On 25 January 2012, the European Commission (the “Commission”) adopted a legislative proposal for a reform of the EU data protection regulatory framework (see this Newsletter, Volume 2012, No. 1, p. 6).
The proposal consists of a draft Regulation providing for a general framework governing data protection (see: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf), which would replace the existing EU Data Protection Directive 95/46/EC, and a draft Directive setting out the rules on the protection of personal data processed for the purposes of police and judicial co-operation in criminal matters, which would replace the current Framework Decision 2008/977/JHA on the same matter. In addition, the European Commission published a Communication and several supplementary documents, which are available at: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm.
To ensure consistency and uniformity within the EU, the Commission has opted for a Regulation as the most appropriate legal instrument to regulate the private sector. At the same time, Member States will be given the authority to adopt specific laws for data processing in several areas, most notably in employment matters. The Commission will also obtain the power to adopt delegated acts and implementing measures.
The jurisdictional reach of the EU’s data protection rules will be extended to non-EU data controllers whose data processing activities involve the “offering of goods or services” to EU residents, or the “monitoring of their behaviour”. The draft Regulation also contains updated and new definitions of various terms (e.g., “genetic data”, “biometric data”, “personal data breach”, “main establishment” and “binding corporate rules” (“BCRs”)).
The draft Regulation gives data subjects more rights, in particular the right to be forgotten and the right to data portability. In addition, companies acting as data controllers will be obliged to adopt mechanisms to facilitate the exercise of these rights. Furthermore, the principle of transparency will be reinforced (internal policies, accessibility and clarity of information). There will also be additional information obligations vis-à-vis data subjects.
Children will benefit from reinforced protection. The concept of “consent” is redefined and will have to be given “explicitly”. Moreover, the conditions for relying on consent are defined more restrictively. For example, consent will not be valid as a legal basis in the case of a significant imbalance between the position of the data subject and that of the controller. Also, data subjects’ rights to lodge complaints with national supervisory authorities, to a judicial remedy and to compensation will be further specified.
An independent European Data Protection Board (“EDPB”) will be established, which will replace the Article 29 Working Party. The EDPB will ensure consistency in the application of the new framework. Supervisory authorities must have independence and adequate resources, and will obtain new powers, including powers of investigation (e.g., access rights), decision and sanction.
The draft Regulation introduces a number of additional obligations for controllers (primarily for larger companies, as small and medium-sized enterprises will benefit from a number of exemptions). Controllers will be subject to the principle of accountability (which essentially requires compliance with the Regulation and the ability to demonstrate and document such compliance). Data controllers will have to implement the “privacy by design” and “privacy by default” concepts. The draft Regulation also provides for more prescriptive rules regarding the content of agreements between data controllers and data processors. Primarily large data controllers will also have to carry out data protection impact assessments for forms of high-risk processing and retain extensive documentation of all processing operations. In addition, large enterprises with 250 or more employees, or those whose core activities involve regular and systematic monitoring of data subjects, must appoint a data protection officer. Supervisory authorities will need to be informed of any personal data breach without undue delay and, where feasible, within 24 hours after the breach was discovered. In addition, data subjects will need to be informed without undue delay if the breach is likely to adversely affect the protection of their personal data or privacy.
The proposal provides for three categories of administrative offences, with fines ranging from € 250,000 (or 0.5% of an enterprise’s annual worldwide turnover) to € 1 million (or 2% of annual global turnover), depending on the seriousness of the infringements.
On the other hand, companies will benefit from less red tape - in particular, fewer registration requirements. Only in exceptional cases will either prior consultation (high-risk processing) or prior authorisation (in certain cases of international data transfers) be required. The draft Regulation also streamlines the rules on international data transfers, explicitly acknowledging BCRs as a means for both data controllers and data processors to create appropriate safeguards for such transfers. Most significantly, a ‘one-stop shop’ is envisaged in cases where a data controller or data processor is established in several Member States: only the national authority of the Member State in which the main establishment of the data controller is located will be competent in terms of supervision.
The draft Regulation will have to be adopted by the Council and the European Parliament under the co-decision procedure, during which both institutions can make changes. It is expected that it will take at least two years before the final text is adopted. There will probably be an additional transitional period of two years before the Regulation enters into full force.