PL&B International E-news, Issue 81

1. Swiss Court rules for DP Commissioner with restraining order against Dun & Bradstreet

In the first use of his new enforcement powers to impact the private sector, Switzerland’s Data Protection Commissioner, Hanspeter Thür, successfully requested the Federal Administrative Court to order Dun & Bradstreet to withdraw a service. This new power, granted by amendments to Switzerland’s data protection law, has been fully in force since 1st January this year, after a one-year transition period.

Dun & Bradstreet had offered Swiss employers a service which would check employees' or prospective employees' backgrounds regarding credit history and other personal information to help companies assess their suitability for employment.

The Swiss Federal Data Protection Commissioner applied to the court on 15th December for a restraining order to stop the company offering this service. The Federal Administrative Court responded quickly with a written decision on 14th January.

2. Swiss/US Bilateral Safe Harbor agreement now in force

The US-Swiss Safe Harbor Framework to simplify the transfer of personal data by Swiss firms to American companies (PL&B International E-News 22nd December 2008) entered into force earlier this week on 16th February.

Both these issues and their implications for companies doing business in Switzerland will be covered at the next meeting of the European Privacy Officer Network in Switzerland. April 28th: Briefing in Zurich; and April 29th: Roundtable with the Data Protection Commissioner, Deputy Commissioner and three other members of their team.  

3. EU Art. 29 DP Working Party adopts strong Opinion on broadening the scope of EU data breach proposals

The Art. 29 DP Working Party adopted on 10th February a strong Opinion (number WP 159) on strengthening Art. 4 of the e-Privacy Directive to broaden the requirement for service providers to notify security breaches.

They recommended that:

  1. national regulatory authorities should be informed
  2. affected users are informed immediately
  3. service providers should retain records of all personal data breaches.

Crucially, the Opinion supports the European Parliament’s amendments broadening the scope of the directive, specifically referring to “e-banking services, private sector medical records and online shopping” as examples of services that may be subject to personal data breaches. The Art. 29 Working Party’s Opinion follows soon after that of the EU Data Protection Supervisor (Privacy Laws & Business International E-News 28th January 2009).

Privacy Laws & Business’s conference: Data Breach Laws in Europe: Data Protection Commissioners' Views and Recommendations from 20 countries will take place on the afternoon of 22nd April 2009 in Edinburgh, the day before the European Data Protection Commissioners’ Spring Conference. The presentations will report on the results of the Privacy Laws & Business survey of the attitudes of 20 European Data Protection Authorities towards introducing national data breach laws.  

4. EU Art. 29 DP Working Party adopts guidelines on EU-US discovery conflict

The Article 29 Working Party has adopted guidelines for European data controllers to deal with demands for disclosure of information in the course of legal proceedings in other countries, primarily in the US. The process started last year, when France’s CNIL announced that it had received complaints from French companies that they were being required to provide information including personal data to US courts in the course of pre-trial discovery. When CNIL took over chairing the Article 29 Working Party, they announced that this subject would be a priority. Working document WP 158 1/2009 was adopted on 11 February 2009.

It explains the differences in attitudes to litigation and in particular the pre-trial discovery process between common law jurisdictions such as the United States and the United Kingdom and civil code jurisdictions. The document then sets out guidelines for EU data controllers when trying to reconcile the demands of the litigation process in a foreign jurisdiction with the obligations of the EU Data Protection Directive.

5. European Commission dissolves DP Expert Committee

The European Voice newspaper reported on 12 February that the EU Commission has dissolved the five-member group of data protection experts appointed in December for a one-year renewable term (PL&B International Newsletter December 2008 pp. 12-13). The group, set up to advise on revision of the Data Protection Directive, had only met once. The dissolution followed complaints in France’s Assembly that the members were “representing American interests”.

6. Bank of NY Mellon pays $150,000 to Connecticut for 2008 data breach

On 3 February it was announced in Connecticut that the state’s Departments of Banking and Consumer Protection had reached a settlement with the Bank of New York Mellon for a data breach in February 2008. The settlement includes paying $15,000 to the state, paying for customers’ credit monitoring (estimated to cost $3.48 million), compensating for any actual damage caused, and upgrading the bank’s data security. The data breach occurred when a backup tape with personal data on hundreds of thousands of customers was lost while being transferred to a storage facility in New Jersey. The Bank says there is no evidence that the data on the tape has been found or misused.

Copyright Privacy Laws & Business 2009