Proposed New EU Data Protection Regulation: What Does it Mean for Information Security?
As had been widely anticipated, the European Commission released its proposal to reform the European Union's data protection framework on January 25, 2012. The reform, introduced after many years of public and stakeholder consultation, will fundamentally change many aspects of the current regulation of personal data in all EU member states.
The main aspects of the proposed reform which have received attention include:
- Single Regulator: The establishment of a single set of European rules valid everywhere across the EU, with the upgrading of the previous Directive into a Regulation. Companies with operations in multiple EU member states will be subject to the jurisdiction of a single data protection authority ("DPA"), that of their main place of establishment in the EU.
- A breach notification mandate: In the event of a serious breach, organisations must notify the national supervisory authority "as soon as possible (if feasible within 24 hours)".
- Increased enforcement powers for data protection authorities: DPAs will be able to fine organisations that violate the rules. The proposal sets out three tiers of fines for intentional or negligent violations of the Regulation, with the top tier for the most serious offences reaching up to 2% of an organisation's annual worldwide turnover.
- Explicit consent requirement: Wherever consent is required for data to be processed, it must be given explicitly, rather than assumed, according to the regulation.
- Extra-territorial reach: The regulation applies to “personal data handled abroad by companies that are active in the EU market and offer their services to EU citizens.” Data controllers and processors established outside the EU would be subject to EU law if they direct data processing activities at EU residents or “serve to monitor the behaviour” of such residents.
Next, the proposal will be reviewed by the European Parliament and by the member states, acting through the Council of Ministers.
The reform fundamentally changes the way that data protection will be regulated and introduces some important new obligations, such as mandatory data breach notification. However, one area which has received less attention is the proposed change to the security of processing obligation: currently Article 17 of the Directive, it becomes Article 27 in the new Section 2 (Data Security), which replaces Section VIII (Confidentiality and Security of Processing).
Security of Processing (Article 27)
Article 17 of the existing Directive requires organisations to:
“implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.”
This provision is not dissimilar to the obligations imposed on Australian public and private organisations covered by the Privacy Act (via National Privacy Principle 4 and Information Privacy Principle 4). It imposes a loose requirement to take "appropriate measures" and specifically notes that, in selecting technology solutions, organisations should have regard to the risks arising from the nature of the data being processed and to the cost of the technology.
Under the new proposal, these requirements are significantly expanded. Article 27 requires that organisations must, "following an evaluation of the risks," implement at least ten different types of control:
- equipment access controls: to deny unauthorised persons access to data-processing equipment used for processing personal data;
- data media controls: to prevent the unauthorised reading, copying, modification or removal of data media;
- storage controls: to prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data;
- user controls: to prevent the use of automated data-processing systems by unauthorised persons using data communication equipment;
- data access controls: to ensure that persons authorised to use an automated data-processing system only have access to the data covered by their access authorisation;
- communication controls: to ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment;
- input controls: to ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input;
- transport controls: to prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media;
- recovery controls: to ensure that installed systems may, in case of interruption, be restored;
- reliability and integrity controls: to ensure that the functions of the system perform, that the appearance of faults in the functions is reported and that stored personal data cannot be corrupted by means of a malfunctioning of the system.
This list is far more prescriptive than the previous provision and will presumably form the basis for a more comprehensive review of the organisational information security controls in place in any assessment of compliance with the Regulation. This is consistent with the stated intention of the reform to provide a more "comprehensive … policy on the fundamental right to personal data protection".
In addition, a number of these controls go beyond the traditional domain of data protection in the privacy context, where the focus has been on unauthorised disclosure of personal information. The new provisions include controls directed at availability, reliability and integrity (which, together with confidentiality, make up the triad of objectives that information security control systems are designed to support). This indicates a willingness on the part of the European regulator to extend legal obligations beyond the narrow confines of protecting data confidentiality, which has traditionally been viewed as the only aspect of information security relevant to data protection.
The provision also gives the Commission an express power to adopt further provisions specifying the requirements needed to meet this obligation, including "notably encryption standards."
This more prescriptive approach supports two other major new reforms (which unfortunately appear to have been somewhat diluted in the draft actually released):
- A requirement to consult with the Supervisory Authority prior to commencing “risky” processing;
- A requirement to incorporate “Data Protection by Design” principles into the development of new data processing systems.
Together, the three new provisions support the general requirement to take "appropriate technical and organisational measures", as set out in Recital 38 of the reform and articulated expressly in new Article 18 of the proposed reform:
The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors requires that appropriate technical and organisational measures be taken to ensure that the requirements of the Directives are met. In order to ensure compliance with the provisions adopted pursuant to this Directive, the controller should adopt policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default.
Prior Consultation with Supervisory Authority (Article 26)
Prior to processing personal data in a way that is “likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes,” organizations must consult with their supervisory authority.
Commentary on earlier drafts of the proposal suggested that this provision was going to include a requirement that a Privacy Impact Assessment (PIA) be undertaken. The same commentary also noted that, although the draft Regulation did not define exactly what processing would fall within this definition, it did list a few examples that "likely" would, including:
- running automated models to analyse or predict a person’s performance at work, creditworthiness, economic situation, location, health, personal preferences, reliability, or behaviour, where the result will affect the data subject;
- the processing of certain types of sensitive data;
- conducting video surveillance; and
- utilizing large-scale filing systems containing genetic, biometric, or children’s data.
Although the proposed reform no longer includes a specific PIA requirement, the organisation may be required to conduct a data protection impact assessment as part of the consultation now mandated. Even where this occurs, it is a somewhat reduced obligation from that initially flagged, which would have required a mandatory PIA for high-risk processing systems.
Data Protection by Design and Default (Article 19)
Similarly, the wording of the final article included in the proposed reform is somewhat weaker than had been foreshadowed by earlier drafts. Although titled "Data Protection by Design", it makes no specific reference to the end-to-end design principles that have become known as "Privacy by Design." Instead, the proposed reform requires that, "having regard to the state of the art and the cost of implementation, the controller shall implement appropriate technical and organisational measures and procedures …" so that data is processed in accordance with the Directive and privacy is ensured.
Although it is still early days for the proposed reform, it is already clear that there has been some reduction in the scope and application of the data security provisions in the proposal as released. The current proposal is not expected to become law until 2014, following lengthy further consultation, by which time many further changes will have been made. It is hoped that these further changes will not substantially diminish the current data security provisions, which may already disappoint information security professionals hoping for a more clearly articulated compliance regime.
European Commission, data protection reform newsroom (background documents and frequently asked questions): http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
Article 29 Working Party, press release responding to the Commission's proposal: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20120125_pr_dp_proposals_en.pdf
European Commission, "Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data", 25 January 2012.
E.g. Hunton Privacy Law Blog, December 2011: http://www.huntonprivacyblog.com/2011/12/articles/european-commission-drafts-to-reform-the-eu-data-protection-framework-enter-interservice-consultation/