In response to the invitation from the Ministry of Justice to
respond to the Proposal for a Regulation on the protection of
individuals with regard to the processing of personal data and on
the free movement of such data, Clyde & Co submitted a response
Summary of contents of the response:
1. As a firm we are both a data controller and legal counsel to
data controllers and data processors. We welcome many of the
changes which have been proposed but our experience shows that
compliance with the differing data protection regimes and
requirements across the European Union is challenging, and that
this often leads to uncertainty as to whether compliance has been
achieved or not, leading to an increased costs burden from the need
to take advice in each of a number of jurisdictions.
2. We believe that this is an area of law which would certainly
benefit from having its profile raised and would hope that in the
run up to the implementation of the Regulation both the Commission
and the Information Commissioner's Office (ICO) (as well as
other data protection regulators across the European Union) embark
on a coordinated marketing exercise to raise the profile not only
of the Draft Data Protection Regulation but also of the importance
of data protection as a whole.
3. The proposed increased sanctions are potentially
disproportionate to the risk of harm to individuals for breaches of
4. To achieve the successful implementation of a pan-European
data protection regime, more consideration will be required of how
such a regime will be policed and how consistency across the Union
will be achieved on a day to day basis. For example, how will the
situation which arises where a data regulator in one Member State
interprets the legislation differently to the regulator in another
Member State be resolved?
5. We have concerns regarding the ambitious territorial scope of
the draft Regulation, both within the EU (with the various
regulators permitted to levy cross-border fines) as well as from
the provisions designed to make non-EU based organisations comply
with the Regulation; it is difficult to see how these will work in
6. The drafting of a right to be forgotten makes it somewhat
less extensive than the public may anticipate from the media
attention given to it, and we query how much more extensive the
proposed legislation is than that which currently exists in many
7. As a law firm we hold a large amount of our clients'
personal data (and indeed much other confidential information about
their affairs). It is essential we and similar businesses are
permitted to retain information about those whom we have acted for
and against and to be able to access that information for a long
period, not least to ensure we comply with our professional rules,
for example as to conflicts of interest between our clients.
8. We believe that mandatory notification of data breaches
within 24 hours will often be impracticable given that the data
controller's immediate priority will often be to implement
remedial / disaster recovery procedures. Smaller businesses may not
even have developed such procedures and may need legal advice on
their obligations, which is likely to take much more than 24 hours
to obtain in practice. The scale of a data loss may not always be
immediately apparent until a forensic investigation has been
carried out. For all these reasons, we think the time limit for
mandatory notification should be carefully reviewed, perhaps with
the upper time limit for the maximum length of time which should
lapse prior to a breach being notified being qualified by an
exception which can be invoked if notification was not reasonably
practicable (the onus being on the data controller to show
9. We believe a de minimis exception should be considered for
mandatory notification. Does the ICO really wish to be told of
every such loss or only those which risk harm to individuals or may
indicate a need for intervention by the ICO into the data
controller's activities or actions?
10. We are pleased to see that the model contract clauses and
binding corporate rules (BCRs) are proposed to remain in place;
although we think more consideration needs to be given to these and
(in relation to BCRs) the related approval process in order to
increase their uptake as well as to market their usefulness. We
favour a more streamlined procedure for having BCRs and simplified
drafting for new versions of model contract clauses.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.