The DP Regulation was published on 25 January 2012. It will not come into force before 2014. First it must pass through a legislative process in the European Council and Parliament. A Regulation (as distinct from a Directive) is directly binding on Member States without any requirement for implementation into national law, so will apply directly to data controllers and data processors and will mean a single set of rules across the European Union. Comment: This is good news for virtually everyone. The current Data Protection Directive 95/46 singularly fails to achieve a harmonised European Union data protection regime, despite that being one of its two main aims, and this has cost business hugely. Commissioner Reding (the Commissioner behind the DP Regulation) is right about this.
However, as the accompanying objectives statement makes clear: the new Regulation is designed to increase the effectiveness of individuals' DP rights by "putting individuals in control of their data, particularly in the context of technological developments and increased globalisation." The necessary corollary of stronger rights for data subjects is more onerous obligations for data controllers, and for the first time, data processors.
There are two goals for organisations impacted by the Regulation:
- seek to influence the text of the DP Regulation as it makes its way through the EU legislative process; and
- seek to reduce the number and impact of the many "delegated acts" and "implementing acts" under which the Commission would, in due course, promulgate more detailed rules for data controllers and processors (very broadly, similar to UK secondary legislation).
Key changes proposed in the DP Regulation include:
- Territorial Scope: The DP Regulation applies to processing of personal data by data controllers outside the European Union, where the processing activities are related to goods or services offered to data subjects in the European Union, or the monitoring of their behaviour. Comment: Non-European Union data controllers take note. This is much wider than the current position. Offshore cloud services, 'information society' services and a host of other services will be caught. Watch this space for how the Commission foresees enforcement under international conflict of law rules.
- Breach Notification: Data controllers now have to notify the regulator (and in some cases, the affected data subjects) of a breach within 24 hours of becoming aware of it, "where feasible". And processors have to notify their data controller "immediately". Comment: Outside the telecoms sector, this is, firstly, not currently a mandatory requirement in the UK. Secondly, these tight timescales will require a review of procedures for many data controllers, and for processors. Sufficient investigation of the nature and extent of the incident, let alone the requirement to outline recommended mitigating action in the notification, will for many data controllers entail closer working co-operation between Legal, IT Security, HR, senior management and PR than is currently the case.
- Consent: 'Explicit consent' is now required. It is up to the data controller to demonstrate that explicit consent has been obtained. Consent will not provide a legal basis for processing where there is a 'significant imbalance' between the position of the data subject and data controller (as clarified elsewhere: the employment relationship is a prime example). Comment: The requirement for the data controller to bear the burden of proof for demonstrating the data subject's consent is in line with the broader shift in emphasis under the DP Regulation, under which the new regime will be all about demonstrating compliance, through production of appropriate procedures and policies, and adequate trails of consent and other matters.
- Right to be forgotten: Data controllers must delete personal data relating to a data subject where the individual withdraws consent, objects to that data controller's processing of his information, or where his personal data is no longer needed. Comment: We have little indication of how this provision will be enforced and how low the threshold will be for satisfying the conditions to exercise this right.
- Data portability: The data subject has the right (where personal data are processed by electronic means and in a structured and commonly used format) to obtain from the data controller a copy of data undergoing processing in an electronic and structured format, which is commonly used and allows for further use by the data subject. Comment: This is not really a data protection measure as such. At first glance, one for online social networks, but on closer inspection any financial services provider, the energy sector and a host of other types of service providers, will wish to take note how they design their platforms to accommodate this requirement.
- Binding Corporate Rules: Binding Corporate Rules, which allow for data to be transferred internationally across a corporate group, can be approved by one regulator across multiple jurisdictions. Comment: A welcome change to a currently cumbersome and expensive process. How are national data protection regulators gearing up for resourcing requirements to deal with increased intra-EU co-operation and any increase in take up by data controllers?
- Data Protection Officers ("DPO"): Public authorities and private companies with 250 or more staff must formally appoint data protection officers for a term of two years to ensure compliance. Comment: This is all part of the new approach to 'accountability' (as evidenced by the 'family' of Articles 28, 30, 33, 34 and 35). The DPO requirement looks disproportionate for data controllers who meet the size requirement but do not do much processing.
- Data Protection Impact Assessments ("DPIA"): Data controllers carrying out high-risk processing will have to carry out a review of their processing activities before being able to process data under the DP Regulation. Comment: Although privacy impact assessments (as they were previously known) are not new, they are now hard-coded into the law. Their potential impact on data controllers is, in our view, not yet properly understood. Trade bodies and individual data controllers will wish to consider what kind of guidance and skillsets will be necessary actually to carry out a DPIA in accordance with the new requirement, and particularly how to deal with outcomes where structural or 'privacy by design' changes are needed to the business model, or the processing operation, to ensure compliance.
- Accountability Measures: There are stricter rules on what kind of documentation about processing must be kept to ensure, and to be able to demonstrate compliance with, the new DP Regulation. Comment: As discussed above. At first glance this looks relatively innocuous. DPOs and their colleagues are likely to be very busy updating (or in some cases creating) the relevant documentation.
- Notification: The DP Regulation removes the requirement for data controllers to register with the regulator, but the data controller must provide the regulator with details of the appointed data protection officer. Comment: At last. The welcome end of unnecessary red tape.
- Fines: The DP Regulation introduces a new regime of administrative sanctions of up to 1 000 000 EUR or, if a private sector entity, 2% of its annual worldwide turnover. Non-compliant responses to a subject access request are likely to attract lower fines; whereas serious data security breaches are likely to attract the maximum fine. Comment: All organisations will be impacted by the toughening of the sanctions regime, but for global organisations, this could represent fines that are closer to the FSA regime, where fines run into the millions. For the public sector, the 100% increase in the fine could lead to an unbearable cost for already stretched budgets.
- Expanded definition of personal data: 'personal data' has been broadened to cover any information related to living individuals, and has specific definitions for genetic data and biometric data. Comment: The UK's RAND report raised the question why in the existing Data Protection Directive there is not a closer link between harm (to the data subject) and the data protection principles. That opportunity has been overlooked. Instead, data controllers are simply going to have to continue to grapple with what is – in practice – often one of the hardest questions: is it personal data? And to do so using a substantially broadened definition.
- New protections for children: There are new provisions in the DP Regulation for data controllers processing personal data of children under 13. Comment: This is a concession compared to the under-18 threshold in the leaked draft. Relevant data controllers' verification and consent procedures will need attention.
- Statutory liability for data processors: Data processors now have a statutory liability to implement appropriate security measures when processing personal data on behalf of a data controller, as well as to follow the instructions of the data controller and ensure the reliability of its staff involved in processing the personal data. In addition, they have an express obligation, as noted above, in relation to notification of security incidents. Comment: IT and services suppliers as well as customer organisations will all need in due course to look carefully at their contractual arrangements, overhaul their templates and re-examine their internal reporting procedures.
Contacts
For more information, please contact Marc Dautlich at marc.dautlich@pinsentmasons.com (DD: 0207 490 6533) or Kathryn Wynn at kathryn.wynn@pinsentmasons.com (DDI: 0131 225 0043).
This briefing is not an exhaustive summary of the new DP Regulation. It is an overview of specific issues only and does not constitute legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter.