The Draft EU Data Protection Regulation: Where Are We Now, and Where Are We Going?
Recent news on both sides of the Atlantic has included considerable commentary on the issues of data privacy and international data flows. With an important vote on the issue due to take place in the EU Parliament next month, now seems like a good time to bring readers up to date with progress on the proposed draft General Data Protection Regulation (the "Regulation"). This legislation (once adopted by the EU) will provide the superstructure to its approach to the challenges of data privacy in the 21st Century.
The European Commission published its reform proposals for EU data protection law in January 2012. These reforms are intended to replace the current Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Data Protection Directive" or the "Directive").
The reforms are chiefly embodied in a draft Regulation which is currently making its way through the EU's legislative process (albeit not at a breakneck pace). The Regulation is aimed at harmonizing the data protection procedures and enforcement across the whole EU. This should provide a "one-stop shop" for non-EU companies who want to understand their compliance obligations. Under the current Directive, the EU Member States have more scope for interpretation in their national laws, and their implementation of EU law has been more uneven. This note highlights some of the key changes to the present regime that will be introduced if the draft Regulation is adopted in its current form.
Key Changes to current EU data protection law
1. The longer reach of EU law
The Regulation introduces some key changes to existing EU law. One of the most important changes is to the territorial scope of EU data privacy law.
The current Directive applies to the data processing activities of an establishment of a data controller in the EU. The draft legislation, however, also covers the data processing activities of an establishment of a data processor in the EU. So, for the first time data processors are brought within the scope of the EU data protection legislation.
The territorial reach of the Regulation will also extend to data controllers who are not established in the EU, but who offer goods or services to data subjects in the EU, or who monitor the behaviour of data subjects.
These proposed changes (if implemented) will bring all foreign companies who process the data of EU citizens within the ambit of EU data privacy law.
2. More rights for individuals; less legalese from companies
The Regulation will require data controllers to have transparent and easily accessible policies with regard to their data processing activities and the rights of data subjects. This information must be communicated in clear and plain language, especially where it is addressed to a child.
Data subjects will now also have the right to transfer data from one electronic processing system to another, without being prevented from doing so by the data controller. This right is particularly relevant for online service providers. It is intended to promote further interoperability between online systems.
3. Privacy by design; new responsibilities for data processors
The Regulation introduces a new concept of accountability for data controllers. They must adopt internal policies and mechanisms to ensure compliance with the Regulation and to be able to demonstrate compliance. They must also implement appropriate technical and organizational measures at the outset to ensure that their data processing activities meet the requirements of the new legislation (in other words, "privacy by design").
Data processors will also have obligations under the legislation for the first time. They will be required to implement security measures. Until now, obligations were only placed on data processors on a contractual basis with the data controller on whose behalf they processed data.
4. Data breaches – the need to notify
The draft Regulation requires data controllers to notify the applicable national data protection authority within 24 hours of becoming aware of a data security breach. Similarly, data processors must notify data controllers of such breaches.
The requirement to report data security breaches is already incorporated into other EU data privacy legislation, but it is of narrower ambit and does not currently exist in the Directive.
5. Time to appoint a DPO?
The new legislation makes it mandatory for certain types of entity to appoint a "data protection officer".
The tasks of such data protection officers will include informing the data controller/processor of its obligations, monitoring the implementation and application of policies and acting as a contact point for the applicable national data protection authority.
The types of entity who will have to make such an appointment are: (i) public sector bodies; (ii) private sector businesses with over 250 employees; and (iii) businesses whose core activities consist of processing operations which require regular and systematic monitoring of data subjects.
6. International Transfers from EEA to Third Countries
The draft Regulation includes a new exemption from the export ban on personal data from the EEA. The legislation will now permit the transfer of data which is in the legitimate interests of the data controller/processor, provided that the transfer is not massive or frequent, or where the data controller/processor has adopted safeguards to protect the transferred data.
7. Data Subject's right to "forum shop"
Data subjects who wish to bring a court action against a data controller or processor for an alleged breach of the data protection legislation will be able to choose between courts located in either the EU Member State where: (i) the defendant is established; or (ii) the data subject resides.
8. Bigger Fines for non-compliance
The draft Regulation will impose potentially hefty fines on non-compliant businesses. These could amount to as much as 2% of annual global sales for intentionally or negligently not complying with the specific provisions of the new legislation.
The proposed legislation, if adopted, will bring more businesses under its ambit. It will also be easier for data controllers from outside the EU to understand their compliance obligations than is currently the case under the Directive. However, the draft Regulation is set to be stricter than current EU law, and the penalties for non-compliance will be greater.
Under the current legislative timetable, the draft Regulation is to be adopted prior to the European Parliament elections in May 2014. If this timetable is met without further slippages, then we can expect the Regulation to come "on-line" in the EU during 2016.
This date is closer than it seems. Businesses should keep a close eye on the passage of the draft Regulation and its contents, in order to be in the best possible shape to meet its requirements when it does enter force. We will continue to provide updates as the legislative processes, etc., progress.