February 9, 2012
The EU Commission Has Proposed a New Framework for
Data Protection: What does this mean for your business?
By Susan L. Foster, Cynthia J. Larose,
and Julia M. Siripurapu
Recently the European Commission unveiled a proposal for a
comprehensive and significant reform of the existing EU data protection
framework. The proposed data protection framework, which consists of a General
Data Protection Regulation that sets forth the general data protection
framework (the Regulation) and a Directive
that applies to the processing of personal data by police and judicial
authorities in criminal matters, is intended to replace the existing Data
Protection Directive 95/46/EC and the data protection laws of
each EU Member State with a single set of rules that would apply across the
27 EU Member States.
The fact that the existing Data Protection Directive is to be
replaced by a Regulation is very important. EU Directives must be
implemented by each EU Member State via national legislation, which can give
rise to different flavors of the legislation and require a
country-by-country analysis of the specific legal requirements.
Regulations, on the other hand, have the immediate effect of law throughout
the EU. Replacing the existing Data Protection Directive with a Regulation
means there is no wiggle room for individual countries to tailor the law in
any way – but it also means that European law on data protection (other
than for criminal justice matters) will be uniform. So it will require less
effort to figure out how to bring your European operations into compliance
with the new data protection law – but the standards have also been
tightened up in many respects.
Viviane Reding, the EU Commissioner for Justice, Fundamental
Rights and Citizenship and Vice-President of the Commission, identified the
following key goals of the proposed reform in her press
release: (1) to update and modernize the existing EU data protection
rules in light of technological developments to address, among other
things, online privacy, in order to improve the protection of personal data
processed both inside and outside the EU; (2) to address the protection of
personal data processed by law enforcement and judicial authorities; (3) to
give individuals more control over their personal data and facilitate
access to and transfer of such data; (4) to harmonize data protection rules
across the EU by establishing a “strong, clear, and uniform data protection
framework” with a single set of data protection rules and a single national
data protection authority (i.e., the national data protection authority of
the EU member state where the company has its “main establishment” as
defined in the General Data Protection Regulation); and (5) to boost the EU
digital economy and foster economic growth, innovation, and job creation in
the EU (as an example, per Commissioner Reding, the new framework would
eliminate certain administrative requirements that would save businesses
around 2.3 billion euros a year).
Please note that any business outside of the EU that either
processes personal data of EU residents in connection with offering goods
or services to such individuals or monitors the behavior of such
individuals will be subject to the provisions of the Regulation. The
proposed Regulation defines “processing” very broadly as “any operation or
set of operations which is performed upon personal data or sets of personal
data, whether or not by automated means, such as collection, recording,
organization, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise
making available, alignment or combination, erasure or destruction.”
Below are some of the provisions of the proposed Regulation
that would most likely have a significant impact on U.S. companies that
would be subject to the Regulation:
1. Expansion of Definition of “Personal Data”
“Personal data” is defined in Article 4 of the Regulation as
“any information relating to a ‘data subject.’” The definition of “data
subject” has been broadened so that a “data subject” can now be identified by
means reasonably likely to be used by the controller or by any other
natural or legal person, by reference to not just an identification
number but also to location data and online identifiers or to
additional factors like genetic and mental identity, among other
factors. The Commission’s extremely broad interpretation of what
constitutes “personal data” is reflected in a recently published factsheet
on the proposed data protection reform where “personal data” is defined as “any
information relating to an individual, whether it relates to his or her
private, professional or public life. It can be anything from a name, a
photo, an email address, your bank details, your posts on social networking
websites, your medical information, or your computer’s IP address.”
2. Express Consent Requirement to Process Personal Data
Covered businesses are required to obtain (and not assume)
the express consent of the data subject to the processing of his/her
personal data for one or more specific purposes, unless processing is
required for certain limited purposes such as compliance with a legal
obligation of the business or to protect the vital interests of the data
subject. If consent is required as a part of a written document which also
covers another matter, the consent requirement must be clearly
distinguished from the other matter. The data subject may withdraw the
consent at any time, and consent is essentially not valid where there is an
“imbalance” between the position of the data subject and the business.
These provisions make it very difficult to assess from a practical
perspective whether a business truly has a legal basis for the processing
of personal information of EU residents.
3. Breach Notification Requirement
Businesses must notify the supervisory authority (i.e., the
public authority established by each Member State) of a “personal data
breach” “without undue delay and, where feasible, not later than 24 hours”
after becoming aware of the breach. “Personal data breach” is defined very
broadly as “a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed.” After notifying
the applicable supervisory authority, companies must also notify the
affected data subject of a personal security breach “without undue delay”
if the personal security breach “is likely to adversely affect the
protection of the personal data or privacy of the data subject.”
4. Requirement to Adopt Policies and Implement Measures to Ensure and
Demonstrate Compliance with the Regulation
Businesses must adopt policies and implement appropriate
measures to ensure and be able to demonstrate that the processing of
personal data is performed in compliance with the Regulation, including
maintaining documentation of processing activity. Businesses must have
transparent and easily accessible policies regarding the processing of
personal data that are clearly presented to data subjects which, among other
things, provide the identity and contact information of the business,
identify the purpose of processing the personal data, set forth the data
subject’s right to access, correct or have the personal data deleted, set
forth the right of the data subject to complain to the supervisory authority,
specify the period during which the personal data will be stored by the
business, and specify whether the personal data will be disclosed to third
parties and/or transferred to third countries.
5. Binding Corporate Rules (BCRs)
Under the new Regulation, Binding Corporate Rules, the tool
used by companies with global operations to transfer personal data of EU
residents within their corporate group to entities located in countries
which do not have an adequate level of data protection, will no longer need
to be approved by each Data Protection Authority in each applicable EU
Member State. Under the proposed regime, BCRs that meet the requirements
described in the Regulation will need to be approved by one authority and,
once approved, the BCRs will be recognized by the rest of the authorities
in each applicable Member State. More importantly, the approved BCRs would
also cover third parties that process personal data of EU residents on
behalf of the business, such as cloud service providers, for example.
6. Data Security Obligations
Businesses are required to implement appropriate technical
and organizational measures “to ensure a level of security appropriate to
the risks represented by the processing and the nature of the personal data
to be protected, having regard to the state of the art and the costs of
their implementation.”
7. Data Protection Impact Assessment Requirement
Businesses with processing operations that “present specific
risks to the rights and freedoms of data subjects by virtue of their
nature, their scope or their purposes” are required to conduct a data
protection impact assessment.
8. Requirement to Appoint Data Protection Officer
Businesses with more than 250 employees and certain other
organizations are required to appoint a data protection officer responsible
for monitoring data processing activities.
9. Significant Penalties
Penalties for violations of the Regulation range, depending on
the type of violation, from a written warning to fines for intentional or
negligent conduct of anywhere from 250,000 euros or 0.5% of the annual
worldwide turnover of a company up to 1,000,000 euros or 2% of the annual
worldwide turnover of a company.
10. Transfers of Personal Data to Third Countries
Although the restriction on the transfer of personal data to
third countries that do not offer an adequate level of protection, as
determined by the Commission, remains in place, under the proposed
Regulation, transfers based on standard data protection clauses adopted by the
Commission or a supervisory authority or based on binding corporate rules
that now must be approved by just one supervisory authority will not
require further authorization.
***
The proposed data protection framework will be evaluated by
the European Parliament and the EU Member States. If adopted, the
Regulation will go into effect, and the Directive will be required to be
incorporated into the national law of each Member State, within two years
from the date of adoption. At this point, it is still possible that the
proposed Regulation and the Directive could be modified before adoption.