LEGAL IAN SKUSE


SAFETY CATCH

Any corporate involved in the collection or processing of personal data is in for a busy time in the coming years. There is a new EU framework for this under the EU general data protection regulation (EGDPR) and, at the same time, there is a new EU directive on passenger name records (PNRs). We are also still struggling with ‘Privacy Shield’, which was expected to take over from the ‘Safe Harbour’ regime regarding protection for EU citizens’ data processed or stored within the US, and it seems Privacy Shield is some way from becoming an agreed set of rules.


EGDPR CHANGES

The framework for this new regulation has finally been agreed and is likely to be introduced in the first half of 2018, and there are some key changes to our present regime for protecting personal data. The new regulation will extend beyond the European Union (EU) to those who are processing or monitoring information relating to EU data subjects. New obligations require data controllers to maintain certain documents and records, conduct data protection impact assessments and ensure that, where required, a data subject’s consent is freely given and can be withdrawn. All data breaches are to be reported, where possible, within 72 hours and, if not, there should be a reason why. Data processors have to put in place technical and organisational measures to ensure compliance, and the regulation allows for the imposition of fines of up to 4 per cent of annual worldwide turnover for significant breaches. Other specified breaches of the regulation can mean the levying of fines of up to 2 per cent of turnover. Binding corporate rules are required to allow data transfers between companies across international borders. In some cases a data protection officer must be designated.


BUYINGBUSINESSTRAVEL.COM


This will require a careful review of how and why data is used


In view of the hike in sanctions for major breaches, corporates should be devising internal policies and be carrying out an audit of what personal data is processed, stored or used. Consideration will be needed to ensure that individuals’ consent has been obtained. Where data is transferred outside of the EU, this should be legitimate and protected by binding contracts.


There are questions over the effectiveness of new policies regarding data protection


PNRs AND PIUs

This new directive will require airlines to hand national authorities passengers’ data for all flights from third countries to the EU or from the EU outbound. This is for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. EU member states will set up passenger information units (PIUs) to manage the PNR data collected by airlines, which will be retained for five years, but depersonalised after six months. These PIUs are to have their own data protection officer to ensure the rules are adhered to. This management of PNR data needs to be excluded from the usual cover of the Data Protection Act as various security departments for EU member states will be harvesting the data. The European Parliament has agreed the text that, following approval by the European Council, will be passed by member states into national laws.


PRIVACY SHIELD

Privacy Shield was the policy regarding the export of data from the EU to the US, agreed in February 2016 after two years of negotiations, and following the ruling of the European Court of Justice that the earlier arrangement of Safe Harbour did not protect European data adequately. The EU Article 29 Data Protection Working Party is critical of the new Privacy Shield wording, which it believes casts its net too wide and potentially allows mass data collection. There is also concern that the US ombudsman dealing with European complaints may not have sufficient powers. Article 29 often forms policy from which EU member states design their own rules and practices, and the fear is that Privacy Shield might be challenged in the courts.


CAREFUL SCRUTINY

Given the scope and complexity of these various new data protection arrangements, and the potential size of fines for data breaches, corporates will wish to understand their exposure. This will require a careful review of how and why data is collected, stored or passed to any third party. Contracts with suppliers who might receive personal data will need to be scrutinised to ensure that these new obligations and regulations are taken into account.


Ian Skuse is a partner in Blake Morgan’s Aviation team (blakemorgan.co.uk) and is based in their London office. Ian was a partner with Piper Smith Watton LLP, which merged with Blake Morgan LLP in August 2015.


BBT JULY/AUGUST 2016

