European data protection control authorities are catching up with the rapid technology evolution which has taken place since the adoption in 1995 of the Directive 95/46/EC on personal data protection (Directive). In early April, control authorities of various Member States of the European Union (EU) launched investigations as a result of the new privacy policy of a well-known search engine.
Such action is to be linked to the proposed regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Proposal), which was first published on 25 January 2012 and is currently being debated before the European Parliament. The Proposal reflects the growing concern of the EU and its Member States in light of the changes, over the last decade or so, in Internet applications, including the development of social networks (Facebook, Twitter), sharing sites (YouTube, Instagram) and retail websites, although it also acknowledges the need to develop the European digital economy.
Hence, the reform contemplated by the Proposal has two stated objectives: building a coherent and more efficient data protection framework throughout the EU, and allowing the digital economy to develop.
It is too early at this juncture to assess whether the Proposal will meet these two objectives, especially pending the finalisation of the draft Report presented to the European Parliament on 10 January 2013 by Jan-Philipp Albrecht, rapporteur for the Civil Liberties, Justice and Home Affairs Committee of the European Parliament (Report). However, it is far from clear that businesses will indeed benefit from the proposed reform, which is to be adopted at the beginning of 2014, with a coming into force two years later in all EU Member States. As a result, businesses processing data of EU subjects should become familiar with the general trends of the new legal framework, as it will bring about significant changes in their responsibilities and obligations.
Here are some highlights of the Proposal, as proposed to be amended by the Report.
- An extensive application: joint obligations of the controller and the processor and wide territorial scope
The proposed regulation changes will impact both the controller, that is, the natural person or entity which determines the purposes, conditions and means of the processing of personal data, and the processor, that is, the natural person or entity which processes personal data on behalf of the controller, as the Proposal imposes a fair number of obligations on both of them and not on the controller only.
The Proposal retains, as a basis for its application, the processing of personal data by a controller or a processor from an establishment in the European Union. But the Proposal goes beyond such traditional grounds of jurisdiction: it also applies to a controller not established in the European Union in certain circumstances. A controller not established in the EU will be subject to the regulation where its processing activities relate to the offering of goods or services to individuals who are identified or who can be identified (data subjects) in the European Union. A controller monitoring the behaviour of EU data subjects is also bound by the regulation. The Report goes further by providing that this rule applies where goods or services are offered for free, and by including all collection and processing of personal data about EU residents, and not only monitoring of their behaviour. Also, such a controller will have to appoint a representative in the EU unless it falls within limited exceptions, which include an enterprise employing fewer than 250 persons or, if the amendment proposed in the Report is retained, processing personal data relating to fewer than 500 data subjects per year. A controller not established in the EU will also be caught by the regulation where the law of a Member State applies by virtue of public international law.
- A stronger data protection framework for individuals
Examples of provisions underlying the strengthening of the legal rules are:
- The opt-in principle: where lawful data processing is based on the express consent of the data subject (which is the case, most of the time, for businesses; this is the so-called opt-in principle, under which the data subject must expressly consent to the data processing), the controller of the processing bears the burden of proof for the data subject's proper consent, and the conditions for consent are clearly defined.
- A right to be forgotten arising in various circumstances is enshrined in the Proposal, such circumstances including when the data subject withdraws its consent or the processing of data does not comply with the regulation. This is coupled with a right to erasure when the controller has made the personal data public: the controller must take all reasonable steps, including technical measures, to inform third parties of the data subject's request, and where the controller has authorised a third-party publication of personal data, it shall be responsible for that publication. For once, the Report provides some relief to businesses by restricting the above obligations of the controller with respect to personal data made public to circumstances where such publication was not made on legitimate grounds provided for in the regulation.
- Data subjects also benefit from a right to obtain a copy of personal data processed by electronic means, and from a data portability right, when the processing is based on consent by, or contract with, the data subject, and meets certain technical conditions. The data portability right allows data subjects to transmit their personal data to other platforms or services, reflecting their substantive ownership right in their personal data. In the Report, these rights are seen as part of the right of access, which is enhanced by the requirement that the information be provided in a format which the data subject can use.
- A give and take vis-à-vis businesses
Acknowledging the heavy financial burden resulting from administrative requirements, the Proposal removes the current obligation for businesses, under the Directive, to notify data processing activities to data protection supervisors in applicable Member States.
The price to be paid is, however, not insignificant as the Proposal provides for increased responsibility and accountability for businesses which are processing data. Hence:
- The controller is on the front line in terms of liability and responsibility for data processing performed directly or on its behalf, from the inception of the data processing to the actual processing. This is so, notably, as a result of the introduction of the data protection by design principle pursuant to which the obligation to implement appropriate technical and organisational measures and procedures to satisfy the requirements of the regulation comes into play at the time of the determination of the means for processing. The Report sees this concept as a core innovation of the reform and reinforces the obligations of the controller in that respect.
- The controller is also subject to obligations resulting from the data protection by default principle. Under this principle, the controller is, among other things, bound to implement mechanisms ensuring that, by default, personal data are not processed beyond what is necessary for each specific purpose of the processing and are not collected or retained beyond the minimum necessary for those purposes. This principle includes the obligation to ensure that, by default, personal data are not made accessible to an indefinite number of individuals and, under the Report, that data subjects are able to control the distribution of their data. The Report also extends this concept to data processors and producers of data processing systems.
- Controllers and processors are subject to various obligations, ranging from maintaining documentation of all processing operations, implementing appropriate measures, both technical and organisational, to maintain security and prevent processing in breach of the regulation, carrying out risk evaluations, cooperating with the supervisory authority, notifying a personal data breach to both the supervisory authority and the relevant data subject, to carrying out an assessment of the impact of processing operations which present specific risks to the rights and freedoms of data subjects. The Report recommends numerous amendments to the provisions of the Proposal relating to the above obligations, with a view to ensuring their efficiency, most of the time to the benefit of the data subjects.
Reverting to the objective of not overloading companies from an administrative standpoint and of ensuring consistency in the application of the regulation, the Proposal provides for a one-stop shop when a controller or a processor is established in the Union in more than one Member State, proposing that in such a case the supervisory authority of the main establishment of the controller or processor is competent. This proposal has been one of the most controversial, with opponents raising the spectre of forum shopping, notably in France. Such opponents have been heard, since the Report introduces an alternative mechanism in which the supervisory authority of the main establishment of the controller or processor acts as a single contact point for the controller or processor, but such lead authority must ensure close coordination with the other control authorities of the Member States, which are co-competent for supervision when their residents are affected.
- Cross border flows of personal data
The Proposal addresses the issue of transfers, by a controller or a processor, of personal data of EU subjects to countries outside of the EU (third countries), balancing the need for such transfers in international trade and the objective not to dilute the protection of EU subjects. The overriding principle is that transfer of personal data undergoing processing, or intended for processing after transfer, to a third country must be made in compliance with the regulation, including the specific provisions relating to such transfer.
- Transfers to a third country (or a territory thereof) would first be authorised upon a decision by the Commission that the third country offers an adequate level of protection, based on specified criteria, including in terms of the rule of law, supervisory authorities and international commitments entered into by the third country in question. Once such a favourable decision has been made, transfers from any Member State to the third country concerned would be free, provided the applicable requirements of the regulation are met. The Proposal also empowers the Commission to make an authorisation decision for a processing sector within a third country, but the Report rejects this provision.
- Conversely, the Commission would also have the authority to decide that a third country (or a territory thereof) does not offer an adequate level of protection, in which case transfers of personal data to the third country concerned would be prohibited.
- Where no decision has been made by the Commission, transfers to third countries would nonetheless be possible, provided the controller or processor demonstrates appropriate safeguards with respect to the protection of personal data through a legally binding instrument, which may take the form of binding corporate rules approved by a supervisory authority or standard data protection clauses adopted by the Commission. The Report clarifies the concept of "appropriate safeguards", which shall, among other things, guarantee the pillars of lawful data processing provided for in the future provisions of the regulation (as amended by the Report), that is, transparency, purpose limitation, data minimisation, integrity, storage minimisation, intervenability (data must be processed in a way that allows the data subject to exercise his/her rights) and accountability, as well as the observance of the principles of privacy by design and by default.
Discussions between the European Commission, the European Parliament and the European Council will begin when the definitive Report is published, which is expected in the next few weeks. While the Report suggests numerous amendments to the regulation, it supports the fundamental positions reflected in the regulation. Third countries, such as the United States, have different views, as the regulation will broadly impact their businesses. Political and trade discussions will surely take place alongside the official legislative process at the EU level.