According to TechWeek Europe, the United States Department of Commerce is working with the United States Chamber of Commerce to lobby European Union officials in an effort to change certain provisions of the EU’s proposed General Data Protection Regulation. If enacted, the Regulation, which was published in draft form in January 2012, would supersede the existing EU Data Protection Directive and apply to all EU member states.
As we previously wrote, the Regulation would enact sweeping revisions to the EU’s existing data privacy regime and impose many new obligations on data controllers. The Regulation’s provisions include an obligation to report data breaches to the appropriate national data protection authority within 24 hours, a requirement that companies with more than 250 employees appoint a data protection officer, and new individual rights, such as a right to be forgotten and a right to data portability. The Regulation also provides for substantial fines of up to 2% of global revenue for data protection violations. Moreover, the Regulation would apply to more non-EU companies than the current Directive because it would extend to non-EU companies that target EU citizens by either processing their data or monitoring their activities.
While it is unclear which specific proposals are the focus of the Department of Commerce’s efforts, the Department previously expressed concerns about the 24-hour breach notification requirement, the right to be forgotten, and how the proposals might affect cross-border data transfers. Based on concerns raised by the U.S. Chamber of Commerce, the U.S. government might also be concerned with ensuring that a final Regulation creates a convenient “one-stop shop” for non-EU data controllers by allowing them to be subject to the jurisdiction of a single national data protection authority.
The Department of Commerce is not the only agency trying to amend certain provisions of the proposed Regulation. Last week, a U.S. Deputy Assistant Attorney General expressed concerns about how the Regulation might impact international law enforcement efforts. The Regulation would require review of established agreements that provide for cooperation among law enforcement agencies. In addition, the Regulation might interfere with an EU member state’s ability to request that Interpol issue an arrest warrant because the request would contain personally identifiable information. The director of the Federal Trade Commission’s Bureau of Consumer Protection also expressed concerns that restrictions on cross-border data transfers might impede investigations into fraudulent or deceptive commercial practices.