IFCLA – Helsinki, 10 June 2010

Navigating the Privacy SeaChristian M. Runte, CMS Hasche Sigle

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 20102

1. The Privacy Sea

2. How to Navigate it

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 20103

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 20104

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 20105

Why the Sea Got Rough

Advanced technology (internet, increased storage capability), and increased relevance of data processing

Online transactions rapidly replacing "anonymous" real transactions; online transactions require identification and thus personal data

Changes in legislation (data breach notification etc.)

Aftermath of 9/11, online surveillance

Media coverage of data breaches and other privacy issues in the public sector (UK CD-ROMs, German tax data) and in the private sector (Facebook, Google, in Germany: Lidl, Deutsche Telekom etc.)

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 20106

How Fragmented is Privacy Law?

EU level

One general directive (95/46/EC) but numerous other regulations, directives and decisions which also contain data protection provisions

Some better known: 2002/58/EC etc.

Some more hidden: Regulation 80/2009 etc.

Consultation process for new general directive 95/46/EC

"Harmonized diversity"

Implementation in member states differs, sometimes significantly

Differences in processes, formalities and bureaucracy

No single authority for the EU or even within some member states

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 20107

Regulatory Authorities Dealing with Data Protection Aspects: Germany

Federal Level: 1 (+1)

Länder Level: 25

Further Authorities for Churches, Public Broadcasting, Public Healthcare etc.

Art. 28 [1] Directive 95/46/EC:"authorities shall act with completeindependence in exercising the functions…"

ECJ, 9 March 2010: Germany systemin violation of Art. 28 [1]

22

12

11

3

111

3

21

1

12

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 20108

Everything Converging in the Cloud?

"Everything is content"

Convergence of technology and media delivery

Convergence of substantial law?

Possible but likely to be very slow

Overhaul of General Directive 95/46 (e.g. data breach)

Geographical convergence?

Which jurisdiction applies?

More jurisdictions will apply

Technical innovations (in particular cloud computing) will make it more complicated to be compliant in all relevant jurisdictions

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 20109

Navigating it

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 201010

Challenges

More cases will require advice for more than one jurisdiction

Knowledge of the local law

Contact to relevant authorities

The challenge is the number of countries and authorities involved and the number of local advisor you may need

Cost

Consistent advice

Requires management of

the client

and local advisors

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 201011

A Possible Approach

Prepare your (local) memo first

Managing multiple jurisdictions

Do some local reconnaissance• General ressources

• Websites• Online Materials

Prepare questionnaire• Clearly defined questions• Provide your local answers as well

Budget, no quote

Direct contact between client and local counsel

Christian Runte | Navigating the Privacy Sea | IFCLA – Helsinki, 10 June 201012

Après Nous le Déluge

Public perception of data protection and privacy will not vanish, media will drive the process

Overhaul of Directive 95/46, consultation process

More convergence?

It's not a breach, it's a service

Data Breach Laws | ICAF – Berlin, 25 February 201013

Last page