Overview

The proposed EU Data Protection Regulation (the "Regulation") was introduced in January 2012 as "a strong, consistent and future-proof framework for data protection" intended to promote harmonization (through the adoption of a single EU data protection law) and enhance individuals' privacy rights. Finally, after almost four years of political negotiations, in December 2015 an informal agreement was reached on the proposed Regulation which, once implemented, will replace the twenty-year-old EU Data Protection Directive 95/46/EC[1] (the "Directive").

As further discussed below, the impact of the proposed Regulation is far-reaching and will affect not only European businesses but also businesses outside the EU that collect and process data on Europeans. In addition, the proposed Regulation introduces new liabilities for data processors (i.e. outsourcing providers). This QuickCounsel examines the key provisions of the proposed Regulation and identifies some of the more relevant obligations which in-house counsel will need to consider under the new regime.

Territorial Scope

A key characteristic of the Regulation is its extraterritorial reach as it brings into scope the processing of personal data of data subjects (i.e. individuals) located in the EU, irrespective of whether or not the controller or processor is established in the EU. Essentially, this means that any non-EU business that processes data of individuals in the EU through the offering of goods or services or the monitoring of their behaviour will need to comply with the requirements under the Regulation. For example, a business in Asia collecting personal data on its EU customers through its website will need to comply with provisions of the proposed Regulation, and failure to do so could lead to significant fines.

Enforcement

A business failing to comply with the proposed Regulation could face considerable fines of up to four per cent of annual worldwide turnover (gross revenue), or EUR 20 million, whichever is higher. In addition, data protection authorities[2] in each EU Member State will have significant powers including the ability to impose temporary or definitive bans on processing personal data, enter premises and suspend data flows to a recipient in a country outside of the EU. Individuals may also be awarded compensation for damages they suffered (see Additional Resources - Google Inc. v. Vidal-Hall).

A Strong Focus on Accountability

With accountability being a key driver underpinning the Regulation, businesses will be required to adopt and implement policies and procedures that demonstrate compliance with data privacy obligations. Central to this concept are the requirements that businesses:

(a) carry out privacy impact assessments where the use of personal data is likely to present specific risks to an individual or where new technologies are being used. For example, such an assessment will be required where a business is engaged in the profiling of health data on a large scale or other types of systematic monitoring of the public;
(b) implement "privacy by design" standards throughout each business operation, including the use of technical and organisational measures (e.g. pseudonymisation) to protect personal data and to ensure that, by default, only a minimum amount of personal data is processed;
(c) appoint a data protection officer ("DPO") (see below); and
(d) maintain detailed records of the personal data used by the business.

Data Protection Officer

Under the proposed Regulation, businesses within its scope will have to appoint a DPO where the core activities of the controller or the processor consist of regular and systematic monitoring of data subjects on a large scale, or where the core activities of the controller or the processor consist of large-scale processing of special categories of data (e.g. data relating to health, criminal activities, sexual life or religion). Corporate groups may appoint a single DPO provided that the DPO is easily accessible by all relevant corporate entities.

Data Breach Notification

Businesses in all sectors will have to notify data breaches to their relevant data protection authority without undue delay and where feasible within 72 hours. Businesses will also be required to notify affected individuals of the data breach without undue delay, subject to a limited number of exceptions including where the business has implemented appropriate technological protection measures so as to render the data unintelligible.

Profiling

The proposed Regulation introduces new restrictions on businesses carrying out profiling. Under the Regulation, an individual will have the right not to be "subject to a decision based solely on automated processing, including profiling, which produces legal effects or otherwise similarly significantly affects the individual". This restriction will extend to all forms of data analytics, with the only exemptions being where the profiling is necessary for the performance of a contract between the controller and the individual, where it is authorised by national Member State law, or where the individual has given explicit consent. Profiling based on special categories of personal data, such as health data, will only be permitted with the explicit consent of the individual or where it is in the public interest. It is clear that these restrictions are going to have far-reaching consequences from a "Big Data" analytics perspective.

New Rights for Individuals

The Regulation introduces new rights for individuals, including:

(a) Right to Erasure: A data controller is (subject to a limited number of exceptions, including, for example, where the processing is for the defence of legal claims) under an obligation to erase personal data without undue delay where, for example, the data is no longer necessary for the purpose for which it was originally collected, or the consent for the processing is withdrawn and there is no other legal basis for the processing. Under the current Directive the erasure of data is limited to where the data is incomplete or inaccurate (see Additional Resources - Right to be Forgotten).
(b) Right to Data Portability: Where personal data is processed in a machine-readable, structured and commonly used format and the processing is based on consent or on the performance of a contract with the individual, the individual has the right to request that such personal data be transferred from one service provider to another without hindrance.

International Transfers

The proposed Regulation maintains the restriction under the current Directive regarding the transfer of personal data to countries outside the EU that do not provide an equivalent level of protection and, as under the Directive, there is statutory recognition of certain international data transfer mechanisms. These include Binding Corporate Rules, EU Standard Contractual Clauses, approved codes of conduct and certification mechanisms. In addition, in limited circumstances, transfers are permitted where necessary for the "legitimate interests" of the controller, for example where there is a one-off transfer to a non-EU country which concerns only a limited number of individuals, provided the Data Protection Authority has been informed.

Recent developments also have important implications for transatlantic data transfers: the Court of Justice of the European Union issued a judgement in the Max Schrems case (6 October 2015), declaring the EU-US Safe Harbor scheme invalid. Businesses relying on Safe Harbor have been given until the end of January 2016 to re-assess their choice of international data transfer solution. Meanwhile, talks involving the European Commission are ongoing in respect of a Safe Harbor version 2.0. It remains to be seen what the full implications of this decision will be.

Foreign Data Requests

Under the Regulation, a new restriction, separate and independent from other provisions on data transfers, will apply to foreign data requests: any judgement of a non-EU court or authority requiring the disclosure of personal data will only be recognised or enforceable if based on an international agreement (e.g. a mutual legal assistance treaty) between the relevant Member State and the requesting country. This provision has the potential to hinder an international business's global compliance programme and litigation.

Conclusion

The proposed Regulation will likely be formally adopted in the coming months, with implementation in 2018. As such, businesses have approximately two years to bring their policies and procedures into compliance with the requirements under the proposed Regulation. As a first step, businesses should determine whether their processing falls within the scope of the proposed Regulation. If a business finds it is subject to the strict privacy requirements under the proposed Regulation, it should undertake a gap analysis of its current data privacy practices against the new requirements and rights under the proposed Regulation. This will include, for example, a review of the business's existing data breach reporting procedures (including a review of third-party agreements), developing a procedure to ensure privacy impact assessments are carried out as required, a review of any profiling activities to assess compliance with the proposed restrictions, and appointing a Data Protection Officer where required.

[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[2] Data protection authorities are the national authorities of each EU Member State tasked with the protection of data and privacy in Europe.

Additional Resources

Sidley Austin - Top Ten Data Protection and Privacy Issues to Watch in 2016

Sidley Austin - The Second Edition of The Privacy, Data Protection and Cybersecurity Law Review is Now Available

European Data Protection Supervisor - Priorities 2016, Completing the Data Protection Framework, 16 December 2015

Sidley Austin - European Court of Justice Finds 'Right to be Forgotten' and Compels Google to Remove Links to Lawful Information

Sidley Austin - ICO Orders Google to Remove Links

Sidley Austin - Google Inc. v. Vidal-Hall: Opening the Doors to EU Data Protection Litigation?
