New Article by Hogan Lovells Partner Examines Proposed EU Regulation

On February 13, 2012, Paris Office partner Winston Maxwell published an article in the French trade journal Edition Multimedi@. The article examines the European Commission's proposed regulation on data protection, focusing on:

  •  the Commission's choice of a Regulation as opposed to a Directive;
  •  the new obligations that would be imposed on companies, including:
    • the accountability principle;
    • Privacy by Design; and
    • the obligation to conduct privacy impact assessments (PIAs) for certain kinds of processing.

The article describes:

  •  the proposed changes to the rules on applicable law, which are designed to bring certain non-European websites within the scope of European privacy rules;
  •  the proposed "right to be forgotten"; and
  •  the right to data portability.

The original French version of the article, published in Edition Multimedi@, is available here.

European Commission Releases Official Draft of Groundbreaking Data Protection Regulation

This blog post was provided by Quentin Archer, a partner in the London office of Hogan Lovells.

The European Commission today published its proposal for a new Data Protection Regulation. The Regulation, which is not likely to come into force before 2014, is intended to harmonise data protection law in all 27 EU Member States and thus remove current differences which have proved problematic for business and individuals. Upon final passage of the Regulation, the current 1995 Data Protection Directive will be repealed.

Though considerably longer than the 1995 Directive, the Regulation does not provide a complete code. Much will be left to detailed legislation delegated to the Commission which will no doubt emerge over the next two years.

Key features of the new Regulation include the following:

  1. Individuals and organisations will only need to deal with one supervisory authority, located in the country of their main establishment or residence, rather than the fragmentary jurisdiction currently provided by the Directive. The Commission has heralded this as providing a "one-stop shop."
  2. Organisations outside the EU will be subject to its provisions if they process personal data to offer goods or services to EU residents, or to monitor their behaviour. Organisations that fall within its scope must, subject to certain exceptions, appoint a representative in the EU.
  3. A new principle of accountability will require data controllers to demonstrate their compliance with the law by maintaining extensive documentation on their processing, implementing appropriate security requirements and performing impact assessments when required. This replaces the current requirement of notification. While this removes one bureaucratic procedure, it appears to replace it with something no less time consuming.
  4. Organisations with more than 250 employees will need to appoint independent data protection officers whose principal task is to monitor the data processing of the organisation.
  5. There are new rights to have data deleted (the "right to be forgotten") and to move data from one service to another ("data portability") which will have a particular effect in relation to social media.
  6. Obligations to provide information to data subjects, and to document that information, are expanded and enhanced.
  7. Data breaches must be reported to supervisory authorities without undue delay and where feasible within 24 hours. Serious breaches must also be reported to individuals affected.
  8. Binding corporate rules are expressly recognised in the Regulation as an appropriate form of compliance for international transfers. They will be subject to approval by only one supervisory authority, thus shortening the current very long approval process.
  9. Where consent is to be a ground for data processing, it must be explicit. Implied consent will no longer be possible. Once given, consent can be withdrawn at any time.
  10. Fines may be imposed by supervisory authorities for breaches, reaching up to 2% of an organisation's annual turnover in the most serious cases.

An earlier draft of the Regulation was leaked in late November, and there are several differences between that draft and the final version. In particular, there is no requirement for consent to direct marketing in all cases, no provision that compliance with orders of non-EU courts for production of personal data will be unlawful without official sanction, no minimum fines, and the maximum fine is 2% of turnover rather than 5%. In her press conference today, however, Vice-President Viviane Reding, EU Commissioner for Justice, denied that there had been any watering down of her own initial proposals.

The draft Regulation now has to enter the political process of the EU Co-Decision Procedure under which agreement will need to be reached between the European Parliament and the Council. There is no certainty as to how long that process may take, but there will undoubtedly be considerable debate over the coming months.

Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

EU privacy law is under scrutiny and proposals for change are coming. The European Commission (EC) last year announced an upcoming reform of the EU Data Protection Directive (95/46/EC), which was a hot topic of last week's IAPP Europe Data Protection Congress in Paris (in which Hogan Lovells privacy lawyers from around the world participated). Changes are anticipated near the end of January. Some of the details of those changes, however, have emerged earlier than expected, as this week the EC circulated for comment two proposed legal instruments that likely will form the baseline of the EU's data protection framework for years to come.

The first legal instrument is a draft General Data Protection Regulation, which sets forth a general framework for EU data protection and is intended to replace the 16-year-old Data Protection Directive with a region-wide regulation. The fact that the instrument is fashioned as a regulation is significant. Under EU law, a regulation is directly applicable in every Member State without national implementing legislation, whereas a directive must be transposed into national law by each individual EU Member State. A frequent criticism of the Data Protection Directive was that the EU Member States enacted and applied it differently, leading to uneven implementation and forum shopping. By changing the format to a regulation, there is less room for variation between the Member States, which in theory should lead to greater certainty for EU citizens and organizations.

The draft Regulation contains a number of significant changes to the Data Protection Directive, particularly in the areas of (1) jurisdiction, governance, and cross-border transfers, (2) data subject rights, (3) data controller/processor obligations, and (4) remedies, liability, and sanctions. These changes include:

Jurisdiction / Governance / Cross-Border Transfers

  • The declaration that EU data protection law applies to data controllers outside of the EU when processing activities are “directed to” or “serve to monitor the behaviour of” EU data subjects, including for commercial or professional services such as offering products or services. Factors to be considered when determining whether processing activities are “directed to” EU data subjects include (a) the international nature of the activities; (b) the use of a language or a currency other than the language or currency generally used in the country in which the controller is established; and (c) the use of a top-level domain (e.g., “.co.uk” or “.com”) other than that of the country in which the controller is established.
  • The use of Binding Corporate Rules (BCRs) to legitimize intra-company cross-border data transfers to countries without data protection laws deemed “adequate” by the EC would be streamlined and extended, including the use of BCRs to cover data processors and groups of companies, and with an eye to covering cloud computing. Unlike the current process, in which BCRs must be reviewed by at least three DPAs (one “lead” and two “reviewers”) and some Member States require additional authorization, BCRs would be validated only by one lead DPA. Once a BCR is validated by the lead DPA, it would be valid for the whole EU without needing authorization from any other Member State.
  • Each data controller or processor will be subject only to the enforcement jurisdiction of the one data protection authority (DPA) of the Member State in which the organization has its "main establishment," which is where the organization's "central administration" in the EU is located. This usually will be where the organization makes its management decisions regarding the purposes, conditions, and means of processing personal data.
  • DPAs would be obligated to carry out investigations and inspections upon request from other DPAs and to mutually recognize each other's decisions. Rules are provided for joint operations and operations by one Member State within another Member State's territory.
  • To ensure consistent application of the Regulation, the Article 29 Working Party would be replaced by an independent "European Data Protection Board" that, in addition to the Working Party's current duties, would have the authority to issue official opinions regarding the interpretation of the Regulation. These opinions would be subject to the review of the EC.

Data Subject Rights

  • To process personal data for any commercial direct marketing purpose, organizations would need to obtain the explicit, opt-in consent of the data subject.
  • Where consent is used to legitimize data processing (even outside the marketing context), it would need to be explicit, opt-in consent. Moreover, consent would not be valid where there is a “significant imbalance” in power between the data subject and data controller. The prime example of this is in the employment relationship. These rules essentially would be a codification of parts of this past summer’s Article 29 Working Party opinion on consent.
  • The creation of a “right to be forgotten” that would permit data subjects to request that data controllers erase all personal data relating to them and abstain from further disseminating that information, unless there are legitimate grounds to retain the data. In a particularly controversial portion of this proposal, data controllers would be required to “ensure the erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service which allows or facilitates the search of or access to this personal data.” This proposal is in line with recent statements made by EU authorities regarding the retention of data on social networking sites. Some have doubted the ability to “ensure” such complete erasure, especially when much of the content on the public Internet is shared and backed up.
  • The creation of a right to portability, through which data subjects would be able to request a copy of their stored data and move it from one service provider to another, without hindrance.

Data Controller/Processor Obligations

  • Data controllers would be required to notify data breaches to both the individuals concerned and data protection authorities within 24 hours of the breach being discovered (although notification to individuals would be required only when the breach "is likely to adversely affect the protection of the personal data or privacy" of the individual, a limitation not present in the obligation to notify the data protection authority). Currently, EU law only requires Member States to enact laws creating a breach notification obligation for telecommunications operators (which some Member States have yet to enact), although some Member States (such as Austria and Germany) do have security breach notification requirements for data controllers other than telecom operators.
  • Data controllers would be required to minimize the volume of personal data that they collect and process, and to set default settings so that user personal data will not be made public by default.
  • Data controllers and data processors would be required to appoint a data protection officer if (a) they employ over 250 employees or (b) their “core activities” require “regular and systematic” monitoring of data subjects.
  • Prior to processing personal data in a way that is “likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes,” organizations would be required to conduct a data protection impact assessment. The draft Regulation does not define exactly what processing would fall into this definition, though it does list a few examples that “likely” would, including (a) running automated models to analyze or predict a person’s performance at work, creditworthiness, economic situation, location, health, personal preferences, reliability, or behavior, where the result will affect the data subject; (b) the processing of certain types of sensitive data; (c) conducting video surveillance; and (d) utilizing large-scale filing systems containing genetic, biometric, or children’s data.
  • The elimination of the obligation of organizations to generally notify data protection authorities of any automatic processing of personal data, replacing it with an obligation to maintain documentation on processing operations under their responsibility.

Remedies, Liability, and Sanctions

  • Data subjects, and qualified public interest groups on behalf of data subjects or themselves, would have the right to lodge complaints either with DPAs or courts for violations of the Regulation. Currently, some Member States’ DPAs do not have such authority.
  • The creation of three levels of fines for intentional or negligent violations of the Regulation, with the maximum penalty for certain offenses being 5% of an organization’s annual worldwide turnover.

Besides the Regulation, the second legal instrument released is a draft Police and Criminal Justice Data Protection Directive. This directive sets forth rules relating to cross-border transfer and other processing of personal data for law enforcement purposes, with an eye toward facilitating the sharing of this information between law enforcement agencies while still complying with data protection law. Though this Directive is directed toward law enforcement and not the private sector, it does apply where personal data may be required and used by law enforcement authorities (e.g., data related to bank transfers, data collected when buying an airline ticket, traffic and telecommunications data), so it will have at least a tangential effect on the private sector.

Notably, these instruments are just preliminary drafts, and may differ when the EC releases the official drafts, which is still slated to happen in January. Even then, the drafts still will need to be debated and passed before coming into law, a process which is likely to take at least a couple of years. Therefore, there is still time for these legal instruments to be significantly modified before they are ultimately adopted.

Looking Back at the eG8

In a recent article Christopher Wolf looks back at the eG8 conference and pleads for better transatlantic cooperation on privacy matters, explaining the tension between U.S. First Amendment traditions, and certain European proposals including the right to be forgotten.

French Parliamentary Commission Recommends Privacy Law Reform Citing Testimony of Hogan Lovells Privacy Lawyer

After a year of hearings, including meetings in Washington with the FTC and DOJ, a French parliamentary commission released its findings on the protection of individual rights in the digital revolution. The 384-page report from the French National Assembly covers a broad range of issues linked to data protection, including specific recommendations on EU privacy law reform. Hogan Lovells partner Winston Maxwell testified before the parliamentary commission and the commission cited Winston's testimony in connection with the commission's recommendations on the "right to be forgotten," privacy by design, and net neutrality.

The parliamentary commission found that the "right to be forgotten," while an attractive concept, covers a broad range of different situations, and that the key element of the "right to be forgotten," i.e. that individuals have a right to access and to require the deletion of personal data about them, is already covered by existing law. Citing Maxwell's testimony, the commission concluded that the creation of a new "right to be forgotten" does not appear necessary from a legal standpoint. On the issue of privacy by design, the commission recommended that Europe invest heavily in privacy-enhancing technology, and use privacy by design to create a competitive edge for European industry.

The commission issued several recommendations on cloud computing, including a startling suggestion that future legislation should prohibit cloud services located outside the EU from storing sensitive data, such as health data, genetic data, data about children, and financial data. Prohibiting cloud services based outside the EU from handling sensitive data could create a major barrier to the development of cloud computing for the financial services industry and health care industry. The commission also recommended that cloud service providers be required to conduct security audits, and that French and European authorities conduct impact assessments on the risks of cloud computing conducted outside the EU. 

The commission recommended that the Article 29 Working Party be given a budget and personnel of its own in order to ensure the group's independence. Echoing recommendations of the European Commission, the parliamentary commission urged reform of the rules on applicable law, citing diverging court decisions in France on the question of whether French data protection rules apply to Google.  

In an unexpected twist, the French parliamentary commission supported the use of a European Regulation in reforming European privacy rules, so as to ensure proper harmonisation of rules throughout Europe. This recommendation seems surprising coming from members of parliament because national parliaments generally want to maintain freedom to interpret EU rules, and a Directive, as opposed to a Regulation, gives Member States this freedom. Finally, the parliamentarians urged the French government to initiate diplomatic action to encourage the adoption of a new international treaty on data protection, under the auspices of the United Nations. The parliamentary commission echoed remarks of Hogan Lovells partner Christopher Wolf made at the eG8 conference in Paris, finding it highly regrettable that the eG8 had been organized without inviting a single data protection authority to speak.

French Senators propose data breach legislation; restrictions on cookie use

On November 6, 2009, French Senators Détraigne and Escoffier introduced a bill that would impose new data breach obligations, as well as strengthen the sanctioning power of the French data protection authority, the CNIL. Senators Détraigne and Escoffier delivered a report on privacy in the digital age last May on behalf of the Senate's committee on legislation, and the new bill is a follow-up on the measures recommended in the May report.

The proposed new bill would:

  • State that "any address or number identifying terminal equipment connected to a communications network" is personal data.  This provision is intended to end the debate in France on whether IP addresses are personal data.  Unfortunately, the effect of the proposed provision could be that in the future IP addresses of any device or object connected to the Internet, even a box of cereal, will be viewed as personal data;
  • Require that government agencies and certain companies appoint a data protection officer;
  • Increase notification obligations of data controllers before they process personal data;
  • Impose an opt-in regime for cookies unless they are strictly needed for communication purposes or to permit access to an online service;
  • Impose a broad security obligation on data controllers and an obligation to inform the CNIL of any data breaches.  The proposed language contains no minimum threshold after which a breach would be deemed significant enough to warrant a notification;
  • Facilitate data subjects' ability to request deletion of personal data; and
  • Increase the CNIL's sanctioning powers, and allow victims of privacy violations to bring suit before their own local court instead of being obligated to sue in the court where the data controller is located.

The provisions facilitating data subjects' ability to access and delete personal data are part of a broader French government campaign to create a citizen's "right to be forgotten" on digital networks. French Digital Minister Nathalie Kosciusko-Morizet organized a roundtable on the "right to be forgotten" on November 12, 2009, and indicated that the French government would raise the issue at the Internet Governance Forum in Sharm El-Sheikh.

Debates on the text will begin in March 2010. It is not clear whether the proposed bill will be supported by the French government, which may prefer to defer legislation on some of the issues until final adoption of the revised ePrivacy Directive. Given the recent statements of Digital Minister Nathalie Kosciusko-Morizet on the "right to be forgotten" on the Internet, it is likely that the provisions facilitating a citizen's right to access and delete personal information on the Internet will receive the immediate support of the French government, and this could result in legislation fairly soon.