EU Data Protection Regulations

Shelley Thomas
26 January 2012

At 11.30am UK time on 25 January 2012, with the words "Ladies and Gentlemen, we have done it", Viviane Reding (the EU Commissioner for Justice, Citizenship and Fundamental Rights) announced the EU draft Data Protection Regulations, which, if implemented in the current form, will supersede the EU Data Protection Directive of 1995 and represent the biggest shift in Data Protection law in Europe for 17 years.

The EU has taken the conscious decision to implement the proposed changes as Regulations, which apply automatically, rather than as an EU Directive (which EU member states must then implement into national law, such as the Data Protection Act), so that Data Protection law is harmonised across Europe. One of the criticisms of existing Data Protection law, and the justification for the new Regulations, is that the differing standards across Europe hamper pan-European business and leave both businesses and individuals in doubt as to how data is protected. Enacting these new laws as Regulations will resolve this issue.

There is also an additional Directive dealing with the protection of personal data where it is processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities. As a Directive, this will need to be implemented at national level.

The key points

The Regulations run to 118 pages, but there are a number of key points and significant changes from the current position that should be noted.

  • The need to notify a data protection authority, such as the Information Commissioner in the UK, of an organisation’s data processing activities will be abolished, along with the associated cost and administrative burden.
  • Companies with more than 250 employees (which therefore do not fall within the definition of an SME) will need to appoint a Data Protection Officer. Although this may appear a burden, it is not necessarily a bad thing, as it will create a point of focus within the organisation for compliance with Data Protection law.
  • Organisations must notify their national data protection authority of serious data breaches as soon as possible and if feasible within 24 hours, even where the breach involved encrypted data. They must also, if the data was not encrypted, notify the data subject(s). This obligation to notify breaches goes over and above the current situation in the UK, where a Guidance Note from the Information Commissioner sets out that serious breaches should be notified to him, but there is no legal obligation to do so.
  • Organisations (and individuals) will only have to deal with one national data protection authority in the EU country where they have their main base; this makes it easier to secure authorisation for Binding Corporate Rules (see below), ensure compliance, and to enforce rights.
  • The process for establishing Binding Corporate Rules (a set of rules which a group of companies can put in place to cover all group companies, resident in any jurisdiction of the world, to enable them to transfer data between themselves without breaching the restriction in Principle 8 on transferring personal data outside the EEA) will be made significantly simpler, as the group will only need to apply to one national data protection authority for approval, rather than to three or more authorities as is currently the case.
  • Wherever consent is required for data to be processed, that consent must be given explicitly, rather than assumed. It is unclear at present how this would operate in practice, but it is likely that this requirement will go over and above what is generally required in the UK at present (where consent can be implied where data being processed is not sensitive personal data).
  • A concept of 'portability' has been introduced so that individuals have easier access to their own data and are able to transfer it from one service provider to another more easily.
  • The (now infamous) 'right to be forgotten' will, in theory, help people better manage data protection risks online by allowing them to delete their data.

A range of fines for various breaches of the Regulations has been provided for, with the maximum being €1 million or up to 2% of an enterprise's worldwide annual turnover (interestingly, rumours prior to the release of the draft Regulations suggested that the maximum fine would be 5% of worldwide annual turnover, but this has not proved to be the case). This level of potential fines could (and should) prompt organisations to take their responsibilities under Data Protection law seriously.

Summary

The proposals will now be passed to the European Parliament and the Council of Ministers for discussion and will take effect two years after they have been adopted. This may seem a long way off, but, as the saying goes, time flies, and the new Regulations, when they do apply, will have broad application.

They are an indication of the seriousness with which the EU views Data Protection compliance and, in any event, are likely to represent best-practice standards for Data Protection compliance as the EU moves closer to an implementation date.

As well as the risk of monetary penalties and prosecution under current Data Protection law, a breach of Data Protection law is always likely to lead to loss of goodwill and reputational damage. It is therefore vital that organisations take on board these proposals at an early stage and ready themselves for compliance. We therefore recommend taking advice now on how your business should be complying with both current and future laws.

Author

Shelley Thomas, Partner
Telephone: +44 (0) 161 817 7207
Email: shelley.thomas@hilldickinson.com
