Sweeping changes proposed to European data protection law
February 2013 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
Information is arguably the most valuable asset a business has. Businesses that think strategically about the creation and development of their information assets are able to increase their value, often by substantial amounts. However, much of the information processed within business systems is about individuals, and individuals have rights relating to their information. There is a degree of friction here: businesses wish to gather and use ever increasing amounts of information about people, yet this is only permitted in compliance with laws that safeguard the rights of individuals.
In Europe, the Data Protection Directive of 1995, as implemented by national law in each member state, governs how organisations may process personal data. That law is generally regarded as out of date for the digital era. In 2012, the European Commission issued a proposal to replace the Data Protection Directive with a regulation. The draft regulation contains provisions that would greatly enhance individuals’ rights but increase the compliance burden for businesses seeking to utilise personal data. The European Parliament is currently considering the draft regulation and early indications are that a tougher regime is favoured. Businesses will face significant challenges to comply.
Who and what is covered by the draft regulation?
The draft regulation covers the processing of personal data by both data controllers and data processors. ‘Personal data’ is already defined in very broad terms in the EU, and the regulation broadens this definition further by including location data, online identifiers and genetic information.
The regulation seeks to expand the reach of EU data protection law to cover processing by controllers established outside the EU where the data processing activity is related to offering goods or services to, or monitoring, EU data subjects. The regulation is intended to have very broad reach.
Main obligations on data controllers and processors. In general terms, the regulation strengthens the existing obligations relating to data processing. Data must be processed fairly and lawfully; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to the minimum necessary for the specified purpose; accurate; and kept in an identifiable form for no longer than necessary for the purposes for which the data were collected. The controller is responsible for ensuring (and demonstrating) that each processing operation complies with the regulation.
Of particular note is the inclusion of a more onerous data minimisation principle and restrictions on the use of consent. The controller has the burden of demonstrating that consent was obtained, and consent is not permitted where there is an imbalance in the relationship between the controller and the individual. Therefore, it will be difficult to use consent in the context of an employment relationship.
The regulation imposes prescriptive requirements on a data controller to adopt policies and implement appropriate measures to ensure compliance. These measures include numerous detailed requirements such as maintaining detailed records of the data processing activities, performing data protection impact assessments, and the appointment of a data protection officer. Further, the regulation incorporates the concepts of data protection by design and by default, and establishes the right to be forgotten and the right to data portability.
Overseas transfers. The regulation does not significantly ease the existing restrictions on the transfer of personal data from the EU. The Commission retains the power to determine whether individual countries offer adequate safeguards for personal data. Currently, the US is not considered to be adequate, but a separate EU-US Safe Harbor has been established. This programme appears likely to be reviewed. Transfers may also take place where adequate safeguards are adduced, such as binding corporate rules, model contractual clauses, or other approved clauses. There are other exceptions that may apply, but they are limited.
Security breach notification. Mandatory notification to both the supervisory authority and affected individuals is required in the event of a data breach. Breaches will need to be notified to regulators within 72 hours of the controller becoming aware of the incident.
Powers of supervisory authorities. The powers of supervisory authorities are strengthened and harmonised by the regulation. Where a company has operations in a number of member states, the supervisory authority in the main establishment will be the lead regulator and will act as a single contact point.
Penalties and fines. The regulation proposes an array of mandatory fines for both negligent and deliberate breaches, up to a maximum of 2 percent of a company’s worldwide turnover. Even relatively minor administrative failings appear to be liable to a fine. Significantly, processors may also be subject to a fine.
Next steps in the legislative process
The draft regulation is currently being considered by the European Parliament, and will then be considered by the Council of the European Union. It may return to both the European Parliament and the Council for a second reading if agreement on the text is not reached. Each member state is developing a negotiating position and will take part in working groups, discussions and lobbying activities over the next two years. The current draft of the regulation will alter, possibly significantly, as it is reviewed by the European Parliament, the Commission and the Council. All three bodies will be subject to intense lobbying by those affected, as well as by national interests. The draft regulation should not be regarded as settled at this stage.
It is expected that it will take 18 months to two years for the draft regulation to proceed through the political process and be agreed. There will then be a further period before the regulation is implemented in member states. The earliest possible date for a change in the law appears to be 2016.
How are organisations preparing for change?
Many organisations are still considering what the regulation is likely to mean for them in practical terms. Others are already working with their government affairs teams to influence key decision makers, and to educate legislators and policy makers. Some organisations are working through trade or commercial associations. In some cases, such as in the UK, governments are soliciting feedback from organisations in order to inform their negotiating strategies.
Although the precise nature and extent of any change is not yet fixed, there are a number of areas in which change seems inevitable. Examples include compliance obligations imposed on data processors, more detailed record keeping obligations for all organisations, the right to be forgotten, the requirement to appoint a data protection officer, and the general strengthening of the data quality principles, including the need to undertake data privacy impact assessments. Some organisations are already focusing on what these requirements will mean in practical terms, and are starting to plan enhancements and changes to their data protection programmes.
Bridget Treacy and Lisa Sotto are partners at Hunton & Williams LLP. Ms Treacy can be contacted on +44 (0)20 7220 5731 or by email: firstname.lastname@example.org. Ms Sotto can be contacted on +1 (212) 309 1223 or by email: email@example.com
© Financier Worldwide