On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. A brief summary of the major changes this will make to EU data protection law is set out below.
One Data Protection Authority
Processing of personal data by businesses established in more than one EU country will be monitored by one single data protection authority (DPA) – the “lead authority”. Generally the lead authority will be the DPA of the country where the business has its main establishment. The main establishment of a business will be determined according to objective criteria, such as where the central administration of a company is located, for example where management decisions are usually made.
One EU-wide Data Protection Law
If the Regulation is adopted, there will be one EU data protection law that businesses will need to comply with. The new rules will apply throughout the EU and businesses established in more than one EU country will no longer need to cope with the national rules adopted in each relevant EU country. In the long term this means that current local data protection provisions – mainly exemptions that have been introduced by EU countries for national reasons – would disappear.
The new data protection rules will apply to non-EU based businesses that offer their goods or services to customers based in the EU (or monitor their behaviour). For example, a US company with a subsidiary in the EU will be required to comply with EU data protection law as well as its own US laws.
There are exceptions where the data controller is established in a third country ensuring an adequate level of protection (for example a business registered under the Safe Harbor scheme in the US), or if the data controller is a small or medium-sized business or a public authority.
Penalties for Breaches
A breach of the new data protection rules could result in a fine of up to €1 million or 2% of the global annual turnover. Fines will be imposed by the DPA. Currently the maximum fine in the UK for a breach of data protection law is £500,000.
Serious data breaches must be notified to both the DPA and the data subjects. Notification should be without undue delay and, where feasible, within 24 hours. Businesses will need to have adequate procedures in place to deal with these new requirements, and it may be worth considering obtaining cyber risk insurance.
Data Protection Officer
An independent data protection officer must be appointed by public authorities, by businesses with 250 or more employees, and by businesses whose core activities involve processing operations which require regular and systematic monitoring. The data protection officer must maintain an internal register which the DPA has the right to inspect.
Explicit consent must be obtained from data subjects. It will not be acceptable to assume consent from a data subject’s silence or inactivity, or through generic terms and conditions. Consent must be given by a data subject in a clear statement or via an affirmative action (e.g. ticking a consent box when visiting a website). The data subject must have the right to withdraw consent at any time.
In addition, explicit parental consent must be given when processing the data of a child under the age of 13.
Right to be Forgotten
Data subjects will have the right to be forgotten. This will allow individuals to have all personal data that a business holds on them deleted. This will include all photos and any public links to, or copies of, personal data that can be found on the Internet, for example in social networks or via search engines. Businesses will be required to permanently delete the individual’s data unless there are legitimate grounds for retaining it.
Preparing for Change
The draft Regulation must be approved by all EU countries and the European Parliament before it comes into effect, possibly in about 3 years’ time. The rules will introduce significant and onerous new obligations upon businesses, which will need to implement time-consuming measures to ensure compliance in order to avoid the risk of facing substantial fines.
It is advisable that businesses start preparing now for the coming changes, for example by appointing a data protection officer (where appropriate), devising a documentation system for recording data processing activities, reviewing how consent is obtained from data subjects and revising all data processing agreements.