A first legislative draft for a general EU data protection regulation has been leaked to the public 6 weeks ahead of the scheduled publication.
The draft Regulation - which aims to apply a harmonized and updated set of core data protection rules across the EU - will be reviewed by the different Directorates-General of the European Commission in the coming weeks, and is liable to change. The European Commission is not expected to release the final proposal until the end of January 2012.
The proposal, containing 91 articles, is expected to replace the Data Protection Directive 95/46 and to be directly applicable in all European Member States. It would therefore supersede the UK's data protection regime currently set out in the Data Protection Act 1998.
Initial responses from business observers suggest that the proposal is "highly technocratic, unrealistically ambitious, very costly and inflexible".
Application. The supervisory data protection authority of the Member State where a data controller’s main establishment is based will be its lead authority, avoiding situations where a controller may be subject to the competing jurisdictions of multiple EU authorities. Included also is a new mandatory mutual assistance obligation intended to address forum shopping concerns.
Scope. The new Regulation will also apply to non-EU companies that "direct" their processing activities to data subjects residing in the EU or whose activities serve to monitor the behavior of data subjects, replacing the current "making use of equipment" test with a new "targeting" test. The new standard will impact online service providers in particular, and proposed recitals clarify that relevant factors include whether services are provided in European languages or currencies or involve local domain names. Websites merely accessible to European users, however, will not be caught.
Definitions. The definition of "data subject" is expanded by incorporating language previously found in Recital 26 of the Directive. A data subject is now anyone who can be identified, directly or indirectly, by the controller or by "any other natural or legal person". Identification may occur by reference to an identification number, location data or an online identifier, amongst other things. The proposal also introduces a host of new definitions, including ones for "personal data breach", "biometric data", "genetic data", "main establishment", and "child".
European Data Protection Board. A European Data Protection Board, consisting of the heads of the supervisory authority of each Member State and of the European Data Protection Supervisor, is proposed. The Board is intended to replace the existing Article 29 Working Party in a similar role.
Consent. The draft law contains a stand-alone section on consent, which is now defined as any “freely given specific, informed and explicit indication of will”. Consent cannot be used as a legal basis for processing personal data where “significant imbalance in the form of dependence between the position of the data subject and the data controller” exists.
Data protection authorities have traditionally advised against the use of consent as a legal basis for processing and this mentality is reflected in the draft Regulation. In addition, the consent of a child (defined as any person below the age of 18 years) will only be valid when authorized by the child’s parent or custodian.
New rights for data subjects. A heavily caveated "right to be forgotten" clause imposes a specific obligation on a controller to render certain data inaccessible, including where that data appears on the Internet. A new data portability right will enable data subjects to obtain from a data controller, such as a social network service provider, a copy of their data in a format that allows them to transfer that data to another service provider. The Commission reserves the right to specify the electronic format and technical standards to enable such transmission.
Impact assessments and prior authorization/consultation. The proposal also appears likely to increase the administrative burden for data controllers in certain respects, although it does dispose of the current national notification regimes. Controllers must carry out data protection impact assessments where processing operations are likely to put the rights of data subjects at risk by virtue of their nature, scope and purposes. In addition, controllers with more than 250 employees must appoint a qualified data protection officer. In limited cases - where processing is likely to pose a high degree of risk to data subjects - data controllers will have to obtain an authorization from, or consult with, their supervisory authority prior to processing the personal data. Apart from the duty to appoint a data protection officer, these new obligations appear to apply equally to large multinationals and to small and medium enterprises.
Breach notification. The draft Regulation, as was expected, introduces a comprehensive breach notification regime. Rules similar to those found in the e-Privacy Directive (applicable to providers of publicly available electronic communications services and networks) have been proposed. Data controllers would be required to notify any data breach to their data protection authority, notwithstanding the fact that protective measures, such as encryption, are in place or the likelihood of harm is low. Data controllers must notify data subjects when a data breach is likely to “adversely affect” the protection of their personal data unless the data controller can demonstrate, to the satisfaction of the supervisory authority, that they have implemented appropriate technological protection measures.
Disclosure. The provisions that will govern future foreign e-discovery exercises are likely to attract much attention and comment. Controllers will first be required to seek authorization from their data protection authority before they can make personal data available in response to a court judgment or decision by an administrative authority in a third country. These provisions, together with the higher monetary penalties envisioned by the Regulation, are clearly intended to serve as a counterweight to pressures exerted under foreign legal regimes, such as those in the U.S.
Data transfers. The existing EU restriction on data transfers to countries that do not offer adequate protection remains in place. However, the use of standard contractual clauses will no longer be subject to prior authorization or approval by data protection authorities. Also, the adoption of binding corporate rules (BCR) would be made easier, and an entire section is devoted to the concept. The draft Regulation retains the original derogations for transfers to third countries, such as consent, but adds a new derogation for transfers necessary for the legitimate interests of a data controller, although this must be balanced against the rights of the data subject.
Sanctions. An elaborate section on administrative sanctions is proposed. Mirroring sanctions for violations of EU competition law, each competent authority would now have the power to impose administrative sanctions and to scale them according to a company's annual turnover. For certain types of intentional or negligent violations, supervisory authorities will be able to impose fines of between 100,000 and 1,000,000 euros, or as much as 5% of an enterprise's annual worldwide turnover.
The leaked draft of the Regulation is available at http://www.statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf
See also "European Commission explains why UK’s Data Protection Act is deficient": http://amberhawk.typepad.com/amberhawk/2011/02/european-commission-explains-why-uks-data-protection-act-is-deficient.html