October

"The Ministries for Justice and Home Affairs of the 28 Member States of the European Union met to further discuss the draft General Data Protection Regulation that is intended to replace the current European data protection framework. The new draft framework aims at simplifying the regime and lowering the administrative burden. This principle has been called the ""one-stop-shop"" and has been criticized by a number of national data protection authorities concerned about the potential for forum shopping for the jurisdiction offering the lowest level of protection. Despite several different propositions, the way to a consensus seems to still be long and puts the initial calendar for adoption of the new text in jeopardy. The Council issued a press release indicating that ""expert work"" towards finding a compromise will continue, notably around the scope of the powers to be granted to the competent supervisory authority (potentially limiting the scope of its powers), the involvement of other ""local"" data protection authorities in the decision making process, and the evolution of the role and powers of the European Data Protection Board. Nevertheless, Viviane Reading, the European Commissioner responsible for Justice, Fundamental Rights and Citizenship has indicated that she hopes to see a compromise text presented in December and a decision taken before May 2014, when the European elections will take place."

"The Austrian Data Protection Act (DPA) has been substantially revised for the first time since becoming effective in 2000. The revised DPA introduced a ""data breach notification duty"" to the Austrian data protection regime, which is similar to the respective obligations under U.S. and UK data privacy laws. With this, Austria (in addition to Germany) is one of the first Member States to implement such an information duty. In a nutshell, this obligation requires every data controller in Austria to inform data subjects properly if he becomes aware of a systematic and seriously unlawful misuse of their data. The revised DPA also provides for new provisions about the processing of personal data in the course of videotaping | video monitoring, the data subjects' rights of data access, and a new approach of self registration through the data controller combined with a massive extension of the authority's competencies. The administrative fines for breaches of the DPA were also raised to a maximum penalty of EUR 25,000 for deliberate violation of those provisions and EUR 10,000 for violation of the notification and information obligations of the DPA. "

The Belgian Privacy Commission and Ministry of Justice have executed a protocol that puts in place a new approval process for data transfer agreements (DTA). For customized DTA, it brings considerable improvement, but unfortunately it also adds a layer of administrative burden in relation to the use of the EU Model Clauses. The Protocol now acknowledges that it is sometimes justified for data exporters to make (some) changes to the EU Model Clauses. In order to facilitate this, the approval process has therefore been streamlined. But while this is a big step forward, at the same time, it is a big step backwards when it comes to the use of EU Model Clauses. Prior to the Protocol, no formal approval was required when the EU Model Clauses were used in an unaltered form. A data exporter simply had to submit a copy to the Privacy Commission when filing the notification. This has now changed. It has come to light that the Belgian Privacy Commission did not intend to increase the administrative burden for the use of EU model clauses. While the Protocol clearly uses the word 'authorizing', this should not be interpreted as introducing a formal authorization requirement, but rather as a confirmation given to the data exporter that the DTA used does indeed comply with the EU model clauses.