Data protection and privacy law in the EU: Comprehensive reform under discussion
On January 25, 2012, the European Commission proposed a comprehensive reform of the data protection rules ensuing from EC Directive 95/46/EC (October 24, 1995). This reform is the outgrowth of extensive public consultations started in 2009 and has several objectives, including: 1) harmonizing EU privacy legislation and eliminating the current legal disparities among EU member states; 2) reducing the costly administrative burden on companies by approximately EUR 2.3 billion a year; and 3) strengthening the control individuals have over the use of their data, especially in the online environment and the growing digital economy.
This new legal framework is made up of two proposals:
- A new regulation for the protection and processing of individual personal data and on the free movement of such data, which is intended to supersede the current EC Directive 95/46; and
- A new directive on the protection of personal data processed for the purposes of prevention, detection, investigation, or prosecution of criminal offences and related judicial activities, which is intended to replace the current Council Framework Decision 2008/977/JHA of November 27, 2008.
The Commission’s proposals will be submitted to the European Parliament and the EU member states to be examined and discussed. They will become effective two years after they have been adopted. Given the multi-layer approval process, not to mention the chance of significant changes during that process, we suspect adoption will not happen until 2013 at the earliest.
Key changes in the proposed regulation include:
- Single corpus of rules. A single data protection rule will apply throughout the European Union.
- EU market targeting criterion. EU rules will apply to personal data processed abroad by companies or organizations that are active in the EU and offer their services to EU citizens.
- Reporting to a single EU supervisory authority. Companies with multi-jurisdictional operations in Europe will only have to report to the national data protection authority in the EU country in which their main establishment is located. Individuals will be able to look to the data protection supervisory authority in their countries of residence, even when their data is processed by a company based outside the EU.
- No further notice obligation. The current obligation of companies to report their data protection-related activities to (potentially) multiple supervisory authorities will be eliminated, but the new regulation will require data controllers and processors to: (a) ensure the documentary traceability of their processing, (b) adopt policies and appropriate measures to protect personal data, and (c) be able to evidence their compliance status. Previous authorizations to transfer data outside the EU will be unaffected, as will court decisions within a third country requiring foreign companies to disclose personal data received from the EU (e.g., e-discovery).
- Data protection officer appointment. The appointment of a data protection officer becomes compulsory for: (i) public sector entities; (ii) private entities employing more than 250 employees; and (iii) any entity whose primary activity consists of processing operations that, by virtue of their nature, scope, and/or purpose, require regular and systematic monitoring or follow-up of data subjects.
- Data protection impact assessment. Companies are required to conduct an analysis before they process any personal data if the processing is likely to affect the rights and freedoms of data subjects (e.g., children, sensitive data, genetic data, biometric data, monitoring of publicly accessible areas, automated profiling, etc.). Where such findings indicate that the data processing still presents a high degree of specific risk, the applicable data protection supervisory authority must be consulted. Essentially, data controllers have to pay more attention to the transparency of their practices and the actual need to collect particular information.
- Prompt data breach notification. The applicable national supervisory authority must be notified of any serious data security breach as soon as practicable (if possible, within 24 hours).
- Children. Specific provisions are included with respect to the processing of a child’s data. For example, express parental or guardian consent is necessary for an online service to process the data of a child under the age of 13. Data controllers must make reasonable efforts to obtain verifiable consents and make it clear that they’re asking for such consents. The Commission may require standard forms and specific methods to obtain consents.
- Explicit consent. Wherever consent is required for data to be processed, the consent has to be given explicitly, rather than assumed, and data controllers have the burden of proving that consent was properly obtained.
- Processing transparency. Data controllers are required to implement procedures and mechanisms allowing individuals to exercise their statutory rights, including how to file requests on electronic forms, sufficient time (one month) to answer a request, and why a data controller may refuse to provide requested information (the data controller will have the burden of proof that a request is excessive).
- Data subject information. More information is to be provided to individuals about the processing of their personal data, including storage duration, the right to file a complaint with the data protection supervisory authority, the level of the legal protection given to the data in a foreign receiving country or international organization and the extent to which the authorities in that country or organization can potentially access the data by virtue of their rules, and the source from which the individual’s data was indirectly collected.
- Better individual access. Individuals will have better access to their personal data and, if asked, data controllers must provide the processing purpose, the categories of data processed, the data storage duration, any available information as to the data source, and information about the individual’s right to request rectification or erasure of the data or to object to its processing.
- New right of portability. Individuals will have the statutory right to transfer their personal data from one service provider to another without objection from the data controller. The regulation also provides that individuals can receive a copy of their data on electronic media.
- Right “to be forgotten.” Individuals will have a new statutory right to demand the deletion of their personal information and links to such information or any copy thereof if there is no legitimate reason for it to be stored. The data controller must coordinate with any necessary third party involved in the processing to ensure effective deletion.
- Profiling. Individuals will have the right to be free of any measures based on automated processing intended to evaluate certain personal aspects about them if the processing is likely to produce legal effects on them or otherwise significantly affect them. The implementation of any such processing: (a) must be accompanied by appropriate guarantees to safeguard each individual’s legitimate interests (e.g., the right to obtain human intervention), (b) requires the individual’s prior express consent, and (c) must have been duly authorized by EU law or the law of a Member State.
- Data transfers outside the EU. The regulation elaborates the conditions, proceedings, and criteria under which the European Commission is entitled to recognize the adequacy of the protection of personal data of a non-EU country. Any data transfers to third countries still remain subject to the prior implementation of appropriate guarantees, including the execution of data transfer agreements based on the EU Commission’s standard clauses or the Binding Corporate Rules approved by the relevant data protection supervisory authority. Standard contractual clauses can now be adopted by a data protection supervisory authority, provided they have been declared generally valid by the EU Commission.
- Fines. Independent data protection authorities in each EU state will have more power to enforce and ensure compliance with EU privacy rules. They will have the power to impose fines on companies that breach the data protection rules in their territory of up to €1 million or 2% of the defaulting company’s annual worldwide turnover.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.