On February 29, 2012, Hogan Lovells partners Quentin Archer, Roger Tym and Winston Maxwell hosted a London workshop aimed at collecting comments for the UK Ministry of Justice’s public consultation on the proposed EU privacy Regulation.
Workshop participants were particularly interested in the concept of a single data protection authority (DPA) having responsibility for a company’s activities throughout Europe. Would companies pick their country of "main establishment" as a function of which DPA they think would be the most lenient? Would the "home" DPA have discretion to fix the amount of fines?
Quentin Archer commented on the fact that different DPAs currently have different concepts of what constitutes personal data, and it is unclear whether these different interpretations would be eliminated under the Regulation.
Roger Tym led a discussion on the proposed consent requirements. The proposed standards for obtaining explicit consent are so stringent, Tym said, that companies may in the future wish to avoid relying on consent as a basis for processing. An interesting question from one of the participants in the workshop was whether banks would have to obtain new consents from their customers or whether consents already obtained would remain valid.
Roger Tym’s remarks on the data breach notification rules elicited a number of comments. Would data breach notifications lose their effectiveness if customers receive too many of them? How can a company notify a data protection authority within 24 hours when it may take several weeks to fully understand the nature of a data breach and its potential consequences?
Quentin Archer stressed that the new obligations on data controllers will create significant costs for businesses and that it is not clear that the Commission has fully taken these additional costs into account in its impact assessment. A number of large corporations will already have data protection officers and "accountability" procedures in place, but for many businesses, this would be an entirely new concept.
Winston Maxwell pointed out that the proposed Regulation would apply to some businesses outside the EU, but the criterion of "offering goods and services" to EU residents seems to be different from "targeting EU users," the standard developed by the European Court of Justice for IP infringement.