On January 25, 2012, the EU Commission proposed a comprehensive reform of existing EU data protection rules.

Whereas the aim of the draft is to simplify existing legislation, which the draft does i.a. via the abolition of the obligation to notify all data processing to the various national data protection authorities, the draft does create several new rights for data subjects as well as new obligations for companies doing business in Europe. These may become very onerous for companies and may create new compliance concerns for multi-national operations.

The new obligations include an obligation to notify the national supervisory authority of serious data breaches without undue delay (if feasible, within 24 hours ...) and the obligation to appoint a Data Protection Officer for companies employing 250 employees or more and for companies involved in "risky processing."

Also, whenever consent is required for data to be processed, it will have to be given explicitly, which may have a significant impact on current practices (where consent is often assumed or obtained implicitly, via general terms and conditions of sale).

The draft also provides for a general obligation on companies to adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the Regulation.

In case of violation, the draft Regulation introduces important (administrative) sanctions. For non-intentional first offences by certain controllers, the national supervisory authorities may still send a warning letter. For other violations and/or violations by certain other controllers, the supervisory authorities shall immediately impose penalties of up to €1 million or up to 2% of the global annual turnover of a company.

The EU Commission's proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. It is the EU Commission's intention to work closely with the European Parliament and the Council to ensure an agreement on the new data protection framework by the end of this year, but it is likely that this will take more time. The Regulation will enter into force the twentieth day after its publication in the EU Official Journal and take effect two years after that date.

It is likely that there will still be various changes to the present text. However, it is clear that the final text will in any event have a serious impact on the way companies doing business in Europe – including companies not established in the EU, but offering goods or services in the EU or monitoring the online behavior of citizens - will be able to process personal data.

EU Commission proposes new General Data Protection Regulation including new obligations for companies and strong enforcement rules

1. On January 25, 2012, the EU Commission proposed a comprehensive reform of existing data protection rules.

The core of the currently existing EU data protection legislation, EU Directive 95/46/EC, was adopted more than 15 years ago. At that time, the internet was still in its infancy. Technological progress and globalization have now profoundly changed the way personal data is processed and the amount of personal data that circulates around the globe. Moreover, the 1995 Directive has been implemented in the various Member States in different ways, leading to fragmentation and costly administrative burdens for companies, which currently still have to examine and comply with different obligations in the various Member States. Moreover, the powers of national data protection authorities are not harmonized enough to ensure consistent and efficient application of the rules.

This is why the EU Commission wants to update and modernize the principles enshrined in the 1995 Data Protection Directive.

With this proposal, the EU Commission wants to develop a stronger and more coherent data protection framework in the EU, backed by strong enforcement rules. The direct applicability of a Regulation should reduce legal fragmentation and provide greater legal certainty by introducing a harmonized set of rules.

The Regulation will apply to companies doing business in Europe, including companies not established in the EU, but offering goods or services in the EU or monitoring the online behavior of citizens.

2. Key changes in the proposed reform include:

2.1. Scope

  • A single set of rules on data protection will be imposed via a Regulation valid across the EU and no longer via a Directive, which had to be implemented by the various Member States. This will put an end to the cumulative application of different national data protection laws.
  • The new EU rules will apply to companies not established in the EU, when they offer goods or services in the EU or monitor the online behavior of citizens.

2.2. A few important changes for companies doing business in the EU

  • The current obligation for companies to notify all their data processing activities to the various data protection supervisors in the different Member States is removed. According to the EU Commission, this simplification alone would result in net savings of €130 million per year in terms of administrative burdens alone. Whereas it may be true that the abolition of the notification duty may save money, we anticipate that cost for compliance with other obligations in the proposed Regulation may very well reverse those savings.
  • Instead of the notification duty, the Regulation provides for increased responsibility and accountability for the entities processing personal data (as a controller or as a processor). For example, companies must notify the national supervisory authority of serious data breaches without undue delay (if feasible, within 24 hours ...) and, if the data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the data subjects concerned. This obligation to notify serious data breaches within 24 hours (and to provide all the data required such as the details of the data lost, a description of the consequences of the breach and steps taken to mitigate those consequences), does not seem to be very realistic.
  • Instead of having to deal with a national data protection authority in each Member State where a company does business, companies will only have to deal with a single national data protection authority, i.e. in the EU country where they have their main establishment.
  • There will be a general obligation on companies to adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the Regulation. This will without a doubt lead to increased compliance costs.
  • Companies employing 250 employees or more appoint a data protection officer. Companies which do not reach this threshold but which are involved in processing operations which, by virtue of their nature, their scope or their purpose, present specific risks to the rights and freedoms of individuals ("risky processing") should also appoint a data protection officer. A group of undertakings may appoint a single data protection officer.
  • Companies involved in risky processing should also carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ("Data Protection Impact Assessments").
  • Wherever consent is required for data to be processed, it will have to be given explicitly, rather than assumed as is sometimes the case now. This means that a data subject's consent should be based either on a statement or a clear affirmative action by the person concerned and should be given freely. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented in a form distinguishable in its appearance from this other matter. This means that current practices to obtain consent via statements in the general terms and conditions of companies, will no longer be sufficient.
  • Data flows to third countries outside the European Economic Area will, according to the EU Commission, be made easier by reinforcing and simplifying rules on international transfers. However, the restriction of transferring personal data to countries outside the EEA that are not considered to provide an adequate level of protection (including the United States) is maintained. Next to transfers to countries covered by an adequacy decision of the EU Commission, transfers via appropriate safeguards (binding corporate rules, EU standard contractual clauses) are provided. There do not seem to be significant changes. The changes are, inter alia, that the EU Commission may recognize the adequacy of certain sectors within a third country.
  • The "privacy by design principle" is introduced to make sure that data protection safeguards are taken into account at the planning stage of procedures and systems. Hence companies should, both at the time of the determination of the means of processing and at the time of the processing itself, implement appropriate technical and organization measures and procedures.
  • Under the 'right to be forgotten' data subjects will be able to ask for the deletion of their data if there are no legitimate grounds for retaining it. The controller, who has made the personal data public, will be under the obligation to take all reasonable steps to inform third parties which are processing such data, that a data subject requested them to erase any links to, or copy or replication of, that personal data. The controller who has authorized a third party publication of personal data shall be considered responsible for that publication.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). They have a right to be provided with a copy of that data in a commonly used format.

2.3. Other important changes

  • The Members States, supervisory authorities and the EU Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the Regulation. Associations and other bodies representing categories of controllers or processers in one Member State may submit them for an opinion of the supervisory authority, and associations and other bodies representing categories of controllers or processers in several Member States may submit draft codes to the EU Commission which may adopt implementing acts which stipulate that these have general validity within the Union.
  • The Members States and the EU Commission shall encourage the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided.
  • The new Regulation focusses specifically on the protection of the personal data of children, for which specific conditions apply.
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

2.4. Powers of the national data protection authorities - enforcement and judicial remedy

  • The national data protection authorities will be strengthened so they can better enforce the EU rules. The national data protection authorities will be empowered to i.a. (i) notify the controller or processor of an alleged breach and, where appropriate, order them to remedy that breach in a specific manner, (ii) order the controller or processor to comply with a data subject's request, (iii) warn or admonish the controller or processor, (iv) order the rectification, erasure or destruction of data when processed in breach of the Regulation, (v) impose a temporary or definitive ban on processing, (vi) suspend data flows to a recipient in a third country and (vii) impose administrative sanctions on companies that violate EU data protection rules.

    The latter can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • Data subjects will have a general right to judicial remedy against controllers or processors if they consider that their rights have been infringed. Proceedings shall be brought before the courts of the Member State where the controller or processor has an establishment and, alternatively, before the courts of the Member State where the data subject has its habitual residence.
  • Bodies, organizations or associations which aim to protect the data subject's rights shall have the right to initiate legal actions on behalf of one or more data subjects, which opens the door for class actions.

Although reducing complexity is one of the aims of the proposed Regulation, the present proposal seems to go too far in the direction of imposing yet another set of prescriptive measures towards companies.

It is the EU Commission's intention to work closely with the European Parliament and the Council to ensure an agreement on the new data protection framework by the end of this year. It is therefore likely that there will still be various changes to the present text. However, it is clear that the final text will in any event have a serious impact on the way companies doing business in Europe – including companies not established in the EU, but offering goods or services in the EU or monitoring the online behavior of citizens - will be able to process personal data. Businesses should already consider implementing systems and structures in line with what can be expected to become obligatory in the years to come.

The Regulation will enter into force the twentieth day after its publication in the EU Official Journal but will only take effect two years after that date.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.