16 DEC 2011

The first insight into the European Commission's Proposal


Intellectual Property Alert (EMEA)


Patrick Van Eecke
Cameron Craig
Jim Halpert


On December 6, Viviane Reding (European Commission Vice-President and Commissioner responsible for justice, fundamental rights and citizenship), announced the long-awaited proposal for a new Data Protection Regulation. The Proposal[1] has now entered into inter-service consultation with other Commission Directorates-General after which the text will be considered by the Parliament and the Council, who may make significant changes. The Regulation would repeal the current Data Protection Directive 95/46. It is expected to become law in two to three years.

DLA Piper had the chance to take a first glance at the draft Regulation before it was leaked on various internet blogs last week. The draft Regulation contains significant changes to the existing law which business communities will need to understand and prepare to adapt to. In some ways the new law should make compliance more achievable by reducing bureaucratic filing requirements and authorisations. However, businesses would have to take additional steps to demonstrate compliance, variations in member state interpretations of the Data Protection Directive would be harmonised in ways that expand the rights of data subjects significantly, and the possible penalties for non-compliance would become much more severe than is currently the case.

Among other features:
  • Consent would need to be explicit, involving some affirmative action by the data subject, and implied consent relying on inaction by the data subject would no longer be valid
  • Employee consent, which is currently valid in a number of EU member states, would no longer be a valid ground for processing personal data 
  • As consent is often used as the grounds for complying with non-EU legal requirements that involve the use and disclosure of employee personal data, compliance is likely to become much more difficult for employers 
  • Direct marketing and behavioural advertising, which currently occur in a significant minority of member states on an implicit consent basis, would likely require some form of explicit consent 
  • Data minimisation requirements in current law would be expanded and would need to be incorporated into internal audit and privacy by design solutions

The remainder of this alert discusses what we see as the most significant changes to be expected in the data protection landscape.

A regulation instead of a directive

As had been widely speculated, the European Commission has chosen to implement the new rules through a regulation rather than a directive. This is the strongest way to increase harmonisation and coherence of the data protection legal framework within the European Union as regulations are directly applicable in the European Union without the requirement for Member States to transpose the European rules in national laws, often adding their own interpretations.

Territorial scope substantially extended

The draft Regulation would expand the rules governing the jurisdictional reach of EU data protection laws. Existing law applies based on the place of establishment of the controller and/or the equipment used by the controller to process the data. The draft Regulation goes beyond that in applying the law to any processing of personal data that is directed to data subjects residing in the EU, or 'serves to monitor the behaviour' of such data subjects. Recital 15 clarifies that, in this context, 'directed to' implies that it should be ascertained whether it is apparent from the controller's overall activity that the controller was envisaging processing of personal data of data subjects residing in the EU. This would be of particular significance to non-EU websites directed in part towards EU citizens. A non-EU controller caught by this provision would be required to designate an EU representative to act on behalf of the controller and to be answerable to the EU data protection authority on behalf of the controller.

Definitions that clarify and expand the scope of the law

The draft Regulation introduces a number of new definitions, such as 'personal data breach', 'genetic data', 'biometric data', 'data concerning health', 'main establishment', 'representative', 'group of undertakings', 'binding corporate rules' and 'child'.

The draft Regulation also modifies existing definitions. For example, the definition of 'data subject' now explicitly refers to 'online identifiers' (such as IP addresses or cookie identifiers) as one of the factors which may entail direct or indirect identification of a data subject. Also, the proposed definition of 'controller' refers to an additional criterion: the controller is the person determining the purposes, means and conditions of the processing of personal data. The draft Regulation also confirms, albeit only in its recitals, that the law should not apply to "data rendered anonymous in such a way that the data subject is no longer identifiable."

Making consent more difficult to obtain

The draft Regulation appears to resolve differences among EU member state laws over whether data subject consent must be implicit or explicit through a definition of 'consent' that requires consent to be explicit. The draft Regulation casts serious doubt on the validity of implied consent by stating that silence or inactivity would not constitute consent. The draft Regulation further puts the burden of proof onto the controller to show that valid consent has been given. On the other hand, the draft Regulation clarifies that consent may be given by any appropriate method enabling a freely given, specific and informed indication of the data subject's wishes, based on an affirmative action by the data subject, including by ticking a box when visiting a website or by any other statement or conduct which clearly indicates the data subject's acceptance of the proposed processing of their personal data.

Of particular concern to employers, the draft Regulation states that consent can no longer be relied upon as a basis for processing for the purpose of carrying out obligations and exercising rights of the controller in employment law, or where there is a significant imbalance in the form of dependence between the position of the data subject and the controller. This would require employers to rethink significantly their approach to data protection compliance. As the draft Regulation continues the European Commission's recognition of exceptions for compliance with legal obligations solely under EU or EU member state laws, rejecting the validity of employee consent would create particular complications for multi-national companies' compliance with non-EU legal obligations, such as OFAC screening, internal investigations, and monitoring.

New data subject rights and controller and processor obligations

The draft Regulation introduces several innovative concepts that would significantly expand both data subjects' rights and controllers’ obligations:
  • Right to be forgotten – Data subjects would be entitled to require controllers to erase their personal data when they withdraw their consent for processing or where they object to the processing of personal data concerning them. The draft Regulation stresses that this new right is particularly relevant to data provided by minors
  • Privacy impact assessment – Controllers or processors would be required to carry out impact assessments before carrying out processing that is likely to present 'specific risks' (such as processing of sensitive data) 
  • Privacy by design and by default – The draft Regulation contains a mandatory requirement for both privacy by design and privacy by default. This would require that (i) the controller prior to and during the processing, implement appropriate technical and organisational measures and procedures so that the processing meets the requirements of the Regulation and ensures the protection of the data subject's rights; and (ii) the controller would need to implement mechanisms that ensure, by default, that only those personal data necessary for each specific purpose of the processing are processed, and that such data are not collected or retained beyond the minimum period necessary for those purposes 
  • Data portability – Data subjects would be given a new right to obtain a copy of their data in a 'structured format which is commonly used' and the right to transfer data from one automated processing system (for instance a social network) to another, without being prevented from doing so by the controller.

Harmonisation to simplify compliance for business

The draft Regulation contains several significant changes which are intended to ease the data protection compliance obstacles which businesses face today:

One-stop-shop – The draft Regulation contains significant 'one-stop-shop' provisions that would have a major impact on international organisations with operations across a number of EU member states. The data protection authority in the 'main establishment' of the controller would be responsible for decisions relating to the controller across its EU operations. This could see, for example, the UK operations of a pan-European business falling under the control of the Spanish, French or German data protection authority, depending on the location of the main establishment. This should offer greater harmonisation and certainty for controllers. However, bearing in mind the very different approaches to enforcement shown by EU data protection authorities to date, it will be very interesting to see how this develops in practice.

International transfers – The draft Regulation contains a significant change to existing law which would enable controllers to make certain transfers of data outside of the European Economic Area (EEA) where it is in the legitimate interests of the controller or the processor. This would only apply where the transfer is not 'frequent, massive, or structural' but will, nevertheless, be welcomed by international businesses. In addition, the draft Regulation envisions binding corporate rules for processors, approval of additional standard data transfer clauses beyond the model clauses and flexibility for the Commission to determine jurisdictions' 'adequacy' to receive international data transfers for particular industry sectors or territories within a country.

New obligations for controllers and processors

If the draft Regulation becomes law many of the obligations that are currently imposed by the Directive only on controllers would also be imposed on processors. This would be of some concern to service providers and outsourcing entities and is likely to require a reassessment of the standard approach to the allocation of obligation and liability in standard outsourcing arrangements.

In addition, a number of new obligations are introduced by the draft Regulation:
  • Documentation – One of the key issues under the current European data protection regime is the administrative burden imposed on controllers to register all data processing activities with the local data protection authority. The draft Regulation would replace this notification obligation with an obligation for controllers and processors to keep extensive documentation to demonstrate that the processing operations under their responsibility are compliant. This embodies the 'accountability principle' which was much discussed in the review of the Directive leading up to the release of the draft Regulation
  • Data protection officer – For processing activities carried out by the public sector, or by a private sector large enterprise (over 250 employees) or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring, an independent data protection officer must be appointed to monitor whether the processing activities are carried out in compliance with the data protection policy and the Regulation 
  • Security breach notification – The draft Regulation would impose an extremely broad security breach notification requirement to notify both data protection authorities and data subjects within 24 hours of a data security breach. The security breach notice requirement would apply to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any personal data. Unlike many existing breach notice laws, the requirement to notify the data protection authority would apply regardless of any risk of harm to data subjects. However, the requirement to notify data subjects requires some harm to the privacy of data subjects and does not apply where the controller can demonstrate that all the data was encrypted or otherwise rendered unintelligible
  • Agreement between joint controllers – Joint controllers would have to sign an agreement allocating responsibility between them. In the absence of such agreement, the controllers would be jointly liable for all processing activities
  • Data subject's requests – In the event the data subject submits a request to exercise their rights, the controller is obliged to respond to that request within a fixed deadline. In the event the controller does not comply with the data subject's request, the controller must still respond within the deadline and provide reasons.

Increased enforcement

One of the key objectives of the Regulation is to harmonise the enforcement powers of the local data protection authorities, and to make remedies and sanctions more effective:
  • Fines – A feature of the draft Regulation which may be of most interest to businesses is the new fining powers. Data protection authorities would be empowered to impose fines of 100,000 to 1 million Euros or, in the case of 'an enterprise', up to 5% of the annual worldwide turnover for a broad range of negligent or intentional violations of Regulation requirements. 

This alert is intended to provide a general overview of the most significant modifications in the draft Regulation. Should you be interested in commenting on the draft Regulation, require any assistance in preparing for these modifications or have any further questions, please do not hesitate to contact ,  or .

DLA Piper is hosting a webinar on January 10, 2012 at 8 PST, 11 EST, 16h GMT and 17h CET to discuss the implementation of the draft Regulation and what it will mean for business. If you would like to join this then please contact any of the authors using the email address shown above.

________________________________________
[1] Two legal instruments were introduced, namely the 'Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (General Data Protection Regulation) and the 'Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of intervention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data' (Police and Criminal Justice Data Protection Directive). This client alert only discusses the General Data Protection Regulation.

This information is intended as a general overview and discussion of the subjects dealt with. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.
