Tag Archive: Data security

EU – The right to be forgotten and the role of the Companies Registry

On 8 September 2016, Advocate General Bot released his opinion on “Camera di Commercio Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni”, C-398/15 (“Manni Case”). If confirmed by the European Court of Justice, the opinion will no doubt shed further light on the construction of the right to be forgotten.


The original plaintiff, Salvatore Manni, is an Italian citizen and former sole director of a building company which went bankrupt. The information about the building company’s bankruptcy and its then sole director had been permanently stored in the Companies Registry (Registro delle Imprese) held by the local Chamber of Commerce (Camera di Commercio), even though the company had been liquidated. Mr Manni claimed that access to the above data by third parties jeopardized certain sales of real estate, and accordingly requested the Companies Registry to anonymize his data or restrict access to the same Registry. The Chamber of Commerce objected that the Companies Registry is a public database with a specific obligation to provide the companies’ main information to everyone (upon specific request). The case escalated up to the Italian Supreme Court (Corte Suprema di Cassazione), which referred the issue to the ECJ, asking whether certain personal information (legally) made available by the Companies Registry should after a certain time be erased, or anonymized, or restricted to a limited number of third parties.

The Advocate General’s Conclusions

According to the Advocate General, all Companies Registry data should be made available with no restriction. Indeed, the Company Law Directive 68/151 requires Member States to take all necessary measures to ensure the compulsory disclosure by a company of a limited amount of information and documents, including general details of the legal representatives.

The fundamental function of the Companies Registry is to provide a complete picture of the life and history of a company, allowing anyone to read the information at any time. While acknowledging that any derogation from a (fundamental) data protection right should be limited to what is strictly necessary, the Advocate General stressed that allowing a public Companies Registry to keep track of the whole life of a company (even when such company no longer exists) would not be disproportionate, also considering that the information is very limited (i.e. the name of the individuals that had the power to represent the company) and certain rights may be exercised also after the company ceased to operate (for instance for actions against the liquidators, etc.). The Registry does not play a limited statistical role; it safeguards legal certainty as a means to encourage market transactions, also through information about who represented a certain company over a certain period of time. While Directive 68/151 does not provide for a period of time after which it is necessary to cancel certain information, the Advocate General added that it should also not be for the Registry to determine when such information should be restricted or anonymized, as it would otherwise add a discretionary assessment of the legitimate interests of the parties involved, with obvious risks of uneven decisions from the various public Registries.

The Right to be Forgotten is not Absolute

The Advocate General’s analysis echoes the ruling of the Google Spain Case, confirming that the right to be forgotten is not absolute and should be balanced with other fundamental rights, such as freedom of expression or – like in the Manni Case – interests of third parties to gain information on particular persons that held a key position in a company. The right to be forgotten will still require a case-by-case assessment, taking into account the specific type of information, its sensitivity for the individual’s private life as well as the interest of the public in having access to that information and the role played by the data subject.

In this case, the essence is that a Companies Registry is not a broadly disseminated newspaper or a social media platform, and it should be treated accordingly. It is a public registry, aimed at facilitating certain fundamental economic transactions. It is true that, by entering a specific enquiry with the Companies Registry, it is possible to gather the information that a certain individual was the sole administrator of a bankrupt company, and this information may, from the perspective of a potential buyer, be a determining factor in completing a certain purchase. However, the fact of associating in a public Registry a certain person holding a specific office with a company that was declared bankrupt is not per se derogatory for such person. A bankruptcy may be due to many factors, including some external market trends.

Although the Advocate General took into account the balance between the Company Law Directive (68/151) and the Data Protection Directive (95/46), his views would stand also taking into account the right to be forgotten as devised by Article 17 of the European General Data Protection Regulation, which among other things also confirms that the right to be forgotten does not apply for the purposes of archiving in the public interest.

For further information on this opinion, see also here from Cristina Ulessi.  It will no doubt be very interesting to review the ECJ’s final position.




Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-right-to-be-forgotten-and-the-role-of-the-companies-registry/

GERMANY: Amended Liability Laws to Promote Public Wi-Fi

By: Dr. Thomas Jansen and Mari Martin

On May 11, 2016, the German coalition government agreed to amend the Telemedia Act, which sets the framework for Internet usage across Germany, in order to limit fault liability for Wi-Fi providers. The new regulation states that Wi-Fi providers will not be held liable for the illegal activities of persons using the service. This means that Wi-Fi providers are not responsible for users’ potentially illegal web activity, which may include copyright violations and illegal access to music, movies, and computer games. In the past, Wi-Fi operators in Germany have faced liability for the misconduct of users, regardless of their degree of fault. This left many businesses in Germany reluctant to provide public Wi-Fi access. With these amendments, the German government intends to encourage an increase in the number of Wi-Fi hotspots available in the country. This amendment clarifies that both private and commercial Wi-Fi service providers, such as restaurants or hotels, can rely on the so-called “liability privilege,” meaning they will no longer be liable for users’ online activity. However, some hurdles to an open Wi-Fi structure remain. The new law would require users to give their Wi-Fi host a written assurance that they will not act illegally before signing into the network. In addition, hotspot providers must provide “adequate” electronic security, for example, through the use of encryption methods. The amendment is the latest step in the coalition government’s “Digital Agenda,” which is aimed at improving electronic capabilities nationwide. Currently, far fewer hotspots are offered in Germany than in other EU countries such as the UK and France. With this amendment, the German government intends to change this. “We hope for an impulse so that, for example, cafés or airports or simply a private person can open his WLAN and make it accessible to others,” said Tanja Alemany, spokesperson for the German Economy Ministry. 
Potential hotspot providers who until now have been hesitant to provide public Wi-Fi access should now feel more secure in offering such hotspots. However, the law has been criticized by retailers, providers, and privacy activists. In particular, the provision requiring “adequate” electronic security was criticized by Germany’s HDE retailers’ federation as setting a legal “trap” because of the vague language used in the rules regarding how the Wi-Fi is to be made electronically secure. The Bundestag is likely to debate the amendment in the coming weeks. The legislation is expected to enter into force later this year.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-amended-liability-laws-to-promote-public-wi-fi/

NETHERLANDS – Legislation on mandatory data breach notification adopted by the Dutch Senate

By Richard van Schaik, Robin de Wit and Charlotte van Triest

On May 26, the Dutch Senate adopted the legislative bill on Data Breach Notifications, thereby amending the Dutch Data Protection Act and the Telecommunications Act (Wetsvoorstel meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp).

Content bill

The bill introduces the mandatory obligation for all types of data controllers to notify data breaches to the Dutch Data Protection Authority (“DPA”) and under circumstances also the obligation to notify the individuals affected by the data breach. Also, the DPA will have the authority to impose increased fines for noncompliance with this obligation.

The obligation to immediately notify the DPA arises in case of a security breach that has or is likely to have serious adverse effects on the protection of personal data. The severity of the potential consequences of the data breach is key when assessing the impact of the data breach. The government’s explanatory memorandum specifically states some factors that have to be taken into account in this assessment, namely: (i) the nature and scope of the data breach; (ii) the nature of the breached personal data; (iii) the extent to which technical measures have been put in place; and (iv) the consequences to the privacy of the individuals affected.

Additionally, data controllers will have the obligation to notify individuals affected by the data breach, but only in case the breach is likely to have adverse effects on the data subject’s privacy. In any case, data controllers will be required to maintain an internal register recording all data breaches that have or could possibly have serious adverse consequences on the protection of personal data.

It should also be noted that the obligation to notify should be separated from the obligation to implement adequate technical security measures, since they serve different purposes. The DPA is expected to issue guidelines specifying the requirements for the obligation to notify in further detail.

In addition, the bill introduces increased regulatory and investigative powers for the Dutch DPA, thereby becoming the regulatory authority responsible for the oversight based on the Data Protection Act as well as the Telecommunications Act. Under the new bill, in case of a failure to notify or other violations of specific articles of the Data Protection Act the Dutch DPA will be authorized to impose increased fines up to EUR 810,000 or 10% of the company’s annual net turnover per violation, which could also be calculated based on global revenues. Fines will only be imposed following a binding instruction from the DPA, except in case of deliberate violations or violations as a result of serious culpable negligence. The intended purpose of the binding instruction is to offer the alleged offender a chance to restore the suspected data breach and to avoid a serious fine.

At this moment it is unknown when the adopted legislation will enter into force. It is expected that the bill will enter into force on 1 January 2016.

Companies are advised to review whether they comply with the newly imposed notification requirements for data controllers, especially in relation to current data processors’ agreements.

DLA Piper’s global privacy team has helped clients through more than 450 breaches. For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com) and Robin de Wit (robin.dewit@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/netherlands-legislation-on-mandatory-data-breach-notification-adopted-by-the-dutch-senate/

UK: Health and Social Care Information Centre – information security

On 6th June, the UK’s Health and Social Care Information Centre (HSCIC) responded to a letter from the Secretary of State for Health, confirming its commitment to ensuring data security across the health and social care system.

With the vast amount of data collected by health and social care entities, and the very sensitive nature of that data, the risks are really very significant.

HSCIC set out five proposals to ensure data security:

  1. requiring certification from all health and social care entities that they meet their information governance obligations, and reporting their status to the public.  This will also involve updating the existing IG Toolkit;
  2. making data security and information governance requirements pre-requisites for providing health and social care services – including the CQC’s inspection regimes and NHS England’s commissioning and contracting arrangements;
  3. providing the best available support and resources to health and social care entities – including an approved framework of security, testing and training services;
  4. an independent security audit programme across the health and social care system; and
  5. establishing a national security strategy noting the various measures in place already and embedding these and new technologies in the design, specification and procurement of all national and local information systems.

HSCIC see this as being very much a partnership with other entities, and will report on progress annually starting in March 2015. 

Again, the message is clear – data privacy and security is no longer merely a compliance obligation.  This letter and the related developments will bring data security and good information governance right into the heart of health and social care contracting and the provision of these services.  We can expect to see a great deal of activity in this area – and DLA Piper will be a pro-active part of that.

You can find HSCIC’s web page with the Secretary of State’s letter and HSCIC’s response here.

For further information, please post a reply or contact JP Buckley at jp.buckley@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-health-and-social-care-information-centre-information-security/