In the wake of revelations about US surveillance of, in particular, EU public officials, there has been a marked shift in public perception on data privacy and a renewed sense of urgency within the EU to address privacy rules. In October, the European Parliament's Civil Liberties, Justice and Home Affairs Committee (the "Committee") voted to approve reforms to EU data protection rules (the "Proposed Reforms").

The legislative framework, originally proposed in January 2012 (but brought squarely into the spotlight following Edward Snowden's revelations), is intended to strengthen online privacy and address advances in technology and enhanced data generation, storage, sharing and use[1] by overhauling and harmonising the EU data protection regime to replace the current patchwork of European data laws. The Proposed Reforms will take the form of an EU General Data Protection Regulation which will be directly applicable in all EU member states without the need for national implementing legislation, and will impact companies holding personal data most significantly through the imposition of sanctions for non-compliance.

The debate surrounding the Proposed Reforms

European legislators now face a difficult balancing act. On the one hand, a number of large US corporations are lobbying against the Proposed Reforms, citing concerns of damage to business models by imposing additional and costly burdens in relation to data handling and restrictions on data use which would limit their ability to target advertising to users. On the other hand, public officials and individual citizens support enhanced protection for user data. Watchdogs, security services, internet companies and media associations are also insisting their interests be promoted and protected.

Examples of the Proposed Reforms

The Committee has proposed nearly 4,000 amendments to the original framework. Some of the most significant include:

  1. Imposition of fines of up to 5% of annual worldwide turnover or €100 million, whichever is greater, for any breach of data protection laws. This indicates a hard-line approach to any breach of data privacy laws which should operate as an effective deterrent to any would-be offenders;
  2. Extension of the territorial scope to any organisation collecting personal data of individuals in the EU when (i) offering products or services to individuals in the EU or (ii) monitoring such individuals. This largely appears to be targeted at addressing concerns regarding US corporations' use of personal data;
  3. Widened definition of "personal data" to increase the protection offered to consumers in relation to any retained information;
  4. Restrictions to "consent" which must be explicit and specific to a narrow purpose and which expire when the original purpose of the data collection ceases to exist or where data is used for a secondary purpose;
  5. Replacement of the "right to be forgotten" by the "right of erasure" limiting consumers' right to remove all digital trace from the Internet. This proposed change has been described as "necessary"[2] as technology companies contend that it would be impossible to eradicate all traces of an individual from the Internet;
  6. Right to know if personal information has been disclosed to a public authority at the public authority's request. This strengthens the position of consumers vis-à-vis national security authorities;
  7. Replacement of the "one-stop shop" by a "lead authority" which must consult all other competent authorities. This is intended to make communications regarding data both simpler and cheaper for corporations by requiring them to deal only with a single supervisory authority, in the country in which they are headquartered; and
  8. Restrictions on transfer of data to third countries, establishing an extra, European-controlled gateway to personal data. The impact of this is that if, for example, the US wished to access data held by an internet search engine provider about an EU citizen based in Europe, that internet search engine provider would have to seek prior authorisation from a European data authority.

The impact of the Proposed Reforms

The Proposed Reforms illustrate a considered approach to the competing interests of stakeholders. The amendments largely mark the shift towards increased consumer protection, which non-EU based companies contend will place them at a competitive disadvantage because they will be required to comply with at least two standards (domestic and EU) of data protection. However, perhaps the most significant impact is likely to arise from potential costs flowing from adhering to higher standards of protection and potential loss of profits due to a reduced ability to market and utilise user data.

Companies operating in the EU are encouraged by the Commission to welcome the single standard of protection and the communication with a sole supervisory authority. The Commission's view is that compliance with a single law rather than 28 varying standards is likely to be both easier and more cost efficient. In fact, the Commission predicts savings of roughly €2.3 billion per year.[3]

The future of the Proposed Reforms

The Proposed Reforms are subject to change: EU member states are in the process of developing their own proposals for data privacy through the Council of Ministers; and the 28 EU governments, the European Commission and the EU Parliament face a difficult challenge in achieving an effective and functioning legislative framework for data privacy which includes a high level of consumer protection, while at the same time balancing competing stakeholder interests.

The Commission's aim is to have the new regime agreed by Spring 2014 and in force by 2016, but such a timeline may be optimistic. We will keep you updated.