International E-news - February 2011



  1. New infringements and fines adopted under Spain’s Data Protection Law
  2. Portugal’s Data Protection Authority implements an electronic notification system
  3. Portugal’s Data Protection Authority states its position on the Agreement for the sharing of personal data between Portugal and the USA for law enforcement purposes
  4. EU consults on class actions: data protection may be included
  5. Israeli court sets a high privacy standard in the workplace
  6. Italy to conduct 250 inspections by June
  7. EU announces Israel’s status as providing adequate protection of personal data

1. New infringements and fines adopted under Spain’s Data Protection Law

On 15 February 2011, Spain’s legislature approved several amendments related to infringements and fines under its Data Protection Law (the Act). The amendments will come into force after publication in the Official Gazette, reports Baker & McKenzie’s LegalBytes.

Infringements under the amended law are categorised as minor, serious or very serious. Minor infringements include, for example, transmitting data to a data processor without the mandatory formalities set out in Article 12 of the Act. There are many serious infringements, for example, deterring or obstructing the exercise of the rights of access, rectification, cancellation or opposition. Very serious infringements include, for example, transferring personal data to countries that do not provide an adequate level of protection without the authorisation of the Director of the Data Protection Agency, except where such authorisation is not required.

Minor infringements are subject to fines ranging from €900 to €40,000, while the fines for serious infringements range from €40,001 to €300,000. Fines from €300,001 to €600,000 may be imposed on those who commit very serious infringements.

Within each category, the amount of the fines imposed will depend on several factors, such as degree of intentionality; and the nature of the damage caused to the data subjects or third parties.

The Agencia (Data Protection Athority) may put the commencement of disciplinary proceedings on hold and issue a warning to offenders and require them to provide evidence of the adoption of corrective measures within a given deadline, subject however, to the following criteria being met:

  • the facts constitute a minor or serious infringement under the Act; and
  • the offender has not been previously sanctioned or warned.

If the information is not provided within the stated deadline, the relevant disciplinary proceedings will begin.

Roundtable in Spain? Later this year, if there is enough interest, PL&B’s Privacy Officers Network would organise a Roundtable in Spain to discuss these changes to its data protection law and their impact on business. If you or a colleague are interested, e-mail glenn@privacylaws.com with Roundtable in Spain in the subject line.

2. Portugal’s Data Protection Authority implements an electronic notification system

Following the announcement by Portugal’s Data Protection Authority – the Comissão Nacional da Protecção de Dados (CNPD) at PL&B’s Privacy Officers Network Conference, on November 24 and 25 last year, the CNPD implemented on January 13 an electronic notification system for personal data processing. This can be done by completing and submitting online forms, reports Baptista, Monteverde & Associados.

On the website of CNPD at www.cnpd.pt, there are two electronic forms available - one of them specifically for notifications regarding the installation of a video surveillance system and another more generic one for all other data processing work. The general form covers a wide range of fields, such as human resources, insurance, banking, telecommunications, pharmacovigilance, health and marketing.

These amendments were accompanied by the revision of the notification fees and of the means of payment, as established in Deliberation 50/2011, published in the Official Gazette No. 5, Series II, of January 7, 2011.

3. Portugal’s Data Protection Authority states its position on the Agreement for the sharing of personal data between Portugal and the USA for law enforcement purposes

On February 7, Portugal’s Data Protection Authority delivered an opinion about the Agreement, signed on June 30, 2009 in Lisbon, between Portugal and the United States of America to enhance the cooperation of these two countries in preventing and combating crime, reports Baptista, Monteverde & Associados.

The CNPD asks if it makes sense to apply this bilateral Agreement between the EU and the USA, particularly when there are ongoing negotiations for an agreement between the EU and the USA to establish binding and guiding principles for specific agreements between the EU Member States and the USA.

The main concern of the CNPD regarding this Agreement is the lack of adequate protection for personal data of Portuguese citizens. In the context of the existing American laws, they could never file a complaint before North-American Courts regarding the violation of the privacy of these personal data.

4. EU consults on class actions: data protection may be included

The Commission’s consultation paper announces that its aim is to establish a common set of principles which will underpin all collective (class) action cases and ensure consistency in different areas of the law. "The consultation explores in which fields different forms of collective redress ... could have an added value for improving the enforcement of EU legislation or for better protecting the rights of victims." Cases relating to the violation of privacy or data protection law could certainly be included in this. Indeed, this consultation reiterates the recent proposed revisions to the EU Data Protection Directive (95/46/EC), ‘improving redress mechanisms’ by including ‘the possibility for class action procedures’.

The paper, ‘Towards a Coherent European Approach to Collective Redress’ , says that class actions are possible in consumer and environmental law in some – but not all – EU legal systems.

Kostas Rossoglou, legal officer at BEUC has told PL&B that ‘BEUC and our members have long been supporting the introduction of a pan-European instrument for judicial collective actions that would have a wide scope, including violations to data protection and e-privacy legislation’.

At a European Commission/Council of Europe Conference on 28th January in Brussels, in response to a question from PL&B’s Chief Executive, Stewart Dresner, Canadian Privacy Commissioner, Jennifer Stoddart and Marc Rotenberg, President of the Electronic Privacy Information Centre, in the USA, both said that they considered that the right to such a collective action could play a useful role in Europe to protect legal rights. See the question at the start and the answers at 2 minutes 30 seconds until 4 minutes 30 seconds.

Responses to the consultation paper are sought by 30 April.

The next issue of PL&B International will include a report which looks at the possibility of DP class actions in various EU Member States under their current legislation.

5. Israeli court sets a high privacy standard in the workplace

The Israeli National Labour Court handed down a precedent-setting decision on 8 February, ruling that an employer may access employees' email accounts only in extreme circumstances. The decision is thus likely to make many companies in Israel draft new computer use policies. The court issued specific guidelines for email monitoring, based on the type of email account in question.

Read more about this topic in the PL&B International Report, issue 109, February 2011.

6. Italy to conduct 250 inspections by June

Italy’s DPA, the Garante, is conducting a series of inspections in banks, marketers, cloud computing providers and private investigators up until June this year.

The inspections will look at several issues, such as the adoption of security measures, data retention periods, providing consent, and notification. The DPA has scheduled over 250 site inspections, to be conducted in collaboration with the Special Unit of the Guardia di Finanza.

In 2010, the Garante conducted 474 inspections, which resulted in 424 disciplinary proceedings. These were mainly for failure to give notice, unlawful processing of data, or failure to adopt security measures. These inspections focused on the health sector, hotel chains, and activation of multiple phone cards.

There were 55 criminal offences which involved, for example, the failure to take security measures, or false declarations and notifications. The overall revenue from these penalties was about €3,800 000. See PL&B International October 2009 pp.1-4.

7. EU announces Israel’s status as providing adequate protection of personal data

The EU Commission published today its formal decision to approve Israel’s status as a country providing “adequate protection” for personal data under the European Data Protection Directive.

Dr. Omer Tene informed PL&B that this decision is restricted to automated international data transfers from the EU as well as to non-automated data transfers that are subject to further automated processing in Israel. It will allow unrestricted transfers of personal data from the EU to Israel, for example between corporate affiliates or from European companies to data centres in Israel.

The formal decision explains the detailed assessment by the European Commission by referring, for example, to Israel’s Basic Laws, Israeli case law, Israel’s Protection of Privacy Act 1981, the organisation and functioning of Israel’s Law, Information and Technology Authority (its Data Protection Authority), and sectoral legal instruments. It also follows the positive opinion of the EU’s Article 29 Data Protection Working Party concerning the level of protection under Israeli law.

Dr Tene reports that the decision also imposes a burden, since enforcement of privacy and data protection in Israel will now be followed closely by EU regulators, seeking to verify that data originating from their country and sent to Israel is indeed protected. The decision expressly provides that: “the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in the State of Israel in order to protect individuals with regard to the processing of their personal data… where there is a substantial likelihood that the standards of protection are being infringed [and] there are reasonable grounds for believing that the competent Israeli authority is not taking or will not take adequate and timely steps to settle the case at issue (…)”.

The decision was adopted yesterday. 

 

Privacy Laws & Business has a substantial collection of information on Israel's privacy laws, including slides and reports from our conference in Israel last October. For the programme, see www.privacylaws.com/Documents/EPON/Israel/israel.pdf and for access to the information, contact glenn@privacylaws.com

For further details on the Privacy Laws & Business International Newsletter, please click here.

Copyright Privacy Laws & Business 2011