
European Union: EU Commission Proposes New Data Protection Regulation Including Various New Obligations For Companies And Stringent Enforcement Rules

29 May 2012
Article by Frederik Van Remoortel

On January 25, 2012, the EU Commission proposed a comprehensive reform of existing EU data protection rules.

Whereas the aim of the draft is to simplify existing legislation, which the draft does i.a. by abolishing the obligation to notify all data processing to the various national data protection authorities, the draft also creates several new rights for data subjects as well as new obligations for companies doing business in Europe. These may become very onerous for companies and may create new compliance concerns for multinational operations.

The new obligations include an obligation to notify the national supervisory authority of serious data breaches without undue delay (if feasible, within 24 hours ...) and the obligation to appoint a Data Protection Officer for companies employing 250 employees or more and for companies involved in "risky processing."

Also, whenever consent is required for data to be processed, it will have to be given explicitly, which may have a significant impact on current practices (where consent is often assumed or obtained implicitly, via general terms and conditions of sale).

The draft also provides for a general obligation on companies to adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the Regulation.

In case of violation, the draft Regulation introduces important (administrative) sanctions. For non-intentional first offences by certain controllers, the national supervisory authorities may still send a warning letter. For other violations and/or violations by certain other controllers, the supervisory authorities shall immediately impose penalties of up to €1 million or up to 2% of the global annual turnover of a company.

The EU Commission's proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. It is the EU Commission's intention to work closely with the European Parliament and the Council to ensure an agreement on the new data protection framework by the end of this year, but it is likely that this will take more time. The Regulation will enter into force the twentieth day after its publication in the EU Official Journal and take effect two years after that date.

It is likely that there will still be various changes to the present text. However, it is clear that the final text will in any event have a serious impact on the way companies doing business in Europe – including companies not established in the EU but offering goods or services in the EU or monitoring the online behavior of citizens – will be able to process personal data.

EU Commission proposes new General Data Protection Regulation including new obligations for companies and strong enforcement rules

1. On January 25, 2012, the EU Commission proposed a comprehensive reform of existing data protection rules.

The core of the currently existing EU data protection legislation, EU Directive 95/46/EC, was adopted more than 15 years ago. At that time, the internet was still in its infancy. Technological progress and globalization have now profoundly changed the way personal data is processed and the amount of personal data that circulates around the globe. Moreover, the 1995 Directive has been implemented in the various Member States in different ways, leading to fragmentation and costly administrative burdens for companies, which currently still have to examine and comply with different obligations in the various Member States. Moreover, the powers of national data protection authorities are not harmonized enough to ensure consistent and efficient application of the rules.

This is why the EU Commission wants to update and modernize the principles enshrined in the 1995 Data Protection Directive.

With this proposal, the EU Commission wants to develop a stronger and more coherent data protection framework in the EU, backed by strong enforcement rules. The direct applicability of a Regulation should reduce legal fragmentation and provide greater legal certainty by introducing a harmonized set of rules.

The Regulation will apply to companies doing business in Europe, including companies not established in the EU, but offering goods or services in the EU or monitoring the online behavior of citizens.

2. Key changes in the proposed reform include:

2.1. Scope

  • A single set of rules on data protection will be imposed via a Regulation valid across the EU and no longer via a Directive, which had to be implemented by the various Member States. This will put an end to the cumulative application of different national data protection laws.
  • The new EU rules will apply to companies not established in the EU, when they offer goods or services in the EU or monitor the online behavior of citizens.

2.2. A few important changes for companies doing business in the EU

  • The current obligation for companies to notify all their data processing activities to the various data protection supervisors in the different Member States is removed. According to the EU Commission, this simplification alone would result in net savings of €130 million per year in terms of administrative burdens. Whereas it may be true that the abolition of the notification duty will save money, we anticipate that the cost of compliance with other obligations in the proposed Regulation may very well reverse those savings.
  • Instead of the notification duty, the Regulation provides for increased responsibility and accountability for the entities processing personal data (as a controller or as a processor). For example, companies must notify the national supervisory authority of serious data breaches without undue delay (if feasible, within 24 hours ...) and, if the data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the data subjects concerned. This obligation to notify serious data breaches within 24 hours (and to provide all the data required, such as the details of the data lost, a description of the consequences of the breach and the steps taken to mitigate those consequences) does not seem to be very realistic.
  • Instead of having to deal with a national data protection authority in each Member State where a company does business, companies will only have to deal with a single national data protection authority, i.e. in the EU country where they have their main establishment.
  • There will be a general obligation on companies to adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the Regulation. This will without a doubt lead to increased compliance costs.
  • Companies employing 250 employees or more must appoint a data protection officer. Companies which do not reach this threshold but which are involved in processing operations which, by virtue of their nature, their scope or their purpose, present specific risks to the rights and freedoms of individuals ("risky processing") should also appoint a data protection officer. A group of undertakings may appoint a single data protection officer.
  • Companies involved in risky processing should also carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ("Data Protection Impact Assessments").
  • Wherever consent is required for data to be processed, it will have to be given explicitly, rather than assumed as is sometimes the case now. This means that a data subject's consent should be based either on a statement or on a clear affirmative action by the person concerned and should be given freely. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented in a form distinguishable in its appearance from this other matter. This means that current practices of obtaining consent via statements in a company's general terms and conditions will no longer be sufficient.
  • Data flows to third countries outside the European Economic Area will, according to the EU Commission, be made easier by reinforcing and simplifying rules on international transfers. However, the restriction of transferring personal data to countries outside the EEA that are not considered to provide an adequate level of protection (including the United States) is maintained. Next to transfers to countries covered by an adequacy decision of the EU Commission, transfers via appropriate safeguards (binding corporate rules, EU standard contractual clauses) are provided. There do not seem to be significant changes. The changes are, inter alia, that the EU Commission may recognize the adequacy of certain sectors within a third country.
  • The "privacy by design" principle is introduced to make sure that data protection safeguards are taken into account at the planning stage of procedures and systems. Hence companies should, both at the time of the determination of the means of processing and at the time of the processing itself, implement appropriate technical and organizational measures and procedures.
  • Under the "right to be forgotten", data subjects will be able to ask for the deletion of their data if there are no legitimate grounds for retaining it. A controller who has made the personal data public will be under the obligation to take all reasonable steps to inform third parties which are processing such data that a data subject has requested them to erase any links to, or copy or replication of, that personal data. A controller who has authorized a third-party publication of personal data shall be considered responsible for that publication.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). They have a right to be provided with a copy of that data in a commonly used format.

2.3. Other important changes

  • The Member States, supervisory authorities and the EU Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the Regulation. Associations and other bodies representing categories of controllers or processors in one Member State may submit them for an opinion of the supervisory authority, and associations and other bodies representing categories of controllers or processors in several Member States may submit draft codes to the EU Commission, which may adopt implementing acts stipulating that these have general validity within the Union.
  • The Member States and the EU Commission shall encourage the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided.
  • The new Regulation focuses specifically on the protection of the personal data of children, for which specific conditions apply.
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

2.4. Powers of the national data protection authorities - enforcement and judicial remedy

  • The national data protection authorities will be strengthened so they can better enforce the EU rules. The national data protection authorities will be empowered to, i.a., (i) notify the controller or processor of an alleged breach and, where appropriate, order them to remedy that breach in a specific manner, (ii) order the controller or processor to comply with a data subject's request, (iii) warn or admonish the controller or processor, (iv) order the rectification, erasure or destruction of data processed in breach of the Regulation, (v) impose a temporary or definitive ban on processing, (vi) suspend data flows to a recipient in a third country and (vii) impose administrative sanctions on companies that violate EU data protection rules. The latter can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • Data subjects will have a general right to judicial remedy against controllers or processors if they consider that their rights have been infringed. Proceedings shall be brought before the courts of the Member State where the controller or processor has an establishment or, alternatively, before the courts of the Member State where the data subject has their habitual residence.
  • Bodies, organizations or associations which aim to protect the data subject's rights shall have the right to initiate legal actions on behalf of one or more data subjects, which opens the door for class actions.

Although reducing complexity is one of the aims of the proposed Regulation, the present proposal seems to go too far in the direction of imposing yet another set of prescriptive measures towards companies.

It is the EU Commission's intention to work closely with the European Parliament and the Council to ensure an agreement on the new data protection framework by the end of this year. It is therefore likely that there will still be various changes to the present text. However, it is clear that the final text will in any event have a serious impact on the way companies doing business in Europe – including companies not established in the EU but offering goods or services in the EU or monitoring the online behavior of citizens – will be able to process personal data. Businesses should already consider implementing systems and structures in line with what can be expected to become obligatory in the years to come.

The Regulation will enter into force the twentieth day after its publication in the EU Official Journal but will only take effect two years after that date.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Specific Questions relating to this article should be addressed directly to the author.
