Data Protection Issues from a Practical Perspective Balázs Fazekas Réczicza White & Case LLP VIII. Annual Conference on ICT Law April 20, 2007, Pécs
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 2 Issues Raised Incomplete harmonization of community law Personal data, privacy, company interest Data Transfers Within group between authorities Chain of transfers Rights of data subjects to enforce agreement Law office as data controller Online environment Miscellaneous issues
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 3 1.Incomplete harmonization of community law Terms, definitions Data controller – “adatkezelő” really? Data processor – “adatfeldolgozó” really? What does a data controller/processor do exactly? Decisive element should be: Who is in charge of making decisions on the use (processing) of the personal data Relaxation of primary rules (examples) Hungarian law: title for controlling: consent or law Directive: additional legitimate titles for data controlling (Article 7 of 95/46/EC Directive) Hungarian law: information to data subject should be very specific to be eligible for a consent Directive: Softer information provision requirements (e.g., “categories” pf recipients of personal data – Article 10(c) of Directive) What is realistically acceptable under Hungarian law? What is reasonably expected from data controller? Example: existing client base, change of data processor. New consent? Never tested before court
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 4 2.Personal data, privacy, company interest What are the boundaries of personal data / private information / business information? Example: company needs to research in employee files (e.g., due to internal audit, responding to authority request, etc.). Files may contain (often in a single document or ): personal data (own and third party) private information (private secrets) business information Company has the right to access business information (only). Common practical solution: company policy prohibits private use of office equipment Is it enough? Still room for privacy? Objection on the basis of personal data of third parties? Data protection commissioner’s position…
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 5 3.Data transfers – intra group transfers Hungarian law does not recognize a group as a single entity. Some jurisdictions do. In reality, multinational companies regularly transfer personal data within group (payroll functions, administration) Recent phenomenon: shared services centers (outsourced administrative functions) – recipient and transferor of vast amount of personal data Aim of data protection regulation is to protect data subjects. In the event of intra group transfer, the aim is not jeopardized clear purpose of use transparent flow of data established interfaces between employee and company But in Hungary, consent is required for such transfer Practical solution: Information: appropriate company policies with proper provision of information to data subjects (employees) remedy mechanism protecting data subjects (employees) Consent: consent together with employment agreement, consent forms for third parties (e.g. customers, marketing Problems: transfer requirement is triggered – painful, difficult to implement: transfer of already existing third party personal data (e.g., escalation of consumer complaints to head office) or database (e.g., pharmaceutical industry: marketing databases)
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 6 4.Data transfers – foreign authorities Hungarian and foreign authorities are often not certain as to under what circumstances, and what scope of personal data may be transferred for purposes of mutual legal assistance e.g. US listed/traded Hungarian companies: PSZAF – SEC (US maintains extra terrestrial jurisdiction in some cases) Relevant bilateral agreements are not always clear. Inquiry should be made through Ministry of Justice Under Hungarian law, the consent of data subject should be specific (including exact definition of the recipient authority). Reference to „foreign authorities” in general is not sufficient.
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 7 5.Data transfers – chain of transfers Example: International network of offices, including Budapest, London New York, Singapore. London office collects and aggregates personal data, forwards to New York or Singapore for further use (billing, administration). Is London a controller or a processor? London is within EEA, „level of protection” rules are not triggered Does the Budapest office need to confirm if New York is registered as a Safe Harbour? What about Singapore? Does Budapest need to be party to a data processing agreement under the EC standard contractual claues?
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 8 6.Rights of data subjects to enforce agreement Standard contractual clauses (for transfer of personal data for data processing in other (non-EEA) country) provide remedies for the benefit of data subjects. Does the agreement need to be registered by / notified to the data protection commissioner? In some countries, yes. Does the agreement need to be consented by or disclosed to the data subjects? The agreement covers data subjects even withouth knowing about the agreement Information on or an extract of the agreement should be provided upon request.
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 9 7.Law office as data controller Under the Act on Attorneys, the attorney (law office) is de facto a data controller. Co-existence of attorney regime and data protection regime: Are there collisions between the two regimes? (E.g. security measures) Attorney Act recognizes special forms, such as association of offices Are associated offices data controllers? Are they entitled to receive personal data? Transfer to foreign associated offices is a transfer to abroad? Level of protection under other attorney secret regimes? Client data vs third party data Law office collects and uses various personal data: client data – primarily for administration and billing purposes third party data – counterparty in litigation, contact details in agreements, etc. Is level of protection under the “attorney secret” regime sufficient, or consent?
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 10 8.Online environment Consent together with registration or sign up. Minors under 18 do not have legal capacity to make statements concerning their personal rights Consent of parent is required How to verify parent consent in online environment? How to act in a prudent manner? Privacy policy, Terms of Use of online service Service available in Hungary / Targeted to Hungarian users Often not fully compliant with Hungarian data protection and online consumer protection laws. More attention is required, more prudent localization practice Jurisdiction issues: how to enforce anything against foreign online service?
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 11 9.Miscellaneous issues Non direct marketing companies may be considered as direct marketing entities under Act CXIX of 1995 (e.g., pharmaceutical companies) Should be prepared for opt-out requests, maintaning lists Where is the right balance in practice? Position of Data Protection Commissioner often liberal to the extreme, requires unreasonable efforts or compromise to implement in practice Companies try to comply formally but with least burdens Real-life practical solutions never tested before court, great amount of legal uncertainty (becomes extra cost)
WHITE & CASE LLP Data Protection Issues from a Practical Perspective 12 Worldwide. For Our Clients. White & Case, a New York State registered limited liability partnership, is engaged in the practice of law directly and through entities compliant with regulations regarding the practice of law in the countries and jurisdictions in which we have offices. Thank you for your attention! Balázs Fazekas Réczicza White & Case LLP 1061 Budapest, Andrássy út 11. Tel.: