
Interview with James Michael

April 2007

James Michael

Interviewee: James Michael, Editor, Privacy Laws & Business International Newsletter

Interviewer: Terry McQuay, President of Nymity


Subject: Customer Privacy

Nymity: Do all countries in the EU have private sector privacy laws for customer personal information?


Michael: Yes. There are now 27 countries in the EU (Bulgaria and Romania joined in January), and all of them have data protection laws in accordance with the EU Data Protection Directive, covering both the public and private sectors. For many countries these data protection laws are in addition to other, earlier, privacy protection laws. Some of the countries, such as Iceland and Austria, give some protection to legal persons (companies) as well as natural persons (people).

Nymity: Does each of the countries with privacy laws have privacy commissioners?

Michael: Yes, they all have independent privacy regulators, which take different forms, such as a Commissioner, as in the United Kingdom, a multi-member authority, as in France, or an ombudsman, as in Finland. The majority of EU countries have a single commissioner, who, of course, has support staff. In the United Kingdom, the Information Commissioner oversees both the Data Protection Act and the Freedom of Information Act, as does the Commissioner in Hungary.

Nymity: Do privacy commissioners have order-making powers? Do they issue fines for non-compliance?

Michael: Yes, they usually have order-making powers. Regarding the power to impose fines, some commissioners do so directly, for example France’s Commission Nationale de l'Informatique et des Libertés (CNIL). Others do it through the courts. Spain is particularly active in imposing fines and has imposed fines of hundreds of thousands of dollars on Microsoft and Telefonica, the country’s largest telecommunications company. In the United Kingdom, the Information Commissioner can institute proceedings in the courts, and has recently urged that the law be changed so the courts could impose prison sentences as well as fines. The UK government has recently announced its agreement and will make legislative time for this initiative.

In a recent case involving the Nationwide Building Society (the UK’s largest home loans mutual organization), the theft of a laptop with customer details exposed shortcomings in the organisation’s data security. The Information Commissioner’s Office worked closely with the Financial Services Authority, which supervises the financial services sector. In the end the FSA imposed a fine of £980,000. It could do so without going to court, which the ICO would have to do to impose a fine.

Nymity: Beyond non-compliance, what are the top privacy risks for organizations operating in the EU?

Michael: In addition to penalties imposed by the courts at the instigation of data protection authorities, or by the authorities themselves, there is the possibility of civil liability to data subjects who have been harmed by data breaches. There is also the relatively incalculable harm done to corporate reputations by publicised data breaches. In France last August, the CNIL required Crédit Lyonnais to advertise in two newspapers the fact that it had been fined 45,000 Euros for processing false information on its customers and for not co-operating with the CNIL in its investigations.

Nymity: Does an organization transferring customer information into a country become subject to that country's privacy laws?

Michael: Yes. National data protection statutes apply to any personal information processed within the jurisdiction. The dispute over the U.S. Treasury’s scrutiny of financial transactions communicated by SWIFT (Society for Worldwide Interbank Financial Telecommunication) arose because the company is established under Belgian law, has its headquarters in Belgium, and has one of its two processing sites in Europe.

Nymity: What are the privacy requirements for an organization to transfer customer information outside the country to Canada?

Michael: For European countries to transfer personal information to Canada, they would have to satisfy the national data protection authorities that there is adequate protection. In December 2001, the European Commission (the European Union’s Civil Service) issued a Decision under Article 25(6) of the EU Data Protection Directive stating that for the purposes of the Directive, Canada is considered as providing an adequate level of protection of personal data transferred from the Community to recipients subject to the Personal Information Protection and Electronic Documentation Act (PIPEDA). This was confirmed in 2006 after a review of the Canadian legislation.

Nymity: To the US?

Michael: Provide at least adequate protection under the EU Directive, through model contracts, Binding Corporate Rules, or dealing with a US Safe Harbor company. There are other possible conditions for transferring personal data to non-adequate countries, such as the performance of a contract.

Nymity: How does consent work for the collection and use of customer information within a country?

Michael: The consent of the data subject to processing of the subject’s personal data is an essential element of the EU Data Protection Directive and the national laws implementing it. That consent must be informed and voluntary, however. The easiest way of complying with this is, when the information is obtained from the data subject, to inform the subject of how it is to be processed and to ask for his or her consent (the ‘opt-in’ approach). Another method is to inform the data subject of the purpose of the collection and processing when the information is obtained. There are exceptions to the requirement for data subject consent, such as processing required by law, to protect the vital interests of the data subject, or to perform a contract with the data subject.

Nymity: Many countries have a registration requirement for collection and use of customer information. Which countries? How does it work?

Michael: The registration requirement began with the Swedish data protection law in 1973, when there were far fewer computers, and it was feasible to require anyone processing personal data on a computer to register with a central authority. As other European countries legislated, they followed the Swedish model, in some cases after Sweden had abandoned a detailed registration scheme. Now it is a requirement of the EU Data Protection Directive that EU Member States rely instead on a relatively simple notification to the central authority, especially when sensitive information is being processed.

Nymity: Are there breach notification requirements?

Michael: Not yet (in the sense of the California-model law), although there is pressure for some kind of data breach notification, if only through codes of conduct.

Nymity: Which countries have the strictest privacy requirements, and matching enforcement?

Michael: It is difficult to say. Several countries give protection to information about legal persons as well as natural ones, which is stricter in a sense. Some (e.g. Iceland) extend some protection to the dead, which is also stricter in a sense. As far as data protection and privacy affect journalism, France is relatively strict. In terms of enforcement, Spain is probably the most diligent, especially in the scale of its fines, although France may catch up with the new CNIL powers. In the 20th anniversary edition of the PL&B Newsletter, we asked five data protection experts from around the world if they would single out countries that were particularly good or bad (http://www.privacylaws.com/templates/Page.aspx?id=993&epslanguage=EN). Dr. David Flaherty, consultant and former Information and Privacy Commissioner, British Columbia, was particularly critical of the USA.

Nymity: In closing, what privacy recommendations do you have for organizations based in Canada that have customers located in the EU?

Michael: Inform EU customers that their data are being processed in Canada, and assure them that the EU Commission has found that Canadian protection is adequate for purposes of European data protection standards under the provisions of PIPEDA. Avoid processing of EU customers’ data in the United States. If such processing is unavoidable, have it done only by a company in the US that has been approved as part of the Safe Harbor system.

Finally, keep up to date by keeping watch on the news on the home page of www.privacylaws.com and subscribe to the Privacy Laws & Business International and United Kingdom Newsletters (http://www.privacylaws.com/templates/Page.aspx?id=297). You can then ask us your own specific questions!