On 25 January 2012, the Commission published its proposal for a new ‘General Data Protection Regulation’. The proposed Regulation promises greater harmonisation – but at the price of a significantly harsher regime, requiring more action by organisations and with tough penalties of up to 2% of worldwide turnover for the most serious data protection breaches.
Almost one year later, Jan Philipp Albrecht, a Rapporteur for the European Parliament, published his draft report on the Regulation. This recommends 350 amendments to the Commission text, significantly strengthening the obligations on organisations. The report is now being discussed by the European Parliament. The European Council is also, in parallel, reviewing the proposal and recommending changes.
The draft Regulation is even longer than the current Directive (95/46/EC), running to 118 pages and 139 Recitals.
The draft is to be finalised by 2014 and is planned to enter into force a further 2 years after that finalised text is published in the Official Journal.
The General Data Protection Regulation is to be accompanied by a new Directive, governing use of data by public authorities for law enforcement purposes, a proposal for which was also published on 25 January.
We have summarised key changes below.
The Regulation will continue to apply to processing carried out by or on behalf of EU operations. However, the Regulation is also due to apply to controllers with no EU establishment where they undertake processing related to the offering of goods/services to EU residents, or which monitors individuals resident in the EU. Organisations covered on this basis would be required to appoint a local representative, against whom enforcement action may be taken, once they reach a threshold of processing data about 500 EU residents.
For organisations that operate across the EU, there are moves toward a partial country of origin approach. The original proposal suggested that the data protection authority in the country where the group’s ‘main establishment’ is based is to have lead supervisory responsibility. The draft Report suggests that this role will be more akin to that of a ‘single point of contact’ for the organisation. Where an organisation with no EU presence is subject to the Regulation, then the European Data Protection Board (which will replace the current Article 29 Working Party) will designate a single point of contact.
There are procedures to ensure consistency amongst supervisory authorities involving the European Commission and the European Data Protection Board. Further, where a matter affects individuals in other countries, then the draft Regulation gives those authorities rights to participate in joint actions. Individuals will be free to bring proceedings either in a country where the controller has an establishment, or where they live.
Identifiable data would still be covered and the usual test of ‘reasonable likelihood’ of identification is due to be retained.
The Regulation specifically notes that certain categories of online data may be personal – location data and online identifiers such as IP addresses and cookie identifiers are singled out for special mention. The draft Report suggests that such data should always be personal, unless it can be shown that the identifiers do not relate to natural persons (eg IP addresses allocable to corporates).
The draft Report acknowledges that anonymous data should not be covered – this is data that cannot be related to an individual, directly or indirectly. A technical possibility to make a link would not make data personal if this would require a disproportionate amount of time, effort or expense – however, this must be assessed not just at the point of data collection but throughout the period of processing.
The draft Report also proposes a new concept of ‘pseudonymous data’: data that singles someone out but does not allow direct identification.
The concept of sensitive data is to be retained – but is set to be extended to include genetic data and data about sexual orientation and ‘gender identity’. Processing of criminal offence data would only be carried out by official public bodies or in accordance with specific legal authority: a significant change for UK organisations.
Controllers, processors and producers:
The concepts are to be retained. As regards individuals, however, controllers and processors (and also joint controllers) would always be joint and severally liable, unless they can demonstrate that they are not responsible. The draft Report also suggests that ‘producers’ of systems should also be referenced in the Regulation and be required to ensure that the systems they design are data protection compliant.
Controllers and processors are to be required to document the processor’s tasks in more detail. Processors will need the consent of the controller to appoint sub-processors. Processors (as well as controllers) will have to co-operate with supervisory authorities under the draft provisions, as well as being directly subject to the Regulation and to having obligations to appoint DPOs, to document processing and to comply with certain other provisions of the Regulation (beyond mere security matters).
Organisations would be required to take measures to comply with the new rules and must be able to demonstrate this on request. Every processing operation would need to be documented and the documentation must be available to authorities on request.
The controller would have to implement measures to ensure that the data minimisation principle is met. The controller is also to be required to carry out privacy impact assessments for more ‘sensitive’ types of processing – including consultation with data subjects. Data protection officers are set to become mandatory for almost all organisations. There are limited exemptions for those processing data about fewer than 500 data subjects per year. The draft Report suggests that a DPO should be appointed for four-year terms and sets out extensive criteria that a DPO must be able to meet – including ‘at least extensive’ knowledge of law and security, and sector-specific knowledge, both in theory and in practice.
Justifications for processing:
The amendments proposed in the draft Report will likely lead more organisations to seek individual consent to justify their processing of personal data. This is because the draft Report recommends codifying (narrowly) the situations when personal data can be processed based on the legitimate interests of the controller. For example, much direct marketing would only be possible based on prior consent.
Under the draft Regulation, consent must always be explicit. Consent would not be valid if it could not be withdrawn without the individual suffering detriment. It would also not be valid if there is a significant imbalance between controller and processor – for example, in the employment context, or for organisations which have a dominant market position. Consent will not be allowed to be ‘bundled’ with other terms (consent for data processing must be clearly distinguished from these other provisions), and organisations cannot require individuals to give consent for non-essential processing. For online services using pseudonymous data, the Report suggests that (approved) automated techniques to collect consent could be used.
The draft Report substantially tightens the original proposals related to profiling. A new definition of profiling is added, being any automated processing intended to evaluate personal aspects – this would include performance at work, health, preferences or behaviour. These are merely examples: the concept is broad, with no de minimis requirement (as at present) that profiling must significantly affect the individual. Profiling which leads to legal effects or which significantly affects the individual, and which is carried out in an entirely automated manner, is outlawed in its entirety, as is profiling to identify or single out children, profiling which results in discrimination based on a protected characteristic (broadly, sensitive personal data), or profiling which leads to an inference of sensitive data (the example given being that visiting a gym indicates health data). Other profiling is only to be permitted in limited situations, including processing which is ‘necessary’ for contractual purposes (not merely processing in the course of a contract, as at present), with consent, or with express lawful authority.
The data minimisation principle would be significantly strengthened. Data could only be collected and retained if the purpose of the processing ‘could not be fulfilled by other means’.
The more onerous transparency obligations across the EU are set to be combined – individuals would have to be told the purposes of processing and informed of their rights, what data is mandatory, the consequences of not providing data, the period for which data will be retained, if data will be exported and, if it is, how it will be protected. The Report suggests that the use of Commission-approved icons would be mandatory.
A new right to be forgotten is due to be introduced, in particular where processing is justified based on consent or contract. The draft Report toughens up the right by stating that organisations which transfer data to others must ensure that the third parties erase data which is to be forgotten. However, the draft Report emphasises that the right to be forgotten has to be balanced with rights to freedom of expression and that, where data has lawfully been made public, a right to be forgotten is not ‘realistic or legitimate’.
The draft Regulation states that there is to be no charge for subject access, save in limited situations. There is also set to be a new right to data portability – with an obligation on providers to ensure that data is in a format that facilitates the exercise of this right. The draft Report strengthens this right and seemingly also applies it to paper records.
Information provided to children would need to be in clear, plain language. Where information society services are offered directly to children under 13, verifiable parental consent would be required.
Data breach notification:
It is due to be introduced. The drafted rules are similar to the rules currently being implemented in relation to providers of public (electronic) communications services, however all breaches would ordinarily need to be notified to supervisory authorities within 24 hours. The draft Report suggests a somewhat broader definition of data breach – covering any breach (even accidental) of the security obligations – but proposes extending the timescales for reporting to 72 hours.
The draft Regulation would abolish the current filing system. However, ‘risky’ processing would be subject to prior review by a data protection officer, or, for prescribed categories of processing, by data protection authorities. Risky processing could include processing using new technologies, or processing that could deprive individuals of the benefit of a contract. Data protection officers must, in turn, consult with authorities in certain cases.
Binding corporate rules are to be explicitly recognised. The draft Regulation would make it illegal to transfer data in response to legal requirements set out outside the EU. Transfers pursuant to overseas court order or administrative authority requirement would need an underpinning international treaty or mutual assistance agreement and specific authorisation would also need to be obtained.
The draft Report proposes that existing adequacy decisions (for countries) and standard contractual clauses are to fall away two years after the Regulation comes into force. New decisions by the Commission are to be subject to approval of the European Parliament.
Privacy by design:
The privacy by design principle should be deployed and implemented by default.
Member States would be entitled to introduce derogations in limited areas: journalistic, literary and artistic processing, processing for health related purposes and employment.
Exemptions would also be possible for public security, important economic and financial interests and protections for the individual or the rights and freedoms of others.
The Commission is also set to be given powers to introduce supplemental legislation relating to data processing, although the draft Report seeks to limit the extent of the powers available to the Commission.
The draft Regulation proposes tiered penalties of up to 2% of worldwide turnover for the most serious data protection breaches. Data protection authorities will be required to co-operate with each other and provide mutual assistance in this regard. The draft Report recommends more discretion for supervisory authorities on the criteria to be considered when sanctioning, but leaves levels of penalties largely untouched.