January 27, 2012
Previously published on January 26, 2012
Yesterday, the European Commission published a new General Data Protection Regulation (the Regulation) which proposes to comprehensively reform data protection rules across the European Union. If approved by the European Parliament and Council of Ministers, the Regulation will be directly applicable and impose a single set of data protection standards in all 27 member states of the European Union. The European Commission estimates that introducing a single law will save businesses approximately €2.3 billion a year. The Regulation certainly aims to improve harmonisation in privacy law across Europe. However, the new rules will also impose substantial additional regulatory burdens on organisations. This is a real "sea change" in data protection / privacy law compliance risk.

Several versions of the Regulation have been leaked over the last two months. This has provided an insight into the EU interservice consultation, in which EU institutions have commented on the draft law. We can now see that, while the European Commission has compromised on certain points (e.g. the general requirement to obtain consent for all direct marketing has gone), the proposals in the original leaked version of the Regulation remain largely intact.

There is no doubt that the current proposals are game-changing in terms of risk for any company, group or other organisation that handles personal data. The proposals affect you if you operate in Europe or if you target products or services at EU customers. So this should be on the risk radar of global companies and groups.

The key changes include:

New single set of rules: The new EU Regulation will apply to all EU member states. The current EU Data Protection Directive (95/46/EC) will be repealed.

Scope includes extra-territorial effect: The new rules will apply to any organisation operating in the EU, but also to non-EU organisations that sell into any EU member state. So US and global companies are also caught.

Fines: Companies that have violated certain of the new European data protection rules may be fined up to €1 million or up to 2% of their global annual turnover. This figure is a slight change from earlier drafts of the document, which talked about 2-5% of global annual turnover.

Scope of "Personal Data": The Regulation confirms the broader interpretation of "personal data" to include any information relating to living individuals. This underlines the continuing disconnect between the scope of EU data protection law and the narrower/different scope of data privacy laws in certain other jurisdictions, in particular the US. It also leaves the position of IP addresses, and equivalent online data, unclear. In addition, the new Regulation deals specifically with "genetic data" and "biometric data".

Supra-national Data Protection regulation: Data controllers and data processors will be regulated by the data protection regulator in the EU country where they have their "main establishment". Equally, individuals can refer to the data protection regulator in their own country, even when their data is processed by a company based outside the EU.

Data Security Breach Notification: Companies must notify the national data protection regulator of a personal data breach without undue delay and, "where feasible", not later than 24 hours "after having become aware of it". This provision has been amended from the earlier leaked drafts, which proposed notifying the relevant regulator "as a rule" not later than 24 hours after "the personal data breach has been established". Nevertheless, the new "24 hour" rule is a huge change for EU privacy law and means you need to "go public with the bad news, and fast". This may create reputational risk.

Explicit Consent: The Regulation clarifies the meaning of consent for the processing of data. Consent must be "explicit". This will require consents to be specific as to the data being collected and the purposes for which data are used and disclosed. This will pose real challenges for many data controllers in ensuring that data consents are both valid under the new rules and user-friendly. It also reinforces the current difficulties in trying to comply with the new cookie consent rule (as the "consent" test is the same for both rules).

Data Protection Officers: There is a requirement for public authorities and large private companies ("large" means a company with 250 or more staff) to formally appoint data protection officers to ensure data protection compliance.

Right To Be Forgotten: This right requires data controllers to delete personal data relating to a data subject where the individual withdraws consent, objects to that controller's processing of their information, or where their personal data is no longer needed.

Data Portability: Individuals will have the right to transmit information which is processed electronically to another electronic system. This will impact, for example, digital media, digital vaults and any products which store customer information.

Children: There are new rules for processing data relating to children under 13.

Subject Access: Individuals will continue to have rights to access their information from the data controller. This is causing many companies difficulties where individuals try to use subject access request rights to circumvent court disclosure and/or to go on a "fishing expedition" for a possible cause of action.

New "Accountability" regime: Data controllers must adopt policies and appropriate measures to ensure, and be able to demonstrate, compliance with the new Regulation. This is, in effect, a new principle of "accountability" and requires a much more prescriptive "control framework" to be in place to ensure data protection compliance.

Increased Responsibility for Data Processors: This includes the right for data subjects to claim compensation from data processors (IT vendors / service providers) and the need for data processors to implement appropriate security measures to protect personal data. So, processors will assume direct legal risk under the new rules.

International Data Transfers: The current options available to permit international data transfers will be bolstered by the explicit incorporation of Binding Corporate Rules (an EU "data passport" to legitimise the international transfer of data across a corporate group).
What’s next? Companies are expected to lobby the European Parliament and national governments heavily for amendments to these far-reaching proposals. The legislative text will be debated by the European Parliament and Council of Ministers as part of the Ordinary Legislative Procedure (formerly known as the Co-Decision Procedure). Once finally approved, there will be a two year period before the Regulation takes effect.