All Change For European Data Protection Law
By Bridget Treacy
Posted: 20th March 2013 09:19

Information is often the most valuable asset that a business has. Businesses that think strategically about how they create and develop their information assets are able to increase their value, frequently by substantial amounts. For example, data analytics can help a business understand its clients and what they are likely to buy, when and how. Cloud computing offers efficiencies and cost savings. Aggregating data into a single, global database can make a global business more efficient and co-ordinated. However, much of the information processed by business systems is about individuals, and individuals have rights relating to their information. There is an obvious tension here: businesses wish to gather and use ever increasing amounts of information about individuals, yet they must do so in compliance with laws that safeguard the rights of individuals.
In Europe, the Data Protection Directive of 1995, as implemented by national law in each Member State, governs how organisations may process personal data about individuals. This law is generally regarded as out of date for the digital era. In 2012, the European Commission issued a proposal to replace the Directive with a Regulation intended to fit the growing uses of data and technology. Unlike a Directive, a Regulation applies directly in every Member State without national implementing legislation, so the same rules would apply across the EU. The draft Regulation contains provisions that would greatly enhance individuals’ rights but increase the compliance burden for businesses seeking to utilise personal data.
Businesses will face significant challenges in complying with the Regulation. Although the Regulation is not yet law, businesses that do not focus on these issues now may find that they are limited in what they can do with their data, and may find themselves dealing with customer complaints or regulatory enforcement in the future. Businesses should start considering how they will comply with this new law when developing their business plans. Below is a summary of what businesses should know about the Regulation.
What will the Regulation cover?
The Regulation covers the processing of personal data. “Personal data” is already defined in very broad terms in the EU and extends to virtually any information that enables an individual to be identified. The Regulation broadens this definition even further by including location data, online identifiers and genetic information.
The Regulation seeks to expand the reach of EU data protection law to cover processing by organisations established outside the EU where the data processing activity is related to offering goods or services to, or monitoring, EU individuals. The Regulation is likely to impact most organisations which do business in the EU, even if they are not based here.
Differences between a “data controller” and a “data processor”
Under the current law, there is a distinction between a “data controller”, the entity which determines the purposes and means of processing the personal data, and a “data processor”, which has no such control over the data but carries out processing on behalf of the data controller. Currently only a data controller has direct statutory obligations in how it handles personal data; a processor does not. The Regulation blurs this distinction and introduces obligations on both controllers and processors.
Limitations on use of personal data
The Regulation follows current law and requires that data must be processed fairly and lawfully; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to the minimum necessary for the specified purpose; accurate; and kept in an identifiable form for no longer than necessary for the purposes for which the data were collected.
The Regulation introduces restrictions on how consent is collected from individuals. It shifts the burden of demonstrating that consent was obtained to the data controller, and prohibits reliance on consent where there is a significant imbalance in the relationship between the controller and the individual. It will, therefore, be difficult to rely on consent in the context of an employment relationship.
The Regulation imposes prescriptive requirements on an organisation to adopt policies and implement appropriate measures to ensure and be able to demonstrate compliance. These include maintaining detailed records of data processing activities, performing data protection impact assessments for higher-risk processing, and appointing a data protection officer.
New processes and rights
The Regulation incorporates the concepts of data protection by design and by default, which require organisations to build and embed data protection into their new offerings, procedures and processes from the outset, and to limit by default the data processed to what is necessary for the purpose.
The Regulation also introduces the right to data portability which gives individuals the right to obtain an electronic copy of their data from organisations or request that an organisation transfer their data to another organisation. This right is intended to empower consumers, enabling them to easily switch services.
Finally, the Regulation includes a new right to be forgotten, which gives individuals the right to request that personal data about them be deleted. It also requires an organisation that receives such a request to take reasonable steps to inform any third parties to whom it has transferred the data of the individual’s request.
International data transfers
The Regulation follows current law, which restricts the transfer of personal data out of the EU unless one of the safeguards approved by the European Commission is satisfied. Approved safeguards include the execution of standard contractual clauses (model contracts) between the data exporter and importer, certification to the Safe Harbor scheme for transfers to the U.S., Binding Corporate Rules, or other limited exceptions.
Security breach notification
Mandatory notification of data breaches is required to the regulator and, where the breach is likely to adversely affect them, to the affected individuals. The Commission’s draft requires breaches to be notified to the regulator without undue delay and, where feasible, within 24 hours of becoming aware of the incident; the European Parliament’s rapporteur has proposed extending this to 72 hours. Either deadline is short, and organisations will need incident response procedures capable of detecting a breach, assessing its impact and escalating it to the right decision makers within that window.
Penalties and fines
The Regulation proposes an array of mandatory fines for infringements of its requirements, not only for security breaches, up to a maximum of 2% of a company’s annual worldwide turnover. Even relatively minor failures to comply with the Regulation appear to be liable to a fine. In a departure from current legislation, processors may also be subject to a fine.
The Regulation is currently being considered by the European Parliament and the Council of Ministers, and is likely to alter during this process. The new law is expected to be passed in 2014 and to take effect in 2016. Although the precise nature and extent of any changes are not yet fixed, there are some areas in which change seems inevitable. At a minimum, organisations should take stock of their current privacy practices and focus on what the new law will mean in practical terms. It will take some time for organisations to prepare for the Regulation, and that work needs to start now.
Bridget Treacy is a partner of Hunton & Williams.