Data Protection Reforms to Increase Enforcement and Enhance Single Market

The European Commission’s proposals to reform European data protection laws have now reached an advanced stage and draft legal instruments have been issued for an interservice consultation. The proposals are significant and wide-ranging. Some of the more noteworthy aspects are highlighted below.

  • The new framework. The new data protection framework is due to repeal the Data Protection Directive and to replace it with a Regulation and a Directive for specific criminal matters. This note considers the new draft Regulation. The use of a Regulation should guarantee a high level of harmonisation throughout the Member States and should therefore help to enhance the single market (though national variations remain possible to some limited extent).
  • Single Market enhancements. The Regulation also contains specific single market measures. For example, processing by a data controller established in more than one Member State would only be subject to supervision by the data protection authority where its headquarters are based. This change is very welcome as it should significantly ease the compliance burden for multi-national companies operating in Europe.
  • Significant increases in enforcement. The draft Regulation sets out new fining powers. The level of fines varies depending on the nature of the breach, but ranges up to 5 per cent of global turnover. For very large companies, this could mean fines in excess of a billion Euros. Of equal significance is the imposition of a minimum level of fines for certain breaches. So, for example, failing to notify a data breach within 24 hours or not adopting proper internal privacy policies would lead to a minimum fine of 100,000 Euros. Last, according to the draft, it will become possible for representative bodies to bring actions for collective redress on behalf of individuals.
  • “Accountability”. According to the draft, organisations with more than 250 employees will have to appoint a data protection officer. Similar obligations apply to public authorities or those that are involved in monitoring activities, regardless of the number of employees. More generally, organisations will have to demonstrate that all of their processing activities comply with data protection law, backed up by privacy by design requirements and obligations to carry out privacy impact assessments for certain types of processing. The burdensome general notification obligations to national data protection authorities should however be removed.
  • Consent. The rules around consent have been clarified and narrowed. All consent would have to be “explicit” as well as “freely given, specific and informed”. There would be a clear right to withdraw consent and restrictive conditions would apply where the consent is given in relation to processing by public authorities or in the employment context. Consent from a child (i.e. someone under the age of 18) would have to be authorised by the child’s parent or guardian.
  • Marketing. Consent would be needed for all direct marketing for commercial purposes. According to the draft, it will no longer be possible to rely on the legitimate interests condition to justify direct marketing activities.
  • Notification of data breaches. All personal data breaches are due to be notified to the relevant data protection authority within 24 hours. There appears to be no de minimis threshold to this notification obligation nor any exception for information that is encrypted. There is also an obligation to notify individuals who are adversely affected by any such breach unless that information was protected, for example through encryption. The notification to individuals must also be made within 24 hours.
  • Obligations on data processors. According to the draft, data processors will become directly subject to certain parts of the Regulation, such as the obligation to document details of their processing, and can be sued directly for breach of the Regulation. A data processor will become a data controller if it processes data outside the scope of its instructions.
  • Transborder dataflow. There will be some relaxation of the restrictions on transferring personal data outside of Europe. For example, binding corporate rules will be put on a statutory footing and will only require approval from one lead regulator. There will be no need to have model contracts approved by national data protection authorities (though it is not clear if there might still be a notification obligation). Finally, transfers that are not frequent, massive or structural can be justified on the basis of a legitimate interests test, though that assessment will have to be documented and notified to the relevant national regulator.

It is important to underline that the above review is based on a working draft of the new Regulation and not the final proposal from the Commission. Equally, the points above are not a comprehensive list of the proposed changes.

Overall, the Regulation clarifies many aspects of the Data Protection Directive. This clarity and some of the changes are welcome but others are highly questionable. It is likely that the draft Regulation will trigger another round of review by all relevant stakeholders and further negotiations. However, it now seems clear that there will be significant changes to the framework for data protection in Europe when it finally comes into force, which is not foreseen before 2013 or 2014 considering the adoption process required under the Lisbon Treaty.

For further information on this subject or any other TMT issues please contact Tanguy Van Overstraeten or your usual Linklaters contact.