Data protection under the Insolvency Regulation (Recast)
The European Insolvency Regulation has a separate chapter on data protection of insolvency registers and data transferred when selling an insolvent company. The General Data Protection Regulation takes effect on 25 May 2018. How will it influence the EIR?
In June 2017 the European Insolvency Regulation (Recast) (‘EIR Recast’) entered into force. The EIR Recast is set in today’s mode of technology and data protection. Chapter VI on Data Protection (Articles 78 – 83) is, compared with the Insolvency Regulation of 2000 which has been replaced, entirely new. It is a logical consequence of the introduction of a system of interconnected insolvency registers, which will increase flows of information transcending national borders, and gathered and exchanged throughout the EU, often electronically. The recitals to the EIR Recast explain the principles which form the foundation for the rules on data protection. The Regulation respects the fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union, amongst others by promoting their provisions concerning the protection of personal data. Recital 84 adds: ‘Directive 95/46/EC of the European Parliament and of the Council and Regulation (EC) No 45/2001 of the European Parliament and of the Council apply to the processing of personal data within the framework of this Regulation’.
The allocation in the EIR Recast of a separate chapter on data protection indicates the heightened importance of this topic at the EU level. In the cross-border insolvency context, this issue becomes particularly relevant when applied to information contained in insolvency registers and (standard) notifications and claim forms. This information often contains the name, postal address, e-mail address (if any) and personal identification number (if any) of a creditor, which may all constitute personal data. Furthermore, in insolvency practice information regarding debtors of the insolvent debtor or data of subscribers or clients of an insolvent debtor (for example a child day-care centre, a fitness centre or a list of clients from a shop or an employment agency) will frequently be transferred separately as part of the sale of an insolvent business. Insolvency, indeed, is rather privacy sensitive.
As the recital referred to above stated at the time of the adoption of the EIR Recast (20 May 2015), the major European instruments dealing with personal data apply: Directive 95/46/EC (‘Data Protection Directive’, DPD) and Regulation (EC) No. 45/2001. The former applies to the processing of personal data by a natural or a legal person, public authority, agency or any other body, while the latter has a narrower scope and applies to the processing of personal data by the Community institutions and bodies. Chapter VI of the EIR Recast refers to both of these instruments, while providing clarifications in light of the (cross-border) insolvency context. Three years after finalising the text, and close to a year after the coming into force of the EIR Recast, the General Data Protection Regulation (GDPR) (EU) 2016/679 will take effect as of 25 May 2018, repealing the Data Protection Directive on the same date. Unlike the latter Directive, which required transposition into national laws, the GDPR introduces a single set of mandatory rules and is directly applicable throughout the EU.
While Regulation (EC) No. 45/2001 remains in force, its application should be adapted to the principles and rules established in the GDPR and applied in light of it (Recital 17 GDPR).
Leaving aside the different, though somewhat overlapping, scope of the EIR Recast and the GDPR, in practice the responsibilities regarding the processing of personal data will be a topic of concern. The responsibilities related to the processing of personal data within the operation of the EIR Recast are divided between Member States and the European Commission (EC). Article 79(1) EIR Recast obliges Member States to communicate to the EC the name of the natural or legal person, public authority, agency or any other body designated by national law to exercise the functions of controller with a view to its publication on the European e-Justice Portal. For example, as of April 2018, national data controllers include the Federal Ministry of Justice in cooperation with the Federal Computing Centre (Austria), the Ministry of Justice (Estonia) and the Council for the Judiciary (the Netherlands). According to the definition given in Article 4 GDPR, a controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Both the DPD and GDPR impose a primary obligation related to data processing on data controllers. Therefore, being able to ascertain a controller is important to ensure legal certainty and the lawful and fair processing of personal data within the EIR Recast framework.
In addition, Member States are required to adopt technical measures to ensure the security of personal data processed in their national insolvency registers (Article 79(2) EIR Recast). Such measures should protect against unauthorised or unlawful processing and against accidental loss, destruction or damage of personal data. Concrete ways to reach this goal are left to the Member States to work out. One of the additional duties of Member States is the supervision of data controllers to guarantee that data kept in the insolvency registers is accurate and up to date. They should also provide information to affected persons to enable them to exercise their rights, and in particular the right to the erasure of data. The existence of this latter right is among the most notable achievements of the GDPR (Article 17 GDPR) [Previously this issue was dealt with by the CJEU in the Google Spain SL case, which essentially recognised this right to exist in the Directive 95/46/EC]. However, this right is not absolute and as long as personal data is necessary in relation to the purposes for which it was collected or otherwise processed (e.g. as long as personal insolvency proceedings are ongoing and publicity of the insolvency process is mandatory), personal data shall not be erased from the insolvency registers. At the same time, in order to grant sufficient protection to information relating to individuals not exercising an independent business or professional activity, Member States should be able to make access to that information subject to supplementary search criteria such as the debtor’s personal identification number, address, date of birth or the district of the competent court, or to make access conditional upon a request to a competent authority or upon the verification of a legitimate interest (Recital 79, Article 27 EIR Recast).
The EC, itself being a data controller, is entrusted with a number of responsibilities in connection with the processing of personal data. In particular, like any other controller, it shall define the necessary policies and apply the necessary technical solutions to fulfil its responsibilities within the scope of the function of the controller (Article 80(2) EIR Recast). Moreover, the EC must implement technical solutions required to ensure the security of personal data while in transit, that is, in any transit to or from the e-Justice Portal (Article 80(3) EIR Recast). Importantly, the EC does not maintain its own insolvency register. Instead, it supports the system composed of the national insolvency registers and the European e-Justice Portal, which serves as a central public electronic access point to information in the system (Article 25(1) EIR Recast). Precisely because of this framework, the EC does not store personal data related to data subjects. This data is stored in the national databases operated by the Member States (Article 83 EIR Recast). This only covers data protection as far as it concerns registers. The separation of duties and responsibilities between Member States and the EC when it comes to personal data protection generally places all risks on the Member States, as they bear the ultimate responsibility for data processing in the insolvency registers.
Insolvency practitioners, when processing (collecting, recording, storing, using, disclosing or transmitting) personal data, particularly special categories of personal data (sensitive data), should be acquainted with the GDPR. Evidently there will be other contributions, but a useful outline is provided on the site of the Squire Patton Boggs (UK) LLP Data Privacy & Cybersecurity Team.
I am indebted to Ilya Kokorin, lecturer on company and insolvency law, University of Leiden, for the entertaining discussions we had on the topic.