The draft text of the new 'General Data Protection Regulation' is now circulating, ahead of its official publication date (due late January 2012). The draft Regulation as it stands promises greater harmonisation – but at the price of a significantly harsher regime, requiring more action by organisations and with tough penalties of up to 5% of worldwide turnover for the most serious data protection breaches.
The General Data Protection Regulation is set to be accompanied by a new Directive, governing use of data by public authorities for law enforcement purposes, the draft text of which is also in circulation.
The draft Regulation is even longer than the current Directive (95/46/EC), running to 116 pages and 118 Recitals. It is likely to take at least 2 years to finalise and is planned to enter into force a further 2 years after that finalised text is published in the Official Journal. The draft which we have seen appears to be a preliminary draft, released informally and without any confirmed status. We have summarised below the key changes which are envisaged by this draft Regulation, but note that there may be various changes to these provisions before an official draft is published.
The draft Regulation will continue to apply to processing carried out by or on behalf of EU operations. However, the draft Regulation is also due to apply to processing which is 'directed to' or which monitors individuals resident in the EU – even when the processing does not take place in the EU and where there is no EU establishment.
Mere accessibility of websites in the EU would not satisfy this test, but use of local currency, language or TLDs (i.e. top-level domains) may all trigger EU privacy rules. Organisations covered on this basis would be required to appoint a local representative, against whom enforcement action may be taken.
For organisations that operate across the EU, there is to be a partial country of origin approach. The data protection authority in the country where the group's EU headquarters or management are will have supervisory responsibility under the proposed draft. There are procedures included to ensure consistency amongst supervisory authorities involving the European Commission and the European Data Protection Board (which will replace the Article 29 Working Party Group). Further, where a matter affects individuals in other countries, then the draft Regulation gives those authorities rights to participate in joint actions.
Individuals will be free to bring proceedings either in a country where the controller has an establishment, or where they live.
Identifiable data would still be covered and the usual test of 'reasonable likelihood' of identification is due to be retained. However, the draft Regulation provides that certain categories of data are always to be treated as personal - location data and online identifiers such as IP addresses and cookie identifiers.
The concept of sensitive data is to be retained – but is set to be extended to include genetic data. Processing of criminal offence data would now only be carried out by official bodies, which would entail a significant change for UK organisations.
Controllers and processors
The concepts are to be retained. The draft Regulation includes new provisions relating to joint controllers: joint controllers would be able (if they wished) to allocate responsibility amongst themselves. As regards individuals, however, joint controllers would always be jointly and severally liable, unless they can demonstrate that they are not responsible.
Controllers and processors are to be required to document the processor's tasks in some detail. Processors will need the consent of the controller to appoint sub-processors; however, the draft Regulation allows this consent to be given on an opt-out basis (i.e. a right to object as opposed to active consent). Processors (as well as controllers) will have to co-operate with supervisory authorities under the draft provisions.
Organisations would be required to take measures to comply with the new rules and must be able to demonstrate this. Every processing operation would need to be documented and the documentation must be available to authorities on request. Annual reports would also need to contain statements on policies and measures taken in relation to data processing. The controller would have to implement measures to ensure that the data minimisation principle is met. The controller is also to be required to carry out privacy impact assessments for more 'sensitive' types of processing – including consultation with data subjects – and the results of this assessment should be published. Data protection officers are set to become mandatory for all public and many private organisations, although SMEs employing up to 250 full-time staff will not need to do this unless their core activities involve regular and systematic monitoring of data subjects.
Under the draft Regulation, consent would now always be explicit. Consent would not be valid if it could not be withdrawn without the individual suffering detriment. It could also never be valid in the employment context or vis-à-vis public bodies. Consent will not be allowed to be 'bundled' with other terms: consent for data processing must be clearly distinguished from these other provisions. In particular, the draft Regulation states that consent will be required for all direct marketing (save for that carried out by charities and non-commercial bodies). Profiling is also to require specific consent and will not be permitted at all on children (more information about children below).
Data minimisation would be significantly strengthened. Data could only be collected and retained if the purpose of the processing 'could not be fulfilled by other means'.
The more onerous transparency obligations across the EU are set to be combined - individuals would have to be told the purposes of processing and informed of their rights, what data is mandatory, the consequences of not providing data, the period for which data will be retained, if data will be exported and, if it is, how it will be protected.
A new right to be forgotten is due to be introduced, in particular where processing is justified based on consent, or where an individual wishes to remove data posted as a child.
The draft Regulation states that there is to be no charge for subject access, save in limited situations. There is also set to be a new right to data portability – with an obligation on providers to ensure that data is in a format that facilitates the exercise of this right.
Information provided to children would need to be in clear, plain language. Children under 18 would not be competent to give consent: parental consent would be required.
Data breach notification
Data breach notification is due to be introduced. The draft rules are similar to the rules currently being implemented in relation to providers of public (electronic) communications services. All breaches would need to be notified to supervisory authorities within 24 hours.
The draft Regulation would abolish the current filing system. However, 'risky' processing would be subject to prior authorisation by data protection authorities. Risky processing could include processing using new technologies, or processing that could deprive individuals of the benefit of a contract.
Binding corporate rules are to be explicitly recognised (but the draft Regulation includes them on the basis of joint and several liability, effectively ruling them out for many US headquartered financial services providers). The draft Regulation would make it illegal to transfer data in response to legal requirements set out outside the EU. Authorisation would need to be obtained for use of non-Commission authorised standard contractual clauses or for transfers pursuant to an overseas court order.
Privacy by design
The privacy by design principle would have to be deployed and implemented by default.
Member States would be entitled to introduce derogations in limited areas: journalistic, literary and artistic processing, processing for health related purposes and employment.
Exemptions would also be possible for public security, important economic and financial interests and protections for the individual or the rights and freedoms of others.
The Commission is also set to be given powers to introduce supplemental legislation relating to data processing.
The draft Regulation proposes tiered penalties of up to 5% of worldwide turnover for the most serious data protection breaches. Data protection authorities will be required to co-operate with each other and provide mutual assistance in this regard.
Ruth Boardman
Co-head of Bird & Bird international Privacy and Data Protection Group