What is this all about?
The EU is in the process of reforming its existing data protection rules. These reforms have been moving slowly through the EU legislative pipeline but we seem now to be getting closer to a final agreement. Even though the expected implementation date of these rules is still likely to be two years away we strongly recommend that businesses prepare now as the reforms go well beyond an upgrade. Many deals signed now are likely to be covered by the new rules and most businesses will need to start now to be ready in time.
What is EU data protection?
The right to privacy is mainly regulated in the EU under a 1995 Directive that controls the processing of personal data. These rules are of very wide effect with major compliance requirements placed on businesses inside and outside the EU.
Why is this change happening?
In January 2012 the European Commission introduced the proposed new Regulation with the overall objective of significantly overhauling the 1995 rules, the mantra being to catch up with the huge advances of the digital age. Other aims include a less administratively burdensome and costly regime for businesses, an extension and expansion of rights, and, making privacy by design the norm.
Are these completely new rules?
Yes and no. Yes, the 1995 rules are being completely replaced. No, not only will the fundamental aspects of privacy continue to be protected, they will also be extended. The reforms essentially build on the current structure, but, the 1995 rules will at least triple in length – or even more depending on the number of amendments that are eventually accepted under the EU legislative process – the November 2015 Council text (explained below) consists of around 120 recitals and 91 articles in 186 pages!
What new rules will there be?
There are in fact two proposed sets of new rules as follows.
Firstly, there is a Regulation, which sets out a general EU framework for data protection, i.e. to replace the 1995 Directive. A Regulation has been chosen because this format should be immediately applicable law once adopted – it will not require EU Member States to pass further legislation. This said, the Council revision (see below) allows for plenty of carve-outs for the EU Member States. Further, Member States like the UK will still face legislative issues about what to do with aspects of their national data protection rules that are additional to the EU rules.
Secondly, there is a Directive, which specifically deals with protecting personal data processed in a law enforcement context. Most businesses do not need to be too concerned about the Directive but it forms part of a package with the Regulation, and because the Directive has been subject to procedural delay this will likely impact the timing and adoption of the Regulation.
Where do things currently stand?
In very simple terms, three EU institutions are involved in this legislative process: the European Commission (“the Commission”), which acts as the executive body of the EU, proposes the legislation which is jointly adopted by the Council of the European Union (“the Council”), which represents the executive governments of the 28 EU Member States, and, the European Parliament, which is the directly elected parliamentary institution of the EU.
After the Commission began the process the proposal went to the European Parliament who, after over two years of much debate and lobbying, put forward a huge number of amendments. Then it was the turn of the Council who after over a year of consideration agreed a “general approach” (their proposed amended version from June 2015 can be found here) although it is understood that many divergent views within the Council remained even after their proposals were published.
How many data protection regulators will I have to deal with?
A key aspect of the reforms is that a business which is in several EU Member States should only have to deal with one data protection regulator (called a “supervisory authority” in the Regulation) – most likely this will be in the country where the business is based. Individuals will also only have to deal with their “home” regulator, in their own language, even if their personal data is processed outside their “home” country. But, this one stop shop system is likely to have caveats, for example, under the June 2015 Council text, where there is a cross-border data protection issue (such as within the context of a complaint) businesses may have to deal with several data protection regulators. The June 2015 Council text also beefs up the tasks and powers of the regulators along with the cooperation mechanism between them. The to-be-created European Data Protection Board (to replace the current “Article 29 Working Party”, an important grouping of data protection regulators) will also have as one of its functions to act as a kind of appeals mechanism concerning some issues between the regulators.
It is important to remember however that the one-stop-shop could also face judicial challenge. Decisions of the European Court of Justice (CJEU) in the Google right to be forgotten case; the Schrems Case on Safe Harbor and the Weltimmo case on cross-border commerce have strengthened the power of regulators outside a company’s home country when investigating complaints. Whether a new Regulation can turn back this tide remains to be seen.
Therefore, the implementation of this system, in whatever form it is eventually agreed, is likely to be less of an actual one-stop-shop in reality and perhaps represents the greatest compliance challenge out of all the reforms for a business. Businesses will still have to be prepared to answer to more than one regulator.
Will I have to register with a regulator?
No. There will no longer be a requirement for a data controller (the person determining the purposes for and manner in which personal data are processed) to register with a data protection regulator, and consequently the payment of a fee to register will also disappear.
But, whilst one administrative burden goes another one apparently appears as data controllers will have the obligation of implementing appropriate measures to be able to demonstrate that the processing of personal data is in compliance with the Regulation – data processors (processing means carrying out any operation or set of operations, or obtaining, recording or holding the information or data) will also be subject to certain direct obligations.
Further, the disappearance of registration fees will pose a challenge for many Member State regulators who will lose an income stream. How will their budgets be impacted and how will this affect their administrative and enforcement capabilities? Will fine income have to increase to close this funding gap?
My business is not in the EU so will these rules still affect me?
Yes. The new rules will apply not only to businesses which are actually located in an EU Member State, but, also, to businesses located completely outside the EU where they process the personal data of EU residents and offer them goods and services, which the June 2015 Council text qualifies as being ”irrespective of whether a payment by the data subject [the person concerned] is required”. This extra-territorial dimension is a very significant change and very controversial. A key issue is that it may prove very difficult, if not impossible, to actually enforce this.
Will I have to make privacy an integral compliance element in my business?
Yes. Privacy by design and/or default will not be an add-on, but, instead, will become the norm as businesses will have to incorporate data protection safeguards into their products and services from the beginning, although it should be noted that the June 2015 Council text seems to have put some limit on this. Privacy by design and/or default might sound fine as a policy aspiration but its practical application will not always be so straightforward.
Will consent be required for data processing?
The requirements for consent have been recalibrated. Under the June 2015 Council text “unambiguous” consent will have to be given by a person in order for their personal data to be processed – there are still some differences though between the Commission, the Parliament and the Council on the way this is worded. Businesses will not be able to rely on silence or opt-outs and instead an active process such as box-ticking will have to be put in place – the June 2015 Council text states that “silence or inactivity should therefore not constitute consent”.
Are there any new rights?
Yes. A series of new rights are introduced including the right to portability (transmitting personal data from one data controller to another), and, the right to not be subject to profiling (subject to certain exceptions). Perhaps most controversial, mainly due to the highlighting of the issue in last year’s European Court of Justice ruling concerning Google, is the introduction of a legislative right to be forgotten (albeit not an absolute right), i.e. the right to have data erased without undue delay where the data are no longer necessary in relation to the purpose for which they were collected or otherwise processed. Much ink has been spilled on the seriously problematic nature of this right, e.g. the technical, logistical and financial costs involved, the possible hampering of law enforcement/regulatory bodies in their investigations, the ability to hide an unsavoury past, and, the impact on free speech. There’s more on the original Google right to be forgotten case here.
There will also be a more expanded right for people to be provided with information about how their data is used. Further, it should also be noted that under the reforms so-called “subject access requests”, a process whereby someone can exercise their right to gain access to data held on them, must be answered within one month of receipt of the request but which (under the June 2015 Council text) may be extended to two months where necessary.
We have definitely seen a rise in subject access requests in 2015 amongst our client base. Even 2 months is often insufficient for an organisation to deal properly with a subject access request. Organisations need to plan now to deal with a higher volume of subject access requests, and to deal with each one more quickly than they do currently.
Will I need to appoint a data protection officer?
Possibly. A special data protection officer (DPO) may have to be appointed to deal with data protection compliance – there are differences between the proposals of the Commission, the Parliament and the Council with the latter being more flexible as they suggest making the appointment of data protection officers discretionary unless made mandatory by either EU or EU Member State law. This may prove to be a flashpoint between the EU institutions in the trilogue process (see below). The Council’s November 2015 draft suggests that there is likely to be a compromise with a mandatory DPO being required only for public authorities and certain types of data processing. It also seems likely that a group of companies will be allowed to appoint one DPO for the whole group.
When will I have to report data breaches?
There are two reporting obligations. Significant changes concerning the mandatory reporting of data breaches are to be introduced. Data breaches will have to be reported to data protection regulators in each country affected without delay and, where possible, not later than a period to be set under the new rules, which in the November 2015 Council text is set at 72 hours, but in the final version this may yet change due to differences on this between the Council, the Parliament and the Commission where the other two bodies have previously favoured 24 hours. The notification to the regulator will have to be accompanied by a reasoned justification in cases where it is not made within the set period.
This does not seem likely to be a one stop shop system, so, for example if you have a breach affecting 12 EU countries you will likely have to make 12 separate reports within the 24 or 72 hours allowed.
Two particular contentious issues that may prove a challenge are:
- Whether there will be a threshold, i.e. if a breach is minor whether it will have to be notified or not. The June 2015 Council text is more business-friendly and suggests a threshold qualifiying a breach as one “which is likely to result in a high riskfor the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to the [sic] reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage”; and,
- Whether technical measures to secure the data, such as encryption, will mean that a breach need not be reported and if so what those acceptable technical measures will be. This is important for multinationals as US data breach laws commonly provide exceptions for data which is sufficiently encrypted.
These various issues are likely to be a flashpoint between the EU institutions in the trilogue process (see below).
What about liability and compensation?
Under the reforms, both liability and compensation have been beefed up with the June 2015 Council text providing that any person who has suffered “material or immaterial damage” due to non-compliant data processing has a right to compensation from “the controller or the processor” for damage suffered.
Because of the extra risk that a data breach may now entail under this new formulation, if eventually adopted, businesses will need to do the maximum to minimise the potential for damages claims.
Will there be mandatory audits?
Probably. Under the new rules regulators may be given the power to carry out surprise audits on businesses. This may prove to be a significant new tool in the regulator’s armoury. Businesses should therefore put in place procedures and train staff to deal with this.
What kind of fines can my business face for breaching the rules?
Under the new rules, data protection regulators will have the power to impose high fines for infringing the data rules. Three different bands of fines are proposed in relation to three different categories of infringements. In the original January 2012 Commission proposal and under the June 2015 Council text this is up to Euro 1 million or up to 2% of the global annual turnover of a business, whichever is the greater, in the highest category of the three bands and infringements, for example those concerning consent, profiling and breach notifications. Under the June 2015 Council text, the to-be-created European Data Protection Board will draw up guidelines for fines for the supervisory authorities. It also seems that a procedure on the lines of EU competition/anti-trust enforcement is being envisaged as the process for imposing fines including as regards aggravating and mitigating factors.
The subject of fines has been the subject of much debate in the trilogue process (see below), perhaps a major one, notably because the Parliament in particular is seeking higher figures. Some sources have reported that the Parliament have been holding out for a 5% threshold but that the Council has recently been asked to agree a 4% threshold for most businesses.
Will some kind of other assessments have to be made?
Where processing operations present specific risks, an assessment of the impact of the envisaged processing operations on the protection of personal data will have to be carried out. There are major differences between the Council and the Parliament on the applicable risk situation, but whatever the final outcome, an assessment will have to address the envisaged processing and evaluate the risks and the measures that would address them.
The June 2015 Council text qualifies a “type of processing” for privacy impact assessment as one which in particular uses new technologies and “which is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the [sic] reputation, unauthorized reversal of pseudonymisation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage”.
Has anything changed as regards data transfers to third countries?
The core principles concerning the transfer of data from EU Member States to third countries (including the US) will remain in place, including the requirement that those data flows can only occur where an adequate level of protection is assured by these third countries. The European Data Protection Board may also play a role in this process by advising the Commission.
Data transfer has been the hot compliance topic in 2015 with the Schrems decision and it is hard to see how the Regulation can solve this problem is a fail-safe manner.
The Regulation does seek to support so-called “Binding Corporate Rules”, which are discussed extensively in both the original 2012 draft Regulation and the Council’s June 2015 revision.
Whatever the final outcome, businesses’ existing arrangements will have to be checked against these. Change is likely.
What are the next steps?
Sources suggest that we’re getting close to a deal between the Council and the Parliament (with the European Commission acting as a kind of intermediary) so that the proposed reforms can become law. This process is officially called the “trilogue”.
It should also be noted that it is envisaged that once the Regulation has been adopted the so-called EU Cookies Directive (2002/58) should be reviewed in order to clarify the relationship between the two sets of legislation.
In this alert we have done our best to guess at where these negotiations will end up but this is a work in progress still – do check our website at http://www.corderycompliance.com/category/data-protection-privacy/ where we post regular updates.
What should businesses do now?
Assuming that the new rules are finally adopted, they will bring a high level of compliance obligations, with significant financial, resource (including IT) and administrative costs. The following are ten compliance issues to consider now:
- Thoroughly review vendor contracts – you will need your vendors’ help especially in reporting security breaches very quickly. Make sure that you have the contractual rights to insist on this and make sure that you can hold your vendors to account;
- Implement a subject access request procedure if you don’t have one already. You can also use this to deal with right to be forgotten requests. A good subject access request procedure will reduce compliance risks and also act as an early warning radar for other issues in the business.
- Put in place a data breach notification procedure, including detection and response capabilities – consider purchasing special insurance;
- Prepare to update your existing processes and prepare new detailed documentation and records ready for regulatory inspection – factor this into overhead costs;
- Review all key practical aspects such as data retention, destruction etc. through all means of collecting data used by the business;
- Ensure that new aspects such as explicit consent, the right to be forgotten, right of data portability and erasure, and, the right to not be subject to profiling are all included in policies and procedures;
- Put in place a data breach notification procedure, including detection and response capabilities – consider purchasing special insurance;
- If applicable, appoint a data protection officer;
- Put in place a Privacy Impact Assessment (PIA) process if you haven’t got one already. A good PIA process can reduce risk and make your data more valuable and more secure;
- Train staff on all of the above; and,
- Set up and undertake regular compliance audits in order to identify and rectify issues.
Cordery offer a fixed fee registration and renewal service for ICO notifications which can include an annual audit. Details are here.
For more information please contact Jonathan Armstrong, Gayle McFarlane or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH, Office: +44 (0)207 075 1784, firstname.lastname@example.org
Gayle McFarlane, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH, Office: +44 (0)207 075 1786, email@example.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH, Office: +44 (0)207 075 1785 firstname.lastname@example.org
Originally published on December 8, 2015, at http://www.corderycompliance.com…
Related material is available here