Minister Shatter confirmed last week that he is optimistic that, by the time the Irish presidency of the EU comes to an end, very substantial progress will have been made on the proposed new EU data protection framework. The new framework has been outlined in draft Regulations which, if adopted, would repeal the existing Data Protection Directive (95/46/EC). Implementing the framework as a Regulation means that the new rules would be directly applicable in all member states, so that a single set of data protection rules would apply across the EU.
The new framework is to be welcomed by European businesses, as it allows for a consistent approach to data protection issues across EU boundaries. In fact, the European Commission anticipates that this harmonised approach will reduce the current fragmentation and costly administrative burdens, leading to an estimated saving for businesses of €2.3 billion a year.
However, if adopted, the proposed Regulations will impose an increased compliance burden on data controllers in the EU. The following highlights some of the key features set out in the new Regulations:
Under the Regulations, there will be only one responsible data protection authority (DPA) for a data controller: the DPA of the member state in which the company has its main establishment. This greatly simplifies the way businesses and individuals interact with data protection laws, as opposed to the current situation, where businesses are supervised by a different DPA in each member state in which they trade.
Right to be forgotten
A reinforced right to be forgotten is proposed under the draft Regulations, which will help individuals better manage data protection risks online: individuals can require the erasure of personal data relating to them and require the data controller to abstain from further dissemination of such data. This will be subject to certain exceptions under the draft Regulations where the data is required for “historical, statistical or research purposes”.
Under the new rules, data controllers will no longer be able to rely on “passive consent” whenever consent is required for data to be processed. Consent will have to be given explicitly (either by a statement or by a clear affirmative action), rather than by a pre-ticked box or an assumption of consent, as is sometimes the case under the current framework. The burden of proof is on the data controller to provide satisfactory evidence that consent has been obtained.
Data breach notifications
Where a data breach occurs, businesses will have to notify the national supervisory authority as soon as possible and, where feasible, within 24 hours. Where a breach is likely to affect an individual’s privacy, that individual will also need to be notified. This requirement is already listed as best practice in the code of practice of the Irish Office of the Data Protection Commissioner.
Increased data controller responsibility and accountability
Broadly speaking, under the Regulations data controllers will be required to (i) maintain documentation of all processing undertaken by the data controller and its data processors and (ii) carry out a data protection evaluation to ensure that the data will remain safe.
Extended territorial reach
Data controllers outside the EU whose processing activities relate to the offering of goods and services to (“including services offered free of charge”), or the monitoring of the behaviour of, data subjects residing in the EU will also be caught by the Regulation.
European data protection board
An independent European Data Protection Board is to replace the Article 29 Working Party and will comprise the heads of the DPAs.
Data Protection Officers
Data controllers and processors employing more than 250 people, or whose core activities consist of processing operations, must appoint a designated Data Protection Officer (DPO). The DPO must be an independent person whom data subjects may contact in relation to any issues they have regarding their data. A group of undertakings may appoint a single DPO between them.
The Regulations introduce a tiered approach to the imposition of penalties. For serious violations (such as processing sensitive data without an individual's consent or any other legal basis), the DPA shall impose penalties of up to €1 million or up to 2% of a company's global annual turnover.
The Regulations will now pass through the European Parliament and the Council of the European Union for amendment and adoption in accordance with the EU legislative process.
This legislative process is under way, and the proposals and recommendations made at EU committee stage are to be voted upon by the European Parliament later this month.
Following their adoption, the Regulations will not be binding upon data controllers for a further two years from the date of adoption. Accordingly, it is likely to be at least three years before the Regulations are enforced.