Feeds

Now draft biz guillotine law triggers info privacy watchdog

Data revealed during insolvencies sparks Euro ire

There are insufficient data protection safeguards built in to proposed reforms to the EU's insolvency law framework, a privacy watchdog has said.

In a recently issued opinion into the European Commission's draft Insolvency Regulation, the European Data Protection Supervisor (EDPS) raised concerns about the mandatory publication of information relating to the opening and closing of insolvency proceedings (11-page 71KB PDF) as well as the exchange of information between courts and liquidators.

In December last year the Commission published its draft Insolvency Regulation in a bid to overhaul existing laws that have been in operation since 2000. The proposals seek to make clearer the processes involved when there are parallel court proceedings initiated by creditors in different EU member states regarding payment of the debts they are owed.

Under the Commission's proposals, a court that is asked to open secondary proceedings will "immediately" be required to inform the appointed liquidator in the main proceedings in order to give those liquidators the chance to challenge those secondary proceedings from commencing.

In addition, EU member states would also be required to provide a free, publicly-accessible online register of key information relating to insolvency proceedings involving companies, the self-employed and independent professionals. National registers would be connected to a pan-EU online portal. Foreign creditors will be able to lodge claims for payment of debts by submitting a standard form within 45 days of notice of the opening of proceedings in the insolvency register being published.

The EDPS, which advises EU institutions on privacy issues, said that because the proposals "necessarily" involve the processing of personal data, EU data protection laws must be respected in the new regime. However, the watchdog said whilst the Commission has made references to those laws being applicable to the regime, it said there are still data protection "shortcomings and inconsistencies" contained within the proposed Regulation.

"The general references [to data protection] need to be specified and translated into concrete safeguards that will apply for any situation in which personal data processing is envisaged," Giovanni Buttarelli, the assistant EDPS, said in a newly adopted opinion on the draft Insolvency Regulation. "Such safeguards should be developed in the proposed Regulation."

"For instance, the retention period of the data processed and sometimes published for insolvency proceedings should be specified. Besides, it is not sufficiently clear who is responsible for the data published and, as a result, who should update the data and ensure it is secured enough. In other words, data controllers should be designated. In addition, substantive provisions are needed to further develop in a concrete manner the modalities according to which the existing rights of the data subject about whom data is collected and processed may be exercised against the various actors in such a specific area," he added.

Buttarelli said that it may not always be necessary or proportionate for information about individual insolvency proceedings to be published on the Commission's proposed online registers. He said that, even if the information should be detailed in this way, there should be a limit on how long the information should sit there before being removed, as well as efforts made to ensure the data is both accurate and secure.

"The necessity and the proportionality of the proposed system for the Internet publication of decisions opening and closing insolvency proceedings is assessed and it is verified whether the publication obligation does not go beyond what is necessary to achieve the public interest objective pursued and whether there are not less restrictive measures to attain the same objective," Buttarelli said.

"Subject to the outcome of this proportionality test, the publication obligation should in any event be supported by adequate safeguards to ensure full respect of the rights of the persons concerned, the security/accuracy of the data and their deletion after an adequate period of time," he added.

Buttarelli also called on the Commission to clarify aspects about how information contained within the national registers can be processed and used.

"[The Regulation] must identify the purpose of the processing operations and establish which are the compatible uses; identify which entities (judges and authorities responsible for the opening and the closing of insolvency procedures, competent authorities and potentially others) will have access to which data stored in the database and will have the possibility to modify the data; ensure the right of access and appropriate information for all the data subjects whose personal data may be stored and exchanged; define and limit the retention period for the personal data to the minimum necessary for the performance of such purpose," he said.

"These are essential elements that should be included in the Regulation itself," the watchdog added.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Apple CEO Tim Cook: TV is TERRIBLE and stuck in the 1970s
The iKing thinks telly is far too fiddly and ugly – basically, iTunes
Huawei ditches new Windows Phone mobe plans, blames poor sales
Giganto mobe firm slams door shut on Microsoft. OH DEAR
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.