European Union Justice Commissioner Viviane Reding has announced a proposal for a new General Data Protection Regulation for the protection of personal data in the European Union.
The proposals retain the general principles of data protection law, but also introduce some significant changes around:
- Notification (including 24-hour notification of breaches);
- New obligations on data processors;
- Compulsory Data Protection Officers;
- Data subject rights;
- Collection of child data; and
- The “one stop shop” approach.
Firstly, as Martin noted in his earlier blog on the impact for organisations engaged in outsourcing, the regulation has direct effect. Once passed, it will not be subject to local implementation in each member state. This is intended to ensure that the laws are applied consistently across the EU.
Powers to fine
The official announcement follows last month’s leaked proposals, which suggested that companies breaching data protection law might face fines of up to 5% of their annual turnover. While this level of fine is not advanced by the official proposal, companies will still be subject to a fairly stringent sliding scale of fines:
- a maximum of 0.5% of annual turnover for failures such as not responding properly to requests by data subjects;
- a maximum of 1% of annual turnover for failures such as leaving inaccurate data uncorrected, or failing to adopt internal policies to comply with the new Regulation; and
- a maximum of 2% of annual turnover for the most serious violations, including “risky processing operations”, or failing to obtain data subject consent.
Another key change being proposed is that data controllers can no longer rely on implied consent. Instead, controllers will have to prove that they have been provided with “explicit” consent from the data subject, while consent may not be relied upon if there is a “clear imbalance between the data subject and the controller” (which will make it difficult for, for example, employers to rely on consent from employees, as grounds for processing).
As an alternative to obtaining explicit consent, “other legitimate interests” of a controller will provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding.
Whilst this change is consistent with the opinions that have been issued by the Article 29 Working Party, it will be particularly felt in the UK, where much of the UK Information Commissioner’s guidance has focussed on the concept of “implied consent”. For example, the Information Commissioner’s view on website privacy policies has generally been that the data controller does not need to flag up in flashing lights processing that is obvious. It will be interesting to see how guidance changes in this area.
Controllers will no longer have to notify data protection authorities that they are processing data; instead they will be asked to make available, upon request, evidence demonstrating their data protection policies and procedures, including “privacy by design and default” mechanisms and privacy impact assessments.
Data breach notification
Controllers will also be expected to notify data protection authorities of data breaches within 24 hours. Where notification within 24 hours is not possible – and 24 hours looks like an onerous requirement – an explanation of the reasons for the delay should accompany the notification. Data processors, meanwhile, will be expected to “assist” controllers in cases of data breach or loss, and will be deemed joint controllers if they process personal data other than as instructed by the controller.
Data protection officers
All public sector bodies will be required to appoint a Data Protection Officer, as will private sector bodies with more than 250 staff (or whose core activities consist of processing operations).
The “right to be forgotten” and other new restrictions
Last month’s leaked document suggested that the new proposals would contain a controversial “right to be forgotten”, and many stakeholders were already pondering how such a right could possibly be guaranteed or enforced. The official proposals are less explicit regarding this right, proposing that a controller shall carry out erasure of data “without delay, except to the extent that the retention of the personal data is necessary” for a variety of grounds, including “public interest” and “compliance with a legal obligation”.
Potentially more interesting is a new right for data subjects not to be subject to a “measure based on profiling”, meaning that organisations may be barred from profiling individuals by automatic processing that seeks to predict a person’s creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour. This may well impact upon Amazon’s religious beliefs patent (as blogged about by Martin last month).
It’s also worth noting that under the new proposals the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. This concept of a “child” and the parental consent requirements will almost certainly conflict with many organisations’ current practices.
The “one stop shop approach”
Finally, the draft proposes that controllers and data subjects will have a one stop shop in terms of regulators. If a data subject wishes to complain about processing by a data controller in another EU country, they will complain to their local regulator, who will raise the issue with the regulator in the data controller’s home country.
Given that non-EU data controllers collecting data from EU data subjects will also be subject to the new regulation, this will surely increase the administrative burden on the various national regulators.
These are just some of the changes to the present European data protection regime which are being proposed. It’s worth remembering that these proposals will need to be approved by the European Union’s member states and ratified by the European Parliament before they can come into effect. Given the extent of the proposed changes, that process might take up to 2 years, if not longer.
On January 25, 2012