The European Commission (“EC”) today released its long anticipated proposals for comprehensive reform to the EU’s 1995 Data Protection Directive (“1995 Directive”). The proposed reforms come after almost two years of extensive EC consultations with major stakeholders, conferences, and two phases of public consultations.
The EC explained that the proposals are aimed at updating and modernizing the principles contained in the 1995 Directive, and are intended to be drafted in a flexible manner so that they can be applied to future technology changes. The EC also emphasized that a key consideration in adopting the proposals is to install a uniform data protection framework across all EU Member States in place of the current patchwork of data protection laws that have resulted from the Member States’ inconsistent implementations of the 1995 Directive. The existing differences between the EU Member States’ transpositions of the 1995 Directive have resulted in inconsistent enforcement activities and have proved difficult for businesses operating in multiple EU jurisdictions to navigate.
The proposal includes: (1) a Policy Communication discussing the challenges of data protection in today’s fast-changing technological society and setting out the EC’s objectives in implementing the reforms; (2) a Regulation setting out a general EU framework for data protection; and (3) a Directive to protect personal data processed for purposes of prevention, detection, investigation, or prosecution of criminal offenses and related judicial activities.
Among the key proposals included in the Regulation are:
- Uniform Rules and Simplified Oversight. The proposal would create a single set of rules on data protection that would be implemented across the entire EU. Moreover, organizations would only have to deal with a single national data protection authority in the EU country where they have their main establishment. Similarly, EU citizens would be able to file complaints with the data protection authority in their country, even when their data is processed by a company based outside the EU or in a different Member State.
- Broadened EU Jurisdiction to Enforce the Rules. The Regulation would apply to any situation where personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens. This would mean that companies based in the U.S. that offer their services to EU citizens and are generally active in the EU market would have to comply with the new rules, and that existing jurisdictional arguments regarding the limited scope of the EU’s authority to take enforcement actions against companies located outside of the EU (such as arguments that the majority of processing takes place outside of the EU or that a company’s equipment is located outside of the EU) would be greatly diminished.
- Removal of Costly Administrative Burdens/Requirements. The EC estimates that implementing a uniform set of privacy rules across the EU will save businesses approximately €2.3 billion a year by eliminating the costs involved in complying with the existing patchwork of different laws in different jurisdictions. Moreover, the Regulation proposes the elimination of a number of administrative requirements, such as the need for companies to file data protection notifications with relevant authorities, which the EC estimates will save businesses approximately €130 million a year. In place of these requirements, the Regulation calls for increased responsibility and accountability for entities that process personal data. For example, the proposal would require companies to perform data protection impact assessments prior to data processing, which would include a review of the proposed processing activities and the safeguards and mechanisms available for protecting the processed data.
- Data Breach Notification Requirement. Companies and organizations would have to notify both individuals whose data have been compromised and the relevant national supervisory authority without undue delay (and within 24 hours if feasible) if data is accidentally or unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorized persons. Where notification cannot be achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification.
- Data Protection Officers and Privacy by Design. The Regulation would require the appointment of a data protection officer by: (1) all public authorities or bodies; (2) private enterprises employing 250 or more persons; or (3) controllers or processors engaged in certain processing operations (which shall be specified in later rules) that require regular and systematic monitoring of data subjects. Moreover, companies will be required to adopt concepts of “privacy by design” and “privacy by default” into their operations, whereby data protection safeguards should be built into products and services from the earliest stage of development, and whereby privacy-friendly default settings should be the norm (for example, on social networking sites).
- Clarified Consent Requirements. Whenever consent from a data subject is required for data to be processed, the Regulation would require that such consent be given explicitly, rather than assumed.
- Data Access, Deletion, and Portability. Under the Regulation, data subjects would be given easier access to their own data and be able to transfer personal data from one service provider to another more easily (“right to data portability”). Moreover, a “right to be forgotten” would allow data subjects to delete their data if there are no legitimate grounds for retaining it.
- Greater Protections for Sensitive Data. The proposal recognizes that personal data which are, by their very nature, particularly sensitive and vulnerable (such as data collected from children and health data), deserve special protection and should not be processed unless the data subject gives his explicit consent. However, the proposals also recognize that exceptions from the prohibition on processing sensitive data without consent should be explicitly provided for in situations such as where the processing is carried out in the course of legitimate activities by certain entities in order to permit the exercise of fundamental freedoms.
- International Transfer of Data. The proposals call for the development of streamlined “adequacy decisions” (acknowledgments that a given non-EU country ensures an adequate level of data protection) that will allow information to flow freely between the EU and non-EU Member States on the basis of explicit criteria. The proposals also aim to make legitimate transfers easier and less burdensome by simplifying and broadening the use of existing transfer tools so that: (1) prior authorization will no longer be needed for transfers covered by binding corporate rules or standard contractual clauses; and (2) binding corporate rules can be used to also cover data processors and for transfers within groups of companies, such as cloud computing entities.
- Strengthened Enforcement Powers. The proposals would strengthen independent national data protection authorities so that they can better enforce the EU rules in their jurisdictions. For first offenses, the national supervisory authorities may send a warning letter. For serious violations (such as processing sensitive data without an individual’s consent or without any other legal grounds), supervisory authorities shall impose penalties of up to €1 million or up to 2% of the global annual turnover of a company.
In addition to the proposals contained in the Regulation, the EC also issued a separate proposed Directive “on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.” This Directive would create general data protection principles and rules for police and judicial cooperation in criminal matters. The Directive would apply to both domestic and cross-border transfers of data.
The EC’s proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. The Regulation will be enforceable in all Member States two years after it has been adopted. Member States will also have a period of two years to transpose the provisions in the Directive on police and judicial cooperation in criminal matters into national law.