International Data Protection and Privacy Day is Monday, January 28th.
The European Commission certainly found a way to mark the day. After weeks of intense speculation, the European Commission has released its sweeping package of legislation to reform the Data Protection Directive.
We are analyzing the entire legislative package, which includes a new regulation and a directive and will comprise a single set of data protection rules for all of the European Union.
Key provisions that will impact US companies:
- Extraterritorial application. In her press conference earlier today, EU Commissioner Viviane Reding made it perfectly clear that this new data protection scheme will apply to EU-based companies and non-EU-based companies that either process data of individuals residing in the EU to whom they offer goods or services, or whose activities serve to monitor the behavior of such individuals. This is virtually any company operating online.
- “One-stop-shop” for EU data controllers -- but not for non-EU controllers. EU data controllers will be supervised by the data protection authority of the Member State where the controller’s “main establishment” is based. Non-EU-based controllers must designate a representative in one of the Member States where they target data subjects. We'll have further analysis on this point.
- Data transfers. The existing EU restriction on data transfers to countries that do not offer adequate protection remains in place. However, the use of standard contractual clauses will no longer be subject to prior authorization or approval by data protection authorities. Also, the adoption of binding corporate rules (BCRs) would be made easier, and the regime would be extended to data processors; an entire section is devoted to BCRs. US companies with multinational operations should start thinking about the BCR process.
- Specific rules on consent. The existing data protection rules include certain grounds for lawful processing of personal data, including consent. The concept of “consent” and cross-border transfers of personal data for processing in the human resources context has always proven vexing and not well defined. The draft law now contains a stand-alone section on consent -- and a definition: any “freely given specific, informed and explicit indication of will”. Consent cannot be used as a legal basis for processing personal data where “there is a clear imbalance between the data subject and the controller.” This appears to be problematic for US companies that have relied on some form of employee consent for the processing of personal data.
- Breach notification. The draft Regulation, as we discussed here, introduces a comprehensive breach notification requirement. It specifies that data controllers must notify any data breach to the supervisory authority “without undue delay and, where feasible, within 24 hours”. When discussing the “undue delay” qualifier, Commissioner Reding added, “for me [this] means 24 hours.”
- Mandatory Data Protection Officer. Organizations employing 250 persons or more must designate a data protection officer.