In December we reported on the EU Commission's unofficial
draft of the reform of the European Data Protection Directive
95/46/EU. On 25 January 2012 the Commission's official proposal for the Regulation was
presented. We have analysed this 119-page draft and have summarised
its main aspects in this Newsletter. Although there will be further
changes to the draft before its envisaged entry into force in
2015/2016, the decisive legislative phase begins now, with the
possibility for interest groups to exert their influence.
On the whole, the Regulation is essentially in line with the law
applicable in Germany to date. Nevertheless, there will be numerous
significant amendments in future:
- There are substantial amendments concerning the scope
of application. The Regulation shall apply to private
enterprises directly and throughout Europe, so the German
Federal Data Protection Act [Bundesdatenschutzgesetz,
BDSG] will no longer apply to them. The geographic
scope of application will be extended, i.e. the Regulation will
also apply to non-European enterprises insofar as the offering of
their goods or services is aimed at EU citizens. It is expected
that the definition of personal data will be extended, thereby
widening the material scope of application.
- The range of duties of enterprises will be
extended: Any processing of personal data will still be subject to
the need of authorisation, with it being understood that the
statutory authorisation criteria substantially correspond to those
of the BDSG. Several points are to be clarified with respect to
consent, which does not constitute a major change in relation to
German law, but will provide for greater equality within Europe.
Moreover, in future enterprises will have to observe the
accountability principle, i.e. ensure compliance with data
protection law by means of internal guidelines and corporate
processes, document such compliance and, in cases of doubt, also
furnish proof to this effect. In addition thereto, preventative
data protection measures will be distinctly increased. Besides an
obligation to carry out a data protection impact assessment in case
of sensitive data processing, general principles are to be
introduced for structuring data processing systems in a manner
compliant with data protection law (privacy by design, privacy
by default).
- In order to cut through red tape, most of the
disclosure, notification and approval obligations are being
abolished, with it being understood that these already do not apply
at present in Germany if an enterprise has appointed a company data
protection officer. Measures to ease the burden upon small and
medium-sized enterprises are to be introduced, in particular the
obligation to appoint a company data protection officer will be
confined to enterprises with at least 250 employees. Both this and
the express possibility of appointing a group data protection
officer should provide distinct relief.
- Restrictions are expected in the advertising
industry and in the area of profiling, which is a
particularly common practice on the Internet. At least the consent
requirement for marketing measures that was discussed in the
unofficial draft has already been transformed into an opt-out
right.
- Collaborations with other enterprises must
always be contractually regulated, even if they are both
controllers. Contracts with processors are to resemble the
requirements laid down thus far in the BDSG on a pan-European
level.
- The rights of data subjects are to be
reinforced. This will give rise to a variety of
implementation difficulties in practice, for example with respect
to data processing transparency requirements, to simple technical
means of providing information, and to the newly introduced rights
"to be forgotten" and to "data portability".
- The previously applicable system and instruments for
transfers to third countries outside of the
European Economic Area will essentially be maintained, with the aim
here being to make more flexible instruments available.
- Finally, stricter data protection supervision
can be expected. Hence, the competencies of the national
supervisory authorities are being standardised and strengthened,
and the international cooperation and coordination between the
European data protection authorities is being regulated and
simplified.
- Lastly, drastic fines of up to 2% of the worldwide annual
turnover of the respective enterprise are to be introduced.
Please find below more detailed information on the new provisions and answers to the following questions:
1) What are the primary aims of the reform of data protection
law?
2) What is the legislative procedure and when will the Regulation
enter into force?
3) What European acts will be introduced and to whom will they
apply?
4) Will the Regulation only apply to European enterprises?
5) Will the definition of personal data change?
6) Which general basic principles will apply?
7) What are the requirements for declarations of consent?
8) What does "accountability principle" mean?
9) What about the bureaucratic notifications etc. in future?
10) Who requires a company data protection officer and what has to
be borne in mind in this connection?
11) What are the restrictions concerning (direct) marketing and
profiling?
12) What needs to be considered in cooperations with third
parties?
13) What are the changes to technical and organisational
measures?
14) How will the rights of data subjects change?
15) What does "right to be forgotten" and "right to
data portability" mean?
16) When can data be transferred to third countries?
17) What relief is available to small and medium-sized
enterprises?
18) What supervisory authorities will there be in Germany?
19) How should the supervisory authorities cooperate at European
level?
20) What are legal consequences of breaches and what will the fines
be?
1) What are the primary aims of the reform of data protection law?
The primary aims of the EU Commission's reform of data protection law are: greater harmonisation of the law to simplify the international traffic of data with applicability throughout the EU (recitals 6, 7, 8), alignment with technical developments and globalisation (recital 5), increasing the users' trust in the offering of goods and services on the Internet (recital 6), abolition of bureaucratic obstacles (recital 70) as well as a more efficient enforcement of the law by data subjects and supervisory authorities (recitals 6, 10).
2) What is the legislative procedure and when will the Regulation enter into force?
In 2010 the EU Commission presented its first deliberations on
the reform of data protection law, followed by a public
consultation. The unofficial draft of the Directorate-General for
Justice of the EU Commission announced in December 2011 partially
came up against severe criticism from other Directorates. The
official draft therefore contains numerous changes vis-à-vis
the unofficial draft (e.g. concerning the right to be forgotten and
the right to data portability, the approval obligation for the
provision of personal data to courts and authorities of third
countries, the consent requirement for direct marketing or the
declarations of consent of data subjects).
The proposals are now being presented to the European Council of
Ministers and the European Parliament. These institutions must
subsequently approve the draft, which will doubtlessly have changed
yet again. The time until its entry into force depends on the
number of required readings in the European Parliament. It is
expected not to enter into force until probably 2013 or 2014. The
present draft provides for a two-year transition period between its
announcement in the European Law Gazette and the date of its entry
into force. Hence, this cannot be expected before 2015 or
2016.
3) What European acts will be introduced and to whom will they apply?
In order to achieve a greater harmonisation of data protection
law in the Member States, private enterprises are to be governed by
a directly applicable EU Regulation with numerous executive acts of
the EU Commission. Internationally operating enterprises in
particular will then be able to apply the same law within the EU.
The German Federal Data Protection Act will therewith (essentially)
expire for the private sector. However, according to the previous
proposal, the E-Privacy-Directive 2002/58/EU is not being touched,
which would mean that there will still be a patchwork of
regulations at European level in the important telecommunications
and telemedia sectors.
Part of the data protection package which has now been presented is
also an EU Directive (which we do not address in greater detail) for
data protection in the public sector, which also regulates the
competencies of supervisory authorities (financial supervisory
authorities, cartel authorities, etc.) and law enforcement
authorities. At least insofar, the German Federal Data Protection
Act and the corresponding data protection laws of the
Länder in Germany will retain their right to
exist.
4) Will the Regulation only apply to European enterprises?
To date, the territoriality principle was the jurisdictional
basis for international applicability, i.e. European data
protection law was only applicable if the controller either had its
seat in the European Union or if the technical equipment for the
data processing (in particular servers) was located there.
Especially with respect to the Internet giants (Facebook, Google,
Apple etc.), difficulties arose in individual cases as to whether
European data protection law was actually applicable and protected
European citizens.
This is to change. Pursuant to Art. 3 (2), the Regulation shall
also apply to non-European enterprises as long as the offering of
their goods or services is targeted at EU citizens (e.g. Facebook)
or they monitor the behaviour of EU citizens. In this case, controllers
from third countries (with a few exceptions) will have to designate
a representative in the European Union (Art. 25).
In practical terms, this will lead to the question of when such
"targeting" exists. The official draft contains very
little interpretation aid in this respect (recital 20). The
unofficial draft (recital 15), however, gave the following as
criteria: internationality of the offering of goods or services,
use of a top-level domain of the respective country or presenting
the offering of goods or services in the corresponding language and
currency of the country. Such jurisdictional bases are familiar to
German parties who apply the law, for example from international
competition law. The "monitoring of the behaviour" will
include techniques frequently used on the Internet such as tracking
and profiling (recital 21), which should cover the use of these
techniques for advertising purposes.
The fact is that the scope of application of the Regulation is
particularly far-reaching, and this gives rise to the question of how
the Regulation is going to be enforced against enterprises without a
registered seat or branch office in the EU (possibly via the
representative to be appointed).
5) Will the definition of personal data change?
Following the Regulation, it will hardly be possible to uphold
the subjective definition of personal data that has been
represented by prevailing opinion in Germany to date: pursuant
thereto, the existence of personal data (and therewith the
applicability of data protection law) could be negated if the
respective holder of the data was unable to create a link to a
specific person with the means available to him. The basis for the
definition in the Regulation (Art. 4 (1), (2)), in contrast, is
only whether the holder or a third party can establish the personal
link. This broadens the definition of personal data, in particular
on the Internet and for the advertising sector.
On the other hand, it expressly states (recital 24) that technical
identifiers such as IP addresses or information stored in cookies
do not always have to contain a personal reference, rather that
this must be examined in the individual case.
6) Which general basic principles will apply?
The general basic principles (Art. 5) for all types of
processing are to be included virtually without change
vis-à-vis the previous Directive and will be supplemented by
additional elements such as transparency, data economy and the
comprehensive responsibility of the controller.
The most relevant authorisation criteria for practical and routine
work purposes (Art. 6) are to remain essentially unaltered:
consent, performance of a contract, legitimate business interests,
fulfilment of statutory obligations, protection of vital interests,
public interest. There will still be special consent criteria for
sensitive data (Art. 9). At least with respect to employee data,
the Regulation will give enterprises an advantage: here, the
processing of sensitive data (e.g. sick notes) will be permitted in
the required scope, whereas the FDPA has thus far contained no
clearly relevant consent criterion (possibly on grounds of a
deficient transformation of the present Directive into German
law).
Moreover, in various parts of the Regulation the personal data of
children (recital 29) is placed under particular protection (in
particular in Arts. 6 (1) (f), 8, 11 (2), 17 (1), 33 (2) (d), 38
(1) (e), 52 (2)).
Besides the general consent criteria, there will be special
(national) regulations for the freedom of expression and for
journalism (Art. 80), the processing of personal data concerning
health (Art. 81), processing in the employment context (Art. 82),
processing for statistical and scientific research purposes (Art.
83), in relation to professional secrecy obligations of lawyers,
tax advisors, auditors, doctors etc. (Art. 84) as well as religious
associations (Art. 85). Opening up specific areas for regulation by
the national legislators, in particular with respect to the
processing of personal data concerning health and processing in the
employment context could, contrary to initial expectations (or
hopes), result in a German data protection act regulating
processing in the employment context (should such still come)
"outliving" the EU Regulation. However, particularly in
view of the ECJ decision dated 24 November 2011 (docket no.
C-468/10 and C-469/10), this raises the question of the extent to
which such legislation may deviate from the provisions of the
Regulation (recital 124). The ECJ had decided that the purpose of
the Data Protection Directive 95/46/EC was full harmonisation, that
it is fundamentally exhaustive and that further-reaching
restrictions of the permissible handling of personal data in
national regulations could be prohibited.
7) What are the requirements for declarations of consent?
The requirements for declarations of consent will be regulated
in greater detail: The Regulation demands an explicit affirmative
expression of intent by declaration or other confirmative action
(Art. 4 (8)). This therewith excludes consent through mere silence
(recital 25). Whereas this has already been the rule pursuant to
German law to date, this was handled more generously by other
European countries. A big advantage from a German perspective will
be that the written form requirement of the BDSG will no longer
apply.
Whereas the unofficial draft still provided that, in accordance
with previous practice of the European supervisory authorities,
consents of employees should generally be invalid, the present
draft contains a more general provision to the effect that a
consent can be invalid in case of a severe imbalance between the
position of the data subject and the controller (Art. 7 (4)).
Special rules apply to declarations of consent of children below
the age of 13 (Art. 8), and the EU Commission intends to define
more closely here how one can prove that valid consent has been
given.
8) What does "accountability principle" mean?
The Directive will introduce a general accountability principle.
It will be intriguing to see where exactly this will be reflected
in German law. The terms "liability" or
"responsibility" cannot adequately describe this concept,
but are fundamental elements pursuant to Art. 5 (f). However, the
Regulation will additionally provide for an "obligation to be
accountable" and "verifiability": The controller
must ensure and be able to demonstrate compliance with data
protection (Art. 5 (f)). What is meant hereby in particular is that
enterprises are to ensure compliance with data protection law
through internal guidelines and procedures (Art. 22). The data
processing and measures must be (comprehensively) documented and
verifiable (Art. 28), with the information demanded in this
connection partially being extremely similar to that of the current
German register of processing operations.
It remains to be seen whether this will ultimately lead to
additional substantive obligations pursuant to German law, for a
well-run enterprise is currently also well advised to take
corresponding preventative measures and to document such
measures.
The introduction of this control mechanism has been met with
criticism, however: in other legal circles (e.g. pursuant to
Canadian data protection law (PIPEDA) or pursuant to the APEC
Privacy Framework) the accountability principle has given
enterprises flexibility. There, enterprises must define their
mutual responsibilities within the scope of a cooperation. The
draft Regulation, in contrast, upholds the previous differences in
the roles (data processor, controller) and additionally imposes
these measures upon the enterprise.
9) What about the bureaucratic notifications etc. in future?
A major aim of the reform of data protection law is to cut
through unnecessary red tape. Both enterprises and data
protection authorities criticise the countless and always differing
obligations to disclose, notify and obtain consent which currently
exist in Europe and which afford data subjects little if any
protection (recital 70). In Germany, for example, hardly anyone has
inspected the officially run notification register. The extensive
abolition of notification obligations would therefore represent a
major facilitation vis-à-vis previous practice. Only in
particularly high-risk cases does an obligation exist to notify, or
to obtain authorisation, on a standard form that has yet to be
drafted by the EU Commission (Art. 34).
It is questionable whether the goal of cutting through the red tape
will truly be achieved, as the density of regulations will
doubtlessly increase: The draft Regulation encompasses 91 Articles
(as opposed to the ca. 50 sections of the BDSG, which are
applicable to private enterprises). This is to be supplemented by
26 executive regulations and forms which can be adopted by the EU
Commission ("delegated acts" in the sense of Art. 86).
Although their purpose of standardising certain notifications,
investigations, etc. is understandable (recitals 129-131), it is
unlikely that the volume of required "paper" will decline.
10) Who requires a company data protection officer and what has to be borne in mind in this connection?
For enterprises with at least 250 employees (or smaller
enterprises, insofar as their core activity comprises the regular,
systematic monitoring of data subjects), a pan-European obligation
to designate a data protection officer is to be introduced (Art. 35).
Unlike in Germany, such designation has not been obligatory to date
in the majority of other European countries.
In Germany, the 250-employee threshold will give rise to
discussions because a data protection officer already has to be
designated as of ten employees pursuant to the BDSG. From the
enterprise's perspective, this increased threshold can
fundamentally be welcomed, although the interest groups of the data
protection officers in Germany naturally do not share this opinion.
Especially in case of small businesses, it proved to be difficult
if not impossible to develop sufficient data protection expertise
amongst one's own staff. However, small and medium-sized
enterprises are nevertheless required to comply with data
protection law. Whether or not they can achieve this without a
company data protection officer will indeed be up to them under the
Regulation.
A positive development is the express regulation of the following
issues that are presently either controversial or unclear:
- In a group of undertakings the same person can be appointed
data protection officer for various group enterprises (group data
protection officer).
- Conflicts of interest with other activities of the data
protection officer must be avoided.
Other areas are regulated in an identical or similar manner to German law: appointment according to expertise, protection against dismissal during the term of office (with a minimum term of office of two years), obligation to involve the data protection officer in matters concerning data protection, his functional independence and a direct link to the management as well as the provision of reasonable equipment (Art. 36), duties such as clarification, checks, contact point vis-à-vis the supervisory authorities (Art. 37).
11) What are the restrictions concerning (direct) marketing and profiling?
Far-reaching restrictions can be expected in the area of
marketing and profiling. Firstly, this applies to the requirements
in respect of direct marketing measures. The unofficial draft still
demanded express consent in this case (Article 6.2). This would
have meant that the statutory consent criteria (for example the
exceptions to date in Sec. 28 para. 3 BDSG) would no longer be
applicable. Instead, Article 19 (2) now envisages a right of
revocation, as was the case in previous law (with it being
understood that the provisions in Sec. 7 German Unfair Competition
Act [Gesetz gegen den unlauteren Wettbewerb, UWG] on a
consent requirement in case of specific forms of direct marketing
remain unaffected hereby). Still, the law in Germany will become a
lot simpler compared to the current Sec. 28 (3) BDSG.
It will be interesting to see how the requirements of clear and
easily accessible information and a simple possibility of
exercising the right of revocation will be implemented in practice.
New solutions are especially demanded in the area of online
advertising where, as we had mentioned above, the provisions of the
E-Privacy Directive 2002/58/EC are primarily to apply in any event
as opposed to the Regulation. Above all, Art. 5 para. 3, as
revised by Directive 2009/136/EG, generally requires prior
informed consent for all cookies. The Article 29 Data Protection
Working Party has already made specific proposals on its
implementation in WP 188 in dialogue with the online advertising
industry.
There will be a general provision on the permissibility of
profiling (Article 20). According hereto, automated profiling which
has a legal impact upon the data subject and which refers to his
work performance, financial situation, location, health, personal
preferences, reliability or behaviour, may only be conducted for
purposes of performance of contract or on grounds of a consent.
Whereas this subject has already been legislated in full in the
BDSG through the reforms in the year 2009 for the case of scorings,
it is questionable what effect this requirement will have in other
areas of life, in particular, whether a profiling for advertising
purposes will fall under its scope. The similarity of the terms in
the provisions on profiling ("analyse
behaviour") and in the definition of the scope of
application in Art. 3 ("monitor behaviour")
would suggest this, because the monitoring of behaviour on the
Internet is to include frequently used techniques such as tracking
and profiling (recital 21).
12) What needs to be considered in cooperations with third parties?
If several enterprises act as controllers in a data processing
operation, they must clearly define their responsibilities in
contractual form (Art. 20). It is unclear what the consequences
will be if they do not do so or if they exceed their contractually
defined powers (but where another consent criterion applies).
Whereas the unofficial draft still provided that in cases of doubt
they are to be seen as (joint) controllers and are jointly and
severally liable, the Regulation now lacks any regulation of the
consequences. However, the general provision in Art. 77 applies,
which provides for a joint and several liability for damages
irrespective of such agreements.
For commissioned data processing, the need for a written contract
and its minimum content will now be stipulated at European level, as
already provided for in Sec. 11 para. 2 BDSG. Under the Regulation,
as is the case in the BDSG, the consent of the principal will be
required for the engagement of sub-contractors. Great value is
placed upon the stipulation of the principal's instructions (in
writing), and a commissioned data processor will itself become
the controller if it fails to follow these instructions
(Article 26 (4)).
13) What are the changes to technical and organisational measures?
The obligation to implement appropriate technical and
organisational measures (Article 30) does not fundamentally
represent a change. However, the EU Commission is to be given a
possibility of stipulating measures for specific sectors and in
specific data processing situations more precisely, in particular
to define the respective state of the art. These are welcome
specifications which will make it easier for enterprises to
understand the specific requirements.
New activities must be included in the data protection measures
when preparing internal planning. Firstly, when planning or setting
up systems, services or offers, a structure that is data-protection
compliant, or even data-protection friendly, must always be chosen
(privacy by design, privacy by default, Art. 23).
Moreover, in case of planned processing in particularly sensitive
cases (which will be clearly listed and will, for example, include
the processing of special types of personal data) a documented
assessment of the impact upon data protection is required (data
protection impact assessment) (Art. 33). If the assessment
concludes that there are high risks, authorisation from or
consultation with the data protection authorities is required (Art.
34).
As in the first draft, the Regulation envisages the possibility
that industries can issue branch-specific codes of conduct (Art.
38), although it is still unclear whether individual enterprises
gain tangible advantages through the use of such codes of conduct
(apart from a certain degree of legal certainty gained from the
opinion issued by the supervisory authority). The situation is
similar in case of national and pan-European certifications (Art.
39): It is still doubtful whether it will be possible to agree on a
certification mechanism at European level more quickly than in
Germany (most recently the draft bill for the reform of the BDSG
2009, which encompassed a data protection audit act, failed due to a
lack of agreement on practical measures), and what (legal)
advantages can be gained through certification.
14) How will the rights of data subjects change?
The rights of data subjects are to be reinforced: The principle
of transparency has priority (Art. 11). This is particularly
necessary in the area of online advertising, e.g. for the data used
in behavioural targeting (recital 46). Left unclear insofar is
whether or not the E-Privacy Directive 2002/58/EU still
applies.
It will be possible to assert rights to information on standard
forms and in electronic form (Art. 12). Controllers' duties to
inform or notify data subjects will be implemented using simple
technical means and are to be extended in terms of storage
duration, rights to lodge a complaint, international transfers and
the origin of data (Art. 14).
There will be more precise requirements in the area of judicial
remedies for data subjects. Starting with a right to lodge a
complaint (Art. 73) and right to a judicial remedy against
supervisory authorities directly (Art. 74), i.e. administrative
legal proceedings, and extending to judicial remedies against
controllers and processors (Art. 75), comprehensive principles are
to be established. In each case the provisions will take into
consideration that, within the meaning of the uniform handling or
interpretation of the Regulation, all data subjects are also
entitled to take action against decisions in other Member States.
Moreover, compulsory legal process is envisaged in cases of dispute
(Art. 76). Ultimately, a right to lodge a complaint is also
expressly introduced for consumer protection organisations (recital
114) (Art. 73 (2)).
15) What does "right to be forgotten" and "right to data portability" mean?
The Regulation envisages entirely new rights: For example, there
will be a "right to be forgotten and to erasure" (Art.
17), particularly on the Internet (relevant above all in social
networks and search engines). These obligations will give rise to
many questions concerning their practical implementation. It is
unclear, for example, whether the "right to be forgotten"
only covers data which are stored by a provider itself or stored on
the basis of this offer by third parties on other web servers (e.g.
search engines). The provision contained in the original unofficial
draft has been distinctly relaxed, as it remains unclear how a
provider can influence what data is stored by others. Still, in the
event of the publication of personal data, a provider must inform
third parties of the erasure request and remains responsible for
the erasure if he has given the third party permission to publish
(recital 54).
The Regulation also envisages a right to the transfer of data,
or "data portability" (Art. 18),
which will be of relevance, for example, in case of cloud computing
or outsourcing. Compared to the unofficial draft, the right to the
transfer of data has been confined to commonly used data
formats.
16) When can data be transferred to third countries?
The requirements for ensuring an adequate level of data
protection when transferring personal data to third countries
outside the European Economic Area (EEA) have been fundamentally
upheld. However, the Regulation clarifies (Art. 40) that these
principles also apply to further transfers, so-called
"onward transfers".
The Regulation still provides for the following mechanisms, with a
few changes, with it being understood that previous decisions of
the EU Commission (for example on the recognition of safe third
countries, safe harbour or standard contracts) will remain in force
(recital 134):
- Recognition of an adequate level of protection in third
countries by the EU Commission, with the criteria and competencies
of the EU Commission now being expressly regulated (Art. 41). New,
first of all, is that individual parts or sectors of a third
country can also be recognised; secondly, however, that transfers
to certain third countries can be prohibited (recitals 80,
82).
- Recognition of binding corporate rules ("BCRs") in
groups of undertakings by the supervisory authorities (Art. 43). In
contrast to the Directive (or Sec. 4c BDSG), the Regulation
contains criteria on their content. It remains to be seen to what
extent the newly envisaged coordination process via the
European Data Protection Board with its (simple) majority
system in decisions will function in comparison with previous
mutual recognition procedures (cf. most recently WPs 153, 154 and
155 of the Article 29 Data Protection Working Group). A
considerable development is that BCRs will also be possible for
processors in future, which should be of considerable practical
relevance in the areas of outsourcing and cloud computing in
particular.
- In all other respects, too, there will be an increase in
standard contractual provisions. Here, as was previously the case,
the EU Commission shall be empowered to adopt such
standard contracts (Art. 42 (2) (b)). Additionally, it will be
possible for national supervisory authorities to propose clauses
with pan-European validity (Art. 42 (2) (c)), which then have to be
coordinated and adopted by the EU Commission.
- The pleading of statutory exceptions (similar to Sec. 4c para.
1 BDSG) is still possible (Art. 44). An important factor in this
connection is that – in less frequent or massive cases
(recital 88) – a transfer should be possible if
prevailing legitimate interests exist (Art. 44 (h)).
- Finally, there is still the possibility of obtaining
authorisation from the national authorities in an individual case
(Art. 42 (5)).
The EU Commission shall also be empowered to encourage international cooperation with third countries and international organisations in order to facilitate the exchange of data with third countries (Art. 45). The unofficial draft still contained a provision, severely criticised by other Directorates of the EU Commission, pursuant to which controllers were only allowed to comply with court judgements or decisions of authorities of third countries insofar as the supervisory authorities agreed to this. This restriction, which is of major practical relevance, has since been dropped, in particular because other Directorates pointed out that it would make the present cooperation with other supervisory authorities (cartel authorities, financial supervisory authorities) distinctly more difficult and would make a relationship based on mutual trust impossible, especially with the USA.
17) What relief is available to small and medium-sized enterprises?
The burden upon small and medium-sized enterprises (SMEs) is to be relieved in accordance with the aims of the EU Commission (recital 11), i.e. there are several exceptions for enterprises employing fewer than 250 people. For example, they are generally released from the obligation to designate a data protection officer. Additionally, the documentation required for accountability purposes pursuant to Art. 28 does not have to be provided. Enterprises from third countries do not have to designate a representative in the EU. For such enterprises, supervisory authorities can issue a mere warning instead of imposing sanctions.
18) What supervisory authorities will there be in Germany?
The enforcement of the legal provisions shall be reinforced at
national level by independent supervisory authorities with
far-reaching powers. There will be no fundamental change here, and
the previous supervisory authorities could remain in operation. In
that case, however, a German representative would have to be
designated at European level, and the adherence of the other data
protection authorities (which are not themselves represented at
European level) to that representative's decisions would have to
be regulated by law (Art. 46). In addition, there will be detailed
provisions (Arts. 47-50) on the independence of, and the
requirements to be fulfilled by, the data protection authorities.
The ECJ had already criticised the lack of independence of several
German authorities in its decision dated 9 March 2010. The
official duties pursuant to the Regulation (Arts. 51, 52) encompass
far-reaching powers ranging from comprehensive rights to
information and data (Art. 29) to the right to order a party to
refrain from processing or transferring data (Art. 53) and to the
sanctions (cf. below). Noteworthy in this connection is that where
a processor or controller is situated in several Member States,
one supervisory authority shall be deemed the lead authority ("one
stop shop", recital 97).
As has already been essentially implemented in Germany in Sec. 42a
BDSG, in case of personal data breaches the controller shall have a
comprehensive obligation to alert and inform the authorities of the
breach (Art. 31) and to thereafter communicate such personal data
breach to the data subject (Art. 32). The notification period
vis-à-vis the authorities of 24 hours after having gained
knowledge of the breach will lead to difficulties in practice. Even
if a corresponding breach is immediately noticed, in large
organisations it will doubtlessly be difficult to meet this
deadline. Now at least, in contrast to the unofficial draft, the
Regulation provides the possibility of excusing any delays with
reasoned justification. However, this only works if the
company's own organisation has fundamentally established an
adequate internal reporting system (recital 68).
19) How should the supervisory authorities cooperate at European level?
In order to ensure a uniform application and enforcement of the
law, the cooperation and coordination of the supervisory
authorities of various states amongst themselves and with the
Commission are to be distinctly intensified and institutionalised
(Arts. 55 – 72).
The authorities will be obliged to exchange information, provide
administrative assistance and to cooperate effectively (Art. 55).
Should administrative assistance not be given (or not be given in a
timely manner), a provision is made for escalation procedures
before the European Data Protection Board. Various national
supervisory authorities are to be able to carry out joint
investigative tasks (joint operations, Art. 56). In this
connection, the host authority can even transfer executive powers
to a seconding authority. The exercise of sovereign rights by
foreign authorities in Germany and a corresponding liability will
doubtlessly still need to be measured against German constitutional
law.
For the cooperation between the supervisory authorities and with
the Commission, a consistency mechanism shall be introduced (Arts.
57 – 63). Cross-border matters are to be coordinated with
the European Data Protection Board and the EU Commission, i.e.
under certain circumstances the supervisory authority will have to
give consideration to their opinion (Arts. 58 and 59).
The European Data Protection Board (Arts. 64 – 72), as
successor to the previous Article 29 Data Protection Working Group,
consists of the head of a supervisory authority of each Member
State and of the European Data Protection Officer. Its tasks
include the coordination and preparation of opinions and
recommendations; however, it has few decision-making powers of
its own.
20) What are the legal consequences of breaches and what will the fines be?
As under previous law, a compensation claim exists (Art. 77),
although it is aimed only at the compensation of material
damages. Where several parties are involved (irrespective of
whether they are controllers and/or processors), they are jointly
and severally liable.
The respective Member States will be able to introduce penalties
(Art. 78). Moreover, pursuant to Art. 79 the supervisory
authorities will be given the competence to impose fines. Unlike
the original unofficial draft, the supervisory authorities will
here have both the possibility of and the obligation to determine
and grade the penalties according to various criteria. The
Regulation then contains a catalogue listing various offences
which can be graded and fined according to their gravity. At the
lowest level a penalty of up to EUR 250,000 or, in the case of an
enterprise, up to 0.5 % of its annual worldwide turnover may be
imposed; at the second level up to EUR 500,000 or, in the case of
an enterprise, up to 1 % of its annual worldwide turnover; and in
the severest cases up to EUR 1 million or, in the case of an
enterprise, up to 2 % of its annual worldwide turnover. The
severest level also encompasses, for example, purely formal
offences such as the failure to designate a data protection
officer or a lack of internal data protection guidelines. The
annual turnover is in each case that of the respective enterprise
which committed the breach.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.