Out-Law / Your Daily Need-To-Know

Out-Law News 5 min. read

Tougher requirements for obtaining consent unveiled in data protection proposals

Organisations operating in the EU will generally have to obtain explicit, freely given, specific and informed consent from individuals in order to be able to lawfully process their personal data under new EU data protection laws being proposed.

Consent will not be able to be gleaned through silence or inactivity on the part of individuals and instead must be obtained through a statement or "clear affirmative action" before it can be said to have been given, the proposals said.

Under the plans unveiled today by the European Commission public authorities, many large businesses and those with personal data-heavy processing operations will also be required to appoint dedicated data protection officers. A new regime of penalties was also proposed that could see businesses fined up to 2% of their annual global turnover for failure to issue timely notifications about any breaches of data security.

The proposals were contained in a draft General Data Protection Regulation (119-page / 589KB PDF) published by the Commission. It is one of two legislative texts being proposed and, if enforced, would introduce a single data protection law across all 27 EU member states. Companies that process personal data of EU citizens from outside the borders of the trading bloc would also be subject to the rules.

The Commission also proposed a separate draft Directive (55-page / 367KB PDF) setting out rules around personal data processing by "competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data".

The Commission said that the current data protection regime in the EU was fragmented and outdated and that reform was required to bring the rules up-to-date with advancements in technology.

The proposals in the Regulation outline that consent to personal data processing will not be legally valid if there is "a significant imbalance between the position of data subject and the controller". Individuals should also have the right to withdraw their consent at any time, the draft said.

Organisations can justify processing personal data without consent in select circumstances, including if the "legitimate interests" of the organisation outweighs the fundamental rights of the individuals concerned. However, in the case of direct marketing for commercial purposes, consent is required before personal data can be processed, the proposals said.

Companies will be expected to lay out information about the collection and processing of personal data in easy-to-understand language and individuals will also have the right to access data collected about them. The draft also states new rules for gaining consent to personal data relating to children.

The draft requires personal data processing to be done securely. Companies will be required to notify any individuals concerned and regulators with certain information about any data breach "without delay and, where feasible, not later than 24 hours after having become aware of it". The information should include recommendations over what people can do to "mitigate the possible adverse effects of the personal data breach".

Under the plans regulators will have the power to fine businesses up to 2% of their annual global turnover for failing to notify breaches or for other serious breaches of the Regulation. Organisations not engaged in economic activity can be fined up to €1 million for serious breaches.

Business with more than 250 permanent staff, public bodies and organisations with "core activities" that "consist of processing operations which ... require regular and systematic monitoring of data subjects" will be required to appoint a data protection officer. The officers will be responsible for advising the organisations on data protection issues, monitoring the implementation of their data protection policies and adherence with the law and be the point of contact for regulators.

In some circumstances it will be legitimate for public authorities to appoint only one officer to cover "several of its entities". Only one officer needs to be appointed for a business consisting of a "group of undertakings".

Businesses will also be required to keep a record of their personal data processing and provide the information upon request to regulators.

Under the proposed new regime individuals will be given a so-called 'right to be forgotten' that will generally enable them to force organisations to delete personal data stored about them "without delay". Organisations that have made the data public will be liable for the data published by third parties and will be required to "take all reasonable steps, including technical measures" to inform them to delete the information.

Organisations will be able to oppose the deletion of information if they can show they have a right to publish the data under the fundamental principle of freedom of expression or if it is in the public interest for the data to remain in existence.

Consumers will also have a general right to switch electronically processed personal data between rivasl under 'data portability' rules being proposed. Organisations will have to implement a privacy "by default and design" approach to new services they provide that involve personal data processing.

Changes to the rules around data transfers have also been proposed to make it easier for companies to establish a single set of legally-binding corporate rules (BCRs) that apply across the EU. Under the Regulation proposed BCRs approved by one regulator will apply in all other EU countries.

BCRs are legally-binding commitments companies draw up over the transfer and processing of personal data outside of the European Economic Area to a country that is not a European Commission pre-approved country. Currently BCRs are assessed on an individual basis by authorities in member states prompting most companies to use simpler European Commission model contractual clauses instead in order to legalise overseas transfers of data.

Data protection regulators, referred to as "supervisory authorities", will be responsible for regulating companies that have their "main establishment" in that country. 'Main establishment' refers to the premises in which companies in control of personal data take their main decisions around the purposes of personal data processing or if companies take those decisions outside of the EU "the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place," the draft said. In the case of specified processors of personal data, their main establishment is said to be "the place of its central administration" within the EU.

Under the proposed new regulatory regime authorities are required to provide one another with "mutual assistance" so as not to inconsistently apply the laws in different countries. If individuals in more than one member state are likely to be affected by decisions taken by one authority, other authorities in those countries have the right to participate in joint operations. Only the authorities in countries where the organisations have their "main establishment" will take regulatory action, unless the authority confers power to a sister regulator in another state.

Authorities must communicate proposed measures they intend to take following regulatory investigations to a new independent European Data Protection Board. The Board will replace privacy watchdog the Article 29 Working Party.

The Board will provide regulatory oversight and will be made up by the head of each EU member state's data protection authority and European Data Protection Supervisor. The Board, Commission and individual authorities will be able to request that proposed regulatory action is subject to a consistency check to ensure the laws are being applied the same way across the EU.

The Regulation must be approved by both the European Parliament and Council of Ministers before it can come into effect. If that were to happen the Regulation would be effective unilaterally across the EU two years and 20 days after it is published in the Official Journal of the EU.

The text allows the Commission to draft a series of "implementing" or "delegating" acts to provide more detail on the precise workings of some of the draft measures. Member states are also permitted to draw up individual rules around personal data processing in certain sectors, including health and education. The countries can also draft new 'codes of conduct' relevant to specific categories of business in which personal data processing takes place.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.