Binding Corporate Rules Available for Data Processors

On 21 December 2012, the Article 29 Working Party (the "Working Party"), an independent European advisory body on data protection and privacy comprised of a representative of the national data protection authorities of the EU Member States, issued a press release announcing the possibility to adopt Binding Corporate Rules ("BCRs") for processors (i.e. the persons processing personal data on behalf of the controllers). The BCRs for processors have become available as of 1 January 2013.

Under Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Data Protection Directive"), any transfer of personal data outside the EU/EEA to a country that is not recognised by the European Commission as providing an adequate level of protection for personal data is prohibited. Still, the transfer will be permitted in the situations listed in Article 26 of the Data Protection Directive or if the parties adduce adequate safeguards, for instance by signing a data transfer agreement implementing the model clauses published by the European Commission or by adopting BCRs. BCRs are specifically designed to facilitate intra-group transfers of personal data and provide more flexibility than the model clauses. 

BCRs are increasingly used to make possible the intra-group transfer of personal data of a controller (i.e. the persons collecting the data and determining the purposes and the means of the processing of personal data) for transfers of personal data between EU entities and group companies located outside the EEA.

With the new BCRs for processors, personal data can be transferred from a European-based processor to one of its group companies located outside the EEA (in order to carry out sub-processing). These BCRs will ensure that such a transfer takes place in accordance with the EU rules on data protection.

BCRs for processors have to be authorised by local data protection authorities. The authorisation procedure is the same as for controllers. The BCRs will require an authorisation by the national data protection authority in each EU Member State where a processor is established. However, the system of mutual recognition which facilitates authorisation procedures for the participating Member States also applies to BCRs for processors. Currently, 21 data protection authorities have adopted the mutual recognition procedure.

Proposed Implementing Acts of Data Protection Reform Package

On 22 January 2013, the Article 29 Working Party (the "Working Party"), an independent European advisory body on data protection and privacy comprised of a representative of the national data protection authorities of the EU Member States, published a follow-up opinion (the "Opinion") on the European Commission's data protection reform proposals.

The Working Party had already published two opinions concerning the Data Protection Reform Package, respectively on 23 March 2012 and 5 October 2012 (see, VBB on Belgian Business Law, Volume 2012, No. 4, p. 5 and No. 10, p. 5, available at www.vbb.com).

The data protection reform proposals published on 25 January 2012 propose a draft Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Draft Regulation"). The Draft Regulation is intended to replace the present Data Protection Directive 95/46/EC. The reform also includes a draft Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (the "Draft Directive").

In an earlier opinion, published on 5 October 2012, the Working Party had commented on various issues and had elaborated an article-by-article analysis of all the possible delegated acts. The delegated acts allow the European Parliament and the Council to delegate to the European Commission the power to adopt non-legislative acts of general application to supplement or amend specific non-essential elements of a legislative act.

For its part, the Opinion now focuses on the implementing acts. Implementing acts are used where uniform conditions are needed for implementing legally binding acts of the Union. Such implementing acts are adopted through a committee procedure and the role of the European Parliament and the Council is more limited than in the adoption of delegated acts.

The Opinion provides an analysis of all the provisions contained in the Draft Regulation which enable the adoption of possible implementing acts. It provides a clear analysis of the powers of the European Commission when adopting these acts.

Overall, the Working Party recommends the use of guidelines issued by the European Data Protection Board ("EDPB") – the proposed successor to the Working Party – where a flexible approach and room for cultural differences is required. The Working Party also appears to favour a reduced role for the Commission and a strengthening of the EDPB's role with regard to the implementing acts provided for by the Draft Regulation.

The full Opinion of the Working Party can be consulted here.

Data Protection Draft Regulation under Scrutiny at EU Parliament

On 10 January 2013, Jan Philipp Albrecht (the "Rapporteur") presented to the EU Parliament's Committee on Civil Liberties, Justice and Home Affairs (the "LIBE Committee") his draft report (the "Draft Report") on the European Commission's Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Draft Regulation"). The Draft Regulation is intended to replace the present Data Protection Directive 95/46/EC.

The Draft Report proposes a large number of amendments to the Draft Regulation and provides a basis for further discussions within the LIBE Committee before the Draft Regulation will be voted upon by the European Parliament.

In the parliamentary procedure leading to the adoption of the Draft Regulation, the LIBE Committee plays a critical role and is in charge of consolidating all the amendments proposed by the four other Parliamentary advisory committees.

Among others, the Draft Report suggests (i) an extension of the territorial scope of the Draft Regulation; (ii) a clarification of key concepts; (iii) the reinforcement of data subjects' rights; and (iv) the setting up of an EU data protection agency.

The Rapporteur proposes to make the Draft Regulation applicable to a controller not established in the European Union when processing activities seek to offer goods or services to data subjects in the Union.

The Rapporteur also clarifies the definition of "personal data" by introducing subjective elements enabling the assessment of the efforts made by a data controller in order to identify a data subject through anonymous data. The Draft Report furthermore introduces the notion of pseudonyms as a "unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject."

Concerning the reinforcement of data subjects' rights, the Draft Report expresses the view that the notion of consent should remain the cornerstone of the EU approach to data protection, since this is the best way for individuals to control data processing activities.

Finally, the Rapporteur also supports the Commission's proposal to have a "one-stop shop" for companies that operate in several EU countries. The "one-stop-shop" mechanism was proposed by the Draft Regulation, making the data protection authority of the country where a company has its main establishment the lead authority acting and single contact point for the controller. To ensure consistency in the application of EU data protection rules, the Rapporteur wants, in addition, to create a powerful and independent EU data protection agency entrusted with taking legally binding decisions vis-à-vis national data protection authorities.

The Draft Report can be consulted here.

Meanwhile, the Industry, Research and Energy Committee (the "ITRE Committee") of the European Parliament has already adopted on 20 February 2013 its opinion on the Draft Regulation. Following the ITRE Committee's opinion, the Employment Committee is also due to vote on its own opinion on the reform proposals. The LIBE Committee will then consolidate all the amendments and vote on its Draft Report at the end of April 2013.

Use of E-mail on Work Floor

The Brussels Labour Court of Appeals gave judgment on 7 February 2013 on the privacy of e-mails in the professional inbox of an employee (the "Judgment").

It forms a reminder for businesses of the importance of a proper e-mail and internet policy.

In the case at hand, the e-mails of an employee had been read by an assistant without his permission. The secretary came across specific facts by reading personal e-mails, including e-mails to close relatives. The secretary informed the employer who sought to dismiss the employee on the basis of these facts.

The Brussels Labour Court of Appeals was of the opinion that the examination of the e-mails without the employee's consent, without informing the employee with regard to the purpose of the review of his e-mails and without informing the employee of any rules authorising the company to carry out such an examination of his e-mails, violated the privacy of the employee.

In particular, the Labour Court of Appeals was of the opinion that the company had violated:

  • Article 8 of the ECHR and Article 22 of the Constitution (right to privacy);
  • Article 124 of the Law on Electronic Communications of 13 June 2005 which prohibits persons from gaining knowledge about the content of e-mails;
  • CBA No. 81 which outlines the rules and conditions which an employer must respect in order to monitor his employees' e-mails legitimately;
  • Article 314bis of the Criminal Code (which penalises the disclosure of the content of a private communication which had been obtained illegally).

A failure to comply with the multiple regulations governing privacy and the use of internet and e-mail by employees can give rise to penalties for the employer. In addition, all evidence obtained in violation of these regulations is in principle inadmissible in court.

In the case at hand, the employer had failed to observe applicable rules and the evidence was thus considered inadmissible. However, this does not mean that an employer does not have the right to monitor the use of internet and e-mail by his employees. Still, this right is subject to a number of constraints. Amongst other obligations, the employer must make sure that:

  • the possibility to monitor the internet and e-mail use is stipulated in a written document;
  • the monitoring pursues a "higher" purpose that has been clearly spelled out;
  • the monitoring is proportionate to the intended purpose; and
  • staff are informed of the possible monitoring.

It follows that a clear internet and e-mail policy is of the utmost importance to give the employer the possibility to monitor the use of internet and e-mail of its employees.
