Live Blogging from the IAPP Privacy Congress in Paris
Barbara Bennett, Stefan Schuppert, Winston Maxwell. Lionel De Souza and I are the Hogan Lovells lawyers participating in the IAPP Privacy Congress in Paris. I am moderating and participating in sessions on cloud computing with Bojana Bellamy of Accenture, and a panel on convergence with Lord Richard Allan of Facebook and Wendi Lozada-Smith of AT&T This entry contains a live blog from the opening session.
The Privacy Congress comes on the eve of the European Commission's proposal for revision of the EU privacy framework and the anticipated release of the Department of Commerce White Paper and FTC Report on privacy. So the future of privacy law is very much in focus.
The Chair of the Dutch Data Protection Authority and Chair of the Article 29 Working Party, Jacob Kohnstamm is the opening speaker.
The patchwork of laws across Europe requires a region-wide regulation to provide a level playing field and uniformity. This should be the focus of the upcoming proposal for revision from the European Commission of the legal framework.
The present norms, which are technologically neutral, should persist and be strengthened.
Given the increasing cross-border context of issues, the Article 29 Working Party will have to play a stronger role in interpretation and clarification. More frequent guidance on issues such as the definitions of "personal data" and "consent" will be needed, while still recognizing the independence of national Data Protection Authorities. Powers of DPAs need to be harmonized and strengthened, including the ability is enjoin data processing and to levy fines. Up to now, there have been no significant court judgments in terms of fines.
Article 29 Working Party needs a new name to reflect its true role and importance.
Data controllers need to ensure compliance and to demonstrate such compliance. Privacy should be first step when launching new products and services, not the last step. Privacy by Design and transparency are essential.
Companies should be able to seek guidance externally from privacy professionals just as they do with respect to competition law.
The Chairman went on to criticize Google, Facebook and the Online Behavioral Advertising industry for their interactions with DPAs and the Article 29 Working Party, and suggested that under the new regime, their conduct would have been different.
In the Q and A session, which became an especially lively exchange, Peter Fleischer of Google pointed out that changes to Google Buzz were made even before a letter of complaint from the Article 29 Working Party had been received,.
The Chairman re-assured a questioner that innovation is taken into account along with privacy when the Article 29 Working Party considers regulation. "We are paid to deal with privacy, however."
The main task of DPA is enforcement and not to sit with individual companies on what they should be doing, in an advisory capacity.
On the Global Privacy Enforcement Network (GPEN), the Chairman said the idea was for information sharing during enforcement actions, but he observed that the national restrictions on information sharing has not produced as much cooperation as envisioned, but the Commissioners are committed to working together more across borders.
The second speaker is Viviane Reding, Vice-President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship.
I will share some of the contents of the forthcoming European Commission recommendations on the revision of the Data Protection framework: Codes of practice such as Binding Corporate Rules are not explicitly forseen in the current Directive but are recognized as a matter of practice by the Article 29 Working Party. One of the strengths of BCRs is legal certainty and flexibility. (Interesting that the primary focus here is on the BCR code of conduct concept, similar to the anticipated focus on codes of conduct by the US Department of Commerce in its White Paper.)
My reform plans for BCRs: Simplification -- Approval from each member state currently required, which is costly and an administrative burden. A waste of time and money, and sometimes detrimental to credibility and efficiency of DPAs. I propose that BCRs be based on EU law, with streamlined approval process and a single point of contact. Once approved by one DPA, not further approval needed. BCRs should be used by companies of any size, and should cover everything from paper-based filing system to cloud computing. Consistent Enforcement -- Enforcement should be possible by any DPA (unlike now where not all DPAs have enforcement power). DPAs and courts should be able to enforce. Innovation in Enforcement -- We need to encourage innovation in enforcement and embrace new technology. First, we need to consider geographical borders. Data controllers and subjects m realities. Data subjects, controllers and processors may be in different jurisdictions. BCRs should apply to all internal (inside the EU) and external (in the US, India, Asia and South America) processing. BCRs should apply both to data controllers and processors. This would extend to cloud computing.
BCRs will faciliate international interoperability.
We are in time so of difficult economic times and decisions. While bringing member states out of their debt crisis, we need to do everything to promote economic growth. I will do my utmost to ensure that data protection reform will both reinforce fundamental protection of individual rights and promote growth.
Ms. Reding did not take questions.
Please join us for our April 2016 Privacy and Cybersecurity Events.