January 26, 2012
Previously published in January 2012
The European Commission has just released a new and comprehensive rewrite of European Union data protection law which, if adopted by the European Parliament, promises to have a major impact on companies doing business in the European Union. Thus, as the regulation moves towards final adoption, businesses should begin to assess its impact on their existing operations.
On 25 January 2012, Viviane Reding, the Vice-President of the European Commission and European Union Justice Commissioner, formally released the Commission’s proposed European Union-wide General Data Protection Regulation (the “Proposed Regulation”). This Proposed Regulation implements a comprehensive reform of European data protection laws intended to strengthen online privacy rights and boost Europe's digital economy. It seeks to take into account the realities of modern data flows, particularly in light of the increased use of social networking sites, cloud computing, location-based services and smart cards. This follows a month of uncertainty after it was understood that at least six European Union policy units had issued negative opinions on the draft Regulation leaked in December 2011. The Proposed Regulation will impact organisations doing business in the European Union, including U.S. organisations that are active in the European Union market and offer their services to European Union citizens.
While the reforms are intended to simplify numerous rules and regulations, and seek to remove some of the administrative costs associated with doing business in the European Union, they also impose potentially significant new obligations on businesses processing personal data in the context of their European operations. Thus, it will be important for organisations to understand these and implement them accordingly.
Summary of the Changes
The following key areas of the reform will impact on privacy and data protection compliance for organisations:
A Single Set of Rules: The Proposed Regulation provides for a single set of rules for all organisations processing personal data in the European Union. It will replace the first Data Protection Directive (published in 1995), which will be repealed. This Proposed Regulation will have direct effect in all Member States and, as a result, will achieve greater harmonisation than if the reform was made by a revised Directive, which carries with it a risk of inconsistent implementation by Member States, as witnessed with the implementation of the Data Protection Directive. In addition to the Proposed Regulation, there will be a new Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
Fines: National data protection authorities will be allowed to impose fines of up to 2% of the worldwide gross revenue of an organisation. The 2011 proposal had set this amount at 5% of worldwide gross revenue.
"One-Stop Shop": The Proposed Regulation implements a "one-stop shop" approach to data protection compliance in the European Union, meaning that an organisation only needs to comply with the data protection laws in place in the jurisdiction in which it has its main establishment. This is similar to the passporting system and principle of home state supervision, which is already reflected in European financial services regulation. In addition, the Proposed Regulation will have extra-territorial effect. This means it will apply to organisations (such as many U.S. businesses) that are not established in the European Union, but are active in the European Union market and offer their services to European Union citizens.
Data Breach Notification: The Proposed Regulation imposes a general requirement on all businesses to notify data protection authorities and data subjects in the event of a data breach. Notice of data breaches must be provided to the data protection authority “where feasible” within 24 hours, and to affected data subjects “without undue delay.” While breach notification has recently become a requirement for telecommunications and internet service providers, the Proposed Regulation extends this requirement to all organisations. Given the increase in global cyber risks and the reputational impact and associated costs of data losses and breaches, this aspect of the reform is likely to have a significant impact on organisations.
Consent: Where consent is to be used as a justification for processing personal data, the Proposed Regulation requires that it must be given explicitly, rather than assumed. This will cause particular concern for e-commerce organisations worried about how to obtain consent without detrimentally affecting the user experience.
Data Portability: The Proposed Regulation also introduces a new individual right of data portability, which is designed to facilitate an individual's access to personal data. This requires organisations to permit customers to move their data to new organisations offering similar products or services. This is also intended to improve competition among services. While this may sound relatively straightforward, in practice the costs of migrating data from one system to another can vary significantly, and may be particularly burdensome for cloud providers and social networks.
The "Right to be Forgotten": The Proposed Regulation also adds a new "right to be forgotten" which allows an individual to require an organisation to delete personal data where there is no longer any legitimate reason for keeping it. This new right is more stringent than the existing obligation for data controllers not to keep data for longer than is necessary.
International Transfer of Data: The Proposed Regulation provides for a shift in the rules to reflect the way that data is currently transferred internationally. It seeks to address the problem that current data protection laws function only within a given territory, usually defined along national borders, and do not reflect the reality of international business. In particular, organisations making use of the cloud will be collecting data in one territory and subsequently processing it in numerous other territories. The Proposed Regulation will simplify the requirements for organisations seeking to do this. In addition, it also aims to improve the current system of “binding corporate rules” to make compliance less burdensome; “binding corporate rules” are typically a set of intra-corporate global privacy policies that satisfy the European Union standard of adequacy when organisations are seeking to transfer data outside of the EEA. The Proposed Regulation would require all data protection authorities to recognise "binding corporate rules" approved by an individual data protection authority.
Data protection by design and by default: The Proposed Regulation requires data controllers to only collect and retain personal data to the minimum extent necessary in relation to the purposes for which they are intended by design to be processed. This will be particularly controversial for organisations seeking to undertake data analytics of their mass repositories of data.
Accountability and Data Protection Officers: The Proposed Regulation seeks to increase the accountability of data controllers and data processors, including by requiring that they carry out data protection impact assessments prior to risky data processing activities. In addition, organisations with over 250 full-time employees will be required to have a Data Protection Officer.
The Reform Ahead
The Proposed Regulation will now be passed on to the European Parliament and Member States for discussion and approval. It will take effect two years after it is adopted by the European Parliament. It remains to be seen whether further objections will be raised, which will obviously impact on the implementation timetable.
It is clear that some of the changes will be welcomed as they will give rise to significant cost savings for organisations seeking to achieve data protection compliance in numerous Member States. In turn, this will help to promote innovation and growth. However, the potential changes relating to accountability, data breach notification, data portability and the right to be forgotten will require significant investment for organisations to implement them effectively.