Archive for January, 2012

Proposed EU Data Protection Regulation: A New Framework for 2015?

Posted by fgilbert on January 29th, 2012

Data protection may look and feel very different by 2015 if the European Parliament adopts the documents that were published on January 25, 2012 on behalf of the European Commission. These documents outline a drastic change in the manner in which the collection, processing and sharing of personal data is handled in the European Union. The proposed EU Data Protection reform would create a single data protection law that applies directly to all entities and individuals in the Member States, except in the case of criminal investigations and related law enforcement issues. The proposed rules that would apply to companies would create more obligations for companies and more rights for individuals, while some of the current administrative burdens and complexities would be removed.

On January 25, 2012, the European Commission presented a series of legislative texts and documents that are intended to redefine the legal framework for the protection of personal data throughout the European Economic Area. The proposal is to have a Regulation address the general privacy issues, and a Directive address the special issues associated with criminal investigations.

The publication of these drafts signals a very important shift in the way data protection may be handled in the future throughout the European Union. This is consistent with the plan of action that was presented in late 2010 in Communication 609. What is new, and a paradigm shift, is that there would be one single data protection law throughout the European Union. This means that companies may no longer have to suffer from the fragmentation resulting from the fact that the 27 Member States interpreted and implemented differently the principles set forth in Directive 95/46/EC. It is not clear, however (and probably unlikely), that the Member States would have to repeal all of the other laws that they have adopted over the years and that apply to different sectors of activity. For example, there are often special laws that apply to personal information collected by telecom service providers.

US companies that do business in or with the European Economic Area must start preparing for this dramatic change in the data protection landscape. Some of the provisions will require the development of written policies and procedures, documentation, and applications as necessary to comply with the new rules. Security breaches will have to be disclosed, and incident response plans will have to be created accordingly. The development of these new structures will require significant investment and resources. IT and IS departments in companies will need to obtain greater, more significant budgets in order to finance the staff, training, policies, procedures and technologies that will be needed to implement the new provisions.

The Foundation Documents

The proposed data protection package contains two important legislative texts: a draft Regulation, which addresses the general data protection issues, and a draft Directive, which addresses the special issues associated with criminal investigations and related law enforcement activities.

The draft Regulation and draft Directive will now be discussed by the European Parliament and EU Member States meeting in the Council of Ministers. Thus, there will be more opportunities for discussion, changes, and modifications of the current provisions, and there is currently no certainty that the provisions as stated in the January 25, 2012 draft will remain.

However, given the energy, speed, and determination with which the reform of the EU data protection regime has been handled, it is likely that a final vote will take place sooner rather than later. Once in their final form and formally adopted by the European Parliament, the rules are expected to take effect two years later. Thus, it is likely that, by the end of 2014 or early 2015, the European Economic Area will be subject to a new, improved, but stricter data protection regime.

This article discusses only the Proposed Regulation.

A Regulation, Not a Directive

The European Union is over 50 years old. For a long time, the Union has functioned as a group of countries operating under a set of rules that attempted to be consistent with each other, in order to ease the flow of people and goods among the Member States. This was achieved by implementing on a piecemeal basis the principles of numerous directives, with each Member State, in fact, retaining a lot of independence and autonomy. While this strategy slowly created a sense of unity among countries that had different cultures, histories and personalities, it ended up creating a patchwork of national laws that resembled each other but each had its own personality. This is a difficult setting for companies operating in several Member States.

The ratification of the Treaty of Lisbon in late 2009 was a very important milestone in the transformation of the European Union into a united power. It marked a very important step in the evolution of the Union, creating deep changes in its rules of operation, removing the three-pillar system that fragmented its operations, and moving the federation into a closer, tighter structure. With the Treaty of Lisbon, the European Union moved towards more cohesion, more consistency, and more unity.

With this background in mind, it is logical that the European Commission found that a “Regulation,” as opposed to a “Directive,” was the most appropriate legal instrument to define the new framework for the protection of personal data in the European Union in connection with the processing of these data by companies and government agencies in their day-to-day operations. Due to the legal nature of a regulation under EU law, the proposed data protection Regulation will establish a single rule that applies directly and uniformly.

EU regulations are the most direct form of EU law. A regulation is directly binding upon the Member States and is directly applicable within the Member States. As soon as a regulation is passed, it automatically becomes part of the national legal system of each Member State. There is no need for the creation of a new legislative text.

EU directives, on the other hand, are used to bring different national laws in line with each other. They prescribe only an end result that must be achieved in every Member State. The form and methods of implementing the principles set forth in a directive are a matter for each Member State to decide for itself. Once a directive is passed at the European Union level, each Member State must implement or “transpose” the directive into its legal system, but can do so in its own words. A directive only takes effect through national legislation that implements the measures.

The current data protection regime, which is based on a series of directives – Directive 95/46/EC, Directive 2002/58/EC (as amended) and Directive 2006/24/EC – has proved to be very cumbersome due to the significant discrepancies between the interpretations or implementations of these directives that were made in the various Member State data protection laws. There is currently a patchwork of 27 rules in 27 countries. This fragmentation creates a significant burden on businesses, which are forced to act as chameleons and adapt to the different privacy rules of the countries in which they operate.

Conversely, a regulation is directly applicable, as is, in the Member States. By adopting a Regulation for data protection matters, the EU will equip each of its Member States with the same legal instrument that applies uniformly to all companies, all organizations, and all individuals. The choice of a regulation for the new general regime for personal data protection should provide greater legal certainty by introducing a harmonized set of core rules that will be exactly the same in each Member State. Of course, each country’s government agencies and judicial system are still likely to have their own interpretation of the same text, but the discrepancies between these interpretations should be less significant than those that are currently found among the Member State data protection laws.

Overview of the Draft Regulation

The 119-page draft Regulation lays out the proposed new rules. Among the most significant changes, the Proposed Regulation would shift the consent requirement to that of an “explicit” consent. It would introduce some new concepts that were not in Directive 95/46/EC, such as the concept of breach of security, the protection of the information of children, the use of binding corporate rules, the special status of data regarding health, and the requirement for a data protection officer. It would require companies to conduct privacy impact assessments, to implement “Privacy by Design” rules, and to ensure “Privacy by Default” in their applications. Individuals would have greater rights, such as the “Right to be Forgotten” and the “Right to Data Portability.” Some of the key components of the Proposed Regulation are discussed below.

–  New, Expanded Data Protection Principles

Articles 5 through 10 would incorporate the general principles governing personal data processing that were laid out in Article 6 of Directive 95/46/EC and add new elements such as a transparency principle, the comprehensive responsibility and liability of the controller, and a clarification of the data minimization principle.

One of the significant differences with Directive 95/46/EC is that the notion of consent is strengthened. Currently, in most EU Member States, consent is implied in many circumstances. An individual who uses a website is assumed to have agreed to the privacy policy of that website. Under the new regime, when consent is the basis for the legitimacy of the processing, it will have to be “specific, informed, and explicit.” The controller would have to bear the burden of proving that the data subjects have given their consent to the processing of their personal data for specified purposes. For companies, this means that they may have to find ways to keep track of the consent received from their customers, users, visitors and other data subjects, or will be forced to ask again for this consent.

–  Special Categories of Processing

The rules that apply to special categories of processing would be found in Articles 80 through 85. The special categories would include processing of personal data for:

  • Journalistic purposes;
  • Health purposes;
  • Use in the employment context;
  • Historical, statistical or scientific purposes;
  • Use by individuals bound by a duty of professional secrecy;
  • Public interest.

There are also provisions to protect the rights of a child. A “child” is currently defined as an individual under 13 (Article 8). In addition, the definition of “sensitive data” would be expanded to include genetic data and criminal convictions or related security measures (Article 9).

–  Transparency and Better Communications

Article 11 of the proposed Regulation would introduce the obligation to provide transparent, easily accessible and understandable information. Article 12 would require the controller to provide procedures and a mechanism for exercising the data subject’s rights, including means for electronic requests, a defined deadline within which a response to the data subject’s request must be made, and reasons for any refusal. Companies will welcome the fact that the rule for handling requests for access or deletion will be the same in all Member States. In the current regime, the time frames for responding to such requests differ, with some Member States requiring action within very short periods of time, and others allowing two months to respond.

–  Rights of the Data Subjects

Articles 14 through 20 would define the rights of the data subjects. In addition to the right of information, right of access, and right of rectification, which exist in the current regime, the Proposed Regulation introduces the “right to be forgotten” as part of the right to erasure. The right to be forgotten includes the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases.

Article 18 would introduce the data subject’s right to data portability, that is, to transfer data from one automated processing system to, and into, another, without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format. The right to object to the processing of personal data would be supplemented by a right not to be subject to measures based on profiling.

The “right to be forgotten” and the “right to portability” reflect the pressure of the current times, and respond to the needs of customers of social networks who have found, to their detriment, that the ease of use of a social network and the access to the service for no fee was tied to a price: that their personal data could be used in forms or formats that they had not expected, and that the service provider would resist a user’s attempt to move to another service.

–  Obligations of Controllers and Processors

Articles 22 through 29 would define the obligations of the controllers and processors, as well as those of the joint controllers and the representatives of controllers that are established outside of the European Union. Article 22 addresses the accountability of the controllers. These obligations would include, for example, the obligation to keep documents, to implement data security measures, and to designate a data protection officer. Article 23 would set out the obligations of the controller to ensure data protection by design and by default.

Articles 24 and 25 address some of the issues raised by outsourcing, offshoring and cloud computing. While these provisions do not indicate whether outsourcers are joint data controllers, they acknowledge the fact that there may be more than one data controller. Under Article 24, joint data controllers would be required to determine their own responsibility for compliance with the Proposed Regulation. If they fail to do so, they would be held jointly responsible. Article 25 would require data controllers that are not established in the European Union and that direct data processing activities at EU residents, or monitor their behavior, to appoint a designated representative in the European Union.

–  Supervision of Data Controllers or Processors by Data Protection Authority

Article 28 would introduce the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the data protection supervisory authority, as is currently the case under Articles 18 and 19 of Directive 95/46/EC. This provision reflects one of the new guiding principles in the EU Data Protection reform: that of accountability. In exchange for removing the cumbersome requirement for notification of the data controllers’ personal data handling practices, the new framework requires that data controllers be “accountable.” They must create their own structures and document them thoroughly, and must be prepared to respond to any inquiry from the Data Protection Authority and to promptly produce the set of rules with which they have committed to comply.

Article 28 identifies a long list of documents that would have to be created and maintained by data controllers and data processors. This information is somewhat similar to the information that is currently provided in notifications to the data protection authorities, for example the categories of data and data subjects affected, or the categories of recipients. There are also new requirements, such as the obligation to keep track of the transfers to third countries, or to keep track of the time limits for the erasure of the different categories of data.

In the case of data controllers or data processors with operations in multiple countries, Article 51 would create the concept of the “main establishment.” The data protection supervisory authority of the country where the data processor or data controller has its “main establishment” would be competent for the supervision of the processing activities of that processor or controller in all Member States under the mutual assistance and cooperation provisions that are set forth in the Proposed Regulation.

–  Data Security

Articles 30 through 32 focus on the security of the personal data. In addition to the security requirements already found in Article 17 of Directive 95/46/EC and extending these obligations to the data processors, the Proposed Regulation introduces an obligation to provide notification of personal data breaches. In case of a breach of security, a data controller would be required to inform the supervisory authority within 24 hours, if feasible. In addition, if the breach is “likely to adversely affect the protection of the personal data or the privacy of the data subject,” the data controller will be required to notify the data subjects, without undue delay, after it has notified the supervisory authority of the breach.

–  Data Protection Impact Assessment

Article 33 would require controllers and processors to carry out a data protection impact assessment if the proposed processing is likely to present specific risks to the rights and freedoms of the data subjects by virtue of its nature, scope, or purposes. Examples of these activities include: monitoring publicly accessible areas, use of the personal data of children, use of genetic data or biometric data, processing information on an individual’s sex life, the use of information regarding health or race, or an evaluation having the effect of profiling or predicting behaviors.

–  Data Protection Officer

Articles 35 through 37 would require the appointment of a data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring. Under the current data protection regime, several EU Member States, such as Germany, require organizations to hire a Data Protection Officer, who is responsible for the company’s compliance with the national data protection law. Article 36 identifies the roles and responsibilities of the data protection officer and Article 37 defines the core tasks of the data protection officer.

–  Cross-border Data Transfers

Articles 40 through 45 would define the conditions of, and restrictions to, data transfers to third countries or international organizations, including onward transfers. For transfers to third countries that have not been deemed to provide “adequate protection,” Article 42 would require that the data controller or data processor adduce appropriate safeguards, such as through standard data protection clauses, binding corporate rules, or contractual clauses. It should be noted, in particular, that:

  • Standard data protection clauses may also be adopted by a supervisory authority and be declared generally valid by the Commission;
  • Binding corporate rules are specifically introduced (currently they are only accepted in about 17 Member States);
  • The use of contractual clauses is subject to prior authorization by supervisory authorities.

Binding corporate rules would take a prominent place in the Proposed Regulation. Their required content is outlined in Article 43. Article 44 spells out and clarifies the derogations for a data transfer, based on the existing provisions of Article 26 of Directive 95/46/EC. In addition, a data transfer may, under limited circumstances, be justified on a legitimate interest of the controller or processor, but only after having assessed and documented the circumstances of the proposed transfer.

–  European Data Protection Board

The “European Data Protection Board” would be the new name for the “Article 29 Working Party.” Like its predecessor, the new Board will consist of the European Data Protection Supervisor and the heads of the supervisory authority of each Member State. Articles 65 and 66 clarify the independence of the European Data Protection Board and describe its role and responsibilities.

–  Remedies and Sanctions

Articles 73 through 79 would address remedies, liability, and sanctions. Article 73 would grant data subjects the right to lodge a complaint with a supervisory authority (which is similar to the right under Article 28 of Directive 95/46/EC). It also would allow consumer organizations and similar associations to file complaints on behalf of a data subject or, in case of a personal data breach, on their own behalf.

Article 75 would grant individuals a private right of action. It would grant individuals the right to seek a judicial remedy against a controller or processor in a court of the Member State where the defendant is established or where the data subject is residing. Articles 78 and 79 would require Member States to lay down rules on penalties, to sanction infringements of the Proposed Regulation, and to ensure their implementation. In addition, each supervisory authority must sanction administrative offenses and impose fines.

The Proposed Regulation introduces significant sanctions for violation of the law. Organizations would be exposed to penalties of up to 1 million Euros or up to 2% of the global annual turnover of an enterprise. This is much more than the penalties currently in place throughout the European Union. Apart from a few cases, the level of fines that have been assessed against companies that violated a country’s data protection laws has been low. The Proposed Regulation signals an intent to pursue more aggressively the infringers and to equip the enforcement agencies with substantial tools to ensure compliance with the law.

Conclusion

For several months, the European Commission has been working on the reform of data protection in the European Union, and has given numerous descriptions of the general lines of the new regime, including through a draft of the documents published in December 2011, which differs slightly from the January 25, 2012 version. It is nevertheless exciting to see, at long last, the materialization of these descriptions, outlines, and wish lists.

If the current provisions subsist in the final draft, the new Regulation will increase the rights of individuals and the powers of the supervisory authorities. While it would create additional obligations and accountability requirements for organizations, the adoption of a single rule throughout the European Union would help simplify information governance, procedures, record keeping, and other requirements for companies.

Directive 95/46/EC has been a significant driving force in the adoption of data protection laws throughout the world. In addition to the 30 members of the European Economic Area, numerous other countries, such as Switzerland, Peru, Uruguay, Morocco, Tunisia, or the Dubai Emirate (in the Dubai International Financial District) have adopted data protection laws that follow closely the terms of Directive 95/46/EC. It remains to be seen what effect the adoption of the Regulation will have on the data protection laws of these other countries. How will these countries react? And will they give their laws a facelift as well?
Proposed EU Data Protection Regulation – January 25, 2012 Draft: What US Companies Need to Know

Posted by fgilbert on January 27th, 2012

If the vision of Ms. Reding, Vice-President of the European Commission, as expressed in the January 25, 2012 data protection package, is implemented in a form substantially similar to that which was presented in the package, then by 2015 the European Union will be operating under a single data protection law that applies directly to all entities and individuals in the Member States, and will have removed much of the administrative burden that is currently costing companies billions of Euros. The savings would allow companies to reinvest in more meaningful, efficient data protection practices that are better adapted to the uses of personal data, the new technologies and the 21st century way of life.

The legislative texts and documents that were published on January 25, 2012 by the European Commission are intended to redefine the legal framework for the protection of personal data throughout the European Economic Area. Ms. Reding’s vision is to have a Regulation address the general privacy issues, and a Directive address the special issues associated with criminal investigations.

The publication of these drafts signals a very important shift in the way data protection will be handled in the future throughout the European Union. The proposed rules would create more obligations for companies and more rights for individuals, while some of the current administrative burdens and complexities would be removed. This is consistent with the plan of action that was presented in late 2010 in Communication 609. What is new, and a paradigm shift, is that there will be one single data protection law throughout the European Union, and companies will no longer have to suffer from the fragmentation resulting from the fact that the 27 Member States interpreted and implemented differently the principles set forth in Directive 95/46/EC.

A single set of rules on data protection, valid across the EU, would make it easier for companies to know the rules. Unnecessary administrative burdens, such as notification requirements for companies, would be removed. Instead, the proposed Regulation provides for increased responsibility and accountability for those processing personal data. In the new regime, organizations would only have to deal with a single national data protection authority, in the EU country where they have their main establishment. Likewise, people would be able to refer to the data protection authority in their country, even when their data are processed by a company based outside the EU.


–  Special Categories of Processing

The rules that apply to special categories of processing would be found in Articles 80 through 85. The special categories would include processing of personal data for:

  • Journalistic purposes;
  • Health purposes;
  • Use in the employment context;
  • Historical, statistical or scientific purposes;
  • Use by individuals bound by a duty of professional secrecy;
  • Public interest.

There are also provisions to protect the rights of a child. A “child” is currently defined as an individual under 13 (Article 8). In addition, the definition of “sensitive data” would be expanded to include genetic data and criminal convictions or related security measures (Article 9).

–  Transparency and Better Communications

Article 11 of the proposed Regulation would introduce the obligation for transparent and easily accessible and understandable information, while Article 12 would require the controller to provide procedures and a mechanism for exercising the data subject’s rights, including means for electronic requests, requiring that response to the data subject’s request be made within a defined deadline, and the motivation of refusals. Companies will welcome the fact that the rule for handling requests for access or deletion will be the same in all Member States. In the current regime, the time frames for responding to such requests are different, with some Member States requiring action within very short periods of time, and others allowing two months to respond.

–  Rights of the Data Subjects

Articles 14 through 20 would define the rights of the data subjects. In addition to the right of information, right of access, and right of rectification, which exist in the current regime, the Proposed Regulation introduces the “right to be forgotten” as part of the right to erasure. The right to be forgotten includes the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases.

Article 18 would introduce the data subject’s right to data portability, that is, to transfer data from one automated processing system to, and into, another, without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format. The right to object to the processing of personal data would be supplemented by a right not to be subject to measures based on profiling.

The “right to be forgotten” and the “right to portability” reflect the pressure of the current times, and respond to the needs of customers of social networks who have found, to their detriment, that the ease of use of a social network and the access to the service for no fee was tied to a price:  that their personal data could be used in forms or formats that they had not expected, and that the service provider would resist a user’s attempt to move to another service.

–  Obligations of Controllers and Processors

Articles 22 through 29 would define the obligations of the controllers and processors, as well as those of the joint controllers and the representatives of controllers that are established outside of the European Union. Article 22 addresses the accountability of the controllers. These obligations would include, for example, the obligation to keep documents, to implement data security measures, and to designate a data protection officer. Article 23 would set out the obligations of the controller to ensure data protection by design and by default.

Articles 24 and 25 address some of the issues raised by outsourcing, offshoring and cloud computing. While these provisions do not indicate whether outsourcers are joint data controllers, they acknowledge the fact that there may be more than one data controller. Under Article 24, joint data controllers would be required to determine their own responsibility for compliance with the Proposed Regulation. If they fail to do so, they would be held jointly responsible. Article 25 would require data controllers that are not established in the European Union and that direct data processing activities at EU residents, or monitor their behavior, to appoint a designated representative in the European Union.

–  Supervision of Data Controllers or Processors by Data Protection Authority

Article 28 would introduce the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the data protection supervisory authority, as is currently the case under Articles 18 and 19 of Directive 95/46/EC. This provision reflects one of the new guiding principles in the EU Data Protection reform: that of accountability. In exchange for removing the cumbersome requirement for notification of the data controllers’ personal data handling practices, the new framework requires that data controllers be “accountable.” They must create their own structures and document them thoroughly, and must be prepared to respond to any inquiry from the Data Protection Authority and to promptly produce the set of rules with which they have committed to comply.

Article 28 identifies a long list of documents that would have to be created and maintained by data controllers and data processors. This information is somewhat similar to the information that is currently provided in notifications to the data protection authorities―for example, the categories of data and data subjects affected, or the categories of recipients. There are also new requirements such as the obligation to keep track of the transfers to third countries, or to keep track of the time limits for the erasure of the different categories of data.

In the case of data controllers or data processors with operations in multiple countries, Article 51 would create the concept of the “main establishment.” The data protection supervisory authority of the country where the data processor or data controller has its “main establishment” would be competent for the supervision of the processing activities of that processor or controller in all Member States under the mutual assistance and cooperation provisions that are set forth in the Proposed Regulation.

–  Data Security

Articles 30 through 32 focus on the security of the personal data. In addition to the security requirements already found in Article 17 of Directive 95/46/EC and extending these obligations to the data processors, the Proposed Regulation introduces an obligation to provide notification of personal data breaches. In case of a breach of security, a data controller would be required to inform the supervisory authority within 24 hours, if feasible. In addition, if the breach is “likely to adversely affect the protection of the personal data or the privacy of the data subject,” the data controller will be required to notify the data subjects, without undue delay, after it has notified the supervisory authority of the breach.

–  Data Protection Impact Assessment

Article 33 would require controllers and processors to carry out a data protection impact assessment if the proposed processing is likely to present specific risks to the rights and freedoms of the data subjects by virtue of its nature, scope, or purposes. Examples of these activities include: monitoring publicly accessible areas, use of the personal data of children, use of genetic data or biometric data, processing information on an individual’s sex life, the use of information regarding health or race, or an evaluation having the effect of profiling or predicting behaviors.

–  Data Protection Officer

Articles 35 through 37 would require the appointment of a data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring. Under the current data protection regime, several EU Member States, such as Germany, require organizations to hire a Data Protection Officer, who is responsible for the company’s compliance with the national data protection law. Article 36 identifies the roles and responsibilities of the data protection officer, and Article 37 defines the core tasks of the data protection officer.

–  Crossborder Data Transfers

Articles 40 through 45 would define the conditions of, and restrictions to, data transfers to third countries or international organizations, including onward transfers. For transfers to third countries that have not been deemed to provide “adequate protection,” Article 42 would require that the data controller or data processor adduce appropriate safeguards, such as through standard data protection clauses, binding corporate rules, or contractual clauses. It should be noted, in particular, that:

  • Standard data protection clauses may also be adopted by a supervisory authority and be declared generally valid by the Commission;
  • Binding corporate rules are specifically introduced (currently they are only accepted in about 17 Member States);
  • The use of contractual clauses is subject to prior authorization by supervisory authorities.

Binding corporate rules would take a prominent place in the Proposed Regulation. Their required content is outlined in Article 43. Article 44 spells out and clarifies the derogations for a data transfer, based on the existing provisions of Article 26 of Directive 95/46/EC. In addition, a data transfer may, under limited circumstances, be justified on a legitimate interest of the controller or processor, but only after having assessed and documented the circumstances of the proposed transfer.

–  European Data Protection Board

The “European Data Protection Board” would be the new name for the “Article 29 Working Party.” Like its predecessor, the new Board will consist of the European Data Protection Supervisor and the heads of the supervisory authority of each Member State. Articles 65 and 66 clarify the independence of the European Data Protection Board and describe its role and responsibilities.

–  Remedies and Sanctions

Articles 73 through 79 would address remedies, liability, and sanctions. Article 73 would grant data subjects the right to lodge a complaint with a supervisory authority (which is similar to the right under Article 28 of Directive 95/46/EC). It also would allow consumer organizations and similar associations to file complaints on behalf of a data subject or, in case of a personal data breach, on their own behalf.

Article 75 would grant individuals a private right of action. It would grant individuals the right to seek a judicial remedy against a controller or processor in a court of the Member State where the defendant is established or where the data subject is residing. Articles 78 and 79 would require Member States to lay down rules on penalties, to sanction infringements of the Proposed Regulation, and to ensure their implementation. In addition, each supervisory authority must sanction administrative offenses and impose fines.

The Proposed Regulation introduces significant sanctions for violation of the law. Organizations would be exposed to penalties of up to 1 million Euros or up to 2% of the global annual turnover of an enterprise. This is much more than the penalties currently in place throughout the European Union. Apart from a few cases, the level of fines that have been assessed against companies that violated a country’s data protection laws has been low. The Proposed Regulation signals an intent to pursue more aggressively the infringers and to equip the enforcement agencies with substantial tools to ensure compliance with the law.

Conclusion

The terms of the Proposed Regulation are not really a surprise. For several months, Viviane Reding, Vice-President of the European Commission, and other representatives of the European Union have provided numerous descriptions of their vision for the new regime, including through a draft of the documents published in December 2011, which differs slightly from the January 25, 2012 version. It is nevertheless exciting to see, at long last, the materialization of these descriptions, outlines, and wish lists.

Altogether, if the current provisions subsist in the final draft, the new Regulation will increase the rights of the individuals and the powers of the supervisory authorities. While the Regulation would create additional obligations and accountability requirements for organizations, the adoption of a single rule throughout the European Union would help simplify the information governance, procedures, record keeping, and other requirements for companies.

Finally, it should also be remembered that Directive 95/46/EC has been a significant driving force in the adoption of data protection laws throughout the world. In addition to the 30 members of the European Economic Area, numerous other countries, such as Switzerland, Peru, Uruguay, Morocco, Tunisia, or the Dubai Emirate (in the Dubai International Financial District) have adopted data protection laws that follow closely the terms of Directive 95/46/EC. It remains to be seen what effect the adoption of the Regulation will have on the data protection laws of these other countries.

New Version of Draft Data Protection Directive and Regulation Unveiled in Brussels

Posted by fgilbert on January 25th, 2012

This morning, Mrs. Viviane Reding, Vice-President of the European Commission, unveiled the long awaited documents that are intended to frame the new data protection regime in the European Economic Area, after final approval. There are two principal documents, and a series of background papers:

The next step is for these documents to be discussed by the European Parliament and by the EU Member States meeting in the Council of Ministers. The rules will take effect two years after they have been adopted.

A cursory comparison with the most recent draft of the Regulation – Draft 56, which had been leaked in late November 2011 – shows mostly technical changes resulting from careful proofreading. However, there are also significant changes. For example, the maximum level of penalties has been lowered from 5% of annual turnover to 2%. The security breach must be disclosed within 24 hours if feasible, and to the individuals ‘without undue delay’ (the prior draft included a 24 hour notice requirement).

Key aspects of the Draft Regulation include:

Data Subjects would have more rights:

  • Wherever consent is required for data to be processed, it would have to be given explicitly, rather than assumed.
  • Individuals would have a “right to data portability,” which would allow them to transfer personal data from one service provider to another more easily.
  • Individuals would have a “right to be forgotten” which would allow them to obtain the deletion of the data that they furnished online if there are no legitimate grounds for retaining it (with exceptions).
  • Individuals would be able to refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.

Organizations would have more obligations and responsibilities:

  • Organizations would be required to conduct Privacy Impact Assessments, and to bake privacy into their developments and their products and services to fulfill their ‘Privacy by Design’ and ‘Privacy by Default’ obligations.
  • Organizations would be required to notify the national supervisory authority of data security breaches if feasible within 24 hours; and if the breach would adversely affect the protection of the personal data or privacy of individuals, the controller would be required to communicate the personal data breach to the data subjects without undue delay.
  • Organizations would only have to deal with a single national data protection authority in the EU country where they have their main establishment.
  • Organizations would no longer have to notify their data protection practices to national data protection authorities, but would still have to obtain permission for some categories of processing.
  • Instead of notification, there would be increased responsibility and accountability for those processing personal data; including significant disclosure and record keeping requirements.

EU rules would apply after crossborder transfer of personal data:

  • EU rules would apply if personal data were handled abroad by companies that are active in the EU market and offer their services to EU citizens.

Enforcement would be strengthened:
  • Organizations would be exposed to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • The role of national Data Protection Authorities would be strengthened so they can better enforce the EU rules at home.

These documents will now be discussed by the European Parliament and by the EU Member States meeting in the Council of Ministers. Thus, it is likely that there will be more opportunities for discussion, changes, and modifications of the current provisions. However, given the energy, speed, and determination with which the reform of the EU data protection regime has been handled, it is likely that the final documents will be substantially similar to what was published on January 25, 2012, and that a final vote will take place sooner rather than later. Once adopted, the rules will take effect two years later. Thus, we can expect that by the end of 2014, Europe will be subject to a new, improved, but stricter data protection regime.

EU Data Protection Framework as explained by Ms. Reding

Posted by fgilbert on January 24th, 2012

I have previously commented on the proposed Data Protection Regulation to be unveiled at a press conference on January 25, 2012.  The document will be part of Version 2.0 of the EU Data Protection Framework that will be implemented throughout the European Economic Area within the next two years.

In her speech “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules”, given on January 22, 2012, Mrs. Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, provided an excellent description of the background and reasons for the choices made when framing the new EU Data Protection framework and drafting the upcoming Data Protection Regulation.

Rather than summarizing her thoughts, I provide below an extract of the text of Ms. Reding’s presentation.  All bolding and emphasis are in the original text of her prepared remarks.

I will propose this week a comprehensive reform of the data protection rules. There will be two legislative texts to accomplish these goals:

First, a Regulation to enhance opportunities for companies that want to do business in the EU’s internal market, while ensuring a high level of data protection for individuals.

Second, a Directive to ensure a smoother exchange of information between Member States’ police and judicial authorities in the fight against serious crime while at the same time protecting people’s fundamental right to data protection.

The new rules will help businesses in three ways.

Firstly, they create legal certainty. Secondly, they simplify the regulatory environment. And thirdly, they provide clear rules for international data transfers.

Let’s look at the first point (legal certainty) in more detail. Instead of a patchwork of 27 different rules in 27 countries, there will be one law that will apply to all Member States in the European Union and to all companies which are offering their goods and services to consumers in the EU – even if their servers are based outside of the European Union.

The directly applicable Regulation will create a strong, clear and uniform legislative framework that will help unleash the potential of the Digital Single Market. It will do away with the fragmentation that will save businesses around 2.3 billion euros per year. The new Regulation will remove barriers to market entry – a factor of particular importance to small and medium-sized enterprises.

The savings will be achieved by a series of measures. First, by simplifying the regulatory environment and by drastically cutting red tape. No more general notification requirements. Instead, companies across Europe will be themselves responsible and accountable for the protection of personal data in their business field. They will have to appoint a data protection officer – a requirement that businesses here in Germany are already very familiar with. The scrapping of the general notification rule alone brings about savings worth 130 million euro a year.

Second, there will be a regulatory ‘one-stop-shop’ for businesses for all data protection matters. A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority. It will be the data protection authority of the Member State in which the company has its main establishment.

It will not matter anymore which data protection authority deals with a case. All data protection authorities in whichever EU country will have the same adequate tools and powers to enforce EU law. Data protection authorities should be able to deal with complaints, carry out investigations, take binding decisions and impose effective and dissuasive sanctions, whether the French, the Irish, the Romanian or the Bavarian data protection authority is in charge of a case. This will give the legislation the necessary ‘teeth’ so the rules can be enforced.

Data protection authorities must be independent from political and economic interests and have sufficient resources to do their job. They will need to work closely together – especially in cross-border cases – to make sure that the rules are enforced consistently across Europe.

The third element to ease burdens on companies is to ensure clear rules for international data transfers. In a world where the free flow of data is fundamental to business models and physical boundaries are meaningless, we need to rethink the way we transfer data. It seems odd that data held by a European company is adequately protected whilst it is inside the borders of the European Union, but not when it is transferred to a different part of that same company in Asia or South America, even when there are safeguards in place. In the Internet age, data protection laws need to take account of this global dimension. If they only focus on the activities of a company within a given country, they will not reflect reality.

Personal data can be collected in Berlin and processed in Bangalore. I therefore want to improve the current system of binding corporate rules to make these exchanges less burdensome and more secure. I will propose a consistent and streamlined approval process with a single point of contact for companies. And once the binding corporate rules are approved by one data protection authority, they will be recognised by all the data protection authorities in the European Union. There should be no need for additional national authorisation in case of further transfers.

As a result, companies will be able to sell goods and services under the same data protection rules to 500 million people – this can be a very interesting business opportunity!

This is what Europe can do to help the Digital Single Market take off. This is what Europe can do to work towards global standards.

But you, businesses handling personal data, have a critical role to play as well. If we want to give a real meaning to the fundamental right to the protection of personal data, if we want individuals to be in control of their information, then business responsibility has to come in. It makes good business sense to respect customers’ privacy and build up trust so people feel secure sharing their personal information on your platform, on your service.

Here, transparency is the name of the game.

First, people need to be informed about the processing of their data in simple and clear language. Internet users must be told which data is collected, for what purposes and how long it will be stored. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated. People need to be able to make an informed decision about what to disclose, when and to whom.

Second, whenever users give their agreement to the processing of their data, it has to be meaningful. In short, people’s consent needs to be specific and given explicitly.

Thirdly, the reform will give individuals better control over their own data. I will include easier access to one’s own data in the new rules. People must be able to easily take their data to another provider or have it deleted if they no longer want it to be used.

The new rules will provide for data portability. Another important way to give people control over their data: the right to be forgotten. I want to explicitly clarify that people shall have the right – and not only the ‘possibility’ – to withdraw their consent to the processing of the personal data they have given out themselves.

The Internet has an almost unlimited search and memory capacity. So even tiny scraps of personal information can have a huge impact, even years after they were shared or made public. The right to be forgotten will build on already existing rules to better cope with privacy risks online. It is the individual who should be in the best position to protect the privacy of their data by choosing whether or not to provide it. It is therefore important to empower EU citizens, particularly teenagers, to be in control of their own identity online. By the way, 81% of German citizens are worried they are no more in control of their personal data!

If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.

The right to be forgotten is of course not an absolute right. There are cases where there is a legitimate and legally justified interest to keep data in a data base. The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.

The new EU rules will include explicit provisions that ensure the respect of freedom of expression and information. After all, I have been the EU’s Media Commissioner for many years, and I will never compromise in the fight for the fundamental rights of freedom of expression and freedom of the media. This also holds true in the field of data protection, which is another important fundamental right, but not an absolute one.

Finally, individuals must be swiftly informed when their personal data is lost, stolen or hacked. Whether user data gets stolen from an online gaming service, or credit card details are hacked on a firm’s website: these security breaches affect millions of users around the world. There were recently many serious data breach incidents which highlight why companies need to reinforce the security of the information they hold. Frequent data security breaches risk undermining consumers’ trust in the digital economy. I will therefore introduce a general obligation for data controllers to notify data breaches. Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay. As a general rule, without undue delay means for me ‘within 24 hours’.

My detailed analysis of Draft 56 of the Regulation was also published in early December 2011 on my law firm’s website. For my other comments on how the new Regulation will affect cloud service providers and users, see my monthly column on TechTarget.