European Commission Releases Official Draft of Groundbreaking Data Protection Regulation

This blog post was provided by Quentin Archer, a partner in the London office of Hogan Lovells.

The European Commission today published its proposal for a new Data Protection Regulation. The Regulation, which is not likely to come into force before 2014, is intended to harmonise data protection law in all 27 EU Member States and thus remove current differences which have proved problematic for business and individuals. Upon final passage of the Regulation, the current 1995 Data Protection Directive will be repealed.

Though considerably longer than the 1995 Directive, the Regulation does not provide a complete code. Much will be left to detailed legislation delegated to the Commission which will no doubt emerge over the next two years.

Key features of the new Regulation include the following:

  1. Individuals and organisations will only need to deal with one supervisory authority, located in the country of their main establishment or residence, rather than the fragmentary jurisdiction currently provided by the Directive. The Commission has heralded this as providing a "one-stop shop."
  2. Organisations outside the EU will be subject to its provisions if they process personal data to offer goods or services to EU residents, or monitor their behaviour. If they are subject to its rules, then subject to certain exceptions they must appoint a representative.
  3. A new principle of accountability will require data controllers to demonstrate their compliance with the law by maintaining extensive documentation on their processing, implementing appropriate security requirements and performing impact assessments when required. This replaces the current requirement of notification. While this removes one bureaucratic procedure, it appears to replace it with something no less time-consuming.
  4. Organisations with more than 250 employees will need to appoint independent data protection officers whose principal task is to monitor the data processing of the organisation.
  5. There are new rights to have data deleted (the "right to be forgotten") and to move data from one service to another ("data portability") which will have a particular effect in relation to social media.
  6. Obligations to provide information to data subjects, and to document that information, are expanded and enhanced.
  7. Data breaches must be reported to supervisory authorities without undue delay and where feasible within 24 hours. Serious breaches must also be reported to individuals affected.
  8. Binding corporate rules are expressly recognised in the Regulation as an appropriate form of compliance for international transfers. They will be subject to approval by only one supervisory authority, thus shortening the current very long approval process.
  9. Where consent is to be a ground for data processing, it must be explicit. Implied consent will no longer be possible. Once given, consent can be withdrawn at any time.
  10. Fines may be imposed by supervisory authorities for breaches, reaching up to 2% of an organisation's annual turnover in the most serious cases.

An earlier draft of the Regulation was leaked in late November, and there are several differences between that draft and the final version. In particular, there is no requirement for consent to direct marketing in all cases, no provision that compliance with orders of non-EU courts for production of personal data will be unlawful without official sanction, no minimum fines, and the maximum fine is 2% of turnover rather than 5%. In her press conference today, however, Vice-President Viviane Reding, EU Commissioner for Justice, denied that there had been any watering down of her own initial proposals.

The draft Regulation now has to enter the political process of the EU Co-Decision Procedure under which agreement will need to be reached between the European Parliament and the Council. There is no certainty as to how long that process may take, but there will undoubtedly be considerable debate over the coming months.

Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

EU privacy law is under scrutiny and proposals for change are coming.  The European Commission (EC) last year announced an upcoming reform of the EU Data Protection Directive (95/46/EC), which was a hot topic of last week’s IAPP Europe Data Protection Congress in Paris (in which Hogan Lovells privacy lawyers from around the world participated).  Changes are anticipated near the end of January. Some of the details of those changes, however, have emerged earlier than expected, as this week the EC circulated for comment two proposed legal instruments that likely will form the baseline of the EU’s data protection framework for years to come.

The first legal instrument is a draft General Data Protection Regulation, which sets forth a general framework for EU data protection and is intended to replace the 16-year-old Data Protection Directive with a region-wide regulation.  The fact that the instrument is fashioned as a regulation is significant. Under EU law, regulations have binding legal force as soon as they are passed, whereas directives must be enacted into law by each individual EU Member State.   A frequent criticism of the Data Protection Directive was that the EU Member States enacted and applied it differently, leading to uneven implementation and forum shopping. By changing the format to a regulation, there is less room for variation between the Member States, which in theory should lead to greater certainty for EU citizens and organizations. 

The draft Regulation contains a number of significant changes to the Data Protection Directive, particularly in the areas of (1) jurisdiction, governance, and cross-border transfers, (2) data subject rights, (3) data controller/processor obligations, and (4) remedies, liability, and sanctions. These changes include:

Jurisdiction / Governance / Cross-Border Transfers

  • The declaration that EU data protection law applies to data controllers outside of the EU when processing activities are “directed to” or “serve to monitor the behaviour of” EU data subjects, including for commercial or professional services such as offering products or services. Factors to be considered when determining whether processing activities are “directed to” EU data subjects include (a) the international nature of the activities; (b) the use of a language or a currency other than the language or currency generally used in the country in which the controller is established; and (c) the use of a top-level domain (e.g., “.co.uk” or “.com”) other than that of the country in which the controller is established.
  • The use of Binding Corporate Rules (BCRs) to legitimize intra-company cross-border data transfers to countries without data protection laws deemed “adequate” by the EC would be streamlined and extended, including the use of BCRs to cover data processors and groups of companies, and with an eye to covering cloud computing. Unlike the current process, in which BCRs must be reviewed by at least three DPAs (one “lead” and two “reviewers”) and some Member States require additional authorization, BCRs would be validated only by one lead DPA. Once a BCR is validated by the lead DPA, it would be valid for the whole EU without needing authorization from any other Member State.
  • Each data controller or processor will be subject to the enforcement jurisdiction of only one data protection authority (DPA): that of the Member State in which the organization has its “main establishment,” which is where the organization’s “central administration” in the EU is located. This usually will be where the organization makes its management decisions regarding the purposes, conditions, and means of processing personal data.
  • DPAs would be obligated to carry out investigations and inspections upon request from other DPAs and to mutually recognize each other’s decisions. Rules are provided for joint operations and operations by one Member State within another Member State’s territory.
  • To ensure consistent application of the directive, the Article 29 Working Party would be updated to an independent “European Data Protection Board” that, in addition to its current duties, would have the authority to issue official opinions regarding the interpretation of the Regulation. These opinions would be subject to the review of the EC.

Data Subject Rights

  • To process personal data for any commercial direct marketing purpose, organizations would need to obtain the explicit, opt-in consent of the data subject.
  • Where consent is used to legitimize data processing (even outside the marketing context), it would need to be explicit, opt-in consent. Moreover, consent would not be valid where there is a “significant imbalance” in power between the data subject and data controller. The prime example of this is in the employment relationship. These rules essentially would be a codification of parts of this past summer’s Article 29 Working Party opinion on consent.
  • The creation of a “right to be forgotten” that would permit data subjects to request that data controllers erase all personal data relating to them and abstain from further disseminating that information, unless there are legitimate grounds to retain the data. In a particularly controversial portion of this proposal, data controllers would be required to “ensure the erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service which allows or facilitates the search of or access to this personal data.” This proposal is in line with recent statements made by EU authorities regarding the retention of data on social networking sites. Some have doubted the ability to “ensure” such complete erasure, especially when much of the content on the public Internet is shared and backed up.
  • The creation of a right to portability, through which data subjects would be able to request a copy of their stored data and move it from one service provider to another, without hindrance.

Data Controller/Processor Obligations

  • Data controllers would be required to notify data breaches to both the individuals concerned and data protection authorities within 24 hours of the breach being discovered (although notification to individuals would be required only when the breach "is likely to adversely affect the protection of the personal data or privacy" of the individual, a limitation not present in the obligation to notify the data protection authority). Currently, EU law only requires Member States to enact laws creating a breach notification obligation for telecommunications operators (which some Member States have yet to enact), although some Member States (such as Austria and Germany) do have security breach notification requirements for data controllers other than telecom operators.
  • Data controllers would be required to minimize the volume of personal data that they collect and process, and to set default settings so that user personal data will not be made public by default.
  • Data controllers and data processors would be required to appoint a data protection officer if (a) they employ over 250 employees or (b) their “core activities” require “regular and systematic” monitoring of data subjects.
  • Prior to processing personal data in a way that is “likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes,” organizations would be required to conduct a data protection impact assessment. The draft Regulation does not define exactly what processing would fall into this definition, though it does list a few examples that “likely” would, including (a) running automated models to analyze or predict a person’s performance at work, creditworthiness, economic situation, location, health, personal preferences, reliability, or behavior, where the result will affect the data subject; (b) the processing of certain types of sensitive data; (c) conducting video surveillance; and (d) utilizing large-scale filing systems containing genetic, biometric, or children’s data.
  • The elimination of the obligation of organizations to generally notify data protection authorities of any automatic processing of personal data, replacing it with an obligation to maintain documentation on processing operations under their responsibility.

Remedies, Liability, and Sanctions

  • Data subjects, and qualified public interest groups on behalf of data subjects or themselves, would have the right to lodge complaints either with DPAs or courts for violations of the Regulation. Currently, some Member States’ DPAs do not have such authority.
  • The creation of three levels of fines for intentional or negligent violations of the Regulation, with the maximum penalty for certain offenses being 5% of an organization’s annual worldwide turnover.

Besides the Regulation, the second legal instrument released is a draft Police and Criminal Justice Data Protection Directive. This directive sets forth rules relating to cross-border transfer and other processing of personal data for law enforcement purposes, with an eye toward facilitating the sharing of this information between law enforcement agencies while still complying with data protection law. Though this Directive is directed toward law enforcement and not the private sector, it does apply where personal data may be required and used by law enforcement authorities (e.g., data related to bank transfers, data collected when buying an airline ticket, traffic and telecommunications data), so it will have at least a tangential effect on the private sector.

Notably, these instruments are just preliminary drafts, and may differ when the EC releases the official drafts, which is still slated to happen in January. Even then, the drafts still will need to be debated and passed before coming into law, a process which is likely to take at least a couple of years. Therefore, there is still time for these legal instruments to be significantly modified before they are ultimately adopted.

California Amends its Data Breach Notification Law

A new amendment to California’s security breach notification statute establishes specific content requirements for data breach notifications and imposes a new Attorney General notification requirement for breaches affecting more than 500 California residents. Senate Bill 24 (“SB 24”) was signed on August 31, 2011 by California governor Jerry Brown and will take effect January 1, 2012. Since 2003, when California enacted the first-of-its-kind data breach notification laws (Cal. Civ. Code §§ 1798.29 & 1798.82), California law has required any person, business or state agency that owns or licenses computerized data that includes certain personal information to notify individuals when there has been a breach of personal information, but it did not specify the type of information that should be contained in the notification. California now joins the ranks of several other states whose data breach notification laws contain breach notification content mandates.

SB 24 requires all breach notifications to include the name and contact information of the notifying person or entity and a list of the types of personal information compromised, or reasonably believed to have been compromised. The notifying person or entity must also provide the toll-free telephone numbers and addresses of the three major credit reporting agencies – TransUnion, Equifax and Experian – if the breach exposed a Social Security number, driver’s license number, or California identification card number. Notifications must also be written in “plain language” and provide a general description of the breach if this information has been determined.

If it is possible to determine at the time of the breach, the notification must provide the date of the breach, an estimated date of the breach, or a date range within which the breach occurred. Each notice should include the date of the notice. The notification must also state whether the notification was delayed because of a law enforcement investigation.  The law allows, but does not require, the person or business to provide information regarding what the person or business has done to protect individuals whose information has been breached and recommendations on how individuals can protect themselves.

Special requirements also apply to larger-scale breaches. The law requires any agency, person or business that notifies more than 500 California residents to submit a single sample copy of the notification - excluding any personally identifiable information - to the Attorney General. 

In addition, SB 24 provides that HIPAA covered entities following the HITECH Act breach notice requirements will be deemed in compliance with the SB 24 content requirements, but such entities will still have to comply with the Attorney General notice provision.

SB 24 follows recent proposals at the federal level to implement a nationwide data breach notification requirement. See our recent post here for more information.    

House Subcommittee Holds Hearing on Breach Notification Proposal

A House subcommittee held a hearing yesterday on the SAFE Data Act, a draft data security and breach notification bill that, among other things, would require businesses to minimize the amount of personal information they maintain about consumers and notify law enforcement within a very short time frame -- within 48 hours of discovering a breach. The draft legislation, which was presented by Rep. Mary Bono Mack (R-CA), is based upon a similar proposal that passed the House in 2009 but stalled in the Senate.

Rep. Bono Mack, the Chairman of the House Subcommittee on Commerce, Manufacturing, and Trade, called the draft bill “an upgraded, 2.0 version of data-security legislation, encompassing many of the lessons learned in the aftermath of massive data breaches at Sony and Epsilon, which put more than 100 million consumer accounts at risk.” The proposed legislation would:

  • Preempt the breach notification laws that have been passed in 46 states and the District of Columbia;
  • Require companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data (in accordance with regulations that would be issued by the FTC);
  • Require covered organizations to establish a data minimization plan providing for the elimination of consumers’ personal data that is no longer necessary for business purposes or other legal obligations;
  • Require the notification of law enforcement within 48 hours after discovery of a breach, unless the breach was an innocent or inadvertent breach unlikely to result in harm;
  • Require companies and other entities to notify the FTC and to begin notifying consumers 48 hours after completing an assessment of a breach (unless the assessment indicates that there is “no reasonable risk of fraud, identity theft, or other unlawful conduct” from the breach); and
  • Allow the FTC to issue regulations modifying the definition of “personal information.”  

These requirements would be enforced by the FTC and state attorneys general. The draft bill does not provide for a private right of action, and it specifically exempts from coverage entities subject to GLBA and HIPAA data security requirements. 

At yesterday’s hearing before the Subcommittee on Commerce, Manufacturing, and Trade—which also held a hearing on June 2 regarding the Sony and Epsilon breaches, as well as a general hearing on May 4 about the ongoing threat of data breaches to consumers—reactions to the Bono Mack proposal were mixed. FTC Commissioner Edith Rodriguez, a witness at the hearing, expressed concern that the draft bill did not set a specific deadline for the risk assessment that a company must complete following a breach. “There ought to be some form of cutoff period to ensure that consumers receive appropriate notification,” Rodriguez said.

One lawmaker criticized the draft bill’s data minimization requirements, noting that data about consumers may be retained for a long period of time for good reason, while others said the proposal went too far by giving the FTC authority to change the definition of personal information and by requiring notification when there is a “reasonable” risk of harm (instead of the narrower “significant” risk standard). 

If the draft legislation is formally introduced in the House—and Bono Mack has said she is hoping to move the bill through the chamber before the August recess—it will join a growing number of privacy and data security bills that have been introduced in Congress this year. Indeed, on the same day as the hearing on the Bono Mack proposal, Senators John Rockefeller and Mark Pryor introduced legislation that would also require companies to safeguard personal information and inform consumers in the event of a breach.  Separately on that day, Senators Al Franken and Richard Blumenthal introduced a bill that would require mobile device makers and app developers to obtain consumers’ express consent before collecting and sharing their location information.