SNIA Europe update


Right to Erasure




What does the Draft Regulation say? Originally branded as “the right to be forgotten”, the “right to erasure” will apply where there is no longer any need to retain the data for the purpose for which it was collected, or where the data subject objects to the processing. The general rule is that a data controller must, without delay: (1) erase all personal data relating to the data subject and prevent further dissemination; and (2) arrange for its Internet or cloud hosting providers to erase “any links to, or copy or replication of that data”.


What are the implications for business? The scope of the “right to erasure” is still unclear and could be interpreted to require the deletion of personal data held on all forms of storage media including back-up devices, business records and archives. The cost would be significant. The Draft Regulation does, however, provide that where “the particular type of storage technology does not allow for erasure and has been installed prior to entry into force of [the] Regulation”, further processing of the data should instead be restricted.


Data Portability


What does the Draft Regulation say? The right to data portability will be merged with the right of data subjects to access and obtain their personal data. Electronically processed data must be provided to data subjects on request “in an electronic and interoperable format” in order to facilitate the transfer of data between service providers. Further, where technically feasible, the data should be transferred directly from controller to controller at the request of the data subject.


What are the implications for business? The right to data portability will be of concern to businesses that add significant commercial value to an individual’s personal data. The new rules are likely to require businesses to (1) create the technical means to facilitate the transfer; and (2) hand over valuable data files of their customers to competing service providers if requested by the data subject.


International Data Transfers


What does the Draft Regulation say and what are the implications for business? The Draft Regulation takes a cautious approach to international data transfers in light of the Snowden revelations and concerns over the efficacy of the existing US-EU Safe Harbor framework. The Draft provides that companies must (1) seek authorisation from local EU data protection authorities (“DPAs”) prior to any disclosure of EU personal data to a non-EU government or court; and (2) inform the relevant data subject of the proposed transfer. These obligations may be directly contrary to national security and law enforcement requirements in foreign countries where EU data is stored (e.g., those applicable to U.S. cloud providers).


As a demonstration of its concern over transfers to the US, the EU Parliament has recently voted to suspend the US-EU Safe Harbor framework (a popular vehicle used to legitimise transfers of data from the EU to the US). The European Commission (“Commission”), meanwhile, has recommended various improvements to the Safe Harbor framework. This raises pertinent issues about the impact on long-term cloud and other outsourcing agreements involving international transfers from the EU.


European Data Protection Seal (“EDPS”) The Draft Regulation would introduce a new certification programme allowing data controllers/processors to have their activities audited and certified by DPAs or accredited third parties. Cloud providers are considered to be prime candidates for the EDPS programme. EU customers would be able to rely on the EDPS as the basis for ensuring their vendors’ compliance with EU law.


Sanctions


What does the Draft Regulation say? The Draft Regulation establishes an eye-popping maximum penalty of up to €100 million or 5% of turnover (whichever is higher) for a serious breach of the Regulation. There is also a private right of action for individuals who have suffered damage, including non-pecuniary damage, as a result of violations of the Regulation.


What are the implications for business? This very high level of fines signifies the importance placed by the EU Parliament on the right to data protection. Given the territorial scope of the Draft Regulation, the possibility of the imposition of fines on businesses operating outside the EU should also not be ignored – the Draft Regulation purports to catch all businesses even if they have no physical presence in the EU, so long as they process personal data in connection with the provision of services to, or the monitoring of individuals in, the EU.


Next Steps


The EU Parliament’s vote of overwhelming support for the Draft Regulation precedes European elections that could have a significant impact on the make-up of the EU Parliament and the Commission. With strong concerns being raised by several EU Member States, it is difficult to predict whether the Draft Regulation will ultimately be enacted in its current form or when it will pass into law. It is in any event expected that a two-year grace period will apply.


Affected organisations should not be complacent, however, because many of the obligations set out in the Draft Regulation will require significant adjustments and could take considerable time to implement.


About Squire Sanders


Squire Sanders is one of the world’s strongest international legal practices with more than 1,300 lawyers around the world. The firm’s Global Data Protection Group advises clients on a wide range of policy, legal and compliance issues. The Group is led by partner Ann LaFrance, who serves as a special advisor to the Board of SNIA-Europe on data privacy and protection matters. For more information, visit: www.squiresanders.com


1. The adopted text of the Draft Regulation is available at the following link, which shows the original text proposed by the European Commission in January 2012 (the left column) compared to the text that has recently been adopted by the EU Parliament (the right column): http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%207427%202014%20REV%201


14 www.dcsuk.info I May 2014

