European Commission proposes new data protection framework | Practical Law

The European Commission has published its proposal for a new EU data protection framework. (Free access.)

Practical Law Legal Update 0-517-4165 (Approx. 14 pages)

by PLC IPIT & Communications
Published on 26 Jan 2012 (European Union)

Speedread

The European Commission has published its long-awaited proposals for reform of EU data protection law. The centrepiece of the reform package is a draft Regulation that would replace the existing regime set out in Directive 95/46/EC. The Regulation contains measures that would harmonise data protection procedures and enforcement across the EU, and achieve consistency with the existing system for ensuring privacy online that is set out in the E-Privacy Directive (2002/58/EC). Many of the new provisions contained in the draft Regulation could be expected to have a significant impact on data controllers and processors who are active within the EU, including many who are located outside it but who monitor the behaviour of EU consumers, or offer them goods or services online. (Processors are likely to feel the effect all the more because under the existing system most of the compliance burden is placed on controllers, who then impose contractual obligations on their processors in order to ensure compliance.) The Regulation requires consent to be explicit, and data-access policies and procedures to be transparent as well as fair.
Data controllers will have a new set of compliance obligations (entailing additional record-keeping, auditing and training requirements) in place of the existing system of self-notification, and controllers above a certain size will have to designate a data protection officer. In relation to international transfers of data, the Regulation recognises the role of binding corporate rules, and creates new powers for national data protection authorities to approve not only standard contractual clauses, but also contractual clauses between transferors and recipients. The Regulation envisages a formal mechanism designed to ensure consistency of measures across the EU in relation to matters that are liable to affect several member states. The net effect of the Regulation, which has still to be approved by member states as well as by the European Parliament, would be to strengthen the powers of data protection authorities, enhance the rights of data subjects and increase the compliance burden on businesses.

Background

The EU's data protection regime is currently set out in Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive), with which all EU member states must comply. The Directive was implemented in the UK by the Data Protection Act 1998 (DPA). For information about these provisions, see Practice note, Overview of UK data protection regime and Practice note, Overview of EU data protection regime.
In April 2010, the European Commission announced plans to prepare a new comprehensive legal framework for data protection by modernising the Directive. This was part of a more general drive to protect citizens' rights in the information society (see Legal update, European Commission publishes plans to review data protection framework). The objective of the review was to respond to new technological challenges and to put in place a harmonised framework across the EU for the protection of personal data (including activities in the area of police and judicial co-operation, which were covered by the "third pillar" before the Lisbon Treaty came into force in December 2009).
In November 2010, the European Commission issued a Communication to the European Parliament and the Council in which it set out its approach to the task (see Legal update, European Commission publishes approach to data protection reform).
A copy of the Commission's proposal for legislation to replace the Directive was leaked to various online blogs in December 2011 (see Legal update, Proposal for revised EU data protection framework leaked). Subsequently, there was significant lobbying against the leaked form of the proposals, including representations from the US Department of Commerce in relation to interoperability, cross-border transfers of data, and enforcement.

Facts

Package of proposals

The European Commission has published details of its proposals (see EU Commission: Commission proposes a comprehensive reform of the data protection rules).
Its announcement is accompanied by a set of factsheets answering questions about how the proposals will affect interested parties; results of opinion surveys; and a set of legislative texts including:
  • A Communication entitled "Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century".
  • A proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. This proposal is accompanied by a report on the implementation to date of the 2008 framework decision on protection of such data (see Legal update, European Council adopts Framework Decision for data protection in third pillar for more information). The proposed directive is designed to widen the scope of application of the existing rules so that they will apply to processing activities by the police and judicial authorities at national level, and not just to cross-border transfers of data by such authorities.
  • A proposal for a Regulation on the protection of individuals with regard to processing of personal data and on the free movement of such data (Regulation). The fact that the framework is in the form of a Regulation rather than a Directive means that it would be directly binding on data controllers in all member states immediately upon adoption by the EU institutions, without the need for implementation at national level.
This legal update focuses on the Regulation, which would replace the existing rules set out in the Directive.

Regulation

The Regulation includes nine substantive chapters, covering:
  • General provisions (including subject matter, scope and definitions).
  • Data protection principles.
  • Rights of the data subject.
  • Obligations on controllers and processors.
  • Transfer of personal data to third countries or international organisations.
  • Nature, status, duties and powers of national supervisory authorities.
  • Co-operation and consistency between member states, including the creation of a European Data Protection Board to replace the Article 29 Working Party.
  • Remedies, liability and sanctions.
  • Provisions relating to specific data processing situations, such as processing in a health or employment context.
The Regulation is accompanied by an explanatory memorandum that explains the context of the proposal, the nature and outcome of consultations with interested parties, the legal basis for the proposal and the detail of the provisions that the Regulation contains.
Assuming that the Regulation passes into law, it is to be expected that there will be further legislation to flesh out the detail, as it contains provisions giving the Commission the power to do this in respect of various matters.
This legal update sets out the main points of interest in the draft Regulation. PLC IPIT & Communications will publish further coverage and comment next week.

Chapter 1: Scope and definitions

Material scope (Article 2)

Article 2(2)(d) creates an exemption for processing of personal data "by a natural person without any gainful interest in the course of its own exclusively personal or household activity". The previous, leaked version of this exception excluded activities which made personal data available to the world at large (which would have made, for example, tweeting on Twitter subject to data protection rules), but this proviso has been removed from the final draft.
This new wording clarifies that the "household exemption" previously contained in Article 3(2) of the Directive, which merely exempted processing "by a natural person in the course of a purely personal or household activity", does not apply unless there is a "gainful interest". (Recital 15 suggests that a gainful interest means a connection with a professional or commercial activity.)
The household exemption has been problematic ever since the ECJ held, in the Lindqvist case (C-101/01), that the act of identifying a natural person on an internet site, by name or other personal identifiers, constitutes "processing" of personal data within the meaning of the Directive (see Practice note, Privacy implications of social-networking sites: Household exception).

Territorial scope (Article 3)

Article 3 expands the scope of the data protection framework by extending the rules to data controllers who are not established in the EU if the processing relates to either:
  • The offer of goods or services to data subjects within the EU.
  • The monitoring of EU data subjects' behaviour.
Previously, this was dealt with in Article 4 of the Directive, which applied implementing law to non-EU organisations only if they used equipment situated in the EU for the purposes of their processing (see Checklist, Which national data protection law(s) apply to the processing of personal data). The new provision would bring large US companies such as Facebook and Google into the EU regulatory regime (despite the fact that their servers are in the US), because they directly target EU data subjects with their services, including through tracking, mining and profiling and targeted advertising.
Article 25 requires such non-EU data controllers to nominate a representative within a relevant EU member state, unless they are situated in countries for which there is a Commission finding of adequacy, or the controller employs fewer than 250 people, is a public authority or body, or only offers goods or services to EU consumers on an occasional basis.

Definition of "data subject" and, by implication, "personal data" (Article 4(1))

"Data subject" is defined as a person "who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person".
This definition now incorporates what was previously recital 26 of the Directive, making it clear that personal data includes all data that can identify an individual, whether that data is held by the data controller himself or by a third party which, in combination with the data held by the controller, could identify the data subject. The crucial question is how likely it would be that the data controller would have access to both sets of data to enable identification to take place.
This change is important from a UK point of view, as the DPA has not so far reflected recital 26 and the UK courts, applying only national law, have developed an "in the hands of" concept that provides that the same data controller must hold all the data that make the data subject identifiable. Therefore, if one data controller holds one piece of information, and another holds another piece, and identification takes place only when the two pieces are combined, neither piece on its own will constitute personal data. It is arguable that the DPA was incompatible with the Directive in this respect, and this amendment seems designed to ensure that national law recognises this principle.
This expansion of the definition could affect, for example, rightsholders who hand over IP addresses to ISPs for enforcement under the Digital Economy Act 2010. Until recently, rightsholders could argue that such IP addresses on their own are not personal data (although the validity of this argument was put in doubt by the ECJ judgment in Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (Case C-70/10); see Practice note, Data protection and the internet: UK issues: Meaning of personal data and processing). The re-definition of personal data confirms that rightsholders can no longer use this argument to justify supplying IP addresses, given that they are collecting such addresses with the express purpose of combining them with other data in order to identify the individual. The new definition might mean that any such collection would have to be conducted in compliance with the Regulation.

Definition of "consent" (Article 4(8))

  • Under the Directive, consent to data processing must be a "freely given, specific and informed indication of his wishes by which the data subject signifies his agreement".
  • Article 4(8) of the Regulation changes this to "freely given, specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement [to processing]."
The Regulation would therefore require that all consent must be explicit, although it also provides that the data subject can indicate consent by a clear affirmative action, such as clicking on a tick-box online, as an alternative to making a statement of consent. The UK has so far largely allowed its data controllers to work on the basis of implied consent for the majority of processing activities, so the requirement for explicit consent would require a major change in practice.
This definition is in line with recommendations in relation to consent that were made by the Article 29 Working Party in 2011 (see Legal update, Article 29 Working Party develops detailed interpretation of "consent"). It is also consistent with the definition of "informed consent" that is already used in the context of the new cookie regime under the E-Privacy Directive (2002/58/EC) (see Practice note, Cookies: UK issues). For more information on the issue of consent, see Practice note, The use of consent in data protection and Checklist, The use of consent for the purposes of data protection.

Definition of "personal data breach" (Article 4(9))

This reflects the provisions included in Article 4 of the revised E-Privacy Directive in a technology-neutral way and – together with Article 28 – extends the security breach notification system (currently only applicable to public electronic communications service providers) to all data controllers.
This definition ensures that the framework created by the Regulation is consistent with that established under the E-Privacy Directive. For more information about data security breach notification, see Practice note, Data sharing and data security: Notification of data security breaches and Checklist, Personal data security breach management.

Definition of "child" (Article 4(18))

The definition of "child" as a person under 18 is inconsistent with the US legal definition of a child as someone under 13. This has implications for the data protection obligations with which social network operators, in particular, must comply. Currently they widely use the age of 13 as a cut-off age because of the US law, but this provision means that they would have to ensure greater protection of children between 13 and 18 than they are currently doing.

Chapter 2: Data protection principles

Principles relating to personal data processing (Article 5)

The data protection principles, although modelled on those contained in the Directive, have been made more stringent:
  • First principle: data must be processed not only lawfully and fairly (as under the Directive), but also "in a transparent manner in relation to the data subject". Some may argue that the fairness requirement already implied a need for transparency, but this amendment makes this clear.
  • Third principle: this now includes a data minimisation requirement that demands that personal data must be adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed, and that they should only be processed if the purpose cannot be fulfilled by processing non-personal data. The old criterion (that processing of personal data should not be "excessive") was substantially more lenient than this.
  • Article 4(f) imposes a new accountability principle on data controllers, entailing additional record-keeping, auditing and training requirements. This would replace the notification requirements previously contained in the Directive, as recommended by an Article 29 Working Party opinion on the subject (see Legal update, Article 29 Working Party publishes opinion on proposed new accountability principle).

Lawfulness of processing (Article 6)

The provisions relating to fair processing (Article 5(1)) are very similar to the current conditions, with the exception of the "legitimate interest" condition, in which the counter-interest of the data subjects has been strengthened where the data subject is a child.

Conditions for consent (Article 7)

Article 7 places on the data controller the burden of proving that the data subject has consented to processing, and stipulates that if the data subject's consent is given in the context of a written declaration on another matter, it must be made distinguishable in its appearance from that other matter. This provision strengthens the consent provisions in favour of data subjects.
Article 7(4) goes further, saying that consent will not be valid if there is "significant imbalance between the position of the data subject and the data controller". It will be interesting to see how this provision will be applied in situations where there is an inherent imbalance, such as those involving consumer-seller contracts or consent from employee to employer.

Processing of children's personal data (Article 8)

This provision requires the consent of a parent or guardian before personal data of a child aged under 13 can be processed in relation to information society services. It requires the controller to make reasonable efforts to obtain verifiable consent.

Processing of special categories of personal data (Article 9)

The definition of "special categories of personal data" in this provision is similar to the Directive's definition of "sensitive personal data". Financial and biometric data are still not included, but there is a greater emphasis on genetic and health data. Data relating to criminal convictions has been added to the definition.
The conditions for processing sensitive data echo the existing ones, but with a few notable additions:
  • Article 9(2)(a) envisages that EU law may in certain cases prohibit data subjects from authorising the processing of personal data by giving their consent. This might open the door to a more consumer protection-based approach to personal data. It could lead, for example, to a blacklist or "grey list" of data processing activities, such as the blacklist of unfair commercial practices that is appended to the Unfair Commercial Practices Directive (2005/29/EC).
  • Article 9(2)(g) allows the processing of sensitive data where it is necessary for the performance of a task carried out in the public interest under EU or national law. Under the Directive, this exemption existed in relation to personal data (Article 7(e)), but not sensitive personal data.
  • Article 9(2)(h) permits the "necessary" processing of data concerning individuals' health for certain purposes (set out in Article 81) without consent.
  • Article 9(5) tightens up the requirements for processing of data relating to criminal convictions.

Chapter 3: Rights of the data subject

Transparency and modes of operation and communication (section 1)

Article 11 introduces a new obligation on data controllers to operate policies (governing such matters as processing and disclosure) that are transparent, intelligible and easily accessible to data subjects. It says that information must be provided in plain language, especially when addressed to a child.
Article 12 imposes obligations on controllers to establish procedures for the provision of information, including a maximum time limit of one month for informing data subjects of whether or not any action has been taken in response to a request for access. Article 12(4) prohibits controllers from charging data subjects for responses to requests for access, rectification or erasure, except in relation to vexatious requests.
Article 13 gives data subjects the right to receive copies of communications sent by controllers to third-party recipients of their personal data that request rectification or erasure of that data.

Information and access to data (section 2)

Article 14 (relating to information to be provided at the point of data collection) and Article 15 (relating to responses to data access requests) provide a list of information to which the data subject is entitled that is more exhaustive than was set out in the Directive. It includes, for example, the length of time for which the data will be stored, details of the subject's right to complain to a supervisory authority, and information about the level of protection afforded by any third country or international organisation to which the controller intends to transfer the data. In addition, there is a positive obligation to tell the subject where the controller got the information (Article 14(3), Regulation), whereas the Directive only required the controller to provide this information if it was available (Article 12(a), Directive).
Under Article 15(4), the Commission reserves the right to specify standard forms and procedures for requesting and granting access to information. The creation of standard forms applicable across the EU would help the Commission in its aim to make data protection compliance easier for businesses that operate in multiple member states.

Rectification and erasure (section 3)

Section 3 relates to rectification, erasure and portability of personal information.
Of particular interest is Article 17, which sets out a new "right to be forgotten" which has been the subject of much debate. This right would entitle data subjects to withdraw their consent to the processing of personal data they have given out themselves. In practice, this means that such data would have to be deleted entirely from the controller's system. In respect of information that the controller has made public (such as on the internet), the controller would have to ensure that it erases all hyperlinks to the information. The controller would be required to act without delay unless there were a legitimate reason not to do so, such as a concern about freedom of expression, or a need to retain the data for scientific research purposes or in order to protect the rights of a third party. This requirement is likely to place a significant administrative burden on controllers.
Article 18 entitles data subjects to receive a copy of their personal data in a convenient, portable format such as a disk or MP3 file.

Profiling and the right to object (section 4)

Article 19 creates a "right to object" to processing that is being conducted (without the data subject's consent) under exceptions relating to protection of the individual's vital interests, the public interest and the controller's legitimate interests. Where this right is exercised, the processing must stop unless there are compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
Article 19(2) gives data subjects the "right to object", free of charge, to the processing of their personal data for direct-marketing purposes. The right must be explicitly offered to the data subject, in an intelligible manner and so that it is clearly distinguishable from other information.
Article 20 relates to automated personal profiling of individuals, and prohibits such profiling except in certain circumstances. The Commission is given power to produce secondary legislation to specify suitable measures for protecting individuals that are profiled.

Chapter 4: Obligations on controllers and processors

General obligations on controllers and processors (section 1)

There is an obligation on controllers not only to ensure compliance with the Regulation, but also to be able to demonstrate that they have done so (Article 22). The provision lists certain measures that must be taken, such as appointment of a data protection officer, record-keeping and prior consultation with data protection authorities. It also says that independent verification of such procedures must be conducted, where it is proportionate to expect this.
Article 23 creates a principle that data protection measures should be "by design" rather than "by default". This provision is aimed at ensuring that processing of personal data is limited to what is necessary to achieve the purpose in question, and that access to such data is given only to those who need it within the organisation. "Privacy by design" is a concept that has been promoted by the Information Commissioner's Office (ICO) for some time (see Legal update, ICO publishes report on privacy by design) but, in light of the Directive's relatively subjective requirement that data processing should not be "excessive", many organisations have viewed it as an expensive luxury rather than a necessity.
Article 26 largely follows Article 17(2) of the Directive, but adds a provision that, if a processor processes personal data other than as instructed by the controller, it will assume the position of a joint controller in respect of that processing. Article 24 requires joint controllers to delineate their respective responsibilities and agree on who will conduct necessary procedures for data subject access.
In place of the notification regime that currently operates, there is a new obligation for controllers and processors to maintain documentation relating to their data processing. Article 28 sets out a non-exhaustive list of information that must be kept and produced to the data protection authorities on demand. However, individuals who are processing personal data on a non-commercial basis and organisations with fewer than 250 employees that process data as a by-product of their main business are exempt from these requirements.

Data security (section 2)

Under the current regime, the burden of ensuring data security is placed solely on the controller, who is responsible for ensuring by contractual means that its processors comply with security requirements. The Regulation changes this by placing direct security obligations not just on controllers, but on processors as well (Article 30).
Furthermore, it imposes a system for notifying data subjects of security breaches which is consistent with the breach notification system established under the E-Privacy Directive. The controller is required to notify breaches to the data protection authorities without undue delay and, in any event, within 24 hours of becoming aware of them. This will require controllers to have continuous monitoring and reporting systems in place at all times. Processors also have their part to play in facilitating such notification, and must inform their controller "immediately after the establishment" of a breach, including prescribed information (Article 31).
Security breaches must be notified to the relevant data subjects without undue delay, unless the controller can demonstrate that encryption or other technology rendered the data unintelligible to third parties.

Data protection impact assessment and prior authorisation (section 3)

This section imposes a new obligation on controllers and processors to conduct an impact assessment before undertaking any processing that presents a specific privacy risk. Article 33(2) sets out a non-exhaustive list of categories of processing that will fall within this provision, including profiling, analysis of data on sensitive subjects such as sex life or health, large-scale CCTV monitoring of public places, and mass processing of genetic or biometric data or children's personal data.
If a controller or processor wishes to make an international transfer of personal data without the safeguards of a legally binding instrument (of a type set out in Article 42) or of contractual clauses authorised by a national data protection authority (under Article 42(5)), it must obtain prior authorisation from its national data protection authority.
Prior consultation may also be required if the authorities deem it appropriate, or if the impact assessment indicates a high degree of risk.

Mandatory designation of data protection officer (section 4)

Any data controller or processor which:
  • Is a public authority or body; or
  • Employs 250 people or more; or
  • Regularly and systematically monitors data subjects,
must designate a data protection officer for a minimum initial period of two years. If the requirement is triggered solely by the criterion on the number of employees, it would be adequate to appoint a single officer for a group of companies, and in the case of public bodies and authorities, several entities may share a single officer.
The officer must be allowed to operate independently and must report directly to management level. Article 37 sets out the core tasks that the officer must be given.

Codes of conduct and certification (section 5)

Section 5 encourages member states to draw up codes of conduct relating to data protection, and provides for the first time that the European Commission can validate such codes. Another new provision is the recommendation that certification mechanisms, seals and marks be used to provide reassurance to data subjects.

Chapter 5: Transfer of personal data to third countries or international organisations

Chapter 5 relates to cross-border transfers of data (including transfers to international organisations). For information on this area of law, see Practice note, Cross-border transfers of personal data.
The Regulation proposes several changes to the existing regime:
  • Under the Directive, a finding of adequacy could only apply to a non-EU country as a whole. In contrast, under Article 41 of the Regulation it can also apply to a territory or processing sector within a non-EU country, or to an international organisation.
  • The Regulation gives legislative recognition, for the first time, to the role of binding corporate rules (BCRs) (Article 42(2) and Article 43). For more information about BCRs, see Practice note, Cross-border transfers of personal data: BCRs.
  • Standard data protection clauses could be pre-approved by national data protection authorities, subject to their being declared valid by the Commission itself (Article 42(2)(c)).
  • International transfers could be made under contractual clauses between the controller or processor and the person who is receiving the data, provided that these clauses have obtained prior authorisation from the national data protection authority (Article 42(2)(d)).

Chapter 6: Independent supervisory authorities

Independent status of national data protection authorities (section 1)

Under section 1, national data protection authorities must be made independent (by various measures set out in Article 47), and would have new duties to co-operate, both with their counterparts in other member states, and with the Commission itself.
Member states would be required to legislate for the creation of such authorities, the quality of their staff, internal procedures and other matters (Article 49).
Section 2 deals with the duties and powers of these authorities. Notably, national authorities are given powers:
  • To act as the lead authority in cases where a controller or processor is established in several member states, so as to ensure unity of application (a "one-stop shop" concept) (Article 51(2)).
  • To sanction administrative offences (Article 53) such as the offences envisioned in Article 79 (see Chapter 8: Remedies, liability and sanctions).

Chapter 7: Co-operation and consistency

Co-operation (section 1)

Under the Directive, national data protection authorities could ask each other to exercise their powers, and they were required to co-operate with each other "to the extent necessary for the performance of their duties, in particular by exchanging all useful information" (Article 28(6), Directive). Article 55 of the Regulation greatly expands on this, introducing explicit rules on mandatory mutual assistance, including requirements for sharing of information and consequences for non-compliance with the request of another authority. Article 55(8) specifies a one-month deadline for an authority to comply with another's request, failing which the requesting authority will be competent to take a provisional measure in its own member state.
Article 56 sets out a framework for collaboration between data protection authorities in different territories in relation to investigation, enforcement and other joint operations. Each data protection authority will have the right to participate in any such operations that relate to processing that is likely to affect data subjects within its territory.

Consistency (section 2)

This section creates a procedure for national data protection bodies to communicate certain types of proposed legal measures to the European Data Protection Board (EDPB) and the Commission, in the interest of creating consistency across the EU. Notably, measures adopted under this procedure would be enforceable by the data protection authorities of all EU member states (and not just those which have proposed them).
Measures that would fall within this requirement include:
  • Measures relating to processing activities in connection with sales to consumers across several EU member states, or with behavioural monitoring of such consumers.
  • Measures which may substantially affect free movement of personal data within the EU.
  • Measures that are on a list of types of processing that the national authority wishes to designate as requiring prior consultation with it (drawn up under Article 34(4) of the Regulation).
  • Standard data protection clauses that the national authority would like the Commission to declare generally valid (under Article 42(2)(c) of the Regulation).
  • Contractual clauses which the authority would like to authorise (under Article 42(2)(d) of the Regulation).
  • Binding corporate rules.
National authorities and the EDPB can, in addition, request that other types of measure be subjected to the consistency mechanism.
The mechanism itself involves the issue of an opinion by the EDPB within one week, adoption of that opinion within one month, and response from the national authority within two weeks as to whether it will amend its draft measure or retain it as it stands. The Commission could also, within ten weeks of the matter being raised, adopt its own opinion, of which the national authority would have to "take utmost account".
If the national authority were to decide not to follow the Commission's opinion, and the Commission had serious doubts as to whether the draft measure would properly reflect the Regulation or would lead to inconsistency of application, the Commission could adopt a decision suspending the adoption of the measure for up to 12 months while it tried to resolve the issue or, ultimately, it could decide the matter by adopting an implementing act (under Article 62). There is provision for the national authority to expedite this by requesting an urgent opinion, in cases where delay might put the interests of data subjects at risk.

European Data Protection Board (section 3)

These provisions would create a new EDPB (consisting of the heads of the data protection authorities of EU member states and of the European Data Protection Supervisor) and outline its powers and duties. The EDPB would replace the Article 29 Working Party.

Chapter 8: Remedies, liability and sanctions

This chapter gives data subjects a judicial remedy against decisions of national data protection authorities which concern them (Article 74), and against controllers and processors who infringe their rights by failing to comply with the Regulation (Article 75). This includes a right to compensation for any damage suffered (Article 77(1)).
Article 79 sets out the fines that can be awarded against controllers and processors who fail in their data protection duties (although it leaves it to national authorities to decide the actual level of fines). The amount of any fine would be fixed with regard to:
  • The nature, gravity and duration of the breach.
  • Whether the breach was intentional or negligent.
  • The degree of responsibility of the relevant person, and any history of previous breaches.
  • The technical and organisational compliance measures that were in place.
  • The degree to which the organisation has co-operated with the authorities to try to remedy the breach.
A range of sanctions is provided for:
  • A written warning in cases of first and non-intentional failure to comply, where the offender is an individual who was conducting the processing on a non-commercial basis, or an organisation employing fewer than 250 people whose main business is not the processing of data.
  • Fines of up to EUR250,000 (or up to 0.5% of the organisation's annual worldwide turnover) for intentionally or negligently failing to operate a proper subject access request mechanism, failing to respond promptly, or in the correct format, to subject access requests, or charging a fee for responding to such requests.
  • Fines of up to EUR500,000 (or up to 1% of annual worldwide turnover) for intentionally or negligently failing to respond to subject access requests in a manner which complies with the Regulation. The provision sets out a variety of ways in which an organisation might commit such failure, including for example refusing access, providing only partial data, and failing to consult with joint controllers of the information.
  • Fines of up to EUR1 million (or up to 2% of annual worldwide turnover) for other compliance failures, such as processing without a sufficient legal basis, failing to comply with the more stringent regime applicable to special categories of data and risky types of processing such as profiling, failing to notify data breaches, transferring data to a territory without ensuring appropriate safeguards, or failing to designate a data protection officer.

Chapter 9: Provisions relating to specific data processing situations

Chapter 9 creates special rules for specific situations:
  • It allows member states to derogate from the Regulation where the processing is conducted solely for the purposes of journalism, literary or artistic expression, or to reconcile the right to data privacy with the right to freedom of expression (Article 80(1)).
  • It requires that personal data concerning health be processed within suitable and specific legal safeguards (Article 81).
  • It envisages the adoption of specific national legal rules to govern processing within an employment context (Article 82).
  • It sets out restrictions on processing that is for the purposes of historical, statistical or scientific research.

Comment

The proposed Regulation would strengthen the powers of data protection authorities. Not only would they have comprehensive investigative powers, but also the power to impose fines of up to 2% of worldwide turnover.
Businesses are likely to be concerned about the various new rights for individuals under the Regulation:
  • First, the right "to be forgotten" will enable individuals to have their data deleted unless the data controller can demonstrate compelling legitimate grounds for retention, such as those relating to freedom of expression or newspaper archival. One of the stated aims of this right is to help teenagers to protect their online identities. Online platforms, such as social media networks, are likely to be adversely impacted by it.
  • Second, there is a compulsory data breach notification obligation that applies across all sectors. The ICO wants this obligation to be limited to serious breaches only, and is likely to lobby to this effect in later stages of the legislative process. The requirement is to notify the individuals affected and the relevant authority as soon as possible. The EU Commissioner Viviane Reding has stated that this means within 24 hours, a view widely regarded as unrealistic.
  • Third, data controllers not established in the EU would be subject to the Regulation if their processing were aimed at individuals residing within the EU. Many US online businesses would be caught by this, although it is not clear how these rules would be enforced outside the EU.
Existing rights of individuals have been strengthened in several areas:
  • First, the meaning of personal data would be broader than that given by the UK courts and ICO to date and, consequently, the scope of data protection law would be extended in the UK.
  • Second, where consent is required for data to be processed, it would have to be given explicitly. This could be challenging, particularly in the online environment and in the employment context. Currently in the UK, implicit consent is sufficient in many circumstances.
  • Third, individuals' rights to access their own data would be enhanced. In particular, there would be a right of data portability enabling individuals to obtain a copy of the data held about them in a reusable, electronic format.
  • Fourth, a new requirement would be introduced for prior approval by the relevant authority of certain types of international transfer deemed to be higher-risk.
  • Fifth, data processors would have direct obligations under the legislation for the first time.
These and other measures are likely to increase the administrative burden on businesses. Moreover, many businesses would be required to appoint a data protection officer. That role would cover carrying out mandatory data protection impact assessments, compulsory documentation of various processes, and training, all of which are features of the Regulation.
The key achievement of the Regulation would be to replace the patchwork of laws of the 27 member states with a single set of data protection laws. Businesses would only need to deal with a single data protection authority, saving vast amounts of time and money. However, the Regulation's more restrictive and less-nuanced approach would hit British industry particularly hard, as to date the ICO has been among the more pragmatic of the national data protection authorities in the EU.
The Regulation will need to be approved by the EU's member states and ratified by the European Parliament. Consequently, it could take two or more years for it to take effect. During this period it is expected that there will be much lobbying, particularly by those US businesses likely to be affected.