Tag Archives: EU data protection regulation

Christopher Wolf on the Critical Time for the EU Data Protection Regulation

243Christopher Wolf, who co-chairs the Future of Privacy Forum, wrote an article on the state of the art in data protection and privacy law at the beginning of 2013, pointing out the main developments in the field of last year and sketching what could happen in the year that just began.

The article focuses on the European developments in the data protection legal regime, as “what happens in the EU has an impact on multinational organizations operating across borders, and on the evolution of privacy frameworks around the world.”

Wolf writes about the main critiques the Regulation in its entirety faces, emerging especially from UK and also from France, but also discusses topical issues, such as “the right to be forgotten”.

In November 2012, Europe’s Network and Information Security Agency (ENISA), released a report on the technical aspects of the “right to be forgotten”. ENISA pointed out that any technical solution for the “right to be forgotten” would require an unambiguous definition of the personal data that is covered by the “right to be forgotten”, a clear notion of who can enforce the right, and a mechanism for balancing the “right to be forgotten” against other rights such as freedom of expression. According to the Report, the text of the current European proposal leaves each of these subjects open to debate, making it difficult to implement technical mechanisms to deal with the “right to be forgotten”.

You can find the piece HERE.


Data protection officers needed more and more: "Data Protection Officer Drought Predicted"

http://www.informationweek.com writes today about the increased necessity of properly trained DPOs, citing Google’s global privacy counsel Peter Fleischer:

“Soon, many thousands of companies operating in Europe will be looking to appoint [data protection officers] to meet legal obligations, and since there is no available pool of such people, companies need to start thinking now about how to recruit, train and resource a DPO, and/or an entire DPO team, for the large companies”.

I remind you that iblogpdp.com was also concerned with this issue previously this year. You found out then that Article 35 of the proposed EC data protection regulation states that a data protection officer shall be designated in the following cases:

– when the processing is carried out by a public authority or body;

– when the processing is carried out by an enterprise employing 250 persons or more;

– the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

Fleischer sees three viable approaches to the new rules, depending on the complexity of companies’ data processing requirements.

Companies that have relatively simply data operations can probably just train personnel from human resources or marketing, he suggests.

They might also be able to outsource the DPO role, which he sees as a potential business opportunity for entrepreneurs.

Companies with large, complex data processing and handling operations will have the most adjustment to do. “[T]oday, rather shockingly, some of the world’s largest data processing companies, with mega-databases of trillions of pieces of personal data, do not have a single heavy-weight DPO on staff,” he wrote.

Read the whole story HERE.