After the leak of a work document published on the internet site "www.statewatch.org" at the end of November 2011, the European Commission has issued its official proposal for a regulation on "the protection of individuals with regard to the processing of personal data and on the free movement of such data" (the "Proposal") on 25 January 2012 (see also the European Commission's press release of 25 January 2012).
One of the main reasons for the change are the divergences amongst EU Member States with respect to the implementation and enforcement of the existing rules that are laid down in Directive 95/46/EC (the "Directive"). This also explains why the European Commission has chosen to adopt the new rules under the form of an EU regulation which will be directly applicable in the legal orders of the EU Member States without further implementation. The rapiddevelopment of new technologies and the globalisation further called for a modernisation of the existing rules.
The Proposal builds on the key drivers of the current EU data protection rules, but, if accepted in its actual version, it would substantially alter the existing regulatory framework on the following points:
- a widening of the geographical scope of application to data controllers not established in the EU,
- a reinforcement of the rights of data subjects (introducing a right "to be forgotten", a right to portability, ...),
- new obligations for data controllers (introducing an obligation to carry out an impact assessment for high risk data processing, an obligation to report data leaks, an obligation to appoint a data protection officer for large companies, ...), as well as the abolition of the national notification regimes,
- new powers for the national supervisory authorities and the creation of a European Data Protection Board.
1. Widening of the geographical scope of application
One of the most striking changes suggested by the Proposal is the radical extension of the geographical scope of the EU data protection rules to controllers which are not established in the EU. They will be subject to these rules to the extent that they offer goods or services to data subjects in the EU or monitor the behaviour of the latter. Controllers located in third countries which do not offer an adequate level of protection will be obliged, in certain cases, to designate a representative within the EU.
2. Reinforcement of the rights of data subjects
The Proposal would introduce in favour of the data subjects:
- a right to be forgotten, including the right to obtain erasure of personal data held or made public by the controller (e.g., on the Internet).
- a right to portability, including the right for data subjects to obtain from the controller a copy of their data in a format which enables them to transfer the data to another controller.
- a restrictive definition of consent, which, if required, must be explicit (whilst a more implicit form of consent could in some case be sufficient under the current Directive provisions). The Proposal clearly states that consent to data processing must be distinguished from consent to be given in the context of another matter (e.g., when adhering to general terms and conditions). The Proposal further provides that consent will not constitute a legal basis for the processing where there is a significant imbalance between the position of the data subject (e.g., consumers and employees) and the controller, in which event the latter must find other legitimate reasons than the data subject's consent in order to process personal data. The initial idea to have a general opt-in regime for commercial direct marketing, which figured in the unofficial leaked version, has not been withheld.
- a specific protection for children below the age of 13, when the processing relates to the offering of information society services, imposing requirements concerning the nature of the information to be provided to children as well as their consent (which can only be valid when given or authorised by their parents or custodian).
3. New obligations for data controllers and processors and administrative simplification
As to the obligations for data controllers and processors, the Proposal would introduce:
- an explicit reference to the principle of transparency as well as to the data minimisation principle according to which data controllers must limit the processed personal data to the minimum necessary and be able to demonstrate that the purpose of the processing cannot be fulfilled by other less restrictive means.
- the obligation for data controllers to carry out an impact assessment where processing operations by virtue of their nature, scope and purposes are likely to put the rights of data subjects at risk.
- the abolishing of national notification regimes whereby which a prior authorisation still can be required in certain limited cases and a prior consultation procedure where the processing presents a specific risk for the data subjects.
- the obligation to report data breaches to the supervisory authority within 24 hours, and in certain cases, to the data subjects, when the data breach can "adversely affect" the protection of the personal data or privacy of the data subject.
- the obligation to appoint a data protection officer i.a. for companies having more than 250 employees.
- a general accountability obligation according to which controllers must always be able to demonstrate the compliance of their processing with the regulatory framework.
- the obligation for processors to implement appropriate security measures irrespective of the contract with the controller, as well as the obligation to notify personal data breaches to the controller.
- a new possibility, under certain conditions, to transfer data to third countries not offering an adequate level of protection when the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor.
4. Reinforcement of regulatory bodies
On a procedural level, the Proposal would introduce:
- new powers for national supervisory authorities, including the power to examine complaints lodged by data subjects and to severely sanction administrative offences (up to 1 million EUR or 2 % of the worldwide turnover in case of serious breaches). The cooperation between national supervisory authorities is also significantly reinforced.
- the creation of a European Data Protection Board replacing the Article 29 Data Protection Working Party (an advisory board on EU level); the new board will consist of the heads of the supervisory authorities of all EU Member States and the European Data Protection Supervisor, and will have more powers.
It should be kept in mind that it is likely that the provisions of the Proposal will be subject to changes throughout the EU legislative process - which could last more or less two years - as several of the proposed new provisions most probably will give way to discussion.
If accepted in its current version, the Proposal will certainly impose more obligations on economic operators processing personal data and will introduce rather severe sanctions. Some of the newly introduced obligations already existed according to the practice of some national supervisory authorities, e.g. the obligation to report of data breaches, and/or to the opinions of the Article 29 Data Protection Working Party, but they would at least get a clearer legal basis if the Proposal were to be accepted.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.