Summary and implications
The European Parliament has voted, by an overwhelming majority, to significantly overhaul current European Union (EU) data protection laws. As a result, a single data protection law in the EU looks set to replace the existing patchwork of national laws. The new law will impact almost every business operating within the EU and, controversially, many businesses outside the EU.
On 21 October the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (the LIBE Committee) voted to:
- approve a compromise text for the draft General Data Protection Regulation (the Regulation); and
- authorise MEPs Jan-Philipp Albrecht and Dimitrios Droutsas to negotiate directly with the Council of the EU regarding its adoption.
Once adopted, the Regulation will replace and supersede the current EU Data Protection Directive (the Directive).
On 25 January 2012 the European Commission proposed a comprehensive reform of the EU's data protection laws. The centrepiece of the reform package was a new draft General Data Protection Regulation (the Commission Draft). The aim was to update EU data protection laws to support a digital single market.
The European Parliament's approval follows months of negotiations between various European Parliament committees. The LIBE Committee has been responsible for shepherding the draft Regulation through the European Parliament. The compromise text is a considerable achievement for what is reputed to be the most intensely lobbied piece of EU legislation.
Key provisions in the Regulation
Most of the general principles in the Regulation are to be welcomed. These are summarised below. However, there are real concerns about how the detail behind the principles will be implemented.
One continent, one law
The Regulation will establish one single data protection law across all EU Member States. This will be a major benefit for international businesses and other organisations which currently have to grapple with 28 different national laws. The reason behind this is that, as a Directive, the European Data Protection Directive required local law implementation. Each Member State implemented the Directive differently. In contrast, the Regulation will have direct effect. Once adopted, it will apply automatically across all the EU Member States.
The Regulation will establish a "one-stop shop" for data protection regulation in the EU Member States. Currently international businesses and other organisations need to deal with each data protection regulator in each Member State. Under the Regulation they will only need to work with a single data protection authority. This should make it simpler to do business in the EU. The Regulation will also result in an end to the red tape of data protection notifications.
Level playing field for all companies – regardless of establishment
The Regulation will extend the territorial scope of EU data protection law. It will apply not only to EU established businesses and other organisations that process personal data but also to those based outside the EU who wish to:
a) offer goods or services to individuals in the EU; or
b) monitor the behaviour of those individuals.
Any non-EU based business or other organisation which considers that it might be caught by these provisions is strongly recommended to seek advice on this point.
Giving individuals greater control over their data
The Regulation will give individuals greater control over their own personal data. Under the Regulation, individuals will have a new right to erasure of their personal data. The Regulation also introduces a new right to data portability.
Key amendments in the Compromise Draft
Although the official version of the draft Regulation has yet to be published, an unofficial version has been circulated by LIBE's lead rapporteur, Jan-Philipp Albrecht (the Compromise Draft).
Below are the key amendments in the Compromise Draft as compared to the Commission Draft. As a general comment, the provisions in the Regulation have hardened in the Compromise Draft.
- Higher penalties for breach: Any person in breach of the new Regulation will face fines of up to €100m or five per cent of annual worldwide turnover (whichever is the greater). This is a significant increase on the Commission Draft's proposed penalties of up to €1m or two per cent of annual worldwide turnover. It is noticeable that the Compromise Draft does not refer only to data controllers in these provisions. Data processors in breach of their obligations under the Regulation will also be liable.
- Primacy of EU law. In response to the recent US PRISM revelations, the Compromise Draft provides that where there are conflicting compliance requirements between the jurisdiction of the EU and another country, "the Commission should ensure that EU law takes precedence at all times." Furthermore, if a data controller or processor receives a request for disclosure of personal data from a court or administrative authority of another country, it must notify the relevant data protection authority without undue delay and must obtain prior authorisation for the disclosure. These provisions will be challenging for international organisations in highly regulated sectors such as banking.
- Mandatory data protection officers. In the Commission Draft, the appointment of a data protection officer (DPO) was linked to the number of staff employed. Under the Regulation, data controllers and data processors will be required to appoint a DPO if processing personal data for more than 5,000 data subjects. They will also be required to appoint a DPO if they process certain higher risk types of personal data such as sensitive personal data, location data or children's data. In the Compromise Draft DPOs are now required to be appointed for a minimum tenure of four years (as opposed to two years in the Commission Draft). Corporate groups however may appoint one responsible DPO for the group in some circumstances. All public authorities will be required to have a DPO.
- Data breach notification. Data controllers will be required to notify personal data breaches to the relevant data protection authority. However, the Compromise Draft has relaxed the time period for notification as provided in the Commission Draft. In the Compromise Draft, data controllers are obliged to notify their relevant data protection authority "without undue delay". The text states that this will be "presumed to be no later than 72 hours" after the breach. This is more generous than the Commission Draft, which provided for notification within "24 hours" "where feasible". However, this amendment does not address the real issue of how personal data breaches are defined and the risk of "over notification" for minor breaches.
- Data protection reviews and privacy impact assessments. The Commission Draft introduced the concept of privacy impact assessments (PIAs) as a core compliance requirement. A PIA, as the name suggests, is a risk analysis of new data processing activities. The Compromise Draft has significantly strengthened these provisions, setting out detailed requirements for the performance and documentation of PIAs. The Compromise Draft also now requires data protection compliance policies to be reviewed (and updated, where necessary) every two years.
- New rules for international data transfers: The Regulation introduces a new "European Data Protection Seal" as an adequate basis for transfers of personal data outside the EEA to recipients who hold a seal. The seal will form part of a new certification program whereby controllers and processors can subject their activities to an audit by the data protection authority or an accredited certifier. The seal will be in addition to current international transfer mechanisms such as model contract clauses and binding corporate rules.
There is considerable political will in Brussels to have the text of the Regulation agreed by the Council of the EU in 2014. The EU Parliament LIBE Committee has announced that it intends to hold a plenary vote on the Regulation on 14–17 April 2014. This vote is expected to be a mandate for the Regulation, either in the current form of the Compromise Draft or with those further amendments agreed by the Council of the EU.
Although the UK and Sweden are opposed to this swift timetable, the rest of the Member States appear to be in favour of reaching agreement in 2014. Businesses and other organisations which think they might be impacted by the Regulation are, therefore, advised to keep a close eye on these developments.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.