The reforms to the EU data protection regime widely expected to be adopted in May 2014 before the European Parliamentary elections may now be delayed to 2015. EurActiv reports that the possible delay is due to efforts by the UK Government last week at a meeting of the European Council after it expressed concerns about the impact of the regulation on business.
As interested parties will be aware, the data protection reforms were first proposed by the European Commission in January 2012 with a view to, amongst other things, updating the 1995 EU Directive (95/46/EC) in line with the challenges of technological advances and globalization and strengthening online privacy rights. (The protection of citizens in relation to the processing of personal data is a fundamental right enshrined in various EU constitutional documents.) In addition, the current regime has attracted criticism for resulting in a piecemeal approach to compliance standards and enforcement, owing to differences in how the directive was implemented into local law in each of the 28 EU member states.
The initial proposals back in 2012 were radical enough for some in proposing a regulation rather than a directive as the legislative instrument. (A regulation means that the adopted law will be directly applicable across the EU in its entirety, with little or no scope for member states to be flexible in their interpretation of its provisions.) But this latest announcement follows even more suggested, and arguably radical, changes to the regulation by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE), announced only a few days before. The latest changes (which may not be the final word) re-emphasise the rights of the consumer and place heavier burdens on those handling EU citizens’ personal data. Commentators have suggested that some of the more radical changes may have garnered support following the Snowden revelations and the allegations of bugging of world leaders’ mobile telephones by the US. Certainly a new restriction on non-EU government surveillance, which will require the permission of a national data protection authority before personal information is transferred outside the EU in response to such a request, together with an obligation to tell the individual about the request, seems to support this view.
Our top ten of these latest changes are as follows:
- Territorial Scope: Confirmation that EU law would apply to EU citizens’ personal data even if the data are processed outside of the EU
- Definitions & Conditions to Consent: Explicit consent only, i.e. consent that is freely given, specific, informed and an explicit indication of the data subject’s wishes, either by a statement or by a clear affirmative action. It must also be as easy to withdraw consent as it is to give it
- Right to Erasure: At the request of the individual (subsuming the right to be forgotten)
- Profiling: New restrictions on the ability to profile and a right to object which the individual must be advised of in a highly visible manner
- Data Breach Notification: Requirement to notify a supervisory authority without undue delay, presumed to be within 72 hours (a change from the previous 24 hours requirement)
- Designation of Data Protection Officer: Requiring the appointment of a data protection officer (DPO) by all companies processing the personal data of more than 5,000 data subjects in any consecutive 12-month period (a change from the previous requirement for DPOs where a company has 250 or more employees)
- Certification: A new concept of a voluntary data protection certificate to certify that data controllers are in full compliance with the regulation
- Right to Compensation: Right for an individual to seek compensation for pecuniary and non-pecuniary damage as a result of the unlawful processing of their data
- Sanctions: Larger maximum fines of up to 100 million euros or 5% of a company’s annual worldwide turnover, whichever is greater (a change from the previous maximum of 1 million euros or 2% of annual worldwide turnover)
- Minimum Standards in Employment Context: Member states will have some flexibility to adopt legal provisions or collective agreements in respect of processing in an employment context provided they comply with the remainder of the regulation, are proportionate or are covered by a statutory basis. Any processing must stay within the purpose for which it is collected and consent will only be valid if freely given.
There will undoubtedly be further negotiation, amendment and compromise, so watch this space. In the meantime, it should be remembered that even if the regulation is finally adopted in 2015, it will only become effective two years later.
The latest amendments from LIBE are available in two parts at http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/comp_am_art_01-29/comp_am_art_01-29en.pdf and at http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/comp_am_art_30-91/comp_am_art_30-91en.pdf.
Caveat Vendor is Paul Hastings’ Consumer Issues blog.