Frederik Van Remoortel

In January 2012, the European Commission published its proposal for a general Regulation on data protection, which would apply directly in all EU Member States (see our newsletters from February 28, 2012, July 12, 2012, and January 22, 2013). The new Regulation should replace the current Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the various national laws implementing this Directive.

The Commission’s proposal meanwhile has been extensively discussed within the European Parliament and the Council, thousands of suggested amendments to the original text have been made and lobbyists and interest groups are working overtime.

The vote within the LIBE committee, the European Parliament’s lead committee for the proposed Regulation, has already been postponed twice and is now expected to take place on October 21, 2013. This vote is a condition for negotiations to start between the European Parliament and the Council. As there are still many key issues that are under discussion, these negotiations promise to be difficult and lengthy.

Hence, whereas under the current timetable it is still the intention to adopt the new Regulation prior to the EU Parliament elections to be held in May 2014, there is an increasing concern about the delays to implementation.

Political pressure in order to get the Regulation voted before these elections in May 2014 is now increasing. On September 18, 2013, for instance, Viviane Reding, vice-president of the European Commission and EU commissioner for justice, tweeted: “It’s time political leaders showed determination + adopted the Data Protection Regulation – Europe’s citizens deserve nothing less.” The weeks and months to come will therefore be very important.

However, whereas everyone agrees that the current legal framework, mainly based on a 1995 Directive, is no longer adapted to the needs of the digital economy, one should not forget that this existing legislation is still in place and that in certain areas more recent legislation exists (e.g. e-commerce Directive). Moreover, if the new Regulation will be voted before the 2014 EU Parliament elections, it will only sort its effects in 2016. If it is not voted by then, the decision making process will start again after the elections and the newly elected bodies will not be bound by the results of the current negotiations, which means that there will be additional delays of several months, if not years.

The current legal framework and the various national data protection laws may therefore be in place for many more years to come. Hence, whereas companies should definitively start thinking about how they will deal with the new Regulation, they should meanwhile not forget about their obligations under the current legislation.

This is in particular true because national data protection authorities (DPA’s) – in those countries where they have the power to do so – do not hesitate to enforce the rules. Even when under the current legal framework, these enforcement measures do not – contrary to what will be the case under the Regulation – result in heavy fines, the adverse publicity caused by media attention, should make companies act carefully. Recent events such as the NSA’s Prism program have made privacy and data protection an increasingly important topic in the media.

Some recent decisions illustrate this perfectly.

BELGIUM

NMBS Europe (international branch of the Belgian national railways)

Issue: Data breach – When cleaning out the data in the customer lists of the online sales department and the lists of the call center of NMBS Europe, personal data of at least 700.000 customers of NMBS Europe was temporarily transferred from a secure environment to an unsecure environment. This made the personal data available on the website of NMBS Europe via Google.

The personal data concerned names, addresses, date of birth, sex, mother tongue, e-mail addresses and (mobile) phone numbers of individuals who had requested information or who had purchased train tickets. The list apparently also included ministers, officials of the EU commission and personnel of several embassies.

The issue became public in December 2012, but the breach occurred in May 2012 already, so that the data had been available over the internet for more than eight months. Only when a blogger made the news public in December 2012, did the NMBS react.

More than 1.700 individuals filed a complaint with the Belgian DPA.

This data breach, one of the biggest of its kind in Belgium, received a lot of media attention, not only with respect to the breach itself but also with respect to the poor way in which the NMBS responded to these events.

Actions of the DPA: The Belgian DPA investigated the matter and decided that the NMBS had infringed the Belgian data protection act (insufficient level of security and violation of the obligation of a fair and lawful processing).

The Belgian DPA, which itself cannot impose sanctions, transferred the file to the office of the public prosecutor in accordance with article 32 of the Belgian Privacy Act. The public prosecutor will decide whether or not there will be a criminal prosecution.

Following this and some other recent data breaches, the Belgian DPA has published a recommendation on Information Security on January 21, 2013 (available in Dutch and French here).

THE NETHERLANDS

Data analysis by mobile operators

Issue: The four largest mobile network operators in the Netherlands – KPN, Tele2, T-Mobile and Vodafone – analyzed data traffic (packet inspection) on the mobile network.

Actions of the DPA: The DPA investigated the matter and in its reports of May/June 2013, the DPA confirmed the existence of violations of the Dutch Data Protection Act and of the Telecommunications Act by all four operators. The mobile operators were found to have stored detailed data about websites visited and apps used, in breach of the law. The DPA also concluded that, customers were not, or incorrectly, informed about the processing of such detailed information and the purpose thereof, in breach of the Data Protection Act.

Some of the established infringements have meanwhile stopped. The Dutch DPA will verify to what extent some established violations are still on-going and decide whether it will take enforcement measures.

Healthcare institutions and access to patient data

Issue: In 2011 and 2012, the DPA received signals about an alleged broad access to digital patient files by workers of healthcare institutions.

Actions of the DPA: The DPA initiated an investigation with nine healthcare institutions on the way workers could access the digital patient files. In its June 2013 report, the DPA announced that at none of the healthcare institutions concerned the access to digital patient files was organized in such a way that it would be limited to persons treating the patient or for whom access was necessary for the treatment. None of the institutions concerned were therefore in compliance with article 13 of the Data Protection Act.

The healthcare institutions have provided an action plan to the DPA in order to become compliant and the DPA is in contact with them on the timing for compliance. The DPA will take sanctions if the road to compliance takes too long.

FRANCE

Access request – Equipement Nord Picardie

Issue: An employee invoked his right to access the personal data (in particular geo-localization data) processed about him by his employer, the Société Equipement Nord Picardie. The latter, however, refused to provide a copy of the personal data that it processes (offering the employee to come and see the data at the premises). Moreover, the employer did not to cooperate with the DPA when it sent a notice of default, in which it asked to communicate the data concerned and also to communicate to the DPA the procedures put in place by the employer in order to respond to access requests.

Actions of the DPA: The DPA decided in June 2012 that there was a violation of the French Data Protection Act by not adequately replying to the notice of default of the DPA and ordered the employer to pay a fine of 10.000 EUR.

Video surveillance – SAS Professional Service Consulting

Issue: In December 2010, an employee of SAS Professional Service Consulting filed a complaint about the use by his employer of video surveillance .

Actions of the DPA: The DPA initiated an investigation and i.a. established that (i) the cameras filmed the working place of certain employees without interruption, (ii) the information provided to the data subjects was insufficient, and (iii) the security measures to access the data were insufficient. Notwithstanding notices, subsequent controls and promises of the company, the DPA had to establish in December 2012 that the system was still in place and that the violations had not stopped. The company was ordered to pay a fine of 10.000 EUR in May 2013.

GERMANY

Google Street View – April 2013

Issue: From 2008 to 2010, Google collected wireless-network data by its cars taking photos for the Street View service. Google’s cars captured the data, including contents of e-mails, passwords, photos and chat protocols.

Actions of the DPA: In April 2013, Google was ordered to pay a fine of 145.000 EUR and was ordered to destroy all the data concerned. In a similar matter, the French regulator CNIL levied a 100.000 Euro fine in 2011.

UNITED KINGDOM

Nationwide Energy Services Ltd / We Claim you Gain.

Issue: Direct Marketing The UK Office of Communications (OFCOM) is responsible for keeping a register of phone numbers allocated to subscribers who have notified that they do not wish to receive unsolicited calls for direct marketing purposes on those lines. Telephone Preference Service Limited (TPS) is a company set up by OFCOM to carry out this role. Businesses who wish to carry out direct marketing by telephone can subscribe to TPS for a fee and will then on a monthly basis receive the list of numbers in that register. Nation Wide Energy Services Ltd and We Claim you Gain Ltd, both part of the same group of companies, made unsolicited calls for the purpose of direct marketing to consumers on the TPS list. 2.700 complaints were made to TPS which notified the DPA theraof, and the DPA also received complaints directly.

Actions of the DPA: The DPA held that it is a necessary step for businesses undertaking telesales to make arrangements to ensure that they do not make direct marketing calls to consumers that have subscribed to TPS, unless they have obtained the informed consent of the consumers concerned. Nation Wide Energy Services Ltd was ordered to pay a monetary penalty of 125.000 £ and We Claim you Gain Ltd was ordered to pay a monetary penalty of 100.000 £ in June 2013.

Bank of Scotland

Issue: Customers’ account details were repeatedly faxed to the wrong recipients by the Bank of Scotland. The information included pay slips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details.

Actions of the DPA: The DPA ruled that several provisions of the UK Data Protection Act had been infringed, including the obligation to take appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. A monetary penalty notice in the amount of 75.000£ has been served on the Bank of Scotland in July 2013.