On 25 January 2012 the Commission's official proposal for the reform of the European Data Protection Directive 95/46/EU was presented. We have analysed this 119-page draft and have summarised its main aspects. Although there will be further changes to the draft before its envisaged entry into force in 2015/2016, the decisive legislative phase begins now, with the possibility for interest groups to exert their influence.
On the whole, the Regulation is essentially in line with the law applicable in Germany to date. However, there will be numerous significant amendments in future:
- There are substantial amendments concerning the scope of application. The Regulation shall apply to private enterprises directly and throughout Europe, so the German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG] will cease to apply to that extent. The geographic scope of application will be extended, i.e. the Regulation will also apply to non-European enterprises insofar as the offering of their goods or services is aimed at EU citizens. It is expected that the definition of personal data will be extended, thereby widening the material scope of application.
- The range of duties of enterprises will be extended: Any processing of personal data will still require authorisation, with it being understood that the statutory authorisation criteria substantially correspond to those of the BDSG. Several points are to be clarified with respect to consent, which does not constitute a major change in relation to German law but will provide for greater uniformity within Europe. Moreover, enterprises will in future have to observe the accountability principle, i.e. ensure compliance with data protection law by means of internal guidelines and corporate processes, document such compliance and, in cases of doubt, also furnish proof to this effect. In addition, preventative data protection measures will be distinctly increased. Besides an obligation to carry out a data protection impact assessment in case of sensitive data processing, general principles are to be introduced for structuring data processing systems in a manner compliant with data protection law (privacy by design, privacy by default).
- In order to cut through red tape, most of the disclosure, notification and approval obligations are being abolished, with it being understood that these already do not apply at present in Germany if an enterprise has appointed a company data protection officer. Measures to ease the burden upon small and medium-sized enterprises are to be introduced, in particular the obligation to appoint a company data protection officer will be confined to enterprises with at least 250 employees. Both this and the express possibility of appointing a group data protection officer should provide distinct relief.
- Restrictions are expected in the advertising industry and in the area of profiling, which is a particularly common practice on the Internet. At least the consent requirement for marketing measures that was discussed in the unofficial draft has already been transformed into an opt-out right.
- Collaborations with other enterprises must always be contractually regulated, even if they are both controllers. Contracts with processors are to resemble the requirements laid down thus far in the BDSG on a pan-European level.
- The rights of data subjects are to be reinforced. In this respect, a variety of implementation difficulties will arise in practice: for example with respect to data processing transparency requirements and simple technical means of providing information, or with respect to the newly introduced rights "to be forgotten" and to "data portability".
- The previously applicable system and instruments for transfers to third countries outside of the European Economic Area will essentially be maintained, with the aim here being to make more flexible instruments available.
- Finally, stricter data protection supervision can be expected. Hence, the competencies of the national supervisory authorities are being standardised and strengthened, and the international cooperation and coordination between the European data protection authorities is being regulated and simplified.
- Ultimately, drastic possible fines of up to 2 % of the worldwide annual turnover of the respective enterprise are to be introduced.
Please find below more detailed information on the new provisions and answers to the following questions:
- What are the primary aims of the reform of data protection law?
- What is the legislative procedure and when will the Regulation enter into force?
- What European acts will be introduced and to whom will they apply?
- Will the Regulation only apply to European enterprises?
- Will the definition of personal data change?
- Which general basic principles will apply?
- What are the requirements for declarations of consent?
- What does "accountability principle" mean?
- What about the bureaucratic notifications etc. in future?
- Who requires a company data protection officer and what has to be borne in mind in this connection?
- What are the restrictions concerning (direct) marketing and profiling?
- What needs to be considered in cooperations with third parties?
- What are the changes to technical and organisational measures?
- How will the rights of data subjects change?
- What does "right to be forgotten" and "right to data portability" mean?
- When can data be transferred to third countries?
- What relief is available to small and medium-sized enterprises?
- What supervisory authorities will there be in Germany?
- How should the supervisory authorities cooperate at European level?
- What are legal consequences of breaches and what will the fines be?
The primary aims of the EU Commission's reform of data protection law are: greater harmonisation of the law to simplify the international traffic of data with applicability throughout the EU (recitals 6, 7, 8), alignment with technical developments and globalisation (recital 5), increasing the users' trust in the offering of goods and services on the Internet (recital 6), abolition of bureaucratic obstacles (recital 70) as well as a more efficient enforcement of the law by data subjects and supervisory authorities (recitals 6, 10).
In 2010 the EU Commission presented its first deliberations on the reform of data protection law, followed by a public consultation. The unofficial draft of the Directorate-General for Justice of the EU Commission announced in December 2011 partially came up against severe criticism from other Directorates. The official draft therefore contains numerous changes vis-à-vis the unofficial draft (e.g. concerning the right to be forgotten and the right to data portability, the approval obligation for the provision of personal data to courts and authorities of third countries, the consent requirement for direct marketing or the declarations of consent of data subjects).
The proposals are now being presented to the European Council of Ministers and the European Parliament. These institutions must subsequently approve the draft, which will doubtlessly have changed yet again by then. The time until its entry into force depends on the number of required readings in the European Parliament. The draft is not expected to be adopted before 2013 or 2014. The present draft provides for a two-year transition period between its announcement in the European Law Gazette and the date of its entry into force. Hence, entry into force cannot be expected before 2015 or 2016.
In order to achieve a greater harmonisation of data protection law in the Member States, private enterprises are to be governed by a directly applicable EU Regulation with numerous executive acts of the EU Commission. Internationally operating enterprises in particular will then be able to apply the same law within the EU. The German Federal Data Protection Act will therewith (essentially) expire for the private sector. However, according to the previous proposal, the E-Privacy-Directive 2002/58/EU is not being touched, which would mean that there will still be a patchwork of regulations at European level in the important telecommunications and telemedia sectors.
Part of the data protection package which has now been presented is also an EU Directive (which we do not address in greater detail) for data protection in the public sector, which also regulates the competencies of supervisory authorities (financial supervisory authorities, cartel authorities, etc.) and law enforcement authorities. At least to that extent, the German Federal Data Protection Act and the corresponding data protection laws of the Länder in Germany will continue to apply.
To date, the territoriality principle was the jurisdictional basis for international applicability, i.e. European data protection law was only applicable if the controller either had its seat in the European Union or if the technical equipment for the data processing (in particular servers) was located there. Especially with respect to the Internet giants (Facebook, Google, Apple etc.), difficulties arose in individual cases as to whether European data protection law was actually applicable and protected European citizens.
This is to change. Pursuant to Art. 3 (2), the Regulation shall also apply to non-European enterprises as long as the offering of their goods or services is targeted at EU citizens (e.g. Facebook) or serves to monitor their behaviour. In this case, controllers from third countries (with a few exceptions) will have to designate a representative in the European Union (Art. 25).
In practical terms, this will lead to the question of when such "targeting" exists. The official draft contains very little interpretation aid in this respect (recital 20). The unofficial draft (recital 15), however, gave the following criteria: internationality of the offering of goods or services, use of a top-level domain of the respective country, or presenting the offering of goods or services in the corresponding language and currency of the country. Such jurisdictional bases are familiar to German legal practitioners, for example from international competition law. The "monitoring of the behaviour" will include techniques frequently used on the Internet such as tracking and profiling (recital 21), which should cover the use of these techniques for advertising purposes.
The fact is that the scope of application of the Regulation is particularly far-reaching, and this gives rise to the question of how the Regulation is going to be enforced against enterprises without a registered seat or branch office in the EU (possibly via the representative to be appointed).
Under the Regulation, it will hardly be possible to uphold the subjective definition of personal data that has been represented by prevailing opinion in Germany to date: pursuant thereto, the existence of personal data (and therewith the applicability of data protection law) could be negated if the respective holder of the data was unable to create a link to a specific person with the means available to him. The basis for the definition in the Regulation (Art. 4 (1), (2)), in contrast, is only whether the holder or a third party can establish the personal link. This broadens the definition of personal data, in particular on the Internet and for the advertising sector.
On the other hand, the Regulation expressly states (recital 24) that technical identifiers such as IP addresses or information stored in cookies do not always have to contain a personal reference; rather, this must be examined in the individual case.
The general basic principles (Art. 5) for all types of processing are to be included virtually without change vis-à-vis the previous Directive and will be supplemented by additional elements such as transparency, data economy and the comprehensive responsibility of the controller.
The most relevant authorisation criteria for practical and routine work purposes (Art. 6) are to remain essentially unaltered: consent, performance of a contract, legitimate business interests, fulfilment of statutory obligations, protection of vital interests, public interest. There will still be special consent criteria for sensitive data (Art. 9). At least with respect to employee data, the Regulation will give enterprises an advantage: here, the processing of sensitive data (e.g. sick notes) will be permitted to the required extent, whereas the BDSG has thus far contained no clearly relevant consent criterion (possibly on grounds of a deficient transformation of the present Directive into German law).
Moreover, in various parts of the Regulation the personal data of children (recital 29) is placed under particular protection (in particular in Arts. 6 (1) (f), 8, 11 (2), 17 (1), 33 (2) (d), 38 (1) (e), 52 (2)).
Besides the general consent criteria, there will be special (national) regulations for the freedom of expression and for journalism (Art. 80), the processing of personal data concerning health (Art. 81), processing in the employment context (Art. 82), processing for statistical and scientific research purposes (Art. 83), in relation to professional secrecy obligations of lawyers, tax advisors, auditors, doctors etc. (Art. 84) as well as religious associations (Art. 85). Opening up specific areas for regulation by the national legislators, in particular with respect to the processing of personal data concerning health and processing in the employment context, could, contrary to initial expectations (or hopes), result in a German data protection act regulating processing in the employment context (should one still be enacted) "outliving" the EU Regulation. However, particularly in view of the ECJ decision dated 24 November 2011 (docket no. C-468/10 and C-469/10), this raises the question of the extent to which such legislation may deviate from the provisions of the Regulation (recital 124). The ECJ had decided that the purpose of the Data Protection Directive 95/46/EC was full harmonisation, that it is fundamentally exhaustive and that further-reaching restrictions of the permissible handling of personal data in national regulations could be prohibited.
The requirements for declarations of consent will be regulated in greater detail: The Regulation demands an explicit affirmative expression of intent by declaration or other confirmative action (Art. 4 (8)). This therewith excludes consent through mere silence (recital 25). Whereas this has already been the rule pursuant to German law to date, this was handled more generously by other European countries. A big advantage from a German perspective will be that the written form requirement of the BDSG will no longer apply.
Whereas the unofficial draft still provided that, in accordance with previous practice of the European supervisory authorities, consents of employees should generally be invalid, the present draft contains a more general provision to the effect that a consent can be invalid in case of a severe imbalance between the position of the data subject and the controller (Art. 7 (4)).
Special rules apply to declarations of consent of children below the age of 13 (Art. 8), and the EU Commission intends to define more closely here how one can prove that valid consent has been given.
The Directive will introduce a general accountability principle. It will be intriguing to see where exactly this will be reflected in German law. The terms "liability" or "responsibility" cannot adequately describe this concept, but are fundamental elements pursuant to Art. 5 (f). However, the Regulation will additionally provide for an "obligation to be accountable" and "verifiability": The controller must ensure and be able to demonstrate compliance with data protection (Art. 5 (f)). What is meant hereby in particular is that enterprises are to ensure compliance with data protection law through internal guidelines and procedures (Art. 22). The data processing and measures must be (comprehensively) documented and verifiable (Art. 28), with the information demanded in this connection partially being extremely similar to that of the current German register of processing operations.
It remains to be seen whether this will ultimately lead to additional substantive obligations pursuant to German law, for a well-run enterprise is currently also well advised to take corresponding preventative measures and to document such measures.
The introduction of this control mechanism has been met with criticism, however: in other legal systems (e.g. under Canadian data protection law (PIPEDA) or under the APEC Privacy Framework) the accountability principle has given enterprises flexibility. There, enterprises must define their mutual responsibilities within the scope of a cooperation. The draft Regulation, in contrast, upholds the previous differences in the roles (data processor, controller) and additionally imposes these measures upon the enterprise.
A major aim of the reform of data protection law is to cut through unnecessary red tape. Both enterprises and data protection authorities criticise the countless and always differing obligations to disclose, notify and obtain consent which currently exist in Europe and which afford data subjects little if any protection (recital 70). In Germany, for example, hardly anyone has inspected the officially run notification register. To that extent, the extensive abolition of notification obligations would represent a major facilitation vis-à-vis previous practice. Only in particularly high-risk cases does an obligation exist to notify, or to obtain authorisation, on a standard form that has yet to be drafted by the EU Commission (Art. 34).
It is questionable whether the goal of cutting through the red tape will truly be achieved, as the density of regulations will doubtlessly increase: The draft Regulation encompasses 91 Articles (as opposed to the ca. 50 sections of the BDSG which are applicable to private enterprises). This is to be supplemented by 26 executive regulations and forms which can be adopted by the EU Commission ("delegated acts" in the sense of Art. 86). Although their purpose of standardising certain notifications, investigations, etc. is understandable (recitals 129-131), it is unlikely that the volume of required "paper" will decline.
Who requires a company data protection officer and what has to be borne in mind in this connection?
For enterprises with at least 250 employees (or smaller enterprises, insofar as their core activity comprises the regular, systematic monitoring of data subjects), a pan-European obligation to designate a data protection officer is to be introduced (Art. 35). Unlike in Germany, such designation has not been obligatory to date in the majority of other European countries.
In Germany, the 250-employee threshold will give rise to discussions because a data protection officer already has to be designated as of ten employees pursuant to the BDSG. From the enterprise's perspective, this increased threshold can fundamentally be welcomed, although the interest groups of the data protection officers in Germany naturally do not share this opinion. Especially in the case of small businesses, it proved to be difficult if not impossible to develop sufficient data protection expertise amongst one's own staff. However, small and medium-sized enterprises are nevertheless required to comply with data protection law. Whether or not they can achieve this without a company data protection officer will, under the Regulation, be up to them.
A positive development is the express regulation of the following issues that are presently either controversial or unclear:
- In a group of undertakings the same person can be appointed data protection officer for various group enterprises (group data protection officer).
- Conflicts of interest with other activities of the data protection officer must be avoided.
Other areas are regulated in an identical or similar manner to German law: appointment according to expertise, protection against dismissal during the term of office (with a minimum term of office of two years), obligation to involve the data protection officer in matters concerning data protection, his functional independence and a direct link to the management as well as the provision of reasonable equipment (Art. 36), duties such as clarification, checks, contact point vis-à-vis the supervisory authorities (Art. 37).
Far-reaching restrictions can be expected in the area of marketing and profiling. Firstly, this applies to the requirements in respect of direct marketing measures. The unofficial draft still demanded express consent in this case (Article 6.2). This would have meant that the statutory consent criteria (for example the exceptions to date in Sec. 28 para. 3 BDSG) would no longer be applicable. Instead, Article 19 (2) now envisages a right of revocation, as under previous law (with it being understood that the provisions in Sec. 7 German Unfair Competition Act [Gesetz gegen den unlauteren Wettbewerb, UWG] on a consent requirement in case of specific forms of direct marketing remain unaffected hereby). Still, the law in Germany will become a lot simpler compared to the current Sec. 28 (3) BDSG.
It will be interesting to see how the requirements of clear and easily accessible information and a simple possibility of exercising the right of revocation will be implemented in practice. New solutions are especially demanded in the area of online advertising where, as we mentioned above, the provisions of the E-Privacy Directive 2002/58/EC are primarily to apply in any event as opposed to the Regulation. Above all Art. 5 para. 3, as revised by Directive 2009/136/EC, generally requires prior informed consent for all cookies. The Article 29 Data Protection Working Party already made specific proposals on its implementation in WP 188 in dialogue with the online advertising industry.
There will be a general provision on the permissibility of profiling (Article 20). Under this provision, automated profiling which has a legal impact upon the data subject and which refers to his work performance, financial situation, location, health, personal preferences, reliability or behaviour may only be conducted for purposes of performance of a contract or on the basis of consent. Whereas this subject has already been legislated in full in the BDSG through the reforms in the year 2009 for the case of scoring, it is questionable what effect this requirement will have in other areas of life, in particular whether profiling for advertising purposes will fall under its scope. The similarity of the terms in the provisions on profiling ("analyse behaviour") and in the definition of the scope of application in Art. 3 ("monitor behaviour") would suggest this, because the monitoring of behaviour on the Internet is to include frequently used techniques such as tracking and profiling (recital 21).
If several enterprises act as controllers in a data processing operation, they must clearly define their responsibilities in contractual form (Art. 20). It is unclear what the consequences will be if they do not do so or if they exceed their contractually defined powers (but where another consent criterion applies). Whereas the unofficial draft still provided that in cases of doubt they are to be seen as (joint) controllers and are jointly and severally liable, the Regulation now lacks any regulation of the consequences. However, the general provision in Art. 77 applies, which provides for a joint and several liability for damages irrespective of such agreements.
For commissioned data processing, the need for a written contract and its minimum content will now be stipulated at European level, as already provided for in Sec. 11 para. 2 BDSG. Under the Regulation, as is the case in the BDSG, the consent of the principal will be required for the engagement of sub-contractors. Great value is placed upon the stipulation of the principal's instructions (in writing), and a commissioned data processor will itself become the controller if it fails to follow these instructions (Article 26 (4)).
The obligation to implement appropriate technical and organisational measures (Article 30) does not fundamentally represent a change. However, the EU Commission is to be given a possibility of stipulating measures for specific sectors and in specific data processing situations more precisely, in particular to define the respective state of the art. These are welcome specifications which will make it easier for enterprises to understand the specific requirements.
Internal planning will in future have to include new data protection activities. Firstly, when planning or setting up systems, services or offers, a structure that is data-protection compliant, or even data-protection friendly, must always be chosen (privacy by design, privacy by default, Art. 23).
Moreover, in case of planned processing in particularly sensitive cases (which will be clearly listed and will, for example, include the processing of special types of personal data) a documented assessment of the impact upon data protection is required (data protection impact assessment) (Art. 33). If the assessment concludes that there are high risks, authorisation from or consultation with the data protection authorities is required (Art. 34).
As in the first draft, the Regulation envisages the possibility that industries can issue sector-specific codes of conduct (Art. 38), although it is still unclear whether individual enterprises gain tangible advantages through the use of such codes of conduct (apart from a certain degree of legal certainty gained from the opinion issued by the supervisory authority). The situation is similar in the case of national and pan-European certifications (Art. 39): It is still doubtful whether it will be possible to agree on a certification mechanism more quickly at European level than in Germany (most recently the draft bill for the reform of the BDSG 2009, which encompassed a data protection audit act, failed due to the inability to agree on practical measures) and what (legal) advantages can be gained through certification.
The rights of data subjects are to be reinforced: The principle of transparency has priority (Art. 11). This is particularly necessary in the area of online advertising, e.g. for the data used in behavioural targeting (recital 46). Left unclear insofar is whether or not the E-Privacy Directive 2002/58/EU still applies.
It will be possible to assert rights to information on standard forms and in electronic form (Art. 12). Controllers' duties to inform or notify data subjects will be implemented using simple technical means and are to be extended in terms of storage duration, rights to lodge a complaint, international transfers and the origin of data (Art. 14).
There will be more precise requirements in the area of judicial remedies for data subjects. Starting with a right to lodge a complaint (Art. 73) and right to a judicial remedy against supervisory authorities directly (Art. 74), i.e. administrative legal proceedings, and extending to judicial remedies against controllers and processors (Art. 75), comprehensive principles are to be established. In each case the provisions will take into consideration that, within the meaning of the uniform handling or interpretation of the Regulation, all data subjects are also entitled to take action against decisions in other Member States. Moreover, compulsory legal process is envisaged in cases of dispute (Art. 76). Ultimately, a right to lodge a complaint is also expressly introduced for consumer protection organisations (recital 114) (Art. 73 (2)).
The Regulation envisages entirely new rights: For example, there will be a "right to be forgotten and to erasure" (Art. 17), particularly on the Internet (relevant above all in social networks and search engines). These obligations will give rise to many questions concerning their practical implementation. It is unclear, for example, whether the "right to be forgotten" only covers data which are stored by a provider itself, or also data stored on the basis of this offer by third parties on other web servers (e.g. search engines). The provision contained in the original unofficial draft has been distinctly relaxed, as it remains unclear how a provider can influence what data is stored by others. Still, in the event of the publication of personal data, a provider must inform third parties of the erasure request and remains responsible for the erasure if he has given the third party permission to publish (recital 54).
The Regulation also envisages a right to the transfer of data, respectively to "data portability" (Art. 18), which will be of relevance, for example, in case of cloud computing or outsourcing. The right to the transfer of data has, in relation to the unofficial draft, been confined to the usual data formats.
The requirements for ensuring an adequate level of data protection when transferring personal data to third countries outside the European Economic Area (EEA) have been fundamentally upheld. However, the Regulation clarifies (Art. 40) that these principles also apply to further transfers, so-called "onward transfers".
The Regulation still provides for the following mechanisms, with a few changes, with it being understood that previous decisions of the EU Commission (for example on the recognition of safe third countries, safe harbour or standard contracts) will remain in force (recital 134):
- Recognition of an adequate level of protection in third countries by the EU Commission, with the criteria and competencies of the EU Commission now being expressly regulated (Art. 41). New, first of all, is that individual parts or sectors of a third country can also be recognised; secondly, however, that transfers to certain third countries can be prohibited (recitals 80, 82).
- Recognition of binding corporate rules ("BCRs") in groups of undertakings by the supervisory authorities (Art. 43). In contrast to the Directive (or Sec. 4c BDSG), the Regulation contains criteria on their content. It remains to be seen to what extent the newly envisaged coordination process via the European Data Protection Board with its (simple) majority system in decisions will function in comparison with previous mutual recognition procedures (cf. most recently WPs 153, 154 and 155 of the Article 29 Data Protection Working Group). A considerable development is that BCRs will also be possible for processors in future, which should be of considerable practical relevance in the areas of outsourcing and cloud computing in particular.
- In all other respects too, there will be an increase in standard contractual provisions. Here, as was previously the case, the EU Commission shall be empowered to adopt such standard contracts (Art. 42 (2) (b)). Additionally, it will be possible for national supervisory authorities to propose clauses with pan-European validity (Art. 42 (2) (c)), which then have to be coordinated and adopted by the EU Commission.
- The pleading of statutory exceptions (similar to Sec. 4c para. 1 BDSG) is still possible (Art. 44). An important factor in this connection is that, in cases which are not frequent or massive (recital 88), a transfer should be possible if prevailing legitimate interests exist (Art. 44 (h)).
- Finally, there is still the possibility of obtaining authorisation from the national authorities in an individual case (Art. 42 (5)).
The EU Commission shall also be empowered to encourage international cooperations with third countries and international organisations which should facilitate the exchange of data with third countries (Art. 45). The unofficial draft still contained a provision which received severe criticism from other Directorates of the EU Commission, pursuant to which controllers were only allowed to follow court judgements or decisions of authorities of third countries insofar as the supervisory authorities agreed hereto. This restriction, which is of major practical relevance, has since been dropped, in particular because other Directorates pointed out that this would make the present cooperation with other supervisory authorities (cartel authorities, financial supervisory authorities) distinctly more difficult, and would make a relationship based on mutual trust impossible, especially with the USA.
The EU Commission aims to relieve the burden on small and medium-sized enterprises (SMEs) (recital 11), and the draft therefore contains several exceptions for enterprises employing fewer than 250 people. For example, they are generally exempt from the obligation to designate a data protection officer, and they do not have to maintain the documentation required for accountability purposes under Art. 28. Such enterprises from third countries do not have to designate a representative in the EU. For SMEs, supervisory authorities may also issue a mere warning instead of imposing sanctions.
Enforcement of the legal provisions shall be reinforced at national level by independent supervisory authorities with far-reaching powers. There will be no fundamental change here, and the existing supervisory authorities could remain in operation. In that case, however, a German representative would have to be designated at European level, and the adherence of the other German data protection authorities (which are not themselves represented at European level) to that representative's decisions would have to be regulated by law (Art. 46). Detailed provisions (Arts. 47-50) will govern the independence of the data protection authorities and the requirements they must fulfil. The ECJ had already criticised the lack of independence of several German authorities in its decision of 9 March 2010. The official duties under the Regulation (Arts. 51, 52) come with far-reaching powers, ranging from comprehensive rights to information and data (Art. 29) to the right to order a party to refrain from processing or transferring data (Art. 53), and to the sanctions (cf. below). Notably, where a controller or processor is established in several Member States, one supervisory authority shall act as the lead authority ("one stop shop", recital 97).
As already largely implemented in Germany in Sec. 42a BDSG, in the event of a personal data breach the controller shall have a comprehensive obligation to notify the supervisory authority (Art. 31) and thereafter to communicate the breach to the data subject (Art. 32). The notification period of 24 hours after the controller becomes aware of the breach will cause difficulties in practice: even if a breach is noticed immediately, large organisations will doubtless struggle to meet this deadline. Unlike the unofficial draft, the Regulation now at least allows a delay to be excused with a reasoned justification. This will only work, however, if the company's own organisation has established an adequate internal reporting system in the first place (recital 68).
In order to ensure uniform application and enforcement of the law, cooperation and coordination among the supervisory authorities of the various Member States, and between them and the Commission, are to be distinctly intensified and institutionalised (Arts. 55 - 72).
The authorities will be obliged to exchange information, provide mutual assistance and cooperate effectively (Art. 55). If mutual assistance is not provided, or not provided in time, an escalation procedure before the European Data Protection Board is available. Supervisory authorities of different Member States will be able to carry out joint investigative tasks (joint operations, Art. 56), and the host authority may even confer executive powers on a seconding authority. The exercise of sovereign powers by foreign authorities in Germany, and the corresponding liability, will doubtless still have to be measured against German constitutional law.
A consistency mechanism shall be introduced for cooperation between the supervisory authorities and with the Commission (Arts. 57 - 63). Cross-border matters are to be coordinated with the European Data Protection Board and the EU Commission, i.e. under certain circumstances the supervisory authority will have to take their opinion into account (Arts. 58 and 59).
The European Data Protection Board (Arts. 64 - 72), as successor to the previous Article 29 Data Protection Working Group, consists of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor. Its tasks include coordination and the preparation of opinions and recommendations; it has few decision-making powers of its own, however.
As under previous law, a claim for compensation exists (Art. 77), albeit only for material damage. Where several parties are involved, whether controllers, processors or both, they are jointly and severally liable.
The Member States will be able to introduce penalties (Art. 78). In addition, under Art. 79 the supervisory authorities will be given the power to impose administrative fines. Unlike the original unofficial draft, the Regulation now gives the supervisory authorities both the possibility and the obligation to set and grade fines according to various criteria. It then lists a catalogue of offences, graded and fined according to their gravity. At the lowest level the fine may reach EUR 250,000 or, for an enterprise, up to 0.5 % of its annual worldwide turnover; at the second level up to EUR 500,000 or, for an enterprise, up to 1 % of its annual worldwide turnover; and in the most serious cases up to EUR 1 million or, for an enterprise, up to 2 % of its annual worldwide turnover. The highest level also covers purely formal offences, for example failure to designate a data protection officer or the absence of internal data protection guidelines. In each case the relevant annual turnover is that of the enterprise which committed the breach.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.