Out-Law Analysis | 25 Jan 2012 | 4:52 pm | 5 min. read
The change that ought to please businesses most is that one law will apply across the whole of the EU which will make doing business across Europe much easier from a data protection perspective.
The proposal, if approved, will provide welcome consistency for businesses. The Commission has proposed replacing a Directive, which each country must turn into its own law, with a Regulation, which automatically comes into force in all 27 EU member states.
If the Commission can get political backing for this, which may be problematic, then it will at least give certainty for organisations on their data protection obligations across Europe. Instead of 27 confusing, sometimes conflicting implementations of a Directive, organisations will be faced with a single law that applies across the whole single market.
Reding’s view is that this allows for major cost savings and process improvements for organisations that process personal data in the course of their activities in Europe. They would be able to set their policies, process data and deal with data protection problems in a single way across all of the EU. This is a major improvement.
There are problems for businesses with the proposal, though. Some affect large organisations and some affect small ones, but the overall picture is the same: the law is being introduced in part for the purpose of “increasing the effectiveness of the fundamental right to data protection and putting individuals in control of their data”, as the proposal makes clear, and organisations face potentially significant costs and other challenges implementing the new measures.
One area of the proposal that certainly is not going to be welcome to any organisation is the sanctions regime. In the case of companies the sanctions are potentially levied by reference to global annual turnover in a way similar to the regime in place for competition law offences. It appears that Reding has made some concessions on the issue, however. Whilst the potential size of the fines, which could reach 2% of turnover for businesses and €1 million for public bodies, will alarm organisations across the sectors, it represents a climb-down from the proposed 5% figure contained in an earlier leaked draft that was under consideration. Indeed, an unofficial copy of the new Regulation in circulation a short while before publication of the final Regulation on 25 January suggested fines of up to 4% of global turnover could be levied on businesses.
Calculation of fines in competition cases is a well-developed science, and national data protection regulators will have some catching up to do to administer these sanctions proportionately and wisely. Does it apply to the data controller entity only, which may be a small subsidiary, or to the turnover of the whole group of companies? Which year is the relevant year for calculating the turnover? These important questions need clear answers.
Another area of the proposal that has been the subject of much discussion ever since it was dropped from the ePrivacy Directive, where it only applies to organisations in the telecoms sector, is the data breach notification requirement. This requires the data controller to report a breach in data security to its national supervisory authority not later than 24 hours after having become aware of it, where feasible.
Under the proposed new law, where the breach is likely adversely to affect individuals the controller must also communicate the breach to the data subject “without undue delay”. Reding said this weekend that this should mean “within 24 hours”. Finally, processors must alert the controller on whose behalf they are handling data “immediately” after the establishment of a personal data breach.
These timescales will be challenging for some organisations, because there is a lot more to do than simply notify the supervisory authority and individuals, or the controller. Not every organisation will have a clear view itself of exactly what has happened and how serious the problem is within 24 hours nor, within that timescale, what measures to recommend to mitigate the adverse consequences. As for processors, who have to notify the controller “immediately”, they first have to work out when the breach has been “established”, which is a new concept.
It is in everyone's interests that organisations act quickly, but it will be counterproductive if affected individuals are left either indifferent or confused about what practical steps they need to take following notification that their data is no longer secure. Certainly the experience of consumers in the US, where most states now have data breach laws, has been mixed in this regard.
The problem with notifications is that they can desensitise the public and organisations to the seriousness of data protection issues. If every breach is reported and nothing terrible seems to happen, the impression can be given that data breaches are not that big a problem. The UK's Information Commissioner, for example, does not appear convinced that a breach notification requirement is as effective as the Commission believes.
When the Commission specifies the criteria and procedures for this requirement, it should adopt the kind of clarity that applies to product recalls in health and safety legislation. These leave very little to doubt about exactly what a consumer who has purchased a faulty or dangerous product must do.
Medium-sized companies will balk at the requirement that every organisation with 250 or more employees should have a data protection officer. This will be the case even if they do not process very much personal data. All public bodies will have to have a DP officer. It is right that organisations take responsibility for the way they handle data, but any requirement that imposes a fixed cost in this broad way is disproportionate.
One part of the proposed law that is certain to cause yet more debate is the 'right to be forgotten'. Reding wants people to be able to delete information about them held by others that they had supplied in the first place.
This idea, first floated last year, is highly controversial. The impact of the right to be forgotten on the big internet platform businesses, such as Facebook, LinkedIn and Twitter, has of course received a lot of attention and will rightly continue to do so. But the right imposes obligations on all sorts of publishing businesses, and other sectors too.
The draft Regulation provides that the right is a ‘qualified’ right and that it applies only where certain grounds have been met, such as where the data is no longer necessary for the original purpose of collection or the individual has withdrawn consent or objected to the processing. Objections must be upheld unless the controller demonstrates “compelling legitimate grounds” for the processing.
But what is the threshold for 'necessary'? What if the individual's withdrawal is unreasonable? How does a controller demonstrate 'compelling legitimate grounds'? How long will it take for enough decisions to be made to give organisations a concrete idea of what they can and cannot store?
Another source of significant future activity is the legal process involved here. It is relatively new and has not been used yet in this area of law since it was introduced by 2009's Lisbon Treaty.
The Regulation is full of 'implementing acts' and 'delegated acts'. These acts give the Commission the power to specify detail about how a particular article of the Regulation should work. How it uses this power must be closely scrutinised.
These processes are likely to become a battleground between the Commission, the European Parliament and the Council of Ministers if the latter two don’t like the Commission’s overall approach to data protection law reform.
Marc Dautlich is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com