The EU privacy reform was agreed in December and the European Commission has now published the first Q&A clarifying some of the changes brought by this data protection revolution.

We covered the breaking news about the agreement reached at the European level on the privacy reform in a previous post on the DLA Piper blog Data Protection Matters. We are working on a series of posts on the "hottest" topics of the new data protection regulation, but in the meantime the European Commission has published its first questions and answers on the topic. Below is a first interpretation of some of the questions raised by the European Commission; you can also find the recording and the slides of our webinar on the topic here

Why did the Commission propose a reform of the EU privacy rules?

The position of the European Commission is that the goal is to remove the inconsistencies among data protection rules across the European Union that derive from the national implementations of Directive 95/46/EC, and to modernize the rules for a digital world. The EU privacy regulation is directly applicable in every Member State and therefore, "in theory", no national implementation is required.

BUT

The regulation still leaves some "gray areas" that will need local implementation. Indeed, one of the open questions is whether the whole local data protection law shall be fully repealed, since it was mainly the implementation of Directive 95/46/EC, or whether some of its provisions shall survive and cross-refer to the regulation. Also, the approach followed in the latest version of the regulation on the "one-stop shop" rule still leaves considerable control to the local data protection authorities.

Will cross border businesses have to deal with a single privacy law? And what about non-EU entities?

This issue is linked to the previous question. There will be a single piece of legislation setting data protection rules across the whole European Union, with savings for companies estimated in the range of € 2.3 billion a year.

Companies established in more than one EU Member State, or established in a single EU Member State (or having a processor established in an EU Member State) but performing data processing activities in the Union that substantially affect, or are likely to substantially affect, individuals in more than one Member State, will have to deal with a lead data protection authority rather than with 28 different authorities under the "one-stop shop" rule

BUT

considerable exceptions have been introduced for matters that are more relevant locally and therefore shall be dealt with by the local privacy authority, which in any case shall cooperate with, and agree any decision with, the lead authority. A relevant issue is therefore whether such a complex structure will really simplify the life of companies, and how such "cooperation" will actually work in practice.

This is an issue also for non-EU entities that either offer their products/services in the European Union or monitor (e.g. by means of cookies) the behavior of individuals located in the EU, since the regulation applies to them as well.

What will change under the EU Data Protection Regulation?

The reform reproduces a number of principles that were already contained in the previous directive or that resulted from the case law of the European Court of Justice, as in the case of the right to be forgotten, with the objective of giving individuals more control over their personal data. However, the main change is

the introduction of the accountability principle

which provides that data controllers "shall be responsible for and be able to demonstrate compliance" with the data protection principles set out in the regulation. This means that the burden of proof of showing privacy compliance will rest on data controllers, and in this respect the preparation of documentation showing

the compliance with the principles of privacy by design and by default and security by design will be crucial

in case of a data breach or a mere privacy audit. Also, the development of anonymization techniques will become increasingly relevant in the context of Big Data and Internet of Things technologies, whenever the processing of personal data is not necessary to achieve the pursued objectives.