The European Commission has published its proposal for a new data protection law which is intended to sweep away the current law (which flows from a Directive passed back in 1995).
The Commission hopes that the new law (which takes the form of a Regulation) will foster economic growth, and be better able to regulate data transfer in the internet world of huge trans-global data flows, the cloud, social media and behavioural advertising.
The proposed Regulation will have effect without the need for implementation at member state level. Unlike the earlier Directive, the Regulation does not need to be transposed into national law through local legislation. Although the proposed Regulation builds on existing data protection concepts, it does make some radical changes:
1. Home Regulator
Organisations will only have to deal with their “home” regulator (the one operating in the country in which they have their main establishment) for all their EU processing. For organisations that have operations in more than one EU member state, this will be welcome. Regulators in individual member states will be expected to liaise closely to ensure consistency of treatment.
2. Consent
At present, many organisations seek to justify data processing on the basis of consent, despite such consent not being appropriate. The Regulation tightens what constitutes consent, and the circumstances in which it can be relied on. Consent must be given freely and must be specific, informed, explicit and signified positively (i.e. not on the basis of “opt out” wording). The burden of proving that consent has been given will lie squarely on the organisation relying on it. Record keeping will be hugely important.
3. Taking data protection more seriously
The proposed Regulation contains provisions requiring organisations:
- to adopt measures “to ensure and be able to demonstrate that the processing of personal data is performed” in accordance with the Regulation
- where they are public authorities or commercial organisations employing over 250 employees, to engage (and “adequately resource”) data protection officers
- to maintain documentation of all processing operations under their responsibility.
These are all new requirements, and for many organisations a step change in both process and culture will be needed if they are going to comply.
4. New rights for individuals
The Regulation proposes:
- enhanced rights to access personal data
- enhanced rights to object to data processing, and to have it stopped
- a new right to be “forgotten”, entitling individuals to insist that organisations erase their data where there is no legitimate interest in retaining it
- a right to portability, allowing individuals to obtain their data in a “commonly used” electronic format so they can move easily from one service provider to another with the minimum of inconvenience and delay
- a general right – subject to exceptions – not to be subject to automated profiling to predict creditworthiness, location, health, personal preferences or behaviour
5. Data processors face new responsibilities
Under the proposed Regulation, those who process data on behalf of others (“data processors”) will have various explicit statutory responsibilities, including to protect data and to comply with the new breach notification provisions. The fining regime – see below – will also apply if they fail to discharge these responsibilities. For IT service providers who process data for others, this will be a big change as the risk profile of processing activities will increase substantially.
6. Data breach notification
Organisations will need to notify supervisory authorities of personal data breaches without undue delay (within 24 hours “where feasible”), explaining what actions they have taken to address the breach and mitigate its effects. Organisations will also have an express obligation to notify the data subjects affected where the breach is likely to affect their privacy.
There is a specific exemption from the requirement to notify data subjects where technological measures have been employed to render the data “unintelligible” to anyone not authorised to access it. This should encourage further adoption of encryption and data wiping technologies.
7. International data transfers
The proposed Regulation maintains restrictions on the transfer of personal data to countries or organisations outside the EU. Transfers can take place where:
- the Commission has made a finding of adequacy in respect of the country where the recipient is based, or the recipient itself
- “appropriate safeguards” have been put in place (for example binding corporate rules or standard Commission approved model contract clauses)
- a “derogation” applies. Various derogations apply but it looks as if organisations will only be able to make their own self-assessments of adequacy of the data protection in a particular jurisdiction where transfers of data to that jurisdiction are not “frequent or massive”.
Disappointingly for business, as presently drafted, there is no ready-made basis on which to justify the sort of international data flows that underpin outsourcing and cloud services. This has led to fierce criticism in some quarters.
8. Fines increase
The new regime will be backed up by three different levels of potential fine according to the particular breach in question. The potential levels of fine are eye-watering and akin to those which apply in competition law.
The maximum fines are based on a percentage of worldwide annual turnover. They rise to a maximum of 2% of annual worldwide turnover for the most serious violations, including processing personal data without “any or sufficient legal basis”, failing to comply with personal data breach notification obligations and/or failing to adopt internal policies for ensuring and demonstrating compliance.
It is still early days and the draft Regulation is just that – a draft. The UK government has just launched a consultation exercise on the proposed Regulation. Expect further changes to be proposed in the coming months as the legislative process unfolds.
Meantime, though, the proposed Regulation signals a determination by the Commission to implement a harmonised regime with real enforcement “teeth”. For many organisations significant additional resource will be needed to ensure compliance.
Although it will be a year or two before the new law comes into force, for many there will be a lot to do and the required changes to process and culture will have significant lead time – so the new Regulation needs to be on corporate radars now.