Originally published on February 8th 2012

On January 25, 2012, the European Commission released its long-awaited proposal to reform its data protection rules, which have been in place since 1995. The "Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data" ("Regulation") will repeal and replace the existing Data Protection Directive (Council Directive 95/46) ("Directive") and the system of country-specific laws that it governs and is the latest step in the European Union's quest for greater harmonization and increased protection of consumers' right to data privacy.

Importantly, this proposal is only a draft. Passage is expected to take at least a year, and the enacted Regulation would not take effect for another two years. However, once enacted, the Regulation will be directly binding upon everyone in the EU Member States, whereas the Data Protection Directive was implemented through Member State law. In support of the single set of rules, the European Commission refers to a recent survey that found that two out of three Europeans are concerned that companies share personal data without permission and that nine out of 10 want the same data protection rights across Europe. While a single set of rules may provide the benefit of standard regulation across the European Union, the Regulation imposes new obligations upon companies that participate in the European market.

Who Is Affected?

  • Companies that target European customers (even without a European presence) are explicitly covered by the Regulation, whereas they were not by the Directive. However, the Article 29 Working Party had previously opined that the Directive applies to entities that affirmatively target EU-based individuals by doing such things as installing cookies on their computers. The Regulation picks up where the Article 29 Working Party left off, and it does not appear to vastly increase the number or types of entities covered by the law. However, because the Article 29 Working Party's recommendations were not binding until enacted into local law, companies that have not yet brought their actions into compliance with those recommendations may wish to keep a keen eye on the proposal and begin considering how to bring their businesses into compliance.
  • Safe Harbor certified companies should monitor the Regulation because the current version does not address the Safe Harbor certification program. It is currently unclear whether the Safe Harbor program will continue. While the Regulation is silent as to Safe Harbor certification, it includes a growing emphasis on the use of binding corporate rules ("BCR"), by formalizing a position that the BCR need only be approved by a single data protection authority in order to have effect throughout the European Union.
  • Companies currently complying with the Directive remain covered and will need to analyze the changes detailed below to determine what parts of their processes may need adjustment.

Major Changes

The Regulation aims to increase protection of personal data by establishing new rights and sanctions (subjects of significant publicity already) and by strengthening and modifying existing obligations, in most cases to incorporate previous Working Party opinions. In addition, administrative burdens have been changed.

New Privacy Requirements and Sanctions

The Regulation proposes several new substantive rights and obligations that, if implemented, would significantly affect business practices for many companies. However, the magnitude of the proposed changes also suggests that they will be heavily debated and quite possibly extensively modified before implementation.

  • The right to be forgotten allows data subjects to demand deletion of their personal data when the purposes of the collection have been accomplished, the data subjects have withdrawn consent and consent was the basis for lawful processing, or when the data subjects object to continued processing. There is an exception for data needed for historical, statistical or research purposes.
  • The right to data portability allows data subjects to request a copy of their personal data in a format that makes further use by the data subjects possible.
  • The right to object strengthens the existing right of data subjects to object to the processing of their personal data by requiring an opportunity to object to data processing for the purposes of direct marketing.
  • Data breach obligations are significant and, if passed, will require notification to the relevant data protection authority without delay and, where feasible, within 24 hours of learning of a breach. The required notification must describe the nature and extent of the breach, recommend mitigation measures, describe the consequences of the breach and discuss the measures taken to address it. Notification to affected individuals is required "without undue delay" where the breach is likely to adversely affect the protection of the personal data or the privacy of the data subject.
  • Penalties and sanctions are significant. Failure to abide by the requirements will result in stricter sanctions. Data subjects are entitled to pursue judicial remedies and receive actual damages, with controllers and processors jointly and severally liable. In addition, administrative sanctions of up to 1,000,000 EUR or 2% of an enterprise's worldwide turnover may be imposed.

New Technical Requirements

The Regulation includes definitional and other changes that, for the most part, reflect the already-stated interpretations of the Article 29 Working Party. Examples of these changes include:

  • "Consent" is defined to require an "explicit" indication of user preference. Data controllers have the burden to prove consent, and parents or legal guardians must give verifiable consent to process information regarding children under the age of 13. The changes are intended to ensure that the data subject knows that consent has been given, and for what it has been given.
  • The definition of "child" is broadened to include any person below the age of 18.
  • Data processing is explicitly limited to the "minimum necessary" information rather than a "not excessive" amount of information.
  • Consumer notice requirements are longer and more detailed, and they are explicitly required to be "transparent and easily accessible."
  • Controllers are expected to design privacy-protective defaults into their systems that do not expose data to an indefinite number of individuals.

Administrative Procedures

  • The current filing system and pre-authorization requirements are abolished. Instead, data controllers and processors will be obligated to carefully document each processing operation and to preserve that documentation for a potential audit. Potentially risky processing operations require the controller to undertake a data protection impact assessment and to obtain approval before beginning operations.
  • Each controller and processor must appoint a data protection officer when its core processing activities require regular and systematic monitoring, where the processing is carried out by a public authority, or where the enterprise employs 250 persons or more.
  • The Article 29 Working Party will be elevated to the status of an independent European Data Protection Board. The composition of the board would remain unchanged, and it would be charged with facilitating the consistent application of EU data protection law and cooperation between Member State data protection authorities.

Contact counsel if you have questions about the Regulation and its impact on your company, or questions about current European data protection requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.