|January 30, 2012|
Previously published on January 2012
The EU has unveiled its plans for sweeping changes to its dated data protection laws, which would have significant implications for companies both inside and outside the EU that handle data of EU citizens; and may subject them to severe fines of up to 2% of global annual turnover for violations of the new rules.
We have highlighted below how some of the proposed amendments, if adopted in this form, would change the current EU privacy framework.
A single set of privacy standards would be established in all twenty-seven EU countries (previously, privacy standards differed by country). On one hand, compliance may be easier and less costly because companies need only comply with a single set of standards, rather than twenty-seven; on the other hand, the new uniform requirements are more onerous than existing requirements in certain EU countries with more lenient privacy laws (such as the U.K.).
The amendments would also apply to U.S. and non-EU based companies "that are active in the EU market and offer their services to EU citizens." A memo explaining the proposed amendments states that the European Commission will establish "clear rules defining when EU law is applicable to data controllers established in third countries, in particular by specifying that whenever goods and services are offered to individuals in the EU, or whenever their behaviour is monitored, European rules shall apply."
Companies may be fined up to 1 million Euros or 2% of their "global turnover" for serious offenses (such as processing sensitive data without an individual's consent). Less serious offenses (such as charging a fee when an individual requests his or her data) may be subject to fines of 250,000 Euros or up to 0.5% of "global turnover."
Wherever consent is required for data to be processed, consent must be given explicitly, "meaning that it is based either on a statement or on a clear affirmative action by the person concerned and is freely given."
Individuals would have a "right to be forgotten." There would be an explicit requirement that requires online social networking services and all other data controllers (1) to minimize the volume of users' personal data that they collect and process and (2) to delete an individual's personal data if that person explicitly requests deletion and there is no other legitimate reason to retain it. There would also be a requirement for "privacy by default" which means that the default settings should be those that provide the most privacy.
A standardized security breach notification requirement would be established (currently, this is only required of telecommunications companies). All data processors would be required to notify national Data Protection Authorities - within 24 hours of the breach being discovered, where feasible - and the affected individuals "without undue delay."
Companies with more than 250 employees must appoint a privacy officer. Firms which are involved in processing operations "which, by virtue of their nature, their scope or their purposes, present specific risks to the rights and freedoms of individuals ('risky processing')" must appoint a privacy officer and must carry out Data Protection Impact Assessments.
EU companies would be subject to enforcement by a single data protection authority, located in the country where the company has its main European operations.
The reforms would also simplify the regulatory environment by "doing away with formalities such as general notification requirements."
The Commission's proposals will be sent to the European Parliament and EU Member States for discussion. They will take effect two years after they have been adopted.