In December 2012, Jan Philipp Albrecht, a Rapporteur for the European Parliament, released a draft report (the ‘‘Report’’) on the European Commission’s proposed EU Data Protection Regulation (the ‘‘Draft Regulation’’), which is intended to replace the existing legislative framework that has been in place in the European Union since 1995 (see analysis at WDPR, February 2012, page 4).
The Report (which is in excess of 200 pages and contains 350 proposed amendments to the Draft Regulation following the submission of comments on the Draft Regulation by various stakeholders over the last few months) gives broad backing to the proposed framework. As a result, the Report has come in for criticism for not addressing more fully issues of proportionality in relation to some of the more controversial concepts underpinning the proposals, including the broad definition of personal data and the right to be forgotten.
The Report proposes a number of key amendments to the Draft Regulation, of which companies processing personal data in the European Union or data relating to EU citizens should be aware, as discussed below.
When Can ‘Consent’ be Relied upon to Process Personal Data?
The issue of what constitutes consent is a hot topic, being recently considered in an opinion published by the EU Article 29 Data Protection Working Party, which looked at the concept of ‘‘consent’’ in the context of the EU Data Protection Directive (95/46/EC) and the EU e-Privacy Directive (2002/58/EC).
The Report also considers what constitutes consent, which is one way businesses can justifiably process personal data under the current law and the Draft Regulation.
Under both the Draft Regulation and the current law, businesses looking to rely upon consent in order to process an individual’s personal data would be required to ensure that the consent was explicit, freely given, specific and informed, and that it was obtained through a statement or ‘‘clear affirmative action’’.
However, the Report goes one step further and proposes that organisations seeking to rely upon consent should not be able to use ‘‘pre-ticked boxes’’ to gather consent. As Albrecht states in the Report: ‘‘The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent’’.
When Can the ‘Legitimate Interests’ Exception be Relied upon to Process Personal Data?
The Draft Regulation does not significantly depart from the current Data Protection Directive in that it would permit processing of an individual’s personal data if this was in the ‘‘legitimate interests’’ of the data controller and these interests were not overridden by the fundamental rights of the data subject.
The legitimate interests justification has been increasingly relied upon in recent years by businesses to process personal data, particularly as the ability to legitimately rely upon consent has become narrower.
The Report, however, would make it trickier for businesses to rely upon the legitimate interests justification, proposing that a data controller would be obliged to publish its reasons for relying upon this justification, selecting those reasons from a list of cases where this justification would be deemed to override the fundamental rights of a data subject. As a result, the Report envisages that businesses would be able to rely upon this justification only in ‘‘exceptional circumstances’’, with Albrecht stating that these proposed amendments ‘‘give clearer guidance and provide legal certainty for data processing’’.
Expansion and Qualification of the Right to be Forgotten
The Report suggests that the proposed right for individuals to be forgotten should be reworded to include a right to erasure.
More helpfully, it also suggests that this right should be amended so that data controllers would not be required to take steps to request third parties to erase personal data if the initial processing was conducted with the data subject’s consent or based on another justification envisaged by the Draft Regulation. As Albrecht concludes: ‘‘If publication of personal data took place based on legal grounds, the right to be forgotten is neither realistic nor legitimate’’.
Extension of the Jurisdictional Reach of the Draft Regulation
An important proposal, particularly for those companies based outside the European Union that process the personal data of EU residents, is that the new rules should extend to all of the collection and processing of personal data about EU residents.
Extension of the Time in Which to Notify for Data Breaches
The Report goes on to propose an increase in the time within which data controllers must notify data breaches to the relevant data protection regulators. The Report proposes that notifications should take place within 72 hours, rather than within 24 hours as proposed in the Draft Regulation (although the proposed requirement that the notification must be made ‘‘without delay’’ would remain).
Significant Increase in the Information Given to Data Subjects Before Their Data is Processed
Whilst the current legislative regime already provides for detailed and clear notices to be given to data subjects before their data is processed, the Report proposes that, as a minimum, the following should be communicated to data subjects:
- the reasons for believing that the data controller’s legitimate interests override the interests of the data subject;
- a list of all recipients of the data subject’s personal data (not just a list of the categories of recipients);
- the appropriate safeguards put in place by the data controller in the case of transfers of personal data outside the European Union, along with an explanation as to how data subjects can obtain a copy of the safeguards; and
- information about profiling and how to object to it.
Erosion of the ‘One-Stop Shop’ Principle for Companies Established in More Than One EU Member State
The Report suggests watering down the principle that a single data protection authority, located in the Member State of the data controller’s main establishment, would be responsible for compliance issues throughout the European Union.
Instead, the Report envisages that each applicable national data protection authority would be competent to supervise processing operations within its territory or affecting data subjects resident in its territory.
Where processing was being carried out in various Member States, a single data protection authority would have lead responsibility, and would act as the single point of contact. The lead authority would ensure coordination with all other data protection authorities involved and consult with the other authorities before adopting a measure.
In cases where determining a single lead authority proved difficult, the European Data Protection Board would make a determination as to which supervisory authority was the lead.
All Rules Should Apply to All Data Controllers, Regardless of Size
Whilst the Draft Regulation provides for some exemptions, under which micro, small and medium sized enterprises would not need to comply with certain obligations of the new regime (e.g., an organisation with fewer than 250 employees would have no obligation to notify its processing operations to the relevant data protection authority), the Report considers that ‘‘all rules should apply to every data controller’’.
Expiration for Safe Harbour Agreements and Model Contract Clauses
A further key point to note, particularly for U.S. organisations that process data in the European Union or other organisations that transfer personal data from the European Economic Area, is that the Report proposes to amend the Draft Regulation with respect to transfers based on Safe Harbour agreements or model contract clauses.
The Report suggests that such arrangements should remain in force for only two years after the Draft Regulation is in force, whereas the current proposal in the Draft Regulation would leave such arrangements in effect ‘‘until amended, replaced or repealed by the Commission’’.
Whilst the Report has been welcomed with open arms in some quarters (for example, by France’s Commission nationale de l’informatique et des libertés (CNIL) in its response to the Report on January 16, 2013, in which it generally welcomed many of the key amendments proposed), many others feel that the amendments proposed by Albrecht would damage the interests of businesses and too heavily favour the interests of individuals.
For example, in a recent statement, the Industry Coalition for Data Protection (a body which represents many major business trade bodies, including the American Chamber of Commerce in the European Union, the Internet Advertising Bureau Europe and the Japan Business Council in the European Union), criticised the Report, stating: ‘‘We regret . . . that after months of consultation, the draft report . . . missed an opportunity to reconcile effective privacy safeguards with rules protecting the conduct of business — both fundamental rights under the EU charter’’. It went on: ‘‘[W]e urge members of the European Parliament . . . to take into account the important contributions emanating from other committees, and to enact legislation that maintains user trust while encouraging innovation and entrepreneurship in Europe’’.
Whilst some of the proposed amendments offer a glimmer of hope for companies (e.g., the proposed changes to the Draft Regulation around the rights to erasure and to be forgotten), the proposed narrowing of the ‘‘legitimate interest’’ justification, the proposed narrowing of the definition of ‘‘consent’’ and other key proposals, in combination with the very significant fines proposed for breaches of the Draft Regulation (up to 2 percent of global turnover), make a strong case that the Report is unhelpful for businesses at a time when they need all the help they can get to stimulate growth.
Albrecht’s proposed amendments contained in the Report will now be discussed in plenary session by the European Parliament, and the extent to which they are implemented to create a revised draft of the Draft Regulation remains to be seen.
In terms of the bigger picture, it is anticipated that the Draft Regulation should be ready for trilogue between the European Parliament, the European Council and the European Commission in the summer of this year, with it being put to a final vote in the plenary session of the European Parliament by early 2014.
On the assumption that there will be a two year implementation period, it is envisaged that a new EU Data Protection Regulation, however it may look, will be in force around late 2015 or early 2016.
This article first appeared in Bloomberg BNA, January 2013.