Sometimes the most interesting things that emerge from
conferences are whispered across the aisle just after a
presentation or debated by attendees off-site over a glass or two
The big-ticket question at last week's IAPP Europe Data
Protection Congress in Brussels wasn't on the agenda: Will
members of the European Parliament and the European Council manage
to bridge their differences and pass a new Data Protection
Regulation amidst significant competing pressures from various
A new Regulation (to replace the 1995 Directive) was announced
by the European Commission in January 2012. (Our summary of the
Regulation can be found
here). European legislators originally estimated that the new
Regulation could be passed as soon as the middle of 2013 (to be
followed by a two year implementation period). Jan Philipp
Albrecht, a Member of the European Parliament and champion of the
Regulation, conceded last week that the end of 2013 might be more
realistic. However, none of the government speakers whose sessions
I attended considered a scenario where the Regulation simply
wasn't adopted for lack of sufficient consensus on its
Some members of the audience, however, noted the deep fault
lines that were evident between the views of various speakers on
issues ranging from questions of power-sharing among national
governments (specifically, the potential loss of power of certain
"stricter" national data protection offices under the
"one stop shop" system) to widely varying assessments of
the practical and economic burden that the Regulation would place
on businesses (will businesses flee Europe due to increased
compliance costs and the threat of substantial fines, or will
customers be so enamoured of European-style privacy that they will
flock to companies that adhere to the Regulation?).
Testing which way the wind is blowing – and how fast
– is always a tricky proposition. But my overall sense from
the recent Congress is that the Regulation will pass –
eventually, and probably not in 2013 — in a form that retains
the proposed fines (enthusiastically endorsed by several government
speakers), breach notice requirements (with more realistic timing
than the current proposal of 24 hours), and expanded notion of what
constitutes personal data (everything you've ever posted on the
Web?). But some of the items that largely didn't even reach the
agenda at the Congress, such as the logistically challenging
"right to be forgotten" and the "right of
portability," may not make it through the legislative process,
or may survive in an industry-specific form.
Watch this space. But in the meantime, if you are a tech
company, keep on developing those privacy compliance products. More
than a few were already being promoted last week at the Congress.
And that may be the best predictor that we have.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On Friday, November 13, Federal Trade Commission ("FTC" or the "Commission") Chief Administrative Law Judge ("ALJ") D. Michael Chappell issued an Initial Decision in In the Matter of LabMD, Inc. (FTC Docket No. 9357), dismissing the Commission's Complaint against LabMD, Inc. ("LabMD"), upon a finding that the FTC had failed to "demonstrate a likelihood that [LabMD's] computer network will be breached in the future and cause substantial computer injury."
Whether you are in-house counsel or external counsel, upon first hearing of a massive data breach affecting your client, your first reaction will likely be at least a twinge of panic. So first, take a deep breath and calm down.
Anthony Albanese, the head of the New York Department of Financial Services, issued a letter to more than 20 federal and state regulators outlining proposed cybersecurity regulations for banks and insurance companies operating in New York.
High-profile data breaches seem to hit the headlines almost every day. These breaches have proved terrifying for many companies, particularly as the attackers release embarrassing emails and other information.