Recently the European Commission unveiled a proposal for a comprehensive and significant reform of the existing EU data protection framework. The proposed data protection framework, which consists of a General Data Protection Regulation that sets forth the general data protection framework (the Regulation) and a Directive that applies to the processing of personal data by police and judicial authorities in criminal matters, is intended to replace the existing Data Protection Directive 95/46/EC and the data protection laws of each EU Member State with a single set of rules that would apply across the 27 EU Member States.

The fact that the existing Data Protection Directive is to be replaced by a Regulation is very important. EU Directives must be implemented by each EU Member State via national legislation, which can give rise to different flavors of the legislation and require a country-by-country analysis of the specific legal requirements. Regulations, on the other hand, have the immediate effect of law throughout the EU. Replacing the existing Data Protection Directive with a Regulation means there is no wiggle room for individual countries to tailor the law in any way – but it also means that European law on data protection (other than for criminal justice matters) will be uniform. So it will require less effort to figure out how to bring your European operations into compliance with the new data protection law – but the standards have also been tightened up in many respects.

Viviane Reding, the EU Commissioner for Justice, Fundamental Rights and Citizenship and Vice-President of the Commission, identified the following key goals of the proposed reform in her press release: (1) to update and modernize the existing EU data protection rules in light of technological developments to address, among other things, online privacy, in order to improve the protection of personal data processed both inside and outside the EU; (2) to address the protection of personal data processed by law enforcement and judicial authorities; (3) to give individuals more control over their personal data and facilitate access to and transfer of such data; (4) to harmonize data protection rules across the EU by establishing a "strong, clear, and uniform data protection framework" with a single set of data protection rules and a single national data protection authority (i.e., the national data protection authority of the EU member state where the company has its "main establishment" as defined in the General Data Protection Regulation); and (5) to boost the EU digital economy and foster economic growth, innovation, and job creation in the EU (as an example, per Commissioner Reding, the new framework would eliminate certain administrative requirements that would save businesses around 2.3 billion euros a year).

Please note that any business outside of the EU that either processes personal data of EU residents in connection with offering goods or services to such individuals or monitors the behavior of such individuals will be subject to the provisions of the Regulation. The proposed Regulation defines "processing" very broadly as "any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction."

Below are some of the provisions of the proposed Regulation that would most likely have a significant impact on U.S. companies that would be subject to the Regulation:

1. Expansion of Definition of "Personal Data"

"Personal data" is defined in Article 4 of the Regulation as "any information relating to a 'data subject.'" The definition of "data subject" has been broadened so that a "data subject" can now be identified by means reasonably likely to be used by the controller or by any other natural or legal person, by reference to not just an identification number but also to location data and online identifiers or to additional factors like genetic and mental identity, among other factors. The Commission's extremely broad interpretation of what constitutes "personal data" is reflected in a recently published factsheet on the proposed data protection reform where "personal data" is defined as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, your bank details, your posts on social networking websites, your medical information, or your computer's IP address."

2. Express Consent Requirement to Process Personal Data

Covered businesses are required to obtain (and not assume) the express consent of the data subject to the processing of his/her personal data for one or more specific purposes, unless processing is required for certain limited purposes such as compliance with a legal obligation of the business or to protect the vital interests of the data subject. If consent is required as a part of a written document which also covers another matter, the consent requirement must be clearly distinguished from the other matter. The data subject may withdraw the consent at anytime and consent is essentially not valid where there is an "imbalance" between the position of the data subject and the business. These provisions make it very difficult to assess from a practical perspective whether a business truly has a legal basis for the processing of personal information of EU residents.

3. Breach Notification Requirement

Businesses must notify the supervisory authority (i.e., the public authority established by each Member State) of a "personal data breach" "without undue delay and, where feasible, not later than 24 hours" after becoming aware of the breach. "Personal data breach" is defined very broadly as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." After notifying the applicable supervisory authority, companies must also notify the affected data subject of a personal security breach "without undue delay" if the personal security breach "is likely to adversely affect the protection of the personal data or privacy of the data subject."

4. Requirement to Adopt Policies and Implement Measures to Ensure and Demonstrate Compliance with the Regulation

Businesses must adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the Regulation, including maintaining documentation of processing activity. Businesses must have transparent and easily accessible policies regarding the processing of personal data that are clearly presented to data subjects which, among other things, provide the identity and contact information of the business, identify the purpose of processing the personal data, set forth the data subject's right to access, correct or have the personal data deleted, set forth the right of the data subject to complain to supervisory authority, specify the period during which the personal data will be stored by the business, and specify whether the personal data will be disclosed to third parties and/or transferred to third countries.

5. Binding Corporate Rules (BCRs)

Under the new Regulation, Binding Corporate Rules, the tool uses by companies with global operations to transfer personal data of EU residents within their corporate group to entities located in countries which do not have an adequate level of data protection, will no longer need to be approved by each Data Protection Authority in each applicable EU Member State. Under the proposed regime, BCRs that meet the requirements described in the Regulation will need to be approved by one authority and, once approved; the BCRs will be recognized by the rest of the authorities in each applicable Member State. More importantly, the approved BCRs would also cover third parties that process personal data of EU residents on behalf of the business, such as cloud service providers, for example.

6. Data Security Obligations

Businesses are required to implement appropriate technical and organizational measures "to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation."

7. Data Protection Impact Assessment Requirement

Businesses with processing operations that "present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes" are required to conduct a data protection impact assessment.

8. Requirement to Appoint Data Protection Officer

Businesses with more than 250 employees and certain other organizations are required to appoint a data protection officer responsible for monitoring data processing activities.

9. Significant Penalties

Penalties for violations of the Regulation range, based on the type of violation, from a written warning to fines for intentional or negligent conduct of anywhere from 250,000 euros or 0.5 % of the annual worldwide turnover of a company up to 1,000,000 euros or 2% of the annual worldwide turnover of a company.

10. Transfers of Personal Data to Third Countries

Although the restriction on the transfer of personal data to third countries that do not offer an adequate level of protection, as determined by the Commission, remains in place, under the proposed Regulation, transfers based on standard data protection clauses adopted by the Commission or a supervisory authority or based on binding corporate rules that now must be approved by just one supervisory authority will not require further authorization.

* * * * * * * * * *

The proposed data protection framework will be evaluated by the European Parliament and the EU Member States and if adopted, the Regulation will go into effect and the Directive will be required to be incorporated into the national law of each Member State, within two years from the date of adoption. At this point, it is still possible that the proposed Regulation and the Directive could be modified before adoption.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.