Supervision and enforcement action to be taken by regulator where main establishment in EU is located
The general rule, that national regulators have competency within their national territory, is supplemented by the introduction of a “one stop shop” concept. Where a data controller or processor has operations in several Member States, the “lead” regulator (the regulator in the Member State in which the controller or processor has its main establishment) will have competency to supervise and bring enforcement action in respect of all of that controller’s or processor’s activities in the EU. The Regulation gives some guidance on what constitutes a “main establishment” and focuses on where processing is directed from rather than where it is undertaken. However, how this one stop shop will operate in practice remains unclear, particularly given the current divergent approaches to enforcement and sanctions between Member States.
Unified rules and consistency of application
The Commission decided to implement the new regime by Regulation, as opposed to Directive, specifically to reduce divergence in data protection rules between Member States, but its application could still become inconsistent through measures and actions taken by national regulators.
The Regulation therefore sets out a consistency mechanism, under which national regulators should submit certain measures, in particular measures that would substantially affect the free movement of personal data between Member States, to the European Data Protection Board (made up of all EU national data protection regulators) for its opinion. The national regulators would then have to take this opinion into account. The Commission may also issue an opinion, which must be taken into account. There are also general obligations of co-operation between Member States.
This unified approach is relaxed in certain areas so that Member States are permitted to legitimise wider processing or restrict the scope of the data subject’s rights on the grounds of public security, the prevention and detection of crime and, where necessary, for regulatory and taxation purposes. Member States are also given the freedom to set out specific rules relating to the processing of personal data in the employment context, which will mean that consistency in this difficult area of cross-border data handling is less likely to be achieved.
Further detailed requirements will flesh out the Regulation
The Commission is given delegated powers to issue more detailed criteria and requirements in relation to many of the substantive provisions of the Regulation and the European Data Protection Board is also tasked with issuing guidelines and best practice. In addition, the Regulation encourages associations and representative bodies to draw up sectoral codes of conduct which can be approved by national regulators or the Commission.
It is clear that the Regulation is the starting point for the new regime. These additional measures will resolve ambiguities in the Regulation and hopefully ensure consistency across Member States; however, they will also add another layer of more detailed compliance obligations which data controllers and processors will need to monitor carefully.
Data processors to have responsibilities
The Regulation retains the concept of data controllers and data processors, but introduces direct obligations on data processors. These include a requirement that processors document in writing, with the controller, the controller’s instructions and the processor’s obligations. Processors must also maintain documentation for all processing operations for which they are responsible, and must make this available to the national regulator on request (the same obligation also applies to controllers). There are also obligations on processors to implement appropriate security measures and to appoint a data protection officer. Giving processors these responsibilities may assist the negotiation of processor arrangements.
Data protection officer appointment mandatory
There is an obligation for an independent data protection officer to be appointed where processing is carried out by a public body, an enterprise employing 250 or more people, or where the core activities of a controller or processor consist of processing operations which require systematic and regular monitoring of data subjects.
This obligation applies to both controllers and processors and a failure to appoint may attract a top tier fine. The data protection officer must be appointed for periods of at least 2 years and may only be dismissed during that time if they no longer fulfil the requirements to be data protection officers. Such security of tenure is likely to give data protection officers greater influence than they may have had previously.
Abolition of notification regime and formalisation of impact assessments
The requirement to notify the national regulator that processing of personal data is taking place has been abolished, to reduce financial and administrative burdens. An “impact assessment” regime coupled with the concept of “accountability” would replace this. The impact assessment regime would require a controller or processor to carry out an assessment of the safeguards for protecting personal data where processing operations are likely to present a particular risk to data subjects. Where the impact assessments indicate a high risk, the national regulator should be consulted. The controller should seek the views of affected data subjects except where it would prejudice the controller’s security or commercial interests.
Accountability
Controllers and processors are required to implement specific compliance measures (which capture current best practice) including recording and establishing the details of personal data processing, data retention periods, the grounds on which data are processed and on which export is legitimised; undertaking a risk assessment in order to implement appropriate security; system design that minimises personal data collection and access; and verification of the effectiveness of those measures through independent internal or external audit where proportionate.
These measures need to be documented and made available to national regulators on request.
This part of the Regulation will have a significant impact on day-to-day data handling if effectively enforced and as such will affect all data controllers (although some documentation requirements are relaxed for certain organisations with fewer than 250 employees). The Commission may issue further requirements as to what constitutes best practice and this will set a base standard that must be achieved.
Consent as a ground for processing
The consent provisions have been strengthened. The definition of “data subject’s consent” has been amended to include the requirement that the consent is “explicit” and indicated through clear affirmative action. Consent to processing must be given in a form which clearly relates to the processing, rather than as part of a general consent to a range of matters. Consent will not be valid if there is a significant imbalance, in the form of dependence, between the position of the data subject and that of the controller, and consent in respect of a person under 13 years old must be obtained from their parent.
Right to be forgotten and data portability
The Regulation introduces a right for data subjects to be “forgotten”. Data controllers must erase personal data relating to data subjects who have withdrawn their consent (or the storage period consented to has expired) and where there is no other ground available to process the data, or who have raised a legitimate objection to the processing, or where the data is no longer necessary in relation to the purposes for which it was collected, or the processing otherwise does not comply with the Regulation. The right is stated to apply in particular to personal data provided when the data subject was a child.
The right also requires a data controller who has authorised the third party publication of the data subject’s personal information to inform such third parties that the data subject requests them to erase links to or copies of his or her personal information. This obligation is considerably weaker than in the leaked draft Regulation, which required the controller to “ensure the erasure” of such links or copies.
Data subjects would also have the right to data portability where the controller processes their personal data electronically in a structured and commonly used format. In these circumstances, the controller must provide a copy of such data to the data subject in the structured format. Where the data was provided by the data subject him or herself and the controller’s processing was based on the data subject’s consent or “on a contract”, the controller must also permit the data subject to transfer the data to another automated processing system “without hindrance”.
The details of these rights (which the Commission has delegated powers to specify) will determine their practical workability but as drafted, they present many questions for businesses as to their scope and the steps that will be required to comply with them.
Mandatory data breach notification
Controllers must notify their national regulator and, in certain circumstances, the data subject of any data security breach which leads to unauthorised disclosure of, access to, or destruction of personal data, as soon as possible and, where feasible, within 24 hours of becoming aware of it. The data subject should be notified if the breach is likely to adversely affect the protection of the personal data or privacy of the data subject. This timescale will be challenging for many organisations.
Data export
The process and restrictions in respect of data export from the EU have not been modified by the Regulation as much as some had hoped. The basic existing EU restrictions on data transfers to countries that do not offer adequate protection remain in place. However, the Regulation does make it clear that where EU model clauses are used or binding corporate rules are approved, no further authorisations are required, which will reduce the effort required to implement these types of export solutions. The permitted use of binding corporate rules has been codified in the Regulation, and one area of significant change in this respect is that binding corporate rules will be available for use by data processors’ groups of undertakings, which will better reflect the reality of processor-designed security measures in cloud and other geographically distributed outsourced services.
Interestingly, an Article in the leaked draft Regulation which restricted a controller’s compliance with regulatory and disclosure requests and orders from non-EEA authorities and courts (for example under the US Patriot Act) without prior authorisation from the controller’s national regulator has been dropped from the Regulation, leaving the current uncertainty in relation to cross-border regulatory and disclosure requests unaddressed.