Sometimes the most interesting things that emerge from
conferences are whispered across the aisle just after a
presentation or debated by attendees off-site over a glass or two.
The big-ticket question at last week's IAPP Europe Data
Protection Congress in Brussels wasn't on the agenda: Will
members of the European Parliament and the European Council manage
to bridge their differences and pass a new Data Protection
Regulation amidst significant competing pressures from various
A new Regulation (to replace the 1995 Directive) was announced
by the European Commission in January 2012. (Our summary of the
Regulation can be found
here). European legislators originally estimated that the new
Regulation could be passed as soon as the middle of 2013 (to be
followed by a two year implementation period). Jan Philipp
Albrecht, a Member of the European Parliament and champion of the
Regulation, conceded last week that the end of 2013 might be more
realistic. However, none of the government speakers whose sessions
I attended considered a scenario where the Regulation simply
wasn't adopted for lack of sufficient consensus on its
Some members of the audience, however, noted the deep fault
lines that were evident between the views of various speakers on
issues ranging from questions of power-sharing among national
governments (specifically, the potential loss of power of certain
"stricter" national data protection offices under the
"one stop shop" system) to widely varying assessments of
the practical and economic burden that the Regulation would place
on businesses (will businesses flee Europe due to increased
compliance costs and the threat of substantial fines, or will
customers be so enamoured of European-style privacy that they will
flock to companies that adhere to the Regulation?).
Testing which way the wind is blowing – and how fast
– is always a tricky proposition. But my overall sense from
the recent Congress is that the Regulation will pass –
eventually, and probably not in 2013 – in a form that retains
the proposed fines (enthusiastically endorsed by several government
speakers), breach notice requirements (with more realistic timing
than the current proposal of 24 hours), and expanded notion of what
constitutes personal data (everything you've ever posted on the
Web?). But some of the items that largely didn't even reach the
agenda at the Congress, such as the logistically challenging
"right to be forgotten" and the "right of
portability," may not make it through the legislative process,
or may survive in an industry-specific form.
Watch this space. But in the meantime, if you are a tech
company, keep on developing those privacy compliance products. More
than a few were already being promoted last week at the Congress.
And that may be the best predictor that we have.