By Dan Cooper and Kristof Van Quathem
A widely-leaked version of the first legislative proposal for a General Data Protection Regulation is making its way through Brussels and beyond. The draft Regulation — which, among other things, aims to apply a harmonized and updated set of core data protection rules across the EU — will be reviewed by the different Directorates-General of the European Commission in the coming weeks, and thus could be liable to change. The Commission is not expected to release its final proposal until late January 2012.
Although implementation of the Regulation is not expected for some time, it will eventually replace Data Protection Directive 95/46 and be directly applicable in all European Member States. One of the chief criticisms of the existing EU data protection regime is that EU Member States have implemented the Directive in a divergent fashion. The Regulation would remedy this problem and establish a common set of standards applicable across the entire EU. Highlighted below are some of the more notable aspects of the draft Regulation. That said, with over 91 articles, the Regulation contains a great deal, including a number of radically new concepts. It also envisions the Commission enacting a large number of delegated acts intended to furnish additional guidance and detail on particular matters.
Application. The draft Regulation provides that the supervisory data protection authority of the Member State where a data controller’s main establishment is based shall serve as its lead authority, avoiding situations where a controller may be subject to the competing jurisdictions of multiple EU authorities. The Commission has included a new mandatory mutual assistance obligation intended to address forum shopping concerns.
Scope. The new Regulation also will apply to non-EU companies that “direct” their processing activities to data subjects residing in the EU or whose activities serve to monitor the behavior of data subjects, replacing the current “making use of equipment” test with a new “targeting” test. The new standard will impact online service providers, in particular, and proposed recitals clarify that relevant factors include whether services are provided in European languages or currencies or involve local domain names. Websites merely accessible to European users, however, will not be caught.
Definitions. The definition of “data subject” is expanded by incorporating language previously found in Recital 26 of the Directive. A data subject is now someone who can be identified (directly or indirectly) by the controller directly or “any other natural or legal person”. Identification may occur by reference to an identification number, location data or online identifier, amongst other things. The proposal also introduces a host of new definitions, including ones for “personal data breach”, “biometric data”, “genetic data”, “main establishment”, and “child”.
European Data Protection Board. The proposal establishes a European Data Protection Board, consisting of the heads of the supervisory authority of each Member State and of the European Data Protection Supervisor. The Board is intended to replace the existing Article 29 Working Party, and will have a similar role, broadly speaking.
Consent. The draft law contains a stand-alone section on consent, which is now defined as any “freely given specific, informed and explicit indication of will”. Consent cannot be used as a legal basis for processing personal data where a “significant imbalance in the form of dependence between the position of the data subject and the data controller” exists. Data protection authorities have traditionally advised against the use of consent as a legal basis for processing, and this mentality is reflected in the draft Regulation. In addition, the consent of a child (defined as any person below the age of 18 years) will only be valid when authorized by the child’s parent or custodian.
New rights for data subjects. The draft contains a heavily caveated “right to be forgotten” that imposes a specific obligation on a controller to render inaccessible certain data, including such data when it appears on the Internet. A new data portability right will enable data subjects to request that their data be held by a data controller, such as a social network service provider, in a format that allows them to transfer that data to another service provider. The Commission reserves the right to specify the electronic format and technical standards to enable such transmission.
Impact assessments and prior authorization/consultation. The proposal also appears likely to increase the administrative burden for data controllers in certain respects, although it does dispose of the current national notification regimes. Controllers must carry out data protection impact assessments where processing operations are likely to put the rights of data subjects at risk by virtue of their nature, scope and purposes. In addition, controllers with more than 250 employees must appoint a qualified data privacy officer. In limited cases — where processing is likely to pose a high degree of risk to data subjects — data controllers will have to obtain an authorization from or consult with their supervisory authority prior to processing the personal data. Apart from the duty to appoint a privacy officer, these new obligations appear to apply equally to large multi-nationals and small and medium enterprises.
Breach notification. The draft Regulation, as was expected, introduces a comprehensive breach notification regime. Rules similar to those found in the e-Privacy Directive (applicable to providers of publicly available electronic communications services and networks) have been proposed. Data controllers would be required to notify any data breach to their data protection authority, notwithstanding the fact that protective measures, such as encryption, are in place or that the likelihood of harm is low. Data controllers must notify data subjects when a data breach is likely to “adversely affect” the protection of their personal data, unless the data controller can demonstrate, to the satisfaction of the supervisory authority, that it has implemented appropriate technological protection measures.
Disclosure. The provisions that will govern future foreign e-discovery exercises are likely to attract much attention and comment. Controllers will first be required to seek authorization from their data protection authority before they can make personal data available in response to a court judgment or decision by an administrative authority in a third country. These provisions, together with the higher monetary penalties envisioned by the Regulation, are clearly intended to serve as a counterweight to pressures exerted under foreign legal regimes, such as those in the U.S.
Data transfers. The existing EU restriction on data transfers to countries that do not offer adequate protection remains in place. However, the use of standard contractual clauses will no longer be subject to prior authorization or approval by data protection authorities. Also, the adoption of binding corporate rules (BCR) would be made easier, and an entire section is devoted to the concept. The draft Regulation retains the original derogations for transfers to third countries, such as consent, but adds a new derogation for transfers necessary for the legitimate interests of a data controller, although this must be balanced against the rights of the data subject.
Sanctions. The draft Regulation contains an elaborate section on administrative sanctions. Mirroring sanctions for violations of EU competition law, each competent authority would now have the power to impose administrative sanctions and to tailor these sanctions according to a company’s annual turnover. For certain types of intentional or negligent violations, supervisory authorities will be able to impose fines of between 100,000 and 1,000,000 Euros, or as much as 5% of an enterprise’s annual worldwide turnover.