
European Data Protection – EC proposes radical changes including fines of 2% of world-wide turnover

25 January 2012

All organisations hold and process personally identifiable data – not least about their staff, customers or suppliers, or all three. In Europe how this data is handled has been regulated by data protection laws since the early 1980s. 

Those already complex laws are set to be shaken up by the European Commission (EC) which on 25 January 2012 announced a radical overhaul of the Data Protection Directive. 

If adopted, the changes will have a huge impact on all organisations with European-facing operations, as will the suggested penalties for those who get it wrong. Large fines (up to 2% of global turnover have been proposed) are being lined up for local regulators to impose on non-compliant organisations.

In short, the new laws will:

  • increase the regulatory burden on organisations with European operations
  • increase the amount of time, money and personnel required to achieve compliance
  • raise the stakes, in terms of potential fines and brand damage, which could arise from non-compliance

Once the EC's proposals have passed through the European parliamentary system, because they are in the form of a "Regulation" they will have direct effect in every EU Member State with minimal further scope for debate or rationalisation. While a more harmonised data protection regulatory landscape sounds appealing, the uncompromising approach taken by the EC's draft Regulation is a cause for concern for business.

Key points proposed by the EC's draft Regulation include the following:

(a) Fines – national data protection regulators will be given the ability to impose significantly higher fines of up to 2% of global turnover where basic knowledge/consent obligations or requirements to adopt good policies and procedures are not followed.

(b) Data Protection Officers (DPO) – private sector companies with more than 250 employees, or whose core activities involve regular monitoring of individuals, as well as public authorities will all be required to formally appoint a DPO. The DPO must be empowered by their organisation to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so. The Regulation specifically requires the DPO to co-ordinate data protection by design and privacy impact assessment initiatives (see below for more details on both) and to be responsible for data security initiatives generally. Responsibility for training staff is also mentioned as important. In short, the DPO must ensure that his/her organisation has adopted good data governance policies and procedures.

(c) Audits, data protection by design and privacy impact assessments – organisations will be required to demonstrate that they have undertaken regular data protection audits and privacy impact assessments (PIAs) using recognised industry standards (such as the ICO's PIA criteria). Key will be demonstrating that new processing systems and activities have only been introduced after privacy compliance and risk mitigation steps have been implemented. A key role of an organisation's DPO will likely be co-ordinating such privacy by design initiatives. Regulators can designate processing activities in respect of which organisations should always proactively run a PIA before processing commences. The Regulation sets out a starting point list which includes any activities using data about an individual's "economic situation, location, health, personal preferences or reliability of behaviour".

(d) Security breach notification – organisations will have to notify data protection authorities within 24 hours of establishing that they have suffered a data breach, or explain why it is not possible to provide full details of the breach. Slick internal procedures will therefore be required to verify suspected breaches and establish what has been lost or subject to unauthorised access.

(e) Expanded consent requirements – the EC's proposals include a radical overhaul of the level of consent that is required before organisations process data. At the heart of this change is the requirement that consent to use personally identifiable information should always be obtained in advance and on an opt-in basis before it is used. Thankfully the EC has pulled back from requiring parental consent to be obtained for all under-18s, as required by an earlier draft of the Regulation leaked in November. The bar is proposed at 13 in the draft Regulation published in January.

(f) Data portability – individuals will be given the right to demand that an organisation should transfer any or all information held about them to a third party organisation in a format which the individual determines. This increases the control that individuals have over data which identifies them and makes it easier for them to transfer business or employment relationships. It remains to be seen who will be required to cover the associated costs of such an exercise, but it seems very likely that the transferring organisation will be expected to do so.

(g) Jurisdictional reach – the new laws will apply to anyone processing data in the EU as well as those outside Europe who offer goods or services to EU citizens. For a multi-national organisation, the location of its European HQ will determine which EU Member State's laws bind it, and which regulatory authority will have jurisdiction over it. That said, individuals will be given wider-ranging powers to bring action personally against an organisation (either in the country where a non-compliant organisation is located or in the individual's local courts). Trade associations will also be empowered to bring class actions on behalf of their members. For the first time, data processors will share equal responsibility and liability for compliance with the new laws, raising the stakes for IT service suppliers.

(h) Data transfers – Europe's painful data transfer laws will be relaxed in that more options will be made available to enable organisations to share data with non-European third parties. Specifically, the policy implementation known as Binding Corporate Rules will be formalised as a mechanism enabling data transfer compliance, which is good news for multi-site, multi-national businesses.

(i) The right to be forgotten – individuals (children, defined as under-18 year olds, are mentioned in particular) will have the ability to demand that information published about them online is deleted and is not republished. Organisations which receive such a demand must take all reasonable efforts to inform other website operators of the existence of the complaint which they have received. The right, which is particularly relevant to social media businesses, is subject to some exemptions. These include one benefiting journalists publishing stories in the public interest, which raises the question of whether a blogger or someone who posts an opinion on a website is a journalist. Questions also remain about how practical the regulation is and who would bear the costs of complying with it.

For more information about the proposed amendments to Europe's data protection laws or for a copy of Osborne Clarke's guide to complying with them please contact James Mullock (james.mullock@osborneclarke.com). 
