The EU Commission is currently drafting a new EU data protection law. This paper summarizes the key proposals for the new law published by the EU Commission. The proposals are set out in the “Comprehensive approach on personal data protection in the European Union” (COM (2010) 609).
Who Should Read This?
Management and decision-makers, lawyers, compliance, risk and data security professionals in international business operating in Europe.
Why does EU Data Protection Law matter to US/International clients?
EU data protection law applies to any business which is established in an EU member state (e.g. an EU branch or subsidiary of a US company). It also applies where you hire an EU-based service provider to process data for you (e.g. web hosting/data storage).
EU Data Protection law can also apply where you target services at EU residents, regardless of where you are based.
What does EU Data Protection Law do?
The EU Data Protection Directive regulates the processing of personal data. It is very broad-based and regulates much data that would not be regulated elsewhere. For example, web navigation data and IP addresses can constitute “personal data” in Europe. The Directive is an EU-wide law which is implemented in each of the 27 EU member states. The legal obligation is to comply with the law as implemented in each EU member state.
Failure to comply exposes you to fines and penalties. Enforcement powers are currently being strengthened. In the UK, for example, the Data Protection Regulator can now fine up to £500,000 (US$800,000) per breach. This fining power was introduced in 2010 and has been used several times to date.
What is the EU’s Agenda on Privacy?
The EU Commission’s agenda is to protect personal data and the free flow of it within the European Union. However, the Commission also acknowledges that the data protection landscape has changed since the Data Protection Directive was first enacted in 1995. Rapid technological development and globalization have brought new challenges. The Commission has indicated that behavioral advertising and cloud computing are two examples of technology which allow individuals to share information about their behavior and preferences easily and make it globally available on an unprecedented scale.
The EU Commission’s proposals that are most likely to impact global business are as follows:
- Data Breach Notification
- Individual Rights
- Raising Awareness
- Ensuring Informed and Free Consent
- Protecting Sensitive Personal Data
- Make Remedies and Sanctions more Effective
- Enhancing the Internal Market Dimension
- Reducing the Administrative Burden
- Clarifying the Rules and Applicable Law and Member States’ Responsibilities
- Enhancing Data Controllers’ Responsibility: the “Principle of Accountability”
- Encouraging Self-Regulatory Initiatives and Exploring EU Certification Schemes
Data Breach Notification
The Commission believes that individuals should be informed when their data is accidentally or unlawfully destroyed, lost, altered, accessed or disclosed to unauthorized persons. While the e-Privacy Directive introduces a new data breach notification law for the communications sector (coming into force on 25 May 2011), the Commission may extend this to other sectors (e.g. information society services and financial services). The US, of course, already has many state-based breach notification laws that require companies to tell state authorities and individuals if their data is lost. The new EU rules will, however, apply to much broader classes of personal data.
Individual Rights
The Data Protection Directive currently says that individuals should have the right to access, rectify, delete or block their data unless there are legitimate reasons, provided by law, to prevent this. These rights already exist in the current EU legal framework. However, the way in which these rights can be exercised is not harmonized, and exercising them is therefore easier in some EU member states than in others.
The Commission supports improving the modalities for the actual exercise of individuals’ rights (e.g. by introducing deadlines for responding to individuals’ requests and by allowing rights to be exercised by electronic means).
The Commission wants to clarify the so-called “right to be forgotten” (i.e. the right of individuals to have their data no longer processed and deleted when it is no longer needed for legitimate purposes).
There are also proposals to add a new right of “data portability”, i.e. an explicit right for an individual to withdraw his/her own data (e.g. photos or a list of friends) from an application or service so that the data can be transferred into another application or service, as far as technically feasible, without hindrance from the data controller. This could be particularly important in social networking.
This may involve a new general principle of transparent processing with specific obligations on the type of information to be provided and the modalities for providing it, including in relation to children. The Commission is also considering drawing up one or more EU standard forms (“Privacy Information Notices”) to be used by data controllers.
Raising Awareness
There is a recognition that the general public (and particularly young people) need to be more aware of the risks relating to the processing of personal data and of their rights. The Commission may co-finance some awareness-raising activities and introduce obligations to carry out such activities.
Ensuring Informed and Free Consent
Consent is defined as the “freely given, specific and informed indication” of the data subject’s wishes by which he/she signifies agreement to the relevant data processing. This is, however, interpreted differently in different member states. In some cases, there is a general requirement of written consent. In other cases, implicit consent is acceptable. The Commission has also flagged the opacity of some privacy policies and the uncertainty around collection of consent for the purposes of behavioral advertising where internet browser settings are considered by some (but not by others) to deliver user consent.
The Commission will examine ways of clarifying and strengthening the rules on consent.
Protecting Sensitive Personal Data
Sensitive personal data includes information such as health records and data relating to racial or ethnic origin. The Commission will consider whether other categories of data should be added to the list of sensitive data (e.g. genetic data, geo-location data or financial services data). The Commission will also clarify and harmonize the conditions for processing such data.
Make Remedies and Sanctions more Effective
In order to ensure compliance, it is essential to have effective provisions on remedies and sanctions. The Commission will consider extending the power to bring action before a national court to data protection regulators and civil society associations and others, as well as strengthening the existing provisions on sanctions (e.g. by including criminal sanctions for serious data protection violations).
Enhancing the Internal Market Dimension
The Commission recognizes that it needs to harmonize data protection rules (not limited to minimum harmonization but amounting to harmonization “that is generally complete”). It acknowledges that the lack of harmonization is one of the recurring and main problems raised by business and is an additional cost and administrative burden for it. This can also create legal uncertainty for data controllers and for data subjects.
Reducing the Administrative Burden
This will involve providing greater harmonization (as mentioned above). The Commission will also explore possibilities for simplifying and harmonizing the current registration/notification system, including the possible drawing-up of a uniform EU-wide registration form.
Clarifying the Rules and Applicable Law and Member States’ Responsibilities
The Commission recognizes the complexity and uncertainty as to how data protection law applies to multi-national data controllers. The same question arises where the controller is established outside Europe but targets services at EU residents. The Commission considers that the processing of personal data by a controller established in a non-EU country should not deprive individuals of the protection to which they are entitled under the EU Charter of Fundamental Rights and EU data protection laws. So US and global operators who serve EU residents must comply with EU data protection laws.
Enhancing Data Controllers’ Responsibility: the “Principle of Accountability”
The Commission considers that controllers’ obligations should be more clearly spelt out in the legal framework, including as to internal control mechanisms and cooperation with the data protection regulators. The Commission will explore ways of ensuring that controllers put in place effective policies and mechanisms to ensure compliance with data protection rules. This will likely form part of the introduction of a new “accountability” principle. The Commission will also continue to promote the use of “Privacy Enhancing Technologies” (PETs) as well as “Privacy by Design”.
The Commission will examine:
- Making the appointment of an independent Data Protection Officer mandatory and harmonizing the rules relating to his/her tasks and competencies. There are likely to be exemptions for small and medium-sized businesses.
- Including in the legal framework an obligation on controllers to carry out a data protection impact assessment in specific cases (e.g. where sensitive data is being processed or when the type of processing otherwise involves specific risks).
- Further promoting the use of PETs and the possibilities for the concrete implementation of the concept of “Privacy by Design”.
Encouraging Self-Regulatory Initiatives and Exploring EU Certification Schemes
The Commission believes that self-regulatory initiatives by controllers can contribute to better compliance with the rules. The Commission will also explore the possible creation of EU certification schemes (e.g. “privacy seals” for “privacy-compliant” processes, technologies, products and services).
The Global Dimension: International Data Transfers
The Commission recognizes that the rules on international transfers of data need to be improved as follows:
- The requirements for recognition of “adequacy” in non-EU states are currently not specified in satisfactory detail, and the practice varies from one member state to another.
- Model contracts (i.e. data transfer agreements) are not designed for non-contractual situations.
- BCRs (Binding Corporate Rules) can be a useful tool to transfer data within the same corporate group, but improvements should be made.
The Commission will examine how:
- To improve and streamline the current procedures for international data transfers.
- To clarify the Commission’s adequacy procedure and better specify the criteria and requirements for assessing adequacy.
- To define core EU data protection elements which could be used for all types of international agreements.
Revising the Data Protection Rules in the Area of Police and Judicial Cooperation in Criminal Matters
The Data Protection Directive applies to data processing in member states in both the public and private sectors. It does not apply to the processing of personal data “in the course of an activity which falls outside the scope of Community law”, such as activities in the areas of police and judicial cooperation in criminal matters. The Lisbon Treaty has, however, abolished the previous “pillar structure” and introduced a new and comprehensive legal basis for the protection of personal data across the EU. There are proposals to consult on this with a view to further harmonization.
The Commission will propose draft legislation later in 2011. Non-legislative measures, such as encouraging self-regulation and exploring the feasibility of EU privacy seals, will be pursued in parallel. The timing of implementation of the new law is yet to be decided, as is its form (i.e. whether it will be an EU Regulation, and therefore directly effective in EU member states, or another EU Directive, requiring local implementation).
The Commission will also pursue an active infringement policy where EU rules on data protection are not correctly implemented and applied.