A quick review of the draft EU Data Protection Regulation
A widely-leaked version of the first legislative proposal for a General Data Protection Regulation is making its way through Brussels and beyond. The purpose of this 'Regulation' is to provide a new tool for harmonising the protection of personal data across the European Union, and one that takes into consideration the current legislative and technological environment. The key point is that Europe's rules on privacy are often taken as an example to the world -- and provide a rare opportunity to scale-up protections. Many countries across the world have data protection laws only because they wanted to satisfy European standards for data protection, and modelled their own legislation on the previous/current 1995 Directive.
This new Regulation is ambitious. From our discussions with officials in Europe, it is clear that this was not an easy document to develop because of all the competing viewpoints. We have heard that the law enforcement and national security communities are particularly worried about the direction of this policy. We were surprised to hear that many within industry were actually seeking a stronger 'regulation' rather than a 'directive', because it would at least ensure a harmonised approach across all EU member states. We have also heard that the policy-makers involved in this process wanted to create a stronger regime for privacy rather than use this opportunity to water down the regulatory regime -- and such opportunities do not come along often.
As expected, there are now requirements for 'privacy impact assessments' for risky processing, requiring companies and governments to consult with individuals and NGOs. Interestingly it also requires that the processing of criminal data is only done by government agencies, unlike in the UK where it is done by a private organisation.
As a next step the draft will be reviewed by the different Directorates-General of the European Commission in the coming weeks, and so may still change. The Commission is not expected to release its final proposal until late January 2012. It will then have to be approved by the European Parliament, beginning with the LIBE Committee.
The summary below was provided in part by our colleagues at Covington & Burling, combined with input from our other partners and network of experts. We welcome anyone else sending us their analyses; in 2012 we will run some workshops to discuss these developments and consider the ramifications for the protection of privacy in Europe and internationally.
Although implementation of the Regulation is not expected for some time, it will eventually replace Data Protection Directive 95/46 and be directly applicable in all European Member States. One of the chief criticisms of the existing EU data protection regime is that EU Member States have implemented the Directive in a divergent fashion. The Regulation would remedy this problem and establish a common set of standards applicable across the entire EU. Highlighted below are some of the more notable aspects of the draft Regulation. That said, with more than 90 articles, the Regulation contains a great deal, including a number of radically new concepts. It also envisions the Commission enacting a large number of delegated acts intended to furnish additional guidance and detail on particular matters.
The draft Regulation provides that the supervisory data protection authority of the Member State where a data controller’s main establishment is based shall serve as its lead authority, avoiding situations where a controller may be subject to the competing jurisdictions of multiple EU authorities. The Commission has included a new mandatory mutual assistance obligation intended to address forum shopping concerns.
The Regulation has a much broader scope than the Directive. It will also apply to non-EU companies that "direct" their processing activities to data subjects residing in the EU, or whose activities serve to monitor the behaviour of data subjects, replacing the current "making use of equipment" test with a new "targeting" test. The new standard will impact online service providers in particular, and proposed recitals clarify that relevant factors include whether services are provided in European languages or currencies or involve local domain names. Websites that are merely accessible to European users, however, will not be caught.
The definition of "data subject" is expanded by incorporating language previously found in Recital 26 of the Directive. A data subject is now someone who can be identified, directly or indirectly, by the controller or by "any other natural or legal person". Identification may occur by reference to an identification number, location data or an online identifier, amongst other things. The proposal also introduces a host of new definitions, including ones for "personal data breach", "biometric data", "data concerning health", "genetic data", "main establishment", and "child".
Location data, IP addresses and cookie identifiers therefore now fall squarely within the Regulation, where previously there was some confusion as to whether these counted as 'personal data'.
- European Data Protection Board
The proposal establishes a European Data Protection Board, consisting of the heads of the supervisory authority of each Member State and of the European Data Protection Supervisor. The Board is intended to replace the existing Article 29 Working Party, and will have a similar role, broadly speaking.
Meanwhile, public sector organisations are expected to have a data protection officer, as are some private sector organisations.
The draft law contains a stand-alone section on consent, which is now defined as any “freely given specific, informed and explicit indication of will”. Consent cannot be used as a legal basis for processing personal data where “significant imbalance in the form of dependence between the position of the data subject and the data controller” exists. Data protection authorities have traditionally advised against the use of consent as a legal basis for processing and this mentality is reflected in the draft Regulation. In addition, the consent of a child (defined as any person below the age of 18 years) will only be valid when authorized by the child’s parent or custodian. Consent will also be considered invalid if it cannot be withdrawn without the individual suffering detriment. The individual may object to profiling as well.
- New rights for data subjects
The draft contains a heavily caveated “right to be forgotten and erasure” that imposes a specific obligation on a controller to render inaccessible certain data, including such data when it appears on the Internet, when it is 'no longer necessary' or when consent is withdrawn (exceptions are drawn around free expression, historical/statistical data, or legal compliance). A new data portability right will enable data subjects to request that their data be held by a data controller, such as a social network service provider, in a format that allows them to transfer that data to another service provider. The Commission reserves the right to specify the electronic format and technical standards to enable such transmission.
- Impact assessments and prior authorization/consultation
The proposal also appears likely to increase the administrative burden for data controllers in certain respects, although it does dispose of the current national notification regimes. Controllers must carry out data protection impact assessments where processing operations are likely to put the rights of data subjects at risk by virtue of their nature, scope and purposes. In addition, controllers with more than 250 employees must appoint a qualified data privacy officer. In limited cases -- where processing is likely to pose a high degree of risk to data subjects -- data controllers will have to obtain an authorization from or consult with their supervisory authority prior to processing the personal data. Apart from the duty to appoint a privacy officer, these new obligations appear to apply equally to large multi-nationals and small and medium enterprises.
- Breach notification
The draft Regulation, as was expected, introduces a comprehensive breach notification regime. Rules similar to those found in the e-Privacy Directive (applicable to providers of publicly available electronic communications services and networks) have been proposed. Data controllers would be required to notify any data breach to their data protection authority, even where protective measures such as encryption are in place or the likelihood of harm is low. Data controllers must also notify data subjects when a data breach is likely to “adversely affect” the protection of their personal data, unless the data controller can demonstrate, to the satisfaction of the supervisory authority, that it has implemented appropriate technological protection measures.
The provisions that will govern future foreign e-discovery exercises are likely to attract much attention and comment. Controllers will first be required to seek authorization from their data protection authority before they can make personal data available in response to a court judgment or decision by an administrative authority in a third country. These provisions, together with the higher monetary penalties envisioned by the Regulation, are clearly intended to serve as a counterweight to pressures exerted under foreign legal regimes, such as those in the U.S.
- Data transfers
The existing EU restriction on data transfers to countries that do not offer adequate protection remains in place. However, the use of standard contractual clauses will no longer be subject to prior authorization or approval by data protection authorities. Also, the adoption of binding corporate rules (BCR) would be made easier, and an entire section is devoted to the concept. The draft Regulation retains the original derogations for transfers to third countries, such as consent, but adds a new derogation for transfers necessary for the legitimate interests of a data controller, although this must be balanced against the rights of the data subject.
The draft Regulation contains an elaborate section on administrative sanctions. Mirroring sanctions for violations of EU competition law, each competent authority would now have the power to impose administrative sanctions and to tailor these sanctions according to a company’s annual turnover. For certain types of intentional or negligent violations, supervisory authorities will be able to impose fines of between 100,000 and 1,000,000 Euros, or as much as 5% of an enterprise’s annual worldwide turnover.