Chapter 14 Other Issues

• Jurisdiction: United States

14. Other Issues

14.1. Data Protection

The EIR Recast is set in today's mode of technology and personal data protection. The allocation in the EIR Recast of a separate chapter (Chapter VI) containing Articles 78-83 on data protection indicates the heightened importance of this topic at the EU level. The EIR 2000 did not contain any provisions dealing specifically with personal-data protection. Particular attention paid to the issue of data protection can be explained by the fact of increased flows of information transcending national borders, and gathered and exchanged throughout the EU, often electronically. As discussed above, the EIR Recast promotes cooperation and communication between different actors involved in insolvency proceedings (see Articles 41-43, 56-58) and aims at ensuring the publicity of insolvency registers with information concerning insolvency proceedings (see Articles 24-27). Such publicity and exchange are crucial to better ensure that creditors and courts receive relevant and timely information about the insolvency proceedings opened in other Member States. This should also prevent the opening of parallel insolvency proceedings against the same debtor. At the same time, an intensified exchange of information and the placement of such information in the publicly available insolvency registers can create exposure to various risks, including personal-data breaches.

The need to formulate rules dealing with the matter of data protection also stems from a degree of unification brought by the EIR Recast in reliance on procedures for notification and lodging of claims (see Article 55, as well as standard notice and claims forms). For instance, a standard claims form shall include information on the name, postal address, e-mail address (if any) and personal identification number (if any) of a creditor, which all may constitute personal data.

At the time of the EIR Recast adoption (20 May 2015), the major European instruments dealing with personal data protection had been the Directive 95/46/EC ("Data Protection Directive," or DPD) and Regulation (EC) No. 45/2001. The former applies to the processing of personal data by a natural or a legal person, public authority, agency or any other body, while the latter has a narrower scope and applies to the processing of personal data by the community institutions and bodies. The EIR Recast in its Chapter VI refers to both of these instruments while providing clarifications in light of the (cross-border) insolvency context. It shall be noted, however, that as of 25 May 2018, a new Regulation came into effect, namely the General Data Protection Regulation (GDPR) (EU) 2016/679. The GDPR repeals the Data Protection Directive with effect from 25 May 2018 (Article 94 GDPR). Unlike the DPD, which required transposition into national laws, the GDPR introduces a single set of mandatory rules and is directly applicable throughout the EU, and even outside the EU as explained below.

While the Regulation (EC) No. 45/2001 stays in force, its application should be adapted to the principles and rules established in the GDPR and applied in its light (Recital 17 GDPR). Taking into account these important developments, Chapter VI EIR Recast will be addressed with due account of the GDPR.

14.1.1. Scope of Application of Data-Protection Rules

The EIR Recast and the GDPR have different...