What is new in the EU regulation?
Steps to compliance
All organisations hold and process personal data (ie, personally identifiable information) – at least about their own staff, clients and/or suppliers. In Europe, such information has been regulated by data protection laws since the early 1980s.
The Data Protection Act, which deals with the handling and processing of personal data, was implemented in Germany in 2001 – a result of the entry into force of the 1995 EU Data Protection Directive (95/46/EU). The Data Protection Act has been frequently amended by legislation. The most substantial modifications were made in 2009 and 2010.
This already complex legal regime is set to be shaken up by the European Commission, which is on a mission to force both the public and private sectors to apply more rigorous standards to data processing activities.
In January 2012 the commission published a first draft of its long-awaited legislative package (the new data protection regulation) to reform data protection laws across the European Union. The proposal will now enter the legislative procedure. Once the proposal has passed through the European parliamentary system, it will have immediate and direct effect in every EU member state with minimal further scope for debate, since it takes the form of a 'regulation'.
The changes will have a huge impact on all organisations with operations in or focus on Europe.
In short, the new laws will:
- increase the regulatory burden on organisations with European operations;
- increase the amount of time, money and personnel required to achieve compliance; and
- raise the stakes in terms of potential fines and brand damage, which could arise from non-compliance.
The legislative procedure is expected to continue for quite some time. Therefore, and because the commission has set a two-year timetable for the implementation of its proposal through the European parliamentary system, the EU regulation could replace the existing Data Protection Act by 2014 at the earliest.
This update examines the most important changes of the EU regulation in its latest version compared to the existing Data Protection Act, and the compliance steps that companies are recommended to take should the regulation become effective in its current form. The European Parliament and the Council of the European Union are entitled to amend the EU regulation during the legislative procedure.
What is new in the EU regulation?
Compared to the existing Data Protection Act, organisations operating in or with Germany should prepare for the following major changes.
The new law will apply to anyone processing data in the European Union, as well as those outside Europe which are offering goods or services to EU citizens. For a multinational organisation, the location of its European headquarters will determine which EU member state's laws will apply and which regulatory authority will have jurisdiction. That said, individuals will be given a wider range of powers to bring personal action against an organisation (either in the country where a non-compliant organisation is located or in the individual's local courts). Trade associations will also be empowered to bring class actions on behalf of their members. For the first time, data processors will share equal responsibility and liability for compliance with the new laws, raising the stakes for IT service suppliers.
Restrictions in use of data
The EU regulation significantly restricts the use of data. Organisations are especially impacted as far as customer data is concerned, regardless of:
- whether it is a business-to-consumer or a business-to-business scenario; and
- how big the organisation is.
This is because the use of such data is limited compared to the existing Data Protection Act. The processing of personal data must comply with data protection law by design or by default.
The EU regulation expands the consent requirements. It includes a radical overhaul of the level of consent that is required before organisations process data. At the heart of this change is the requirement that consent to use personally identifiable information should always be obtained in advance and on an opt-in basis before it is used. The EU regulation has pulled back from requiring parental consent to be obtained for individuals under 18, as required by an earlier draft of the regulation that was leaked in November 2011. The bar is proposed at 13 years of age in the draft regulation published in January 2012.
However, such customer data can be electronically transferred to a competitor at the request of the respective customer (Article 18). Individuals will be given the right to demand that an organisation transfer any or all information held about them to a third-party organisation in a format which the individual determines. This increases the control that individuals have over data which identifies them and makes it easier for them to transfer business or employment relationships. It remains to be seen which party will be required to cover the associated costs of such an exercise, but it seems likely that the transferring organisation will be expected to do so.
Additional duties for companies
There are extended administrative duties for companies laid down in the EU regulation, such as:
- an additional transparency obligation (Article 14);
- an unlimited right to information (Article 15);
- drafting corporate guidelines (Article 11); and
- complex documentation (Article 28).
Reporting requirements to the independent data protection supervisory authority no longer exist. Instead, organisations must carry out an impact assessment (Article 33) and, in some cases, consult the supervisory authority to obtain approval for the data processing in question (Article 34).
Organisations will be required to demonstrate that they have undertaken regular data protection audits and privacy impact assessments using recognised industry standards. The key will be demonstrating that new processing systems and activities have been introduced only after privacy compliance and risk mitigation steps have been implemented. A key role of an organisation's data protection officer will likely be to coordinate such privacy by design initiatives. Regulators can designate processing activities in respect of which organisations should always proactively run a privacy impact assessment before processing commences. The EU regulation sets out a starting point list which includes any activities using data about an individual's "economic situation, location, health, personal preferences or reliability of behaviour".
As far as the data protection officer is concerned, the EU regulation puts smaller organisations in a better position than before: the obligation to appoint a data protection officer no longer starts at organisations with more than 10 employees, but only at those with more than 250 employees. Private sector companies with more than 250 employees, those whose core activities involve regular monitoring of individuals, and public authorities will be required to formally appoint a data protection officer. The data protection officer must be empowered by the organisation to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so. The EU regulation specifically requires the data protection officer to coordinate data protection by design and privacy impact assessment initiatives and to be responsible for data security initiatives generally. Responsibility for training staff is also mentioned as important. In short, the data protection officer must ensure that his or her organisation has adopted good data governance policies and procedures.
Finally, the EU regulation contains a new obligation to report data protection breaches. Organisations will have to notify data protection authorities within 24 hours of establishing that they have suffered a data breach or explain why it is not possible to provide full details of the breach. Slick internal procedures will therefore be required to verify suspected breaches and establish what has been lost or subject to unauthorised access.
More stringent prerequisites for data transfer to non-EU countries
Europe's arduous data transfer laws will be relaxed in that more options will be made available to enable organisations to share data with non-EU third parties. Specifically, the policy implementation known as 'binding corporate rules' will be formalised as a mechanism enabling data transfer compliance, which is good news for multi-site, multinational businesses.(1)
The EU regulation provides hefty penalties for breaches, graded by seriousness, as follows:
- for first offences, the national supervisory authorities may send a warning letter; and
- for serious violations (eg, processing sensitive data without an individual's consent or any other legal ground), supervisory authorities will impose penalties of up to €1 million or up to 2% of a company's global annual turnover. For less serious offences (eg, a company charging a fee for a user's request for his or her data), fines start at €250,000 or up to 0.5% of turnover; for failing to supply information to a user or failing to rectify data, they go up to €500,000 or up to 1%.
Steps to compliance
Step 1: Implementation of good data protection governance measures
Review policies and procedures
An organisation's policies and procedures are a key benchmark against which its compliance is judged by regulators. The thought that has been given to both indicates how seriously data privacy compliance is taken. Information provided in policies, whether staff or customer facing, and the practices which they encourage are also at the heart of achieving compliance with two frequently breached principles of data protection law, namely:
- data security obligations which require "appropriate technical and organisational measures" to be in place to prevent data loss and unauthorised access to data. In other words, companies need to be well organised when it comes to information security; and
- knowledge/consent obligations which require an organisation to inform its staff, customers and suppliers what data it processes about them, and what it uses that data for. Again, internal and externally facing policies provide a key mechanism for supplying that information.
Regular and well-thought-out training programmes for staff who handle valuable data, whether run online or in person, provide an extremely useful enforcement risk mitigation tool. The existence of a staff training programme will not persuade a regulator to cease bringing enforcement action, but it will impress it and assist in settlement negotiations. The EU regulation goes further and requires organisations, through their data protection officers, to organise staff compliance training.
Audits and privacy impact assessments
A similar point applies in respect of audits and privacy impact assessments. If an organisation can show that it has taken data compliance seriously by running regular audits or a privacy impact assessment before introducing significant data processing activities, this will assist its discussions with a regulator should disaster strike. An example of circumstances which lend themselves to an audit or privacy impact assessment would include outsourcing (in particular, offshore outsourcing) where valuable data will be accessible by third-party providers. The UK Information Commissioner's Office (ICO) is offering private sector organisations the option to allow it to run an audit of their operations with the incentive that the organisation will be given credit for being open, which should stand it in good stead if a compliance issue were to arise in the future. The ICO has the right to require public sector bodies (and their suppliers) to undergo one of its compliance audits, and it is not inconceivable that this right could extend to all private sector organisations.
Data transfer compliance
Europe's current data protection laws prohibit data transfers to destinations whose data protection laws are not as strong as the EU's, save where specific compliance steps have been taken. While, if implemented, the European Commission's proposed revisions to those laws would give businesses more options for dealing with this prohibition, this remains a difficult area in which organisations can achieve compliance. The increased use of cloud and outsourced IT solutions and the large number of businesses which have their own overseas operations or share data with third parties overseas mean that more and more data is being transferred. Accordingly, it would be sensible to build into any compliance review a specific assessment of an organisation's data transfer compliance.
Step 2: Supplier/partner audit
A fundamental principle of data protection law has always been that an organisation remains responsible (and liable) for the compliance acts and omissions of its suppliers, even if it is not culpable for a compliance breach. Many recent regulatory enforcement actions have resulted from situations where a supplier to the organisation, which ends up on the receiving end of enforcement action, has caused the breach. The EU regulation's provision holding suppliers as responsible as their customers for such breaches will not change this position; it will likely lead to enforcement action being meted out to both suppliers and their customers. The principle of responsibility for a supplier's acts or omissions is also repeated in many important industry codes, such as the payment card industry's data security standard. Indeed, a recent payment card industry guidance note on the use of cloud IT services stressed that a company's payment card industry compliance standing would be jeopardised if its cloud service provider was responsible for a data breach. Given that the ultimate sanction for payment card industry non-compliance is the withdrawal of rights to use debit and credit payment facilities, this is an extremely important risk issue for many companies. The risk of withdrawal of payment facilities would likely hit an organisation harder than a regulator's fine.
While responsibility for a supplier's or a partner's non-compliance cannot be avoided, mitigation measures can be adopted to reduce the fallout of a supplier-induced security breach. These include:
- Encryption – European regulators regularly impose onerous and expensive obligations on businesses following a data breach, requiring the adoption of encryption technology at short notice. Accordingly, it is sensible for organisations to review their own internal procedures and policies that are relevant to staff access to and protection of valuable data, and to consider what security measures suppliers have undertaken to meet. Deployment of encryption is advisable where data is transported on portable devices or, in the case of particularly sensitive data (again, 'sensitive' at law and sensitive to data subjects), where it is sent by email.
- Service levels – data protection laws expressly require companies to have strong written service levels in place with suppliers which are given access to personally identifiable information. A failure to have agreed such measures is viewed in a dim light by regulators when data breaches occur.
- Data breach notifications – laws requiring regulators and those individuals affected by a breach to be notified, should one occur, already apply in some European countries and/or to organisations operating in some sectors (notably, financial services and telecoms). However, the EU regulation shows a clear intention to formalise these requirements across all organisations. Company management should consider whether their business is ready to meet these requirements.
- Supplier due diligence – if a security incident occurs which involves a supplier, regulators will be interested in seeing what pre-contract due diligence was undertaken on the supplier in question.
Step 3: Cookie compliance and other marketing activities
Since May 2011 Europe's new cookie laws have regulated the use of any technology which enables device or internet usage to be tracked. Significantly, the laws oblige opt-in consent to be obtained before such technology is placed on a device, unless it is strictly necessary to enable service provision. For many businesses, the biggest challenge faced as a result is how to put in place mechanisms to explain and obtain consent for cookie usage without putting users off visiting their website.
Steps which could be considered include:
- cookie audit – assess what cookies are used for by the company website(s) and why they are used; and
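The opt-in requirement described above can be enforced mechanically: every cookie the site sets is classified during the audit, and only cookies in the "strictly necessary" category may be placed before consent is recorded. The following is an added example written for this update, not code from the original article; the cookie inventory, the category names and the in-memory "jar" that stands in for document.cookie are constructed assumptions so the logic can run outside a browser.

```javascript
// Added example: consent-gated cookie placement plus a simple audit check.
// Assumptions (constructed, not from the article): four cookie categories, a consent
// record with one boolean per non-essential category, and a Map used as a cookie jar.

// Only "necessary" cookies may be set without opt-in consent (the "strictly necessary
// to enable service provision" exemption). The other categories each need a consent flag.
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// Constructed output of a cookie audit: what each cookie is and why it is used.
const COOKIE_INVENTORY = {
  session_id:     { category: "necessary",  purpose: "keeps the user logged in" },
  csrf_token:     { category: "necessary",  purpose: "protects forms against cross-site request forgery" },
  lang:           { category: "functional", purpose: "remembers the chosen interface language" },
  _analytics_uid: { category: "analytics",  purpose: "distinguishes visitors for usage statistics" },
  _ad_profile:    { category: "marketing",  purpose: "targets advertising across sites" },
};

// A fresh consent record: nothing opted in yet.
function emptyConsent() {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
}

// A cookie may be placed if it is documented as necessary, or if the user has opted
// in to its category. Undocumented cookies are refused: an audit gap is a compliance gap.
function isAllowed(name, consent, inventory = COOKIE_INVENTORY) {
  const entry = inventory[name];
  if (!entry) return false;
  if (entry.category === "necessary") return true;
  return consent[entry.category] === true;
}

// Gate every cookie write through the consent check. Returns true if the cookie was
// placed, false if it was blocked. In a browser the jar would be document.cookie.
function setCookie(jar, name, value, consent, inventory = COOKIE_INVENTORY) {
  if (!isAllowed(name, consent, inventory)) return false;
  jar.set(name, value);
  return true;
}

// Consent can be withdrawn later: cookies whose category is no longer consented to
// (and any undocumented ones) are removed. Returns the names that were deleted.
function applyConsent(jar, consent, inventory = COOKIE_INVENTORY) {
  const removed = [];
  for (const name of Array.from(jar.keys())) {
    if (!isAllowed(name, consent, inventory)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Audit helper: cookies present that the inventory does not describe, and cookies
// present without a matching consent. Both are things a regulator would ask about.
function auditJar(jar, consent, inventory = COOKIE_INVENTORY) {
  const undocumented = [];
  const unconsented = [];
  for (const name of jar.keys()) {
    if (!inventory[name]) undocumented.push(name);
    else if (!isAllowed(name, consent, inventory)) unconsented.push(name);
  }
  return { undocumented, unconsented };
}

// Stand-alone walkthrough on constructed data.
const jar = new Map();
const consent = emptyConsent();
console.log("session_id placed:", setCookie(jar, "session_id", "abc123", consent));   // true
console.log("_ad_profile placed:", setCookie(jar, "_ad_profile", "seg-7", consent));   // false
consent.marketing = true;                                                              // user opts in
console.log("_ad_profile placed after opt-in:", setCookie(jar, "_ad_profile", "seg-7", consent));
jar.set("tracker_3p", "1");                 // a third-party script bypasses the gate
console.log("audit:", auditJar(jar, consent));
consent.marketing = false;                  // user withdraws consent
console.log("removed on withdrawal:", applyConsent(jar, consent));
```

The design point is that the gate is the single path by which first-party code writes cookies, so the audit inventory and the runtime behaviour cannot drift apart; the audit function then catches what the gate cannot control, such as cookies written by embedded third-party scripts.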
Europe's law makers and regulators are sending a clear signal to businesses that they are expected to demonstrate how seriously they take data protection compliance.
It seems highly likely that costly measures, including the appointment of data protection officers, the running of audits and privacy impact assessments and joint liability for corporates and their suppliers, will soon be introduced to encourage accountability for data compliance.
The central message is that regulators will be empowered to punish bad data governance – and 2% of worldwide turnover is an extremely high figure.
Businesses need to plan now and start preparing for a significantly higher regulatory burden.
For further information on this topic please contact Ulrich Bäumer or Stephanie Ostermann at Osborne Clarke by telephone (+49 221 5108 4168), fax (+49 221 5108 4169) or email ([email protected] or [email protected]).
(1) For further information, please see Articles 40-45 of the EU regulation.