(LONDON) Major changes are on the way in Europe that will have a significant impact on companies anywhere in the world that collect or process personal data of residents of the EU. But what will the precise nature of those changes be . . . and when will they arrive? The draft Data Protection Regulation is still being negotiated by the various political institutions of the EU. While there is a slim chance that the final version will be promulgated before the next EU parliamentary elections in 2014, many commentators think that’s unlikely. If the Regulation is not finalized before the elections, it will be subject to further discussion by the new parliamentary members and will roll into 2015. (The political process is recapped below.)

However, even without a final draft of the Regulation, we can be reasonably certain about a number of features of the new legislation. And 2014 will almost certainly see changes to the US Safe Harbor regime in response to the EU’s pointed criticisms and recommendations that need to be addressed (under the threat that the Safe Harbor regime could be revoked by the EU). See our previous commentary on potential Safe Harbor changes and recommendations for action here.

What should US companies who deal with EU personal data do now (well, as soon as the holidays are over)?

Without a definitive draft of the Regulation or confirmation as to how Safe Harbor will change, the best way to prepare for the new Regulation and potential changes to Safe Harbor is to get a very thorough knowledge of data flows within your organization and to or from third parties. Companies should have a comprehensive grasp of what personal data is collected, where it came from, how it is used and for what purposes, whether any consents have been obtained, and how it is stored (including security measures). What contractual protections are in place to govern how data is used and protected when there are transfers between companies (either within a corporate group or outside of a group)? Is any of the data “sensitive” personal data under the current EU Directive? Can you articulate “legitimate purposes” for your use of the data (again, per the current Directive)? Do you have good records of consent that can be tied to particular data?

In other words, if you audit your company’s compliance with the current Directive (and Safe Harbor, if you are registered) and get a thorough understanding of your data flows, it will be much easier to figure out what you might need to change under the new Regulation. Perhaps a good New Year’s resolution for 2014.

After all of the political wrangling of 2013, what’s likely to be in the new Regulation?

The negotiations aren’t over yet, but here are some key principles upon which the Parliament and the Commission seem to generally agree.

  • Substantial fines for non-compliance. The Parliament wants fines of up to 5% of global turnover. The Commission had proposed 2%. Even if the final percentage is between those two figures, the fact that fines can be levied on global turnover means that we are talking about potentially huge fines.
  • Expansion of definition of “Personal Data.” As explained by the Commission, “personal data” is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, your bank details, your posts on social networking websites, your medical information, or your computer’s IP address.” Genetic and biometric data will be specifically addressed in the Regulation.
  • One-Stop Shop. The latest draft of the Regulation keeps the concept of allowing companies to sign up with a single national regulator in the EU, which would greatly simplify compliance in terms of logistics. However, this key pro-business principle was recently attacked by the legal advisor to the Council of the European Union (which is effectively the voice of the individual governments of the Member States) as potentially contrary to European human rights. If the one-stop shop is not included in the Regulation, one of the primary pro-business benefits of the new law will be lost.
  • Express Consent Requirement To Process Personal Data – but you may not be able to rely on consent in many situation. Data controllers (e.g., any company that collects personal information) are required to obtain (and not assume) the express consent of the data subject to the processing of his/her personal data for one or more specific purposes, unless processing is required for certain limited purposes such as compliance with a legal obligation of the business or to protect the vital interests of the individual. However, the individual may withdraw the consent at any time and consent is essentially not valid where there is an “imbalance” between the position of the individual and the business.
  • Breach Notification Requirement: Businesses must notify the supervisory authority (i.e., the public authority established by each Member State) of a personal data breach “without undue delay,” which, per the Parliament’s draft, generally means not later than 72 hours after becoming aware of the breach. 
  • Requirement to Adopt Policies and Implement Measures to Ensure and Demonstrate Compliance with the Regulation. Businesses must adopt policies and implement appropriate measures to ensure and be able to demonstrate that their processing of personal data is performed in compliance with the Regulation, including maintaining documentation of processing activity. The key principle is a high level of transparency so data subjects will know what data are to be collected, and by whom, how and where the data will be used or stored.
  • Binding Corporate Rules. Under the new Regulation, Binding Corporate Rules (“BCRs”), the tool used by companies with global operations to transfer personal data of EU residents within their corporate group to entities located in countries which do not have an adequate level of data protection, will no longer need to be approved by each Data Protection Authority in each applicable EU Member State (unless the “one-stop shop” concept is not adopted, as discussed above). Under the proposed regime, BCRs that meet the requirements described in the Regulation will need to be approved by one authority and, once approved, the BCRs will be recognized by the rest of the authorities in each applicable Member State. More importantly, the approved BCRs would also cover third parties that process personal data of EU residents on behalf of the business, such as cloud service providers.
  • Data Security Obligations. Businesses are required to implement appropriate technical andorganizational measures “to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.”
  • Data Protection Impact Assessment Requirement. Businesses with processing operations that “present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes” are required to conduct a data protection impact assessment.
  • Requirement to Appoint Data Protection Officer. Businesses with more than 250 employees and certain other organizations are required to appoint a data protection officer responsible for monitoring data processing activities. The Parliament’s draft requires even small businesses to appoint a Data Protection Officer if they process the data of more than 5000 individuals.
  • Transfers of Personal Data to Third Countries. Although the restriction on the transfer of personal data to third countries that do not offer an adequate level of protection (as determined by the Commission) remains in place, under the proposed Regulation, transfers based on standard data protection clauses adopted by the Commission or based on binding corporate rules will require approval by just one supervisory authority instead of multiple national authorities.

What needs to happen before we know for sure what the new law is in Europe?

To recap the legislative process very briefly, the Commission was responsible for generating the initial draft. The European Parliament then proposed and discussed over 3,000 amendments, ultimately producing a revised draft with increased protections for individuals and a higher burden on business. Now a parliamentary committee will negotiate with the Council (the forum for the views of the national governments of the Member States) with the goal of having a definitive vote in April 2014. However, there’s a very substantial likelihood that agreement will not be reached with the Council prior to the parliamentary elections in May 2014, which will introduce more uncertainty into the timeline and with respect to the substance of the final Regulation.