New draft European data protection regulation analysed
Written by Jos Dumortier on in the category Privacy & data protection with the tags privacy, data protection, data protection directive, data protection regulation, regulation, analysis, review.
New draft European Data Protection Regulation: what would change for data controllers?
On 25 January 2012, the European Commission officially released its proposal for a comprehensive reform of the 1995 data protection rules on personal data processing. The proposed Regulation has been published on the European Commission’s website. Should the proposed Regulation ultimately be adopted, it would become directly applicable across the whole EU territory after a transition period of two years.
One single European law
One single European legislative text would do away with the fragmentation caused by the diverging implementations of the current Directive in the EU Member States. If adopted, the proposed Regulation would apply across the EU. As a consequence, companies established in more than one EU country would no longer need to cope with the national rules adopted in each Member State. Current national laws on personal data protection, for example the Belgian Privacy Act of 8 December 1992, but also legal provisions in any other national, federal or regional law relating to the processing of personal data, would be abrogated or automatically invalidated after those two years if they are not in line with the European Regulation. This also means that some of the current provisions – mainly exemptions that have been introduced by Member States for purely national reasons – would disappear.
Every controller supervised by one data protection commission
Personal data processing by companies established in more than one EU country would be monitored by a single supervisory authority. In principle this would be the data protection commission of the country where the company has its main establishment. The proposed Regulation contains specific guidelines on how to identify this main establishment. In order to avoid negative impacts on the level of privacy protection for citizens, they would still be allowed to address complaints to the supervisory authority in their country of residence. To facilitate this process, the proposed Regulation establishes closer cooperation and data exchange between the national data protection commissioners, so as to enable them to provide assistance to authorities in another Member State.
Extension of the “household exemption”
The scope of the proposed Regulation excludes the processing of personal data by a natural person for exclusively personal or domestic reasons in a much more explicit manner than the current Directive. This exclusion covers, for example, correspondence and the holding of addresses, without any gainful interest and thus without any connection to a professional or commercial activity. As a consequence, the provisions of the data protection Regulation, if adopted, would typically not apply to individual users of social networks when they are merely processing personal data relating to their friends, family members or other private contacts. Currently, following the decision of the European Court of Justice in the Lindqvist case, the European rules on personal data protection can be argued to apply to such persons, for example if the data is publicly accessible via the Internet.
Also applicable to companies outside the EU
Theoretically, the proposed Regulation would not only be applicable to data controllers established in the EU. As with the current Directive, it also extends its scope of application to the processing of personal data of data subjects residing in the EU by a controller who is not established in the EU. This applicability is linked to cases where the processing activities are related to the offering of goods or services to such European data subjects, or to the monitoring of their behaviour. In these instances, the non-European controller should designate a representative in Europe, to act as a point of contact for data protection issues. This obligation does not apply if the controller is established in a third country ensuring an adequate level of protection, if the controller is a small or medium-sized enterprise or a public authority or body, or where the controller is only occasionally offering goods or services to such data subjects.
Basic rules remain but would be better implemented and enforced
Based on our initial analysis, the practical consequences of the new Regulation would be fairly limited for most companies operating on a national scale without any establishment abroad, at least if their personal data processing activities are already compliant with the current data protection legislation. If not, the current draft provisions suggest that they will be confronted with stricter control by the national supervisory authority. The competences of supervisory authorities would be strengthened under the new rules, to improve enforcement and thus compliance. They would be empowered to fine companies that violate EU data protection rules, with penalties of up to €1 million or up to 2% of the global annual turnover of a company. Moreover, the responsibility and liability of the controller for any processing of personal data is more clearly established. In particular, the controller would be required to ensure, and be obliged to demonstrate, the compliance of each processing operation with the Regulation. This obligation would require much more stringent documentation of processing activities to be kept, which would serve as evidence towards data protection authorities or courts in case of disputes.
Example: opt-out for direct marketing
The majority of the current rules remain essentially as before, but many of them have been formulated more clearly in the proposal, leaving fewer avenues for abuse. For example, the current opt-out rule for direct marketing would be maintained and processing for direct marketing purposes would remain possible without the consent of the data subject. However, information to be given to the data subject about the right to object is more precisely defined, and could for example no longer be hidden in broad terms and conditions.
Abolition of the general obligation to notify
The current data protection legislation contains an obligation to notify the processing of personal data to the supervisory authorities, subject to certain exceptions. This obligation produced significant administrative and financial overheads, but did not seem to do much to strengthen the protection of personal data. Therefore the general notification obligation would be abolished in the new proposal, and replaced by procedures and mechanisms which focus instead on those processing operations which are likely to present specific risks. In such cases, a data protection impact assessment should be carried out in advance by the controller or processor. This should in particular apply to large-scale filing systems, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects. Thus, administrative procedures would make way for more practice-oriented rules.
Data protection officers
Under the proposed Regulation, the controller and the processor would be required to designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. A group of undertakings may appoint a single data protection officer. Again, the emphasis of European rules would thus shift towards a more pragmatic and operational focus.
Consent: always explicit
Currently, personal data processing is frequently justified on the basis of the data subject’s consent, especially in commercial transactions. One of the most important changes proposed by the European Commission is the requirement that this consent should always be explicit. Tacit consent would no longer be sufficient as a legal ground for data processing. Moreover, it would not be possible to obtain valid consent through generic terms and conditions; rather, the data subject’s choice must be presented in a manner which is distinguishable in appearance from any other matters. The data subject would also have the right to withdraw his or her consent at any time. Last but not least, consent would no longer provide a legal justification for processing activities when there is a significant imbalance between the position of the data subject and the controller. This new rule would exclude consent as a justification in relationships such as employment, insurance, etc.
Right to be forgotten?
The current data protection legislation already contains a right for the data subject to request rectification or deletion of personal data. This right remains essentially as before, but has been further developed and specified. To strengthen this right in an online environment, the right to erasure would be expanded: a controller who has made personal data publicly available would be obliged to inform third parties which are processing that data whenever a data subject requests them to erase it. In this way, a data subject’s request to e.g. remove his data from a website would trickle down to certain other recipients of that data, and would also apply to links to, or copies or replications of that personal data. The controller would have to take all reasonable steps, including technical measures, to ensure the effectiveness of this right in relation to data which has been published under the controller’s responsibility, i.e. in cases where the controller has published the data himself or where he has authorised the publication by a third party.
Data portability
Where personal data are processed by electronic means and in a structured and commonly used format, data subjects would in the future have the right to obtain a copy of their own personal data. They would moreover be allowed to transmit those data from one automated application, such as a social network, into another one. This right would apply in all cases where the data subject provided the data to the automated processing system, based on their valid consent or in the performance of a contract.
Broader security breach notifications
The security breach notification introduced for public network operators and service providers by a European directive of 2009 would be extended to all data controllers. As soon as a controller becomes aware that a personal data breach has occurred, he would be obliged to notify this breach to the competent supervisory authority without undue delay and, where feasible, within 24 hours. The individuals whose personal data could be adversely affected by the breach would also have to be notified without undue delay in order to allow them to take the necessary precautions.
Transfer of data outside the EU
Under existing data protection rules, transferring personal data to a destination outside the EU tends to be a complicated affair, especially in cases where the recipient country has no comparable data protection laws. Nonetheless, the basic rules concerning such transfers have been maintained in the proposal. The Commission would however receive more competences to decide that third countries (or a specific territory or data processing sector within a third country) offer an adequate level of data protection. In these cases, transfers would be permissible without further authorisations. Conversely, the Commission could also declare that a country, territory or processing sector offers no such guarantees, consequently prohibiting transfers to these destinations.
In the absence of an affirmative adequacy decision, the controller or processor would still be required to take measures to compensate for the lack of data protection, as under the current rules. Such appropriate safeguards may consist of the use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures authorised by a supervisory authority. Last but not least, the current derogations that can also be used to justify transfers, for example where the data subject has given his consent, remain largely applicable.
In the coming months the Commission's proposals will be passed on to the European Parliament and to the Council of Ministers for discussion. It is expected that these discussions will take at least a year or two, followed by a transition period of another two years before the rules become applicable. Updates to the proposals will of course be published at www.timelex.eu.
For more information, please contact Jos Dumortier.