Search News & Insights
Robust EU Data Protection Regime Proposed
PRACTICE AREA GROUP: Technology and Innovation
On 25 January 2012, the European Commission published a proposed new Data Protection Framework for the EU. This framework includes a General Data Protection Regulation (the “Regulation”) which is intended to harmonise data protection laws across the EU. Its provisions will have direct effect and will establish a new regime to replace the existing law in each Member State of the EU in its entirety.
The Data Protection Framework will now go before the European Parliament and the Council of Ministers for discussion and ratification. It is anticipated that the new rules will not be in force earlier than 2014.
The Regulation as currently drafted proposes a number of important and significant changes to the existing law which we have outlined below.
Extension of Establishment Principle
The Regulation extends the scope of the European data protection regime to data controllers, established outside of the EU, in situations where the processing of personal data by those controllers is related to either offering goods or services to EU residents, or to the monitoring of their behaviour.
This change would bring many US online businesses, who target residents through tracking, mining and targeted advertising, into scope where previously the law may not have applied to their data processing activities. However, it is not clear how these rules will be enforced outside the EU.
Severe Financial Sanctions
The new regime will have a tiered penalty system with maximum penalties for intentional or negligent breaches of up to €1,000,000 or two per cent of the annual worldwide turnover of an “enterprise”. What constitutes an “enterprise” for the purpose of the Regulation remains to be determined. The highest penalties will apply to breaches such as processing personal data without sufficient legal basis, failure to notify a personal data breach in accordance with the Regulation, or failure to designate a data protection officer where required to do so.
Data subjects will also be given a judicial remedy, including damages, against data controllers and processors who infringe their rights by failing to comply with the Regulation.
The Regulation proposes to make it more difficult for organisations to rely on consent. The definition of consent now requires it to be explicit and data controllers must be able to prove that it has been obtained. However, data subjects are still permitted to give consent by a “clear affirmative action” such as clicking on a tick-box online. Consent may not be relied upon if there is a “significant imbalance in the form of dependence between the position of the data subject and the controller”.
For data controllers operating in Member States that have until now permitted them to work on the basis of implied consent, this will require a major change in practice and could prove challenging in the online environment. It may also prove difficult for data controllers to obtain valid consent in situations where there is an inherent imbalance between the controller and subject, such as between an employer and employee.
Security Breach Notification
The Regulation proposes a general obligation for notification of personal data breaches (currently notification is only mandatory in the telecommunications sector) on both data controllers and processors. In the event of a personal data breach, the data controller will be obliged to notify the supervisory authority (in Ireland, this is the Data Protection Commissioner) within 24 hours of becoming aware of the breach. A data processor must inform their controller of a breach “immediately” after they discover a breach.
The data subject will also have to be informed if the breach is likely to have an adverse affect on them not later than 24 hours after the breach has been established. Communication of the breach to the data subject will not, as a rule, be required if the controller can demonstrate it has implemented appropriate technological protection measures such as encryption, although the supervisory authority may require it to do so.
These requirements are similar to those set out in the Code of Practice issued by the Irish Data Protection Commissioner though the Regulation seeks to make notification mandatory and to impose stricter timelines for notification. Data controllers and processors will now need to have continuous monitoring and reporting systems in place which may prove to be onerous.
Transfer of Data
The existing general restriction on the transfer of data outside of the EEA remains and transfers outside of the EEA will only be permitted where adequate protection is established through, for example, a European Commission decision to the effect that a certain third country ensures an “adequate level of protection”, or the use of Model Clauses or Binding Corporate Rules (“BCRs”). It is proposed to simplify the procedure for establishing BCRs and BCRs will be automatically accepted by all EU Member States once they are authorised by a single supervisory authority.
Right to be Forgotten/Right to Data Portability
The Regulation will introduce increased rights for data subjects. They will have a “right to be forgotten and to erasure” in certain circumstances, enabling them to obtain the erasure of their personal data where they object or withdraw consent to processing (provided that there is no other legitimate grounds for retaining such data). As regards the right to object, the burden will now be on the controller or processor to show that it has a compelling legitimate reason to continue processing.
In practice, this means that a data controller will have to delete personal data completely from their system and, with regard to any information made public via the internet or otherwise, the controller will have to ensure that all other recipients of the information do likewise and erase all hyperlinks to the information. This will impact strongly on online platforms such as social media networks.
There will be a right to data portability which will allow a data subject whose data is processed by electronic means and in a commonly used format to require that data to be transmitted to them on a standard file, or another automated processing system, for further use.
In an effort to reduce the burden of compliance on organisations, data controllers and data processors will ultimately be accountable to one supervisory authority of a single Member State with regard to their EU-based processing activities. The authority responsible shall be determined according to the location of the main establishment of the organisation in question or, if there is no EU establishment, where most of the processing takes place.
An organisation will need to demonstrate that it has taken steps to comply with the Regulation and these steps will have to be documented and available to a supervisory authority for inspection. It will also have auditing and training requirements.
All controllers or processors that have more than 250 people in permanent employment will be required to appoint a data protection officer for a minimum initial period of two years. This will also be required of a controller or processor which engages in “regular and systematic monitoring of data subjects”. If the requirement is triggered solely by the number of employees, a group of companies would be advised to share a single officer.
The draft Regulation may be amended following consultation with relevant stakeholders over the coming months. However it is interesting to note that the initial stance being adopted by the Commission appears to be one of imposing increased obligations on data controllers and ensuring compliance with such obligations through the threat of significant financial penalties, while bringing the data protection regime in line with the E-Privacy Regulations.
According to the Commission, the harmonisation and simplification of rules, associated administrative requirements and enhanced enforcement provisions to be brought about by the Regulation will provide greater legal certainty for organisations, ultimately saving them millions of Euro annually while at the same time affording greater protection to individuals.
It remains to be seen whether organisations with significant business in Europe will agree with the Commission’s view, but they should nevertheless begin planning a compliance strategy well before the predicted 2014 effective date of the Regulation if they are to adhere to its provisions adequately.