computer law & security review 34 (2018) 1360–1363
Available online at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/CLSR
European national news

Nick Pantlin, Herbert Smith Freehills LLP, London, United Kingdom

Abstract

This article tracks developments at the national level in key European countries in the area of IT and communications and provides a concise alerting service of important national developments. It is co-ordinated by Herbert Smith Freehills LLP and contributed to by firms across Europe. Part of its purpose is to complement the Journal's feature articles and briefing notes by keeping readers abreast of what is currently happening "on the ground" at a national level in implementing EU level legislation and international conventions and treaties. Where an item of European National News is of particular significance, CLSR may also cover it in more detail in the current or a subsequent edition.

Keywords: Internet; ISP/Internet Service provider; Software; Data protection; IT/Information Technology; Communications; European law/Europe

© 2018 Nick Pantlin. Published by Elsevier Ltd. All rights reserved.
1. Belgium

Cédric Lindenmann, Associate, [email protected] and Carol Evrard, Associate, [email protected] from Stibbe, Brussels (Tel.: +32 2533 53 51). No contribution for this issue.

2. Denmark

Arly Carlquist, Partner, [email protected] from Bech-Bruun, Copenhagen office, Denmark (Tel.: +45 7227 0000).

2.1. Electronic storage of accounting records
Since 2015 the Danish Bookkeeping Act (in Danish: "Bogføringsloven") has allowed accounting records to be stored electronically in locations around Denmark and in other jurisdictions. In April 2018, the Danish Business Authority published a guideline specifying the requirements for the electronic storage of accounting records. No approval procedure or authorisation is required prior to electronic storage; however, four formal requirements must be complied with. The main requirement for storing financial data electronically is availability: the material must always be accessible to public authorities from Denmark for the purposes of audits and inquiries. This requirement must be met irrespective of the geographical location of the data storage, i.e., in or outside Denmark, and irrespective of whether a cloud solution is used such that the actual location of the data may not be known at any given time. If such a cloud solution is used, the accounting records must remain accessible online from Denmark to the Danish authorities authorised by law. Accordingly, accounting records stored on electronic media in another country without online access from Denmark, e.g., on a USB device or a laptop, will not meet the requirements of the Danish Bookkeeping Act. The same applies to records stored electronically in Denmark but for which access depends on the physical presence of a person located in another jurisdiction.

Companies which store accounting records must ensure compliance with the applicable regulatory requirements, i.e., implementation of sufficient security measures, back-up of accounting records, supervision by the company's management and compliance with minimum storage periods. Finally, descriptions and documentation of the relevant systems and the required password(s) must be available in Denmark. The descriptions and documentation must make it possible for third parties with prior knowledge of the system in question to access, navigate and control the records.

∗ Correspondence to: Herbert Smith Freehills, Exchange House, Primrose St, London EC2A 2HS, United Kingdom. E-mail address: [email protected]. For further information see: www.herbertsmithfreehills.com
https://doi.org/10.1016/j.clsr.2018.09.005 (ISSN 0267-3649)
3. France

Alexandra Neri, Partner, [email protected] and Jean-Baptiste Thomas-Sertillanges, Avocat, [email protected] from the Paris Office of Herbert Smith Freehills LLP (Tel.: +33 1 53 57 78 57). No contribution for this issue.

4. Germany

Dr. Matthias Schilde, [email protected], from the Berlin Office of Gleiss Lutz, Germany (Tel.: +49 30800979210). No contribution for this issue.

5. Italy

Salvatore Orlando, Partner, [email protected] and Stefano Bartoli, Senior Associate, [email protected], from the Rome office of Macchi di Cellere Gangemi.

5.1. The reform of the Italian data protection code

On 19 September 2018 the reform of the Italian Data Protection Code (the "Code") was implemented via Legislative Decree No 101 of 2018. Contrary to the Government's initial intention to repeal the Code (see our prior note on this subject), and more in line with the directions received from Parliament, the Government ultimately decided to amend the Code to harmonise its provisions with those of the GDPR. The main aspects of the reform include the following:

a. the minimum age at which children may give valid consent to the processing of their personal data in relation to information society services has been set at fourteen years (children under fourteen years of age still require parental consent);

b. the Italian Data Protection Authority (the "Authority") has been tasked with issuing guidelines to simplify the duties of data controllers with respect to micro, small and medium-sized enterprises as defined in Recommendation 2003/361/EC;

c. the processing of genetic, biometric and health data is not limited per se, but is subject to security measures to be issued by the Authority;

d. the processing of personal data for journalistic purposes or for academic, artistic or literary expression is not conditional on the data subject's consent, provided that such processing is compliant with the relevant ad hoc codes of conduct; and

e. the sanction mechanism has been revised, providing new rules for criminal penalties for several kinds of offence, such as unlawful processing of personal data, fraudulent acquisition of personal data, unlawful dissemination of personal data on a large scale and non-compliance with the Authority's measures. With respect to administrative penalties, it will be up to the Authority to issue rules regarding their application.

6. The Netherlands

Joe Jay de Hass, [email protected], Amsterdam office of Stibbe (Tel.: +31 20 546 0036). No contribution for this issue.

7. Norway

Dr. Rolf Riisnæs, Partner, [email protected], and Dr. Emily M. Weitzenboeck, Senior Lawyer, [email protected], Wikborg Rein Advokatfirma AS, Norway (Tel. +47 22 82 75 00).

7.1. New Personal Data Act enters into effect

On 20 July 2018, almost two months after the General Data Protection Regulation (GDPR) entered into effect within the European Union (EU), a new Personal Data Act came into effect in Norway. The new law, which incorporates the GDPR into Norwegian law, had in fact been passed by the Norwegian parliament on 15 June 2018 (Act of 15 June 2018 No. 38), but its entry into effect had to be delayed until the GDPR was incorporated into the European Economic Area (EEA) Agreement between, inter alia, Norway and the EU. As Norway is not a member of the EU, EU regulations are neither directly applicable nor directly effective in Norway but must be incorporated or implemented into Norwegian law.

Certain articles of the GDPR give EU and EEA states a limited ability to lay down specific rules governing particular processing situations. For example, Article 88 allows the introduction, via national law or collective agreements, of more specific rules on the processing of personal data in the employment context. Under the previous data protection regime, Norway already had some sector-specific data protection rules which limited an employer's access to employee e-mail accounts and other electronic workspaces, as well as rules on video surveillance. Norway has used this opportunity and has reintroduced these sector-specific rules, with slight modifications, through two new sets of regulations: Regulations of 2 July 2018 No. 1107 on camera surveillance in enterprises and Regulations of 2 July 2018 No. 1108 on the employer's access to e-mail and other electronically stored material, both issued pursuant to Norway's main employment legislation, the Working Environment Act.

As under the previous data protection regime, the data protection supervisory authority in Norway is the Data Protection Authority (Datatilsynet). Similarly, appeals from decisions of the Data Protection Authority are heard by the Privacy Appeals Board (Personvernnemnda).
8. Spain

Albert Agustinoy, Partner, [email protected], Jorge Monclús, Senior Associate, [email protected] and Daniel Urbán, Principal Associate from Cuatrecasas, Spain (Tel.: +34 93 290 55 85).

8.1. Spain: new data protection measures come into force

Since November 2017, when the first draft of the Spanish Data Protection Act adapted to the General Data Protection Regulation (the 'GDPR', EU Regulation 2016/679) was released, doubts have arisen as to the application of several provisions of both the GDPR and national data protection law. To address these doubts, and whilst the new Spanish Data Protection Act is still being debated, the Spanish Government has approved a new piece of legislation (Royal Decree-Law 5/2018, fully applicable as of 31 July 2018) clarifying some of the main topics in this area, particularly sanctions and sanctioning procedures before the Spanish Data Protection Agency. Among the most important provisions is the rule that data processing agreements executed before 25 May 2018 but not adapted to the GDPR remain valid until their termination date, provided that this date falls before 25 May 2022; however, either party can ask for the data processing agreement to be amended at any time. The new legislation also clarifies that data protection officers will not be personally liable for breaches of the GDPR or national data protection laws, since any sanctions are imposed on the entity for which the officer works. Infringements are subject to limitation periods: three years for infringements under Articles 83.5 and 83.6 of the GDPR and two years for infringements under Article 83.4 of the GDPR. The legislation entered into force on 31 July 2018 and clarifies that sanction proceedings already in progress before that date are governed by the previous procedural rules, except where the new legislation is more beneficial to the alleged infringer.

9. Sweden

Agne Lindberg, Partner, [email protected], and Erika Hammar, Associate, [email protected] from the Stockholm Office of Advokatfirman Delphi (Tel.: +46 8 677 54 00). No contribution for this issue.

10. UK

Nick Pantlin, Partner, [email protected], Miriam Everett, Professional Support Consultant, [email protected], Claire Wiseman, Senior Associate, [email protected], and Shayhan Patelmaster, Associate, [email protected] from the London Office of Herbert Smith Freehills LLP (Tel.: +44 20 7374 8000).

10.1. Data protection if there's no Brexit deal
On 13 September 2018, the UK Government published a series of technical notes setting out the implications of a ‘no deal’ scenario (i.e., a scenario in which the UK leaves the EU without an agreement) in various sectors and areas, including a note specifically covering data protection. The note sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.
10.1.1. Transferring data from the UK to the EU

Even in the event of a 'no deal' scenario, the technical note confirms that there should not be any impact on the transfer of personal data from the UK to the EU and beyond. A combination of the UK Data Protection Act 2018 and the EU Withdrawal Act would incorporate the GDPR into UK law. As such, the provisions currently found in Chapter V of the GDPR, which prohibit the transfer of personal data outside of the EEA without adequate safeguards in place, would remain. UK entities would therefore continue to be able to freely send personal data from the UK to the EU, and would continue to need to satisfy an appropriate legal basis to legitimise the transfer of personal data beyond European borders. The technical note further confirms that, "in recognition of the unprecedented degree of alignment between the UK and EU's data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU". However, there is a potential sting in the tail, as the technical note provides that the UK will keep this under review: once the UK data protection regime is no longer required to mirror the GDPR, it would in theory be possible for the UK Government to amend the UK rules to provide that, for example, no personal data could be transferred outside of the UK without additional safeguards in place.
10.1.2. Transferring data from the EU to the UK

In contrast to the export of personal data from the UK, the import of personal data to the UK from the EU will change on exit. As described above, the GDPR restricts the transfer of personal data outside of the EEA, meaning that in a 'no deal' scenario where the UK is no longer a Member State or part of the EEA, entities wishing to transfer data to the UK will need to satisfy one of the available legal bases for the transfer of personal data. One such mechanism is a finding of 'adequacy' from the European Commission. The European Commission has stated that if it deems the UK's level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision allowing the transfer of personal data to the UK without restrictions. However, it has further stated that any decision on adequacy cannot be taken until the UK is a third country (i.e., until after the UK's exit from the EU).
In the absence of an adequacy decision (or in the intervening period whilst the European Commission is considering one), organisations in the EU wishing to send personal data to the UK will need to satisfy an alternative legal basis for doing so. The most common such basis is likely to be the so-called Standard Contractual Clauses: sets of contractual clauses approved by the European Commission and incorporating various protections for personal data. By entering into the Standard Contractual Clauses, two entities are able to transfer data between each other. There are also specific derogations which may apply on a case-by-case basis, for example where the transfer is made with the explicit consent of the individual data subject. However, in all circumstances, entities will need to proactively consider what action they may need to take to ensure the continued free flow of data.