This blog post was provided by Quentin Archer, a partner in the London office of Hogan Lovells
The European Commission today published its proposal for a new Data Protection Regulation. The Regulation, which is not likely to come into force before 2014, is intended to harmonise data protection law in all 27 EU Member States and thus remove current differences which have proved problematic for business and individuals. Upon final passage of the Regulation, the current 1995 Data Protection Directive will be repealed.
Though considerably longer than the 1995 Directive, the Regulation does not provide a complete code. Much will be left to detailed legislation delegated to the Commission which will no doubt emerge over the next two years.
Key features of the new Regulation include the following:
- Individuals and organisations will only need to deal with one supervisory authority, located in the country of their main establishment or residence, rather than the fragmentary jurisdiction currently provided by the Directive. The Commission has heralded this as providing a "one-stop shop."
- Organisations outside the EU will be subject to its provisions if they process personal data to offer goods or services to EU residents, or monitor their behaviour. If they are subject to its rules, then subject to certain exceptions they must appoint a representative.
- A new principle of accountability will require data controllers to demonstrate their compliance with the law by maintaining extensive documentation on their processing, implementing appropriate security requirements and performing impact assessments when required. This replaces the current requirement of notification. While this removes one bureaucratic procedure, it appears to replace it with something no less time consuming.
- Organisations with more than 250 employees will need to appoint independent data protection officers whose principal task is to monitor the data processing of the organisation.
- There are new rights to have data deleted (the "right to be forgotten") and to move data from one service to another ("data portability") which will have a particular effect in relation to social media.
- Obligations to provide information to data subjects, and to document that information, are expanded and enhanced.
- Data breaches must be reported to supervisory authorities without undue delay and where feasible within 24 hours. Serious breaches must also be reported to individuals affected.
- Binding corporate rules are expressly recognised in the Regulation as an appropriate form of compliance for international transfers. They will be subject to approval by only one supervisory authority, thus shortening the current very long approval process.
- Where consent is to be a ground for data processing, it must be explicit. Implied consent will no longer be possible. Once given, consent can be withdrawn at any time.
- Fines may be imposed by supervisory authorities for breaches, reaching up to 2% of an organisation’s annual turnover in the most serious cases.
An earlier draft of the Regulation was leaked in late November, and there are several differences between that draft and the final version. In particular, there is no requirement for consent to direct marketing in all cases, no provision that compliance with orders of non-EU courts for production of personal data will be unlawful without official sanction, no minimum fines, and the maximum fine is 2% of turnover rather than 5%. In her press conference today, however, Vice-President Viviane Reding, EU Commissioner for Justice, denied that there had been any watering down of her own initial proposals.
The draft Regulation now has to enter the political process of the EU Co-Decision Procedure under which agreement will need to be reached between the European Parliament and the Council. There is no certainty as to how long that process may take, but there will undoubtedly be considerable debate over the coming months.