PL&B International E-news, Issue 62



1. Netherlands proposes heavy fines for ignoring stricter website rules

The Netherlands data protection authority proposes heavy fines for websites which ignore new strict rules and publish people’s personal details, such as their criminal record or sexual preferences.

The data protection authority (CBP) published, on 16th October, new recommendations which would give people the right to demand that information about them is removed from websites. ‘The publication of personal details on the internet can follow people for years,’ the CBP notes. ‘Personal details should therefore be used with caution, particularly on the internet.’

The CBP's recommendations cover names, addresses, telephone numbers, photographs and other personal details. ‘This means that drunken wedding photographs can also be removed on request,’ one newspaper commented. While privacy laws have always included the internet, there were a number of grey areas. The new recommendations state that private individuals must give permission for information about them to be put on the internet. Websites which refuse to remove unwanted information face civil court proceedings. The CBP's proposals are subject to public consultation before actual guidelines are finalised.

See further information in Dutch.

Privacy Laws & Business’s European Privacy Officers Network is holding briefings by specialist lawyers and Roundtables with the data protection authorities in Belgium (November 13th) and the Netherlands (November 14th). The briefings are being hosted by Covington & Burling (Brussels) and De Brauw Blackstone Westbroek (The Hague).  

2. SWIFT: Surprise decision by Spain’s Data Protection Agency on its data processor status

In an as yet unpublished decision, Spain’s Data Protection Agency has reached a conclusion which appears to be inconsistent with last year’s “unanimous” Opinion of the Article 29 Working Party in relation to SWIFT. On 27 July 2007, the Agency ruled that SWIFT “acted, at all times, as the data processor” including when it made the “crucial decision” to transfer data to the US Treasury Department.

This decision by Spain’s DPA is significant for the following reasons:

(1) The bulk of the decision seems to relate to the activities of SWIFT SCRL (the Belgian headquarters organisation) rather than to the activities of SWIFT Iberia SL (its Spanish sales agent).

(2) The decision was issued on 27 July 2007, 10 months after the Article 29 WP Opinion.

(3) Most importantly, the decision, in very clear terms, finds SWIFT SCRL to be a data processor. This is contrary to the opinion of the Article 29 Working Party (of which the Spanish DPA is of course a member) that SWIFT is a joint data controller. Interestingly, however, the decision is consistent with the first opinion in relation to SWIFT, handed down by the Schleswig-Holstein data protection regulator in August 2006, which also found SWIFT to be a data processor.

(4) This latest decision illustrates not only the complexity of the issues surrounding the status of SWIFT's operations but also the ongoing uncertainty regarding the status of controller / processor relationships since the Article 29 Working Party's opinion in the SWIFT case. SWIFT has always maintained that it is a data processor when handling payment messages on behalf of approximately 8,000 of the world's financial institutions.

More generally, it is worth noting that the Article 29 Working Party's Opinion in relation to SWIFT has been criticised strongly by a number of commentators (including on a panel at the Privacy Laws & Business conference in Cambridge in July this year). Concerns have been expressed that the approach taken by the Article 29 Working Party has the potential to undermine and disrupt many established controller / processor relationships including a wide range of conventional service provider and outsourcing arrangements. Its impact has already been felt well beyond the financial sector. This latest decision in Spain is likely to lead to yet more debate on this already controversial issue.

Story supplied by Christopher Millard, Partner, Linklaters, London

Privacy Laws & Business’s European Privacy Officers Network is holding briefings by specialist lawyers and Roundtables with the data protection authorities in Spain (March 11th & 12th 2008) and Luxembourg (May 20th & 21st 2008). The briefings are being hosted by Bird & Bird (Madrid) and Linklaters and Deloitte (Luxembourg).



Copyright Privacy Laws & Business 2007