Organisations operating in Europe are set to become subject to a new and far-reaching data protection reform package which will harmonise data protection rules across the EU.
In March 2014, the European Parliament approved legislation to reform EU data protection following an original reform package proposed by the European Commission in January 2012. Since then, the legislative process has been moved onto the Council of the EU for its approval of the proposed reforms. The core area of contention revolves around the extensive reforms proposed by the Regulation. Some of its main measures include the following:
- Territorial scope: any organisation operating and processing personal data in the European Union market, irrespective of whether the organisation is physically in the EU, will be subject to the Regulation. The same will apply to any data controllers or data processors established in the EU regardless of where the personal data they process is territorially located.
- One-Stop-Shop: a data controller with operations in more than one EU Member State will be regulated by the Data Protection Authority (“DPA”) in the Member State where it has its “main establishment”. The DPA in Ireland will be the Office of the Data Protection Commissioner.
- Consent: it will be mandatory for consent to be explicit and freely given. Data controllers will need to prove consent was given should it ever be challenged. The validity of consent will expire once the purpose for which it was sought ceases.
- Data Protection Officer: any organisation that processes data relating to more than 5,000 data subjects over a 12-month period must appoint a Data Protection Officer.
- Risk Impact Assessment: data controllers will be obliged to conduct risk impact assessments where their method of processing data presents significant risks to data subjects.
- Breach Notification: it will be compulsory for data controllers to report a breach to its DPA.
- Penalties: organisations breaching the new rules could face penalties of up to 5% of annual turnover or €100million.
- Right to be Forgotten: the right of individuals to request data controllers to de-list any inaccurate, irrelevant or outdated information pertaining to them will be included in the new legislation.
There has been a steady stream of status updates in terms of EU institutions finalising the Regulation. In November 2014, Luca De Matteis, Justice Counsellor and permanent representative of Italy to the EU announced to delegates at the International Association of Privacy Practitioners Conference that the Italian presidency had made a breakthrough by reaching a consensus on two of the most politically sensitive issues: the contentious one-stop-shop concept and the obligations to be placed on public sector organisations.
Following a Council of Ministers meeting in early December 2014, it was confirmed that specific aspects of the draft regulation, including provisions relating to the public sector, had been discussed. The Council also held a debate on the "one-stop-shop" mechanism on the basis of a proposal presented by the Italian Presidency. The indications are that the one-stop-shop provision may include a “proximity” requirement to give some powers to local DPAs representing data subjects and that there may be some flexibility afforded to Member States to make specific rules for public sector organisations. Whilst a majority of ministers endorsed the general architecture of the proposal it was concluded that further technical work will need to be done in the coming months.
With the text of the Regulation due to be finalised in the first half of 2015, all organisations should familiarise themselves with these upcoming changes before they come into force.