A draft version of the European Commission's legislative proposal for a General Data Protection Regulation has been leaked from Brussels. The draft Regulation will be the subject of various discussions and reviews by the Directorates-General of the European Commission ("Commission"), with the final proposal anticipated by late January 2012, and is ultimately intended to replace Data Protection Directive 95/46/EC. Whilst the leaked version could be liable to change, it does provide a first glimpse into the Commission's approach to the new European data protection framework. It provides for wholesale changes to data protection law and suggests an even tougher regime going forwards.
A common criticism of the existing European Union
("Union") data protection regime is that, because the
core set of rules for the protection of personal data are contained
within a Directive, Union Member States have interpreted and
implemented the rules in a fragmented manner. Divergence is almost
inevitable where the source of the data protection rules is a
Directive because, to give effect to the rules at a national level,
each Member State is required to perform a further legislative act.
However, under the new framework, the Commission's legal
instrument of choice is a Regulation which will be directly
applicable in all Union Member States. Therefore, the core set of
rules for the protection of personal data should be generally
consistent in each Member State. (It appears that only the rules
governing processing of personal data by competent authorities in
relation to criminal offences and penalties will be set out in a
Directive.) This should satisfy one of the Commission's
objectives to harmonise data protection rules, creating a uniform
set of standards across the Union.
The draft Regulation is wider in scope than the existing
legislation, as it not only applies to controllers established in
the Union, but also to non-Union controllers where the processing
activities are "directed" to data subjects residing in
the Union, or serve to monitor their behaviour, including for
commercial or professional activities such as offering products or
services.
The draft Regulation adopts some definitions from Data Protection
Directive 95/46/EC; however other definitions have been amended,
expanded or newly introduced. New definitions include
"personal data breach", "genetic data",
"biometric data", "data concerning health",
"main establishment", "representative",
"enterprise", "group of undertakings",
"binding corporate rules" and "child". Of
particular interest are the definitions of "data subject"
and "consent".
- The definition of "data subject" is now more detailed
and extensive. It covers someone who can be identified, directly or
indirectly, not only by the controller but by any other natural or
legal person. Such identification could be based on an
identification number, location data, online identifier or any
factor that is specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that person.
- The definition of "consent" now requires that consent
be explicit. This definition has been altered to ensure that the
data subject is aware that s/he is giving consent and in respect of
what that consent is being given. The Commission has acknowledged
that children deserve specific protection of their personal data.
Therefore consent from a child (being any person under the age of
18) will only be valid when it is given or authorised by the
child's parent or custodian.
New rights have been introduced for data subjects,
including:
- Article 15 gives the data subject a right to be forgotten and
to erasure. The data subject has the right to erasure of his/her
personal data where: the data is no longer necessary in relation to
the purposes that it was collected or processed for; the data
subject withdraws consent or the storage period has expired; the
data subject objects to the processing of the data; or the
processing does not otherwise comply with the Regulation. If the
data is in the public arena, there is an obligation on the
controller to erase or restrict the processing of that data,
including where links to or copies of the data can be found on the
internet.
- Article 16 establishes a right to data portability where data are processed by automated means, allowing a data subject to transfer their personal data from one service provider to another without hindrance. In certain circumstances, Article 16 provides the right to obtain from the controller those data in a commonly used format.
The obligations placed on both controllers and processors have
been increased.
- Article 25 obliges each controller, processor and, if any, the
controller's representative, to maintain documentation of all
processing operations under its responsibility and specifies the
minimum content of such documentation.
- Article 27 requires controllers and processors to implement
appropriate security measures. This requirement extends to all
processors, regardless of the contract that they have entered into
with the controller.
- Articles 28 and 29 build upon the existing personal data breach
notification regime, establishing an obligation on the processor to
alert and inform the controller of any personal data breach
immediately after its establishment, and an obligation on the
controller to notify the personal data breach to the supervisory
body without undue delay and, as a rule, not later than 24 hours
after the breach has been established. The breach must also be
communicated to the data subject without undue delay and again, as
a rule, not later than 24 hours after the breach has been
established, unless the supervisory authority is satisfied that
appropriate technological protection measures (which would render
the data unintelligible to those not authorised to access it) were
implemented in respect of that data.
- Article 30 states that controllers must carry out data
protection impact assessments prior to risky processing operations.
A processing operation might be deemed risky based on its nature,
scope or purpose and Article 30 offers examples of transactions
that are likely to present specific risks.
- Article 32 introduces the requirement for companies and authorities to designate a data protection officer: in the public sector in all cases and, in the private sector, where the enterprise employs more than 250 persons permanently or where the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects.
In line with the Commission's acknowledgement that
international data transfers are essential for doing business in
today's global economy, the Commission has looked further at
the Binding Corporate Rules ("BCRs") model. Article 40
states that the relevant supervisory authority will approve a
controller's or processor's BCRs, provided that they are
legally binding and apply to and are enforced by every member
within the controller's or processor's group of
undertakings, and include their employees; they expressly give
enforceable rights to data subjects; and they satisfy a list of
specific requirements.
The draft Regulation imposes administrative sanctions that can be
tailored according to the enterprise's annual worldwide
turnover. Certain breaches with an intentional or negligent element
could lead to fines of up to 1,000,000 EUR or, in the case of an
enterprise, up to five percent of its annual worldwide turnover.
These sanctions bring data protection in line with other areas of
regulation, such as competition law.
This article provides a brief overview of some of the provisions of
the draft Regulation and industry awaits the Commission's final
proposal. For a more in-depth analysis and advice on complying with
data protection legislation, please contact us.
This article was written for Law-Now, CMS Cameron McKenna's free online information service.
The original publication date for this article was 09/12/2011.