On 25 January 2012, the Commission published its proposal for a new ‘General Data Protection Regulation’. The proposed Regulation promises greater harmonisation – but at the price of a significantly harsher regime, requiring more action by organisations and with tough penalties of up to 2% of worldwide turnover for the most serious data protection breaches.
The General Data Protection Regulation is to be accompanied by a new Directive, governing use of data by public authorities for law enforcement purposes, a proposal for which was also published on 25 January.
The draft Regulation is even longer than the current Directive (95/46/EC), running to 118 pages and 139 Recitals. It is likely to take at least 2 years to finalise and is planned to enter into force a further 2 years after that finalised text is published in the Official Journal.
We have summarised below the key changes envisaged by the proposed Regulation.
The Regulation will continue to apply to processing carried out by or on behalf of EU operations. However, the Regulation is also due to apply to controllers with no EU establishment where they undertake processing related to offering of goods/services to EU residents, or which monitors individuals resident in the EU. Organisations covered on this basis would be required to appoint a local representative, against whom enforcement action may be taken.
For organisations that operate across the EU, there is to be a partial country of origin approach. The data protection authority in the country where the group’s ‘main establishment’ is based is to have lead supervisory responsibility. There are procedures included to ensure consistency amongst supervisory authorities involving the European Commission and the European Data Protection Board (which will replace the Article 29 Working Party Group).
Further, where a matter affects individuals in other countries, then the draft Regulation gives those authorities rights to participate in joint actions.
Individuals will be free to bring proceedings either in a country where the controller has an establishment, or where they live.
Identifiable data would still be covered and the usual test of ‘reasonable likelihood’ of identification is due to be retained. The Regulation specifically notes that certain categories of online data may be personal - location data and online identifiers such as IP addresses and cookie identifiers are singled out for special mention, although the Regulation notes that whether these are personal will depend on the circumstances.
The concept of sensitive data is to be retained – but is set to be extended to include genetic data. Processing of criminal offence data would now only be carried out by official bodies or in accordance with specific legal authority: a significant change for UK organisations.
Controllers and processors:
The concepts are to be retained. As regards individuals, however, controllers and processors (and also joint controllers) would always be joint and severally liable, unless they can demonstrate that they are not responsible.
Controllers and processors are to be required to document the processor’s tasks in more detail. Processors will need the consent of the controller to appoint sub-processors. Processors (as well as controllers) will have to co-operate with supervisory authorities under the draft provisions, as well as being directly subject to the Regulation and to having obligations to appoint DPOs, to document processing and to comply with certain other provisions of the Regulation (beyond mere security matters).
Organisations would be required to take measures to comply with the new rules and must be able to demonstrate this. Every processing operation would need to be documented and the documentation must be available to authorities on request.
The controller would have to implement measures to ensure that the data minimisation principle is met. The controller is also to be required to carry out privacy impact assessments for more ‘sensitive’ types of processing –including consultation with data subjects. Data protection officers are set to become mandatory for all public and many private organisations, although SMEs employing up to 250 full-time staff will not need to do this unless their core activities involve regular and systematic monitoring of data subjects.
Under the draft Regulation, this would now always be explicit. Consent would not be valid if it could not be withdrawn without the individual suffering detriment. It would also not be valid if there is a significant imbalance between controller and processor – for example, in the employment context. Consent will not be allowed to be ‘bundled’ with other terms: consent for data processing must be clearly distinguished from these other provisions.
Would be significantly strengthened. Data could only be collected and retained if the purpose of the processing ‘could not be fulfilled by other means’.
The more onerous transparency obligations across the EU are set to be combined - individuals would have to be told the purposes of processing and informed of their rights, what data is mandatory, the consequences of not providing data, the period for which data will be retained, if data will be exported and, if it is, how it will be protected.
A new right to be forgotten is due to be introduced, in particular where processing is justified based on consent or contract, or where an individual wishes to remove data posted as a child.
The draft Regulation states that there is to be no charge for subject access, save in limited situations. There is also set to be a new right to data portability – with an obligation on providers to ensure that data is in a format that facilitates the exercise of this right.
Information provided to children would need to be in clear, plain language. Where information society services are offered directly to children under 13, verifiable parental consent would be required.
Data breach notification:
It is due to be introduced. The drafted rules are similar to the rules currently being implemented in relation to providers of public (electronic) communications services, however all breaches would ordinarily need to be notified to supervisory authorities within 24 hours.
The draft Regulation would abolish the current filing system. However, ‘risky’ processing would be subject to prior authorisation by data protection authorities. Risky processing could include processing using new technologies, or processing that could deprive individuals of the benefit of a contract.
Binding corporate rules are to be explicitly recognized (but the draft Regulation includes them on the basis of joint and several liability, effectively ruling them out for many US headquartered financial services providers). The draft Regulation would make it illegal to transfer data in response to legal requirements set out outside the EU. Authorisation would need to be obtained for use of non-Commission authorised standard contractual clauses or for transfers pursuant to an overseas court order.
Privacy by design:
Privacy by design principle should be deployed and implemented by default.
Member States would be entitled to introduce derogations in limited areas: journalistic, literary and artistic processing, processing for health related purposes and employment.
Exemptions would also be possible for public security, important economic and financial interests and protections for the individual or the rights and freedoms of others.
The Commission is also set to be given powers to introduce supplemental legislation relating to data processing.
The draft Regulation proposes tiered penalties of up to 2% of worldwide turnover for the most serious data protection breaches. Data protection authorities will be required to co-operate with each other and provide mutual assistance in this regard.