of the website from the internet provider via a competent authority which requests the information to prepare criminal proceedings, e.g. in the event of cyberattacks. As a consequence, the processing of IP addresses by website operators is subject to and has to comply with the applicable member state data protection requirements. Beyond this specific case, the ECJ has provided sufficient tools to determine whether information constitutes personal data, if the information cannot be directly linked to an individual, but only by using additional information which is held by a third party. According to the ECJ, this is not the case, if  the identification of the data subject was

  • prohibited by law, or
  • practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower, so that the risk of identification appears in reality to be insignificant.

The classification of dynamic IP addresses as personal data required the ECJ to take a closer look at the German data protection rules dealing with the processing of personal data in the online environment. Currently applicable law allows the processing of personal data without the data subject’s consent only in a limited number of specifically defined cases. A general provision allowing a balancing of interests in the individual case is not included. According to the ECJ, this lack of a statutory permission is not compliant with Article 7 lit. f) of the Data Protection Directive. This finding also has a fundamental impact beyond the case at hand, as all member state data protection laws now have to be reviewed to determine whether they allow for a balancing of interests, at least in individual cases.

Conclusion

The decision of the ECJ forces all operators of websites, irrespective of whether they are public authorities or private businesses, to review the collection, processing and use of IP addresses in connection with their websites. However, the ECJ has also strengthened IT security, as it pointed out that member state law has to provide for the possibility to process personal data without consent for cybersecurity purposes.

Jan Spittka and Jan Pohle

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/ecj-dynamic-ip-addresses-constitute-personal-data-and-german-law-not-compliant-with-data-protection-directive-by-jan-spittka-and-jan-pohle/

GLOBAL: Large number of Internet of Things devices are NOT privacy compliant

An investigation run by 26 privacy authorities showed that 60% of the reviewed Internet of Things technologies did not pass the test of compliance with data protection laws.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/internet-of-things-devices-are-not-privacy-compliant/

How the new privacy portability right will change your industry

The new data portability right empowers individuals to take full control over their personal data, representing both an opportunity and a risk for companies.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/how-the-new-privacy-portability-right-will-change-your-industry/

EU – The right to be forgotten and the role of the Companies Registry

On 8 September 2016, Advocate General Bot released his opinion in “Camera di Commercio Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni” (C-398/15) (“Manni Case“). If confirmed by the European Court of Justice, the opinion will no doubt shed further light on the construction of the right to be forgotten.

Background

The original plaintiff, Salvatore Manni, is an Italian citizen and former sole director of a building company which went bankrupt. The information about the building company’s bankruptcy and its then sole director had been permanently stored in the Companies Registry (Registro delle Imprese) held by the local Chamber of Commerce (Camera di Commercio), even though the company had been liquidated. Mr Manni claimed that third-party access to the above data jeopardised certain sales of real estate, and accordingly requested the Companies Registry to anonymise his data or restrict access to the Registry. The Chamber of Commerce countered that the Companies Registry is a public database with a specific obligation to provide, to anyone who requests it, the main information on companies. The case escalated up to the Italian Supreme Court (Corte Suprema di Cassazione), which referred the issue to the ECJ, asking whether certain personal information (legally) made available by the Companies Registry should, after a certain time, be erased, anonymised, or restricted to a limited number of third parties.

The Advocate General’s Conclusions

According to the Advocate General, all Companies Registry data should be made available without restriction. Indeed, the Company Law Directive 68/151 requires Member States to take all necessary measures to ensure the compulsory disclosure by a company of a limited set of information and documents, including general details of the legal representatives.

The fundamental function of the Companies Registry is to provide a complete picture of the life and history of a company, allowing anyone to read the information at any time. While acknowledging that any derogation from a (fundamental) data protection right should be limited to what is strictly necessary, the Advocate General stressed that allowing a public Companies Registry to keep track of the whole life of a company (even when the company no longer exists) would not be disproportionate, also considering that the information is very limited (i.e. the names of the individuals who had the power to represent the company) and that certain rights may be exercised even after the company has ceased to operate (for instance, actions against the liquidators). The Registry does not play a merely statistical role; it safeguards legal certainty as a means of encouraging market transactions, including through information about who represented a certain company over a certain period of time. While Directive 68/151 does not provide for a period of time after which information must be deleted, the Advocate General added that it should also not be for the Registry to determine when such information should be restricted or anonymised, as this would add a discretionary assessment of the legitimate interests of the parties involved, with obvious risks of inconsistent decisions by the various public Registries.

The Right to be Forgotten is not Absolute

The Advocate General’s analysis echoes the ruling in the Google Spain Case, confirming that the right to be forgotten is not absolute and should be balanced against other fundamental rights, such as freedom of expression or – as in the Manni Case – the interest of third parties in obtaining information on particular persons who held a key position in a company. The right to be forgotten will still require a case-by-case assessment, taking into account the specific type of information, its sensitivity for the individual’s private life, the interest of the public in having access to that information and the role played by the data subject.

In this case, the essence is that a Companies Registry is neither a widely circulated newspaper nor a social media platform, and it should be treated accordingly. It is a public registry, aimed at facilitating certain fundamental economic transactions. It is true that, by submitting a specific enquiry to the Companies Registry, it is possible to gather the information that a certain individual was the sole director of a bankrupt company, and this information may, from the perspective of a potential buyer, be a determining factor in completing a certain purchase. However, associating in a public Registry a certain person holding a specific office with a company that was declared bankrupt is not in itself prejudicial to that person. A bankruptcy may be due to many factors, including external market trends.

Although the Advocate General took into account the balance between the Company Law Directive (68/151) and the Data Protection Directive (95/46), his views would also stand under the right to be forgotten as set out in Article 17 of the European General Data Protection Regulation, which among other things confirms that the right to be forgotten does not apply for the purposes of archiving in the public interest.

For further information on this opinion, see also the note by Cristina Ulessi. It will no doubt be very interesting to review the ECJ’s final position.

@giangiolivi

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-right-to-be-forgotten-and-the-role-of-the-companies-registry/