Thu, Sep. 28, 2017

Privacy: Data Collection, Storage, Use, Sharing and Loss

CK - Washington. The continued Equifax data breaches that by now affect half the American population puzzle consumers who do not know if their financial and personal data are lost. By contrast, Germans and most Europeans benefit from data transparency laws designed to protect their privacy and guide all who commercially collect, store, massage and share data. A new European data directive, effective May 25, 2018, governs rights and obligations relating comprehensively to such data activities.

Consumers will receive detailed information on the intended activities when granting companies access to their data. They will receive additional disclosures after a company stores data and intends to use it for other than the original purposes. Disclosures to consumers must be clear and intelligible for a lay person. Technical or legal jargon incomprehensible to average consumers will be outlawed: The binding regulation even suggests 15 words per sentence, separated by not more than one comma. Information must be provided free of charge to the person who owns it. That alone is a far cry from the practices of some American data hoarders who persistently ignore what a Secret Service director advised more than a decade ago: Don't hoard data because they leave you and all Americans vulnerable.

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known in German as Datenschutz-Grundverordnung, lists information and reporting requirements and may increase burdens on entities that process personal data in any way. The above disclosure requirements may be more difficult than some of the other obligations, but entities with prior exposure to the data protection directive 95/46/EC, which will expire, can build on their experience.

Art. 21 defines a consumer right to object meaningfully to the collection of data, and Art. 35 requires the notification of consumers following a risk-intensive data breach. A key objective is the assurance of disclosures at the earliest possible time and by active conduct of the data collector and processor.

In addition to active disclosures, consumers have a right to passive or responsive action by the data holders. The latter must respond to consumer inquiries about data held or transferred as well as requests to transfer data.

The European Union expects to achieve additional transparency and compliance by establishing reporting requirements. Beneficiaries may be government agencies but third parties may also benefit, such as under the right-to-forget rules in Art. 17(2) about expunging published data.

The regulation may be implemented differently in the various E.U. member states. Whatever the national implementation, companies involved in the collection, storage, processing and dissemination of consumer data need to consider the fundamental-right statement at the beginning of the new regulation:

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union … and Article 16(1) of the Treaty on the Functioning of the European Union … provide that everyone has the right to the protection of personal data concerning him or her.

Germany has some of the strictest substantive and procedural data protection systems, and the E.U. update will likely enhance the comprehensive consumer data scheme. This summer, German law journal Kommunikation & Recht published some articles from a conference on data protection on the regulation, including Transparenz als Herausforderung: Die Informations- und Meldepflichten der DSGVO aus Unternehmenssicht by attorneys Michael Kamps and Florian Schneider.

