The prospects for data breach laws in 22 European countries
Stewart Dresner, Chief Executive, Privacy Laws & Business
Wednesday, 4 November 2009, 16:30-17:45: PARALLEL SESSION A: Ooopsss!!!!! Where did I leave my computer?
Prevention and reaction in light of security breaches
31st International Conference of Data Protection and Privacy Commissioners, Madrid
The prospects for data breach laws in 22 European countries: Contents
1. Privacy Laws & Business’s knowledge base and contacts
2. Rationale and scope for data breach research
3. The research method
4. Common themes
5. Current data breach laws and demand for new laws
6. Results: DPAs’ views and preferred policies
7. Advantages and disadvantages of a data breach law for DPAs, companies and individuals*
8. Recommendations by DPAs and companies*
9. Privacy Laws & Business’s conclusions
10. What next?
* Slides available on request
Privacy Laws & Business
23rd Annual International Conference
July 5th – 7th 2010
St John’s College
Cambridge
United Kingdom
EPON Data Protection Commissioner Roundtables
• Madrid, Spain (2003)
• Rome, Italy (2003)
• Czech Republic, Hungary and Poland in Prague (2004)
• Paris, France (2005)
• Berlin, Germany (2005)
• Dublin, Ireland (2006)
• Russia, Greece, Portugal in London (2006)
• Stockholm, Sweden (2007)
• Helsinki, Finland (2007)
• Brussels, Belgium (2007)
• The Hague, Netherlands (2007)
• Madrid, Spain (2008)
• Luxembourg (2008)
• Warsaw, Poland (2008)
• Zurich, Switzerland (2009)
• Rome, Italy (2009)
IPON Roundtables
• Argentina’s DP Commissioner/Australia’s DP Commissioner in Montreux, Switzerland - 2005
• Binding Corporate Rules, Washington DC - 2006
• European HR issues in Washington DC - 2006
• Canadian HR issues in Toronto - 2007
• Asia-Pacific Briefing, London - 2007
• Asia-Pacific Conference, Strasbourg - 2008
• Madrid, November 3rd 2009: Employee surveillance in Europe: Balancing privacy rights and management control
EPON/IPON Participants include: Accenture, Arnold & Porter, Barclays Bank, Boeing, BP, BT, Citigroup, CSC, Deutsche Bank, eBay, Eli Lilly, ExxonMobil, FIFA, Fujitsu, General Electric, General Motors, Google, Halliburton, HBOS, IBM, IMS Health, Intel, Johnson & Johnson, Kodak, Lloyds Register, Manpower, Nestle, Novartis, Oracle, Pfizer, PwC, Procter & Gamble, Schering-Plough, Sony, Total, Walt Disney, Western Union, Wyeth
EPON/IPON Meeting Hosts
Other PL&B Services
• Consulting
• Data Protection Audits
• Recruitment
  – Advice on job descriptions
  – Interim managers
• Training
Rationale for data breach research
• USA: data breach laws in most states. Have these US laws set a trend for Europe, or are current data protection laws enough?
• US laws’ role in helping raise awareness
• Lack of research linking data breaches to ID theft, credit card fraud etc., but a consensus that increased data losses should be tackled
• DP and privacy laws in the EU and US cover data security. Is there a need for specific provisions on action to be taken when data is lost or stolen?
Scope & Geographical Context
• The 27 EU member states
• The other countries within the European Economic Area: Norway, Iceland, Liechtenstein
• Switzerland
• Jersey, Guernsey, Isle of Man
Research Timeline 1: 2008
• January: Questionnaire by email to DPAs
• Follow-up telephone calls and emails
• Responses from: Czech Republic, Denmark, Finland, Guernsey, Hungary, Iceland, Ireland, Jersey, Slovak Republic, Sweden & United Kingdom
• European Privacy Officers Network members’ survey and results
• February: Report in PL&B’s International newsletter (available on request)
• March: Detailed report for DPAs and feedback
Research Timeline 2
• April: Target larger/more experienced countries’ DPAs
• May-June: Responses from Italy, Spain, Portugal, Poland, Luxembourg, France and Belgium
• July: Presentation of results at PL&B’s Annual Conference, Cambridge
• Aug-Nov: Drafting report
• Jan-Mar 2009: Responses from Austria, Germany, Netherlands
• Feb-April 2009: DPAs check reports. Updates
• April/May 2009: Conference and Report published
Research Methods
• Email responses from most countries
• Face-to-face interviews (Italy, Portugal, Luxembourg)
• Telephone interviews (Jersey, Guernsey, Germany)
Other Methods
• National expert’s comments in Switzerland (David Rosenthal, Special Counsel, IT & Telecommunications, Homburger, Zurich)
Questions to DPAs
16 questions covering the following areas:
1. Current laws
2. Demand for data breach laws
3. Purpose and scope of legislation
4. Regulatory options and preferred policies
Common themes
1. Definitions: what is a data breach?
2. Breach notification: How, when and who should companies notify?
3. Lack of research, particularly on the impact of data breaches on individuals
4. Always a risk attached to the processing of personal data
5. Criminal liability for organisations?
Current data breach laws
• Data protection legislation in all European countries, but only general application of this legislation to the unauthorised access, loss or theft of personal data
• Data breaches covered by DP laws, criminal & civil codes and additional e-communication legislation
• Some reporting requirements and guidance, but no specific mention in law of action to be taken, except:
• Specific data breach law in Germany (2009) where individuals suffer considerable damage and for specific data: professional secrecy, criminal or administrative offences and bank or credit card data
Demand for data breach laws
• Increase in reported data breach incidents
• Hot topic for the media and growing political interest. Differing pressures in different countries: more in the Netherlands, less in Portugal
• Trend for data controllers to contact the authorities where data has been inappropriately released
• No Europe-wide demand for a specific data breach law as current legislation is sometimes enough
DPAs’ views on purpose and scope of specific data breach rules
1. Harmonisation within the EU, but national implementation to reflect national needs
2. Any new data breach provisions to include:
• data controllers and data processors
• the public and private sectors
3. Problems with breach notification in the US discourage Europe, e.g. over-notification and inconsistency of reporting rules
4. Responsibilities and tasks must be stated clearly
Regulatory Options
Agreement that some form of data breach regulation would be a good idea. Four options, or a combination:
1. Insert data breach provisions into existing related legislation
2. EU Member States insert a mandatory breach notification requirement as a specific national law
3. Amend the EU e-comms or general DP Directive
4. Practical Guidelines by the EU Art. 29 Data Protection Working Party
Driving factors behind a separate data breach law
1. Increase the protection of personal data
2. Make organisations more accountable for data security
3. Force organisations to improve security standards
4. Restore individuals’ confidence in data controllers
DPAs’ views on possible data breach laws
• Some consistency is needed across Europe in this area
• EU should regulate first
• DPAs favouring amending their current data protection or other law to cover data breaches (UK, Jersey, Finland, Poland, Portugal, Luxembourg, Italy, Netherlands and Germany)
DPAs’ Preferred Policies 1
1. More human and financial resources
2. Notification of data breaches
3. Orders from DPAs to data controllers and processors to act in a specific way in response to a data breach
4. Discretion to impose sanctions and appropriate fines
5. Compensation to individuals (in conjunction with civil law provisions)
6. Power to conduct audits when necessary
7. Power to publicly ‘name and shame’ organisations
DPAs’ Preferred Policies 2
8. Support new provisions covering both the public and private sectors (All)
9. Favouring new provisions to cover both data processors and controllers (All DPAs apart from UK, Ireland, Guernsey, Germany and the Netherlands)
10. Want companies to notify them of data breaches (UK, Jersey, Czech Republic, Guernsey, Ireland, Finland, France, Portugal, Luxembourg, Italy, and Germany)
11. Favouring companies paying compensation to individuals where appropriate (Poland, UK, Finland, France, Italy, and Austria)
12. Offering data breach guidance (UK and Ireland)
13. Some form of redress for data subjects
PL&B’s Conclusions
The ‘ideal’ is a synthesis of DPAs’ and companies’ views which is also practical for data subjects. A data breach plan should:
1. be proportionate
2. alert a DPA when there is a substantive rather than a procedural problem
3. place more emphasis on a remedy to the problem, and
4. less emphasis on sanctions.
What next?
EU Level
1. Extension of the EU e-communications directive to include data breach legislation for ISPs, other sectors?
2. Amend the general EU Data Protection Directive?
3. Practical guidelines by the EU Art. 29 Working Party?
National Level
1. Modest amendments to national laws, e.g. Luxembourg amending its DP code to include responsibilities of processors as well as controllers
Company Level
1. Broader breach management programmes
2. Continuing improvement of internal systems, e.g. reporting mechanisms
Report from Privacy Laws & Business: Data Breach Dossier on request
Questions?
Research Director and Editor: Stewart Dresner
Researcher: Amy Norcup
Contact details
Stewart Dresner, Chief Executive
Adèle Kendler, Project Manager
Privacy Laws & Business, 2nd floor, Monument House, 215 Marsh Road, Pinner, Middlesex, HA5 5NE, United Kingdom
Tel: +44 208 868 9200 Fax: +44 208 868 5215
www.privacylaws.com