Tuesday 23 October 2012

Data protection law - comparative approach in French law and UK law

Speaker: Nathalie Moreno, Avocat and solicitor specialising in the law of new technologies

COMMISSION PARIS - LONDRES
Head: Alain-Christian Monkam


Speakers' Profiles

Dr Nathalie Moreno, Partner of the UK international firm Speechly Bircham, IP, Technology & Data Protection

A Harvard Law School graduate and holder of a PhD in International law, Nathalie is an international technology commercial partner, with over twenty years' experience in advising technology-enabled businesses across sectors in EMEA and globally.

Nathalie is fluent in Spanish and French and has a working knowledge of Russian.

Laurie-Anne Ancenys

Laurie-Anne is a triple qualified lawyer advising clients under English, French and Spanish laws. Laurie-Anne graduated from the Universities Paris Pantheon-Sorbonne and Complutense of Madrid with a double degree programme in French and Spanish Law.

Dr Nathalie Moreno

Member of:

Paris Bar

Solicitor (Law Society of England and Wales)

International Technology Law Association (I-Tech)

Society for Computers and Law (SCL)


Agenda

1. The legal framework
   At the EU level
   At the national level
   The role of the data protection authorities

2. Overview of some key themes
   Notifications
   International transfers
   Whistleblowing Hotlines
   Data protection breaches
   The right to be forgotten
   Offences and penalties

3. The proposed reform of the EU data protection framework
   Key measures
   Opinions of the Data Protection Authorities

The EU legal framework

European Directives

Directive 95/46/EC of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Basis of current data protection legislation in all Member States of the European Union

Directive 2002/58/EC «Directive on privacy and electronic communications»

Directive 2006/24/EC on data retention

Directive 2009/136/EC of 25 November 2009, modifying Directive 2002/22/EC «Universal Service Directive», Directive 2002/58/EC «Directive on privacy and electronic communications» and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws

Council Framework decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters

Regulation (EC) 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

Charter of Fundamental Rights of the European Union of 7 December 2000


The national legal framework

French law

Law no. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties

Conditions for the lawfulness of data processing

Formalities required prior to data processing

Obligations of data controllers

Rights of data subjects

Sanctions and Penalties

Other applicable laws

English law

Data Protection Act 1998

The eight principles

The rights conferred by law

Mandatory formalities and exceptions

Offences and Penalties

Other applicable laws

The role of the data protection authorities

French law

The French national data protection agency (CNIL)

Independent administrative body

In charge of privacy and the protection of public or individual liberties

Advisory and consultation role, in charge of keeping a register, audits, enforcement of sanctions and penalties

English law

Data Protection Act 1998

The eight principles

The rights conferred by law

Mandatory formalities and exceptions

Offences and Penalties

Other applicable laws


Notifications

Key legal concept

Data controllers have the obligation to notify the relevant authorities of their data processing activities unless an exemption applies

French law

Notifications:

Simplified declaration

Ordinary declaration

Authorisations

Opinion requests

Unless exemption applies to specific data processing

English law

Notifications:

One single notification related to all data processing activities

International data transfers

Key legal concept

Prohibition of international data transfers towards countries that do not offer an adequate level of protection.

International data transfers may be authorised in the following cases:

Countries recognised as adequate by the European Commission

Model clauses

Safe Harbor

Binding Corporate Rules (BCR)

Exceptions

French law

In principle, the transfer must be authorised by the CNIL

English law

The transfer does not need to be authorised by the ICO


Whistleblowing hotlines

Key legal concept

Whistleblowing hotlines are subject to notifications.

French law

Unique Authorisation AU-004 (restrictive scope)

Authorisation

Notification of the works council.

English law

Covered by the general notification filed with the ICO

Data protection breaches

Key legal concept

No general legal obligation for the data controllers to inform the authorities in case of breach

For the providers of electronic communications services offered to the public:

Obligation to inform the relevant authority (and the data subjects where appropriate)

Exceptions

Register of breaches

French law

No specific template

English law

ICO has put in place a template log for data breach notifications

Serious breaches must be notified

Guidelines available

Right to be forgotten

Key legal point

Perceived by some as a novelty – part of French law for a long time

French law

The data subject can request that the data controller delete personal data relating to him/her (art. 40)

English law

No equivalent provision in the Data Protection Act of 1998


Offences and penalties

French law

Warning and notice

Penalties – up to €300.000

Criminal offences: imprisonment and up to € 1.5 million in fines for companies

Injunction to stop data processing or withdrawal of authorisation

Obstruction to CNIL’s intervention - 1 year imprisonment + 15,000 in fines

English law

Warning and audits

Penalties – up to £500.000

Liability of directors of the company involved

Criminal offences

The draft European reform proposal

Key measures

Published on 25 January 2012 by the EU Commission to modernise the legal system

Consists of two documents:

A « general regulation on data protection » whose purpose is to replace the current Directive 95/46/EC on « personal data protection »; and

A directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities

Overview of the key measures of the Regulation


The draft European reform: opinions of the data protection authorities

CNIL

Acknowledges that the rights of EU citizens will be greatly reinforced with:
   Right to be forgotten
   Data portability
   Explicit consent
   Power of sanctions

Expresses key reservations:
   In relation to art. 51 – data protection authorities’ scope of jurisdiction
   In relation to the level of protection of EU data subjects - should be equivalent to EU consumers

ICO

Acknowledges improvement of rights for data subjects:
   Obligation to notify in case of breach
   Explicit consent
   Accountability principle
   Privacy by design
   Data protection impact assessment analysis

List of its multiple concerns in a report