EU Commission sends draft EU General Data Protection Regulation and Directive on Criminal Investigations and Judicial Proceedings to the European Parliament

This post was written by Cynthia O'Donoghue and Nick Tyler

The European Commission today completed its task of reforming the EU Data Protection Directive by sending a draft Regulation to the European Parliament. The draft Regulation contains comprehensive reforms and seeks to harmonise data protection laws across the 27 EU Member States, and to enhance EU citizens' privacy protections in the age of the Internet.

There will be two tiers of compliance obligations and sanctions, with one aimed at small- to medium-sized enterprises and the other at large, multinational organizations. SMEs are entitled to certain exemptions to ease administrative burdens, such as no requirement to appoint a data protection officer and a sanctions cap of up to €1 million. Multinationals with more than 250 employees in the EU will have to appoint a data protection officer and may face sanctions of up to 2 percent of worldwide annual turnover for serious breaches. Multinationals outside the EU will also have to comply with the data protection rules if they seek to market products and services to EU citizens.

Key provisions include:

  • A single notification to the data protection authority in the country where an organization has its principal establishment. There remains an obligation to notify and seek prior authorization for a range of processing activity considered to present specific risks, such as systematic and extensive profiling and large-scale video surveillance.
  • An accountability principle for those processing personal data, including impact assessments for SMEs and top-down accountability for all organisations.
  • Data breach notification to the national data protection authority, if feasible within 24 hours, and to individuals if there is a risk of harm.
  • Increased individual control over personal data, including a requirement to obtain explicit consent before data may be processed rather than consent being assumed, and the ability to refer matters to the data protection authority in the individual's own country even if the data is processed by a company based outside the EU.
  • Data portability, meaning that individuals will have easier access to their own data and will be able to transfer it from one service provider to another more easily.
  • A right to be forgotten, allowing individuals, including children, to have their data deleted if an organization does not have any legitimate grounds for retaining it. The right provides exemptions for legitimate historic data such as newspaper archives, and seeks to balance the right to privacy with the right to free speech.

The sanction regime has at least been watered down from the draft Regulation circulated in November 2011, which had proposed sanctions of up to 5 percent of worldwide annual turnover.

There have been some ‘business-friendly’ changes to the draft Regulation as compared with the earlier November draft. The proposal for an opt-in for commercial marketing has been substituted with an opt-out, and the provisions relating to children’s privacy now require parental consent for children under the age of 13, rather than 18.
In addition, while there is an emphasis on binding corporate rules for international data transfers outside of the EU, contractual clauses, EU standard contracts, and findings of adequacy, as well as international commitments by countries or international organizations such as U.S. Safe Harbor, will still apply. Given the changes contemplated under the draft Regulation, existing international data transfer mechanisms may need to be reviewed and amended if the draft Regulation is adopted.
The new European Data Protection Board will no longer act as a supernational regulator in relation to approving enforcement actions and sanctions as proposed in the November version of the draft Regulation. Instead, its powers will be limited to ensuring consistent application of the Regulation without the power to overrule decisions in individual cases.
The Commission's proposed draft Regulation and accompanying Directive now go to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. The Regulation will only take effect two years after adoption by the European Parliament, and we would expect further changes as it makes its way through the legislative process. That means any changes are probably close to three years down the road.

"Stick, Twist or Bust?" UK Minister warns EU Commission not to gamble with the future direction of data protection law.

This post was written by Cynthia O’Donoghue and Nick Tyler.

The UK Minister responsible for government policy on data protection has raised concerns about any proposed “radical rewrite” of the EU Data Protection Directive.

Kenneth Clarke, Lord Chancellor and Secretary of State for Justice, called for both flexibility and a common-sense solution to modernising data protection law. He recognised that “technology has moved on” and that future EU regulation of data protection must address the “broader landscape” without getting caught up in “endless” debate “over the details”.

The flagging at this stage of some fundamental UK opposition to a number of specific reforms does not bode well for a happy consensus emerging from the EU-wide negotiations to follow the hotly anticipated publication of the EU Commission proposals:

What are seen as ‘Bad Ideas’?

  • A new “right to be forgotten” – Worried about its impact on both business and the public, Mr Clarke made it plain that he wants the “right to be forgotten” to be forgotten!
  • Revision of the Data Retention Directive – Mr Clarke staunchly defended the ability of law enforcement authorities across the world to collect, retain and pool data to improve security, in spite of concerns from privacy regulators and advocates.
  • EU extra-territoriality – While acknowledging the aspirational “idea that European standards [of data protection] should apply to any firm processing EU citizens’ data anywhere in the world”, Mr Clarke was withering in his assessment that, on purely legal grounds, the European Commission must be “wrong”:

“I see little sign that the Commission has thought about this sufficiently yet. And how on earth are you going to enforce EU [data] protection on a global basis?”

Any ‘Good’ Ideas?

The Accountability Principle and Binding Corporate Rules – referring to the UK’s consultation on revision of the EU Data Protection Directive, Mr Clarke backed a more business-friendly solution:

“. . . [W]e should consider moving from a system which restricts information based on national standards of data protection, to a system based on the standard of data protection of the particular company involved – far more relevant to modern methods of business.”

Raising the Stakes for the Future of EU Data Protection?

The UK Government position appears to be against a move toward harmonization. In Mr Clarke’s view, sticking to a set of shared principles and values, which at present are implemented and enforced in 27 different ways, would allow each country to be true to its own “constitutional and cultural identities”:

“. . . let’s learn to understand each other’s legal systems better, not rewrite our respective statutes and codes from scratch.”

This is a challenging prospect for global businesses trying to understand and comply with local law variations across Europe. They can only hope that the future EU data protection regime delivers some significant improvements to work with, and avoids the imposition of bad ideas in the form of arbitrary, additional and onerous obligations.