By now, everyone has heard of the draft EU Data Protection Regulation that is expected to replace the current Data Protection Directive, which dates from 1995. The key innovative provisions in the Regulation will significantly affect online fashion retailers by widening the territorial scope of EU data protection laws. Bricks-and-mortar fashion retailers in the EU, who are already subject to the Directive, will also feel the impact of the Regulation in many ways, including a new obligation to appoint a Data Protection Officer.
The New Territorial Scope of the Data Protection Regulation
Under the current Directive, the data protection laws in the EU notably apply to a data controller established outside the EU (such as a fashion e-tailer website operated in Japan) if the equipment used by the data controller for processing personal data is situated in the EU. In many cases, a website outside the EU won’t be subject to EU data protection laws.
The draft Regulation will expand the application of the European principles of data protection to any entity targeting sales to or tracking EU residents. But the changes may go farther − modifications to the draft Regulation proposed by the European Parliament would greatly extend the Regulation’s scope to data processors whose processing activities are related to the offering of goods and services to EU subjects. The Parliament’s modifications would also have the Regulation apply to personal data processing activities related to any kind of monitoring of EU residents.
Designation of A Data Protection Officer (DPO)
Under the current Directive, there is no general requirement to appoint a DPO. At this time only five EU member states have included in their laws an obligation to have a DPO. Pursuant to the draft Regulation, however, the intention is to obligate private entities to designate a DPO.
The original draft Regulation proposed by the European Commission would require a DPO when personal data processing is carried out by an enterprise employing 250 persons or more. The Parliament’s modifications concern legal entities in general and would require a DPO when it carries out personal data processing related to more than 5,000 individuals in any consecutive 12-month period.
More generally, the designation of a DPO would become mandatory where the core activities of the data controller or the data processor consist in (i) processing operations requiring regular and systematic monitoring of individuals, or (ii) processing special categories of data (such as health, racial or ethnic data), location data or data on children or employees in large-scale processing systems.
For the moment, it is uncertain which version will prevail, or even whether a new version may arise. In any case, the new Regulation will certainly have major consequences for fashion retailers in the EU and fashion e-tailers established outside the EU. With adoption expected in 2015 and a transitional period lasting at least 12 months, there is still time to prepare for the Regulation’s entry into force.