Anticipating changes

Earlier this year, the European Commission presented its proposals for a radical overhaul of data protection rules in the European Union. Should the proposals become legislation, they will increase data protection compliance obligations for companies and will introduce the possibility of the imposition of fines of up to 2 percent of global turnover for certain breaches of the Regulations.

The proposed changes represent the first significant revamp of EU data protection rules since 1995. These proposals are timely as the 1995 Data Protection Directive, on which Ireland's Data Protection Acts 1988 and 2003 are based, has arguably become ill equipped to address modern data processing activities, e.g. consider the rapid changes in data use since 1995 arising from cloud computing, social networking, etc.

The 1995 Directive has been implemented in a somewhat divergent manner across the EU Member States. This has meant varied compliance requirements and inconsistent approaches to enforcement by Member States. As a result, the European Commission has proposed introducing the new law by Regulation, a legislative tool which will not require national implementing legislation to give effect to the law in each Member State.

Key reforms

Discussed below are some key proposals that companies should be aware of in order to prepare for compliance with the Regulation:

  • In addition to the existing data protection principles (for example, that processing be for a "limited purpose", be "not excessive", etc.), several new processing principles have been introduced, including that where processing of data presents specific risks to the rights and freedoms of individuals due to its nature, scope or purpose, the data controller shall undertake an impact assessment before the processing takes place.
  • Public authorities, businesses employing more than 250 people and companies where the core activities consist of processing activities shall be required to have a designated "Data Protection Officer". Groups of undertakings can appoint a single Data Protection Officer to represent them collectively. Notably, where a business is based outside of the EU but offers goods or services for sale to, or monitors the behaviour of, consumers in the EU, then that business must have a nominated representative based within an EU Member State.
  • A business suffering a data breach will be obliged to notify both the regulator and the affected individuals if there is a possibility that there will be an adverse effect on those persons' privacy. This change would effectively place key principles of the Irish Data Protection Commissioner's existing Data Breach Code of Practice on a statutory footing.
  • The Regulation has also introduced the somewhat controversial "right to be forgotten" whereby an individual can, subject to limited exceptions, withdraw their consent to have their data processed, resulting in a requirement that information held about them be erased by the processing party.
  • The Regulation is particularly strict in relation to the gathering of personal data from children arising from concern within the Commission regarding lack of protection of children in the digital age.
  • As mentioned above, a key discussion point regarding the Regulations has been that breach of a number of the proposed regulations would result in fines of between 0.5 percent and 2 percent of the global annual turnover of the entity in breach.

Looking ahead

Clearly the draft Regulations provide much food for thought. While the aim of the proposed Regulations appears to be to simplify and standardise applicable law, whether this is achievable remains to be seen, not least as the draft Regulations progress through the legislative process.

If the changes are adopted in their current form, companies will deal with a single national data protection authority in the EU country in which they have their main base. This represents an opportunity for Ireland to position itself as a "one stop shop" for data controllers in the EU who have an establishment in Ireland.

The proposals will now be passed on to the European Parliament and Member States (at EU Council level) and are planned to take effect two years after they have been adopted. Given the degree of change that is proposed, organisations with significant data processing operations need to begin preparing for the proposed changes now.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.