The European Data Protection Supervisor has recently issued an opinion on the review of the EU legal framework for data protection (Directive 95/46/EC). It expresses concerns regarding the increasing difficulties for individuals to protect the privacy of their personal data, and calls for strengthening individuals’ rights over them. This can be done, the EDPS argues, by making security breach notifications mandatory for all relevant sectors, increasing transparency of processing for data subjects, and introducing new rights, such as the “right to be forgotten” and the “right to data portability”.
Filed under Cédric Laurant, English, EU Law, Europe, European Union, Marie-Andrée Weiss, Outlines, Reports & Surveys · Tagged with Article 29 Data Protection Working Party, behavioral advertising, cloud computing, data controller, data portability, Data Protection Authority, data security breaches, data subject, EDPS, ENISA, EU Directive 2002/58/EC, EU Directive 2009/136/EC, EU Directive 95/46/EC, EU e-Privacy Directive, European Commission, European Data Protection Supervisor, European Network and Information Security Agency, European Union, right to be forgotten, right to data portability, right to oblivion, security breach, technologically neutral rights, transparency
A French bill “to better guarantee the right to privacy in the digital age” has implemented the European Directive 2009/136/EC by requiring the data controller to inform the “Data Protection Correspondent” (a person within an organization who could be the controller or someone assisting the controller), or in the absence thereof, the French data protection authority (the Commission Nationale de l’Informatique et des Libertés), of a breach of integrity or confidentiality. Those involved in the breach must also be informed, at least if security breaches are “likely to adversely affect” their personal data. The bill follows the recommendation of the Directive to notify individuals of security breaches for all sectors, not just electronic communications. It was adopted by the French Senate on March 24, 2010 and is currently before the National Assembly.
(A French version of this article is also available in this blog.)
Filed under Cédric Laurant, Comments, Countries, English, EU Law, Europe, European Union, France, Marie-Andrée Weiss · Tagged with Act No. 78-17 of January 6 1978, Act on Data Processing Data Files and Individual Liberties, California, California Office of Privacy Protection, California Security Breach Notification Act, CNIL deliberation No. 81-94 of July 21 1981, Commission nationale de l’informatique et des libertés, contract, contractual clauses, data breach, data confidentiality, data controller, data protection correspondent, data security, data security breaches, EU Directive 2002/58/EC, EU Directive 2009/136/EC, French Data Protection Act, French Data Protection Authority, French National Assembly, French Senate, general IT security measures, personal data, security breach, security breach notification, technological protection measures, unauthorized access, United States
A central aspect of every cloud service contract is the security of data processing. It is therefore important, if only for liability reasons, that responsibility for specific security measures be clearly assigned. This can be done by using security service level agreements between the cloud service provider and its client that clearly assign who is responsible for which particular security measure.
Storing data in a cloud located outside the EU raises specific legal compliance issues. According to some experts, such clouds are even unlawful. There are, however, some ways to ensure that a data controller who stores data in a cloud located in a third country remains in compliance with German data protection law. To satisfy the adequate-level-of-data-protection requirement, a data exporter must use specific standard contractual clauses for all contracts with a cloud service company located outside the EU. Binding corporate rules are the alternative solution, though only for private clouds.
Filed under Cédric Laurant, Comments, English, EU Law, Europe, European Union, Germany, Marie-Andrée Weiss, Outlines · Tagged with adequate level of data protection, anonymization, Argentina, Article 26 (EU DP Dir.), Article 29 Working Party, BDSG, Binding corporate rules, Bundesdatenschutzgesetz, cloud computing, cloud service contract, cloud service provider, confidentiality, data controller, data processing security, Data Protection Authority, data protection law, data security, data security breaches, Datenschutzzentrum, Düsseldorfer Kreis, Dr. Thilo Weichert, encryption, EU Directive 95/46/EC, European Commission, European Privacy Seal, EuroPriSe, external audit, German Federal Data Protection Act, Germany, Google, IaaS, integrity, liability, PaaS, personal data, private cloud, pseudonym, public cloud, SaaS, Safe Harbor Framework, Safe Harbor self-certification, SAS 70, Security Service Level Agreement, standard contractual clauses, State of Schleswig-Holstein, Switzerland, third country, third party, United States, Yahoo
Will France adopt a law requiring the notification of security breaches?
Posted by "Security Breaches" Administrator on August 6, 2010 · 3 Comments