Tuesday 23 October 2012
Data protection law - comparative approach in French law and UK law
Speaker:
Nathalie Moreno, avocat and solicitor specialising in the law of new technologies
Paris - London Commission
Head: Alain-Christian Monkam
Speakers Profile
Dr Nathalie Moreno, Partner of the UK international firm Speechly Bircham, IP, Technology & Data Protection
A Harvard Law School graduate and a PhD in International law holder, Nathalie is an international technology commercial partner, with over twenty years experience in advising technology-enabled businesses across sectors in EMEA and globally.
Nathalie is fluent in Spanish and French and has a working knowledge of Russian.
Laurie-Anne Ancenys
Laurie-Anne is a triple qualified lawyer advising clients under English, French and Spanish laws. Laurie-Anne graduated from the Universities Paris Pantheon-Sorbonne and Complutense of Madrid with a double degree programme in French and Spanish Law.
Dr Nathalie Moreno
Member of:
Paris Bar
Solicitor (Law Society of England and Wales)
International Technology Law Association (I-Tech)
Society for Computers and Law (SCL)
Agenda
1. The legal framework
At the EU level
At the national level
The role of the data protection authorities
2. Overview of some key themes
Notifications
International transfers
Whistleblowing hotlines
Data protection breaches
The right to be forgotten
Offences and penalties
3. The proposed reform of the EU data protection framework
Key measures
Opinions of the data protection authorities
The EU legal framework
European Directives
Directive 95/46/EC of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Basis of current data protection legislation in all Member States of the European Union
Directive 2002/58/EC «Directive on privacy and electronic communications»
Directive 2006/24/EC on data retention
Directive 2009/136/EC of 25 November 2009, modifying Directive 2002/22/EC «Universal Service Directive», Directive 2002/58/EC «Directive on privacy and electronic communications» and Regulation (EC) no.2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws
Council Framework decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters
Regulation (EC) 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
Charter of Fundamental Rights of the European Union of 7 December 2000
The national legal framework
French law
Law no. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties
Conditions for the lawfulness of data processing
Formalities required prior to data processing
Obligations of data controllers
Rights of data subjects
Sanctions and Penalties
Other applicable laws
English law
Data Protection Act 1998
The eight principles
The rights conferred by law
Mandatory formalities and exceptions
Offences and Penalties
Other applicable laws
The role of the data protection authorities
French law
The French national data protection agency (CNIL)
Independent administrative body
In charge of privacy and the protection of public or individual liberties
Advisory and consultation role, in charge of keeping a register, audits, enforcement of sanctions and penalties
English law
Data Protection Act 1998
The eight principles
The rights conferred by law
Mandatory formalities and exceptions
Offences and Penalties
Other applicable laws
French law
Notifications:
Simplified declaration
Ordinary declaration
Authorisations
Opinion requests
Unless exemption applies to specific data processing
English law
Notifications:
One single notification related to all data processing activities
International data transfers
Key legal concept
Prohibition of international data transfers towards countries that do not offer an adequate level of protection.
International data transfers may be authorised in the following cases:
Countries recognised as adequate by the European Commission
Model clauses
Safe Harbor
Binding Corporate Rules (BCR)
Exceptions
French law
In principle, the transfer must be authorised by the CNIL
English law
The transfer does not need to be authorised by the ICO
Notifications
Key legal concept
Data controllers have the obligation to notify the relevant authorities of their data processing activities unless an exemption applies
Whistleblowing hotlines
Key legal concept
Whistleblowing hotlines are subject to notifications.
French law
Unique Authorisation AU-004 (restrictive scope)
Authorisation
Notification of the works council.
English law
Covered by the general notification filed with the ICO
Data protection breaches
Key legal concept
No general legal obligation for the data controllers to inform the authorities in case of breach
For the providers of electronic communications services offered to the public:
Obligation to inform the relevant authority (and the data subjects where appropriate)
Exceptions
Register of breaches
French law
No specific template
English law
ICO has put in place a template log for data breach notifications
Serious breaches must be notified
Guidelines available
Right to be forgotten
Key legal point
Perceived by some as a novelty – part of French law for a long time
French law
The data subject can request from the data controller that personal data related to him/her be deleted (art. 40)
English law
No equivalent provision in the Data Protection Act of 1998
Offences and penalties
French law
Warning and notice
Penalties – up to €300.000
Criminal offences: imprisonment and up to € 1.5 million in fines for companies
Injunction to stop data processing or withdrawal of authorisation
Obstruction to CNIL’s intervention - 1 year imprisonment + 15,000 in fines
English law
Warning and audits
Penalties – up to £500.000
Liability of directors of the company involved
Criminal offences
The draft European reform proposal
Key measures
Published on 25 January 2012 by the EU Commission to modernise the legal system
Consists of two documents:
A "general regulation on data protection" whose purpose is to replace the current Directive 95/46/EC on "personal data protection"; and
A directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities
Overview of the key measures of the Regulation
The draft European reform
Opinions of the data protection authorities
CNIL
Acknowledges that the rights of EU citizens will be greatly reinforced with:
Right to be forgotten
Data portability
Explicit consent
Power of sanctions
Expresses key reservations:
In relation to art. 51 – data protection authorities’ scope of jurisdiction
In relation to the level of protection of EU data subjects - should be equivalent to EU consumers
ICO
Acknowledges improvement of rights for data subjects:
Obligation to notify in case of breach
Explicit consent
Accountability principle
Privacy by design
Data protection impact assessment analysis
List of its multiple concerns in a report