What is this all about?
The EU is in the process of reforming its existing data protection rules. Unfortunately these reforms are currently subject to significant delay. But despite this set-back Cordery strongly recommends that businesses keep an eye firmly on the ball as the reforms go well beyond an upgrade – good planning ahead will pay off to meet the eventual major compliance impact.
What is EU data protection?
The right to privacy is mainly regulated in the EU under a 1995 Directive (Directive 95/46/EC) that controls the processing of personal data. These rules are of very wide effect, with major compliance requirements placed on businesses both inside and outside the EU.
Why is this change happening?
Three years ago (in January 2012) the European Commission officially began the legislative reform process with the overall objective of significantly overhauling the 1995 rules, the mantra being to catch up with the huge advances of the digital age. Other aims include a less administratively burdensome and costly regime for businesses, an extension and expansion of individuals' rights, and making privacy by design the norm.
Are these completely new rules?
Yes and no. Yes, the 1995 rules are being completely replaced. No, the fundamental aspects of privacy will not only continue to be protected, they will also be extended. The reforms essentially build on the current structure, but the 1995 rules will at least triple in length, or more depending on the number of amendments that are eventually accepted under the EU legislative process.
What new rules will there be?
There are in fact two proposed sets of new rules as follows.
Firstly, there is a Regulation, which sets out a general EU framework for data protection, i.e. to replace the 1995 Directive. A Regulation has been chosen because this format will be immediately applicable law once adopted, i.e. it will not require EU Member States to pass further legislation. This said, there has been debate and speculation as to whether there might be a switch to a Directive format. Even if a Regulation remains the chosen format, Member States like the UK will still face legislative issues about what to do with aspects of their national data protection rules that are additional to the EU rules.
Secondly, there is a Directive, which specifically deals with protecting personal data processed in a law enforcement context. Most businesses do not need to be substantively concerned about the Directive but it forms part of a package with the Regulation, and because the Directive is also subject to its own significant procedural delay this raises questions about the timing and adoption of the Regulation.
Where do things currently stand?
A year ago the European Parliament adopted its amendments to the Commission's proposed Regulation, leaving the main elements of the proposal in place but adding a significant amount of further detail. Since then the proposed Regulation has been with the (EU) Council of Ministers (consisting of all 28 EU Member States), which has issued its work-in-progress amended version of the Regulation. This text reveals many divergent views and concerns within the Council, which therefore still seems to be some way off agreement. In this alert we have done our best to guess at where these negotiations will end up, but this is still a work in progress: do check the Data Protection & Privacy section of our website where we post regular updates.
How many data protection regulators will I have to deal with?
A key aspect of the reforms is that a business which is in several EU Member States should only have to deal with one data protection regulator – most likely this will be in the country where the business is based. However, this purported “one-stop-shop” system may in reality be limited for two reasons:
- Only important cross-border situations may be covered by the “one-stop-shop”. There could even be a further limit because in these cross-border situations there may simply be a lead regulator acting more as a coordinator than as a single decision-maker; and,
- The European Data Protection Board (a body being proposed under the reforms) may act as decision-maker itself over “one-stop-shop” inter-regulator disputes, and, also act as an appeal body for parties objecting to a regulator’s ruling.
As a result, the implementation of this system, in whatever form it is eventually agreed, is expected to be complicated and perhaps represents the greatest challenge of all the reforms for a business.
Will I have to register with a regulator?
No. There will no longer be a requirement for a data controller (the person determining the purposes for and manner in which personal data are processed) to register with a data protection regulator, and consequently the payment of a fee for the privilege of registering will also disappear.
But, whilst one administrative burden goes another one apparently appears as data controllers will have the obligation of implementing appropriate measures to be able to demonstrate that the processing of personal data is in compliance with the Regulation. Further, the disappearance of registration will pose a challenge for many Member State regulators who will lose an income stream from fees for registrations. How will their budgets be impacted and how will this affect their administrative and enforcement capabilities? Will they have to fine more just to fund themselves?
My business is not in the EU so will these rules still affect me?
Yes. The new rules will apply not only to businesses actually located in an EU Member State, but also to businesses located completely outside the EU where they process the personal data of EU residents in order to offer them goods or services, or to monitor their behaviour. The above-mentioned "one-stop-shop" system may apply here too. This extra-territorial dimension is a very significant change and very controversial. A key issue is that it may prove very difficult, if not impossible, to actually enforce this against a business with no EU presence.
Will I have to make privacy an integral compliance element in my business?
Yes. Privacy by design and/or default will not be an add-on, but, instead, will become the norm as businesses will have to incorporate data protection safeguards into their products and services from the beginning. This might sound fine as a policy aspiration but its practical application will not always be so straightforward.
Will consent be required for data processing?
The requirements for consent have been recalibrated. Unambiguous consent will have to be given by a person in order for their data to be processed – there are still some differences though between the Commission, the Parliament and the Council on the way this is worded. Businesses will not be able to rely on silence or opt-outs and instead an active process such as box-ticking will have to be put in place.
Are there any new rights?
Yes. A series of new rights are introduced, including the right to portability (transmitting personal data from one data controller to another) and the right not to be subject to profiling (subject to certain exceptions). Perhaps most controversial, mainly because the issue was highlighted in last year's European Court of Justice ruling concerning Google (the Google Spain case of May 2014), is the introduction of a legislative right to be forgotten, i.e. the right to have data erased without undue delay where the data are no longer necessary in relation to the purpose for which they were collected or otherwise processed. Much ink has been spilled on the seriously problematic nature of this right, e.g. the technical, logistical and financial costs involved (erasure has to reach backups, copies held by processors and downstream recipients, not just the live database), the possible hampering of law enforcement/regulatory bodies in their investigations, the ability to hide an unsavoury past, and the impact on free speech. There will also be an expanded right for people to be provided with information about how their data is used.
Will I need to appoint a data protection officer?
Probably. A special data protection officer may have to be appointed to deal with data protection compliance – there are differences between the proposals of the Commission, the Parliament and the Council so comment at this point about the end result can only be very speculative at best.
When will I have to report data breaches?
There are two reporting obligations, and the changes here are significant. First, data breaches will have to be reported to the data protection regulator in each country affected without undue delay and, where feasible, within a fixed period to be set under the new rules. The Council's current text sets that period at 72 hours, whereas the Commission and the Parliament favour 24 hours, so the final figure may yet change. A notification made after the set period will have to be accompanied by a reasoned justification for the delay. Breach reporting does not appear to fall within the "one-stop-shop", so a breach affecting 12 EU countries would likely mean 12 separate reports, each within the 24 or 72 hours allowed. Second, there is a separate obligation to notify the individuals affected, which is not as clearly drafted in the Commission's text as it might be.
Two particular issues that are not addressed for the moment and will prove a challenge are:
- Whether there will be a threshold, i.e. whether a minor breach will have to be notified or not; and,
- Whether technical measures to secure the data, such as encryption, will mean that a breach need not be reported and, if so, what those acceptable technical measures will be. This is important for multinationals, as US state data breach laws commonly exempt data that was encrypted. Note that those exemptions generally fall away where the encryption key was also compromised, so in practice the exemption turns on how keys are stored and managed as much as on whether encryption was used at all.
Will there be mandatory audits?
Probably. Under the new rules regulators may be given the power to carry out surprise audits on businesses. Businesses will have to train staff to deal with this.
What kind of fines can my business face for breaching the rules?
Under the new rules, data protection regulators will have the power to impose fines for infringing the data protection rules. In the Commission's original proposal this is up to Euro 1 million or up to 2% of the global annual turnover of a business, whichever is the greater. This too is the subject of differences between the Commission, the Parliament and the Council, with the Parliament in particular seeking much higher figures (its amendments proposed up to Euro 100 million or 5% of global annual turnover).
Will some kind of other assessments have to be made?
Where processing operations present specific risks, an assessment of the impact of the envisaged processing operations on the protection of personal data will have to be carried out. There are major differences between the Council and the Parliament on the applicable risk situation, but whatever the final outcome, an assessment will have to address the envisaged processing and evaluate the risks and the measures that would address them.
Has anything changed as regards data transfers to third countries?
The core principles concerning the transfer of data from EU Member States to third countries (including the US) will remain in place, including the requirement that such data flows can only occur where an adequate level of protection is assured in the third country. What the reforms mainly introduce is an extension and more detailed treatment of these existing principles, notably: the criteria against which the adequacy of a third country's protection is assessed; so-called "Binding Corporate Rules"; and so-called Commission-approved "Model Clauses". Whatever the final outcome, these details will have to be checked against existing transfer arrangements.
What are the next steps?
When there is agreement within the Council, the Council and the Parliament will then have to agree on the final version (with the European Commission acting as a kind of intermediary) so that the proposed reforms can become law. This process is not expected to be smooth, both among the EU Member States within the Council, and between the Council and the Parliament – there will be much horse-trading. Some even speculate that there will be no final deal whilst others say that there is too much at stake for the EU to not adopt new data protection rules.
The full application of the new Regulation (and Directive) is not anticipated until 2017 or even 2018.
What should I do now?
Assuming that the new rules are finally adopted, they will bring a high level of compliance obligations, with significant financial, resource (including IT) and administrative costs. Although finalization of the reforms may seem to be some time ahead, the following are ten compliance issues to start considering:
- Thoroughly review vendor contracts – you will need your vendors' help, especially in reporting security breaches very quickly. Make sure that you have the contractual rights to insist on this (including a notification deadline for the vendor that leaves you time to meet your own) and that you can hold your vendors to account;
- Prepare to update everything and prepare new detailed documentation and records ready for production for regulatory inspection – factor this into overhead costs;
- Review all key practical aspects such as data retention, destruction etc. through all means of collecting data used by the business;
- Ensure that new aspects such as explicit consent, the right to be forgotten and erasure, and, the right to not be subject to profiling are all included in policies and procedures;
- Put in place a data breach notification procedure, including detection and response capabilities – consider purchasing special insurance;
- If applicable, appoint a data protection officer;
- If applicable, put in place an impact assessment and/or risk analysis policy;
- Create compliance statements for annual business reports;
- Train staff on all of the above; and,
- Set up and undertake regular compliance audits in order to identify and rectify issues.
André Bywater is Principal Adviser – European Regulatory with Cordery in London where his focus is on compliance. This article was first published on 02/04/2015 by Cordery at http://www.corderycompliance.com/…