In early December 2011, drafts of two legal instruments prepared by DG Justice of the European Commission to reform the EU data protection framework entered interservice consultation. This process will give other Directorates-General of the Commission the opportunity to comment on the drafts before they are formally released as legislative proposals; accordingly, changes to the drafts are likely. Following this comment period, the drafts will enter the EU legislative process, which is likely to take at least two to three years before they become law. It is believed that Justice Commissioner and Commission Vice-President Viviane Reding will formally announce final versions of the drafts at an appearance at the World Economic Forum in late January 2012.
The two documents prepared by DG Justice are entitled “Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”; and “Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (Police and Criminal Justice Data Protection Directive).”
The following are some of the major elements of the first instrument (the draft Regulation), which applies to the private sector and thus is the more relevant of the two for businesses:
- The existing EU Data Protection Directive 95/46 would be repealed.
- Because the Regulation would be directly applicable, and not subject to member state interpretation, it would provide as near complete harmonization as is possible under EU law.
- Many of the obligations that are currently imposed on data controllers would also apply to data processors.
- The Regulation would make companies with operations in multiple EU member states subject to the jurisdiction of a single data protection authority (“DPA”), based on their main place of establishment in the EU.
- Data controllers and processors established outside the EU would be subject to EU law if their data processing activities are directed at EU residents or “serve to monitor the behaviour” of such residents.
- Explicit consent (i.e., opt-in) would be made the rule. The rules on consent would be greatly strengthened, and use of consent as a legal basis for data processing would be outlawed in certain areas, such as the employment context. Data processing for marketing purposes also would require explicit consent.
- The general conditions for lawful data processing would be tightened.
- Notifications to DPAs of data processing activities would be eliminated.
- Enhanced obligations would be imposed on data controllers and processors to provide individuals with information about data processing.
- Joint data controllers would have to sign an agreement allocating responsibility between them; absent such an agreement, the controllers would be jointly liable for all processing.
- The right to be forgotten would be implemented.
- Data protection by design and by default would be mandatory, as would privacy impact assessments in certain cases.
- Data controllers and processors would be obliged to keep extensive documentation about data processing, and to cooperate with the DPAs.
- Both the relevant DPA(s) and affected individuals would have to be notified of data security breaches within 24 hours of discovery of the breach.
- Data protection officers would be mandatory for public sector companies and all companies with more than 250 employees.
- Reforms would be made to the conditions for issuing “adequacy” decisions for countries outside the EU to which personal data are transferred. Binding corporate rules (“BCRs”) would be explicitly recognized and subject to minimum requirements. Compliance with non-EU court orders to disclose personal data outside the EU would require the prior authorization of the relevant DPA. For the first time it would be possible to transfer personal data outside the EU based on a “balancing of interests” test.
- Independence of the DPAs would be strengthened, and member states would be required to provide DPAs with sufficient resources.
- The Article 29 Working Party would be renamed the “European Data Protection Board,” and would follow a complex procedure to rule on certain types of DPA-level decisions. The European Data Protection Supervisor (“EDPS”) would act as secretariat of the Board.
- In many cases the European Commission would be granted the power to issue so-called “delegated acts” interpreting provisions of the Regulation; this would likely shift power over data protection policymaking from the EU member states to Brussels.
- DPAs would be given harmonized enforcement powers, and have greatly increased powers to impose administrative sanctions, which could range up to a maximum of 5% of a company’s annual worldwide turnover. An enforcement measure by a DPA would be enforceable in any EU member state.
- Associations could bring complaints to DPAs and judicial actions on behalf of individuals.