In January of this year the European Commission (the 'Commission') proposed a significant reform of the EU's data protection rules. These rules currently stem primarily from Directive 95/46/EC (the '1995 Directive'), as implemented in Ireland by the Data Protection Acts 1988 and 2003.
The Commission has stated that differences in the way that each Member State implemented the 1995 Directive have led to an uneven level of protection for personal data depending on where an individual lives or buys goods and services. This inconsistency, coupled with rapid technological developments and continued globalisation, has caused the Commission to reconsider the 1995 Directive in the context of the 21st century.
The proposed General Data Protection Regulation (the 'Regulation'), which is expected to become effective in 2015, is intended to replace the 1995 Directive. Being a regulation, it will apply directly in every Member State with no autonomy as to its application, and the Commission hopes this will address the inconsistency of application experienced under the 1995 Directive.
The Regulation will introduce many significant changes for data processors and controllers. The following may be considered some of the more significant changes:
The concept of 'consent'
Under the 1995 Directive a distinction is made between the level of consent that must be obtained before personal data and sensitive personal data may be processed (i.e. the latter requiring 'explicit and informed' consent).
Under the Regulation, we will see a move away from this distinction, with explicit and informed consent being required for the processing of both personal and sensitive personal data. Of particular note is the fact that data controllers will no longer be able to rely on 'passive consent' when processing personal data. The Commission states that this is to ensure that data subjects will be aware that, and to what, they are giving consent.
Consent will not provide a legal basis for processing where there is a significant imbalance between the position of the data subject and the controller. The burden of proof will be on the data controller to demonstrate that the requisite consent was obtained prior to processing.
Transfers of personal data to third countries
Where it is proposed to transfer personal data to a third country and the Commission has taken no decision on the adequacy of data protection in that third country, the data controller or processor will need to guarantee data subjects that they will continue to benefit from the fundamental rights and safeguards that apply to the processing of their personal data in the EU once the data has been transferred. In order to do so, the data controller or processor will need to use one of the following measures, as appropriate:
(i) incorporate standard data protection clauses in the contract underlying the transfer. Such clauses will be (a) adopted by the Commission or (b) prescribed by the relevant supervisory authority (in accordance with a set consistency mechanism) and declared generally valid by the Commission;
(ii) use contractual clauses which have been pre-approved by the relevant supervisory authority. Again, these must meet the consistency requirement; and/or
(iii) in the case of a corporate group, use approved 'binding corporate rules' for its international transfers from the EU to group entities, as long as such corporate rules include essential principles and enforceable rights to ensure appropriate safeguards for transfers of personal data.
The right to be forgotten
The right of erasure will be augmented such that data subjects will be granted a 'right to be forgotten'. This right is intended to help people manage their data-protection risks online. Under this right, a data subject will be entitled to have his or her data deleted where there are no legitimate grounds for its retention. A data controller who has made the personal data public will then be obliged to ensure that any relevant third parties erase any links to, or copies or replications of, that personal data.
Establishment of the role of 'Data Protection Officer'
The Regulation makes provision for a new role in larger or higher-risk entities, namely the Data Protection Officer. The Data Protection Officer must be appointed by the data controller and/or data processor.
The following categories of entities will be required to appoint a Data Protection Officer:
(i) public bodies;
(ii) entities with 250 or more employees (one Data Protection Officer per group may suffice); and
(iii) entities whose core activities involve regular and systematic monitoring of data subjects.
The name of the Data Protection Officer will be a matter of public record, and the position will carry significant responsibility: acting as advisor to the entity on all issues relating to data protection and being delegated responsibility for ensuring compliance with the Regulation.
Additionally, he or she will be responsible for the implementation of data protection policies and the training of staff, and will act as contact point for both the Data Protection Commissioner (e.g. for breach notifications) and data subjects on all issues relating to the processing of the data subjects' personal data, including access requests.
The appointee must have expert knowledge of data protection law and must not conduct any other professional duties that are incompatible or which might give rise to a conflict of interest with his or her role as Data Protection Officer. In essence, this may mean that the role of Data Protection Officer will be a stand-alone appointment.
Right of access
A data controller must provide its data subjects with a right to access their personal data free of charge (except where the data subject's request is manifestly excessive) and within a reasonable timeframe, normally within one month. Under the current regime a data controller may impose a maximum fee of Euro 6.35 for such access.
Home state regulation
Entities will only have to deal with a single national data protection authority, that is, the authority in the EU country where the entity has its main establishment.
The Data Protection Commissioner will have its investigative powers strengthened and will be empowered to impose fines of up to Euro 1,000,000 or, in the case of a company, up to 2 per cent of its annual worldwide turnover for negligent or intentional breaches of the Regulation.
The implementation of the proposed new Regulation will lead to a uniform and coherent data protection legal system across all Member States in which entities will only have to deal with the national data protection authority of the Member State in which they have their main establishment.
The Regulation will introduce stricter rules and procedures, which will involve many significant changes and costs for both EU and non-EU companies. As the Regulation will be directly effective, the autonomy of the Data Protection Commissioner will be significantly curtailed.
The increased obligations imposed by the Regulation on data controllers and processors, coupled with the significant sanctions that may be applied for a breach of the Regulation's provisions, reflect the Commission's continued commitment to the protection of personal data and the rights conferred on people under the EU Charter of Fundamental Rights and the Treaty on the Functioning of the EU.
The Commission's proposals will now be considered by the European Parliament and the Council of Ministers. The proposed changes are unlikely to come into effect before 2015. At this stage, entities should be seeking to familiarise themselves with the provisions of the Regulation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.