By Kevin Bailey, Head of Market Strategy.
They say that there is no smoke without fire and the proposed EU Data Protection Regulation (EU DPR) that will supersede the previous EU Data Protection Directive 95/46/EC maybe the fire from which a lot of smoke and hot air has been expelled from Belgium over the past 2 years.
The new regulation was announced in January 2012 to address the digital age and other ‘norm’ functions, such as mobile working and electronic globalization, with the hope that the 27 EU Member States who had implemented the 1995 rules differently (which resulted in divergences of enforcement) would concur. A single law will strive to do away with the current fragmentation and costly administrative burdens, (hopefully) leading to savings for businesses of around €2.3 billion a year and help reinforce consumer confidence in online services, amongst others.
On Monday 21 October members of the LIBE (Home Affairs and Civil Liberties) committee overwhelmingly voted to approve 91 adopted amendments from a distillation of more than 3,000 amendments submitted to the European Parliament's lead negotiator, or rapporteur, German Green lawmaker Jan Philipp Albrecht These amendments will now feed into negotiations between Parliament, the Council of Ministers and the Commission. The vote of the LIBE committee is one more move towards adoption of the draft Regulation.
The committee's approval of the draft regulation was a preparatory step that sets out the position of the European Parliament on the data protection reform ahead of negotiations on the final legislation with the EU Council, which represents the governments of EU member states. The objective is to reach an agreement that the full European Parliament could vote on in April 2014.
Albrecht, the rapporteur, said that the aim was to finalize the data protection reform before European Parliament elections in May 2014.
The main outcomes are:
- Fines up to €100 million or 5% of annual worldwide turnover: MEPs propose:
(i) a written warning (unintentional, first offences only),
(ii) regular audits, and
(iii) a fine of up to €100 million or 5% of annual worldwide turnover, whichever is greater.
- Broad territorial scope confirmed: the amendments apply the Regulation to organisations outside the EU whenever they process personal data, in connection with provision of services to or monitoring, individuals in the EU. This will apply to both controllers and processors – so US cloud providers who host personal data of EU individuals will, in many cases, be directly subject to EU law – even when the cloud provider's clients are not themselves established in the EU.
- Additional definitions in Article 4: MEPs have not pursued the new concept of a “data producer” (suggested in an earlier draft). However, new terms are introduced: “pseudonymous data” (data that cannot be attributed to a specific individual without the use of data held strictly separately), “encrypted data”, “profiling”, “third party” and “genetic data”. The definition of “main establishment” is amended: for both controllers and processors this will be where the main decisions on personal data processing are taken.
- The compromise amendments state that identifiers provided by devices, applications or other online tools will be regarded as personal data, unless they do not relate to an identified or identifiable person. RFID technologies are added to the list of relevant examples.
- Legitimate interests remain a strong lawful basis for processing personal data: These can be overridden where processing does not meet individuals' reasonable expectations. The Recitals suggest certain types of processing suitable for processing based on legitimate interests:
(i) pseudonymous data
(ii) processing for enforcement of legal claims and to prevent or limit damages, and
(iii) for direct marketing purposes by post.
- Consent must be freely given: a service cannot be made conditional on a user giving consent to the processing of personal data that is not 'necessary' for the service. As the provisions on profiling remain unclear, this may constrain ad-supported services.
- Data formerly known as sensitive: MEPs have expanded the definition to cover “gender identity” and a variety of sanctions (i.e. administrative or criminal) or suspected offences. The compromise amendments also add two additional legal grounds for processing such special categories of data:
(i) performance or execution of a contract,
(ii) processing necessary for archiving purposes.
- Commission-delegated acts significantly reduced: MEPs have massively restricted this and instead have reinforced the role to be given to the European Data Protection Board (“EDPB”) in issuing guidelines, recommendations, and/or best practice.
- Data subject’s rights: MEPs encourage data controllers to provide data subjects with direct access to their personal data via a secure system, echoing “mydata” movements. Controllers are given 40 calendar days (against one month in the Commission text) to respond to data subject rights.
- Icon based privacy notices: information must be provided in two ways:
(i) in a yes/no icon based table (with prescribed icons such as a money bag with a € on it to indicate list rental); and
(ii) in a detailed notice.
MEPs have expanded the prescribed contents for the detailed notice.
- MEPs displeased by PRISM and the like: various new provisions have been included:
(i) provides a data subject with the right to know if his personal data has been disclosed to a public authority at the authority's request,
(ii) prohibits the transfer of personal data required by a third country court decision or administrative authority if this is not compliant with a mutual legal assistance treaty or an international agreement,
(iii) Article 15 of Directive 2002/58/EC which authorises use of traffic and location data by public authorities i.e. for safeguarding national security and law enforcement activities has been deleted.
- A right to be forgotten rebranded: the “right to be forgotten and to erasure” becomes the “right to erasure". MEPs introduce a welcome limitation by providing that, instead of erasure, the data should be restricted where “the particular type of storage technology does not allow for erasure and has been installed before the entry into force of this Regulation”.
- Two sorts of profiling subject to different obligations: the European Parliament introduces a distinction between two sorts of profiling. The first leads to measures producing legal effects or significantly affecting the data subject. This is only possible:
(i) if necessary for entering into/ performance of, a contract where there are suitable measures to safeguard the individual's legitimate interests,
(ii) where expressly provided by EU/ member state law, or
(iii) if based on the consent.
Other profiling activity (e.g. provision of content by a news website based on the country of origin of the internet user) is acceptable but a right to object must be highlighted. Profiling based on pseudonymous data falls into the second category – unless it can be attributed to a specific data subject, in which case the data is no longer pseudonymous.
- Joint controllers: the European Parliament now provides that the “essence of the arrangement” between co-controllers shall be made available to the data subjects. This aims to force controllers to define clearly who does and is responsible for what.
- Amendments to data breach notification framework: Requires notification “without undue delay”. MEPs have also inserted a duty for supervisory authorities to maintain a public register of the types of breach notified. Questions remain as to
(1) what will happen to the breach notification regime currently being discussed in the draft Cyber security Directive and
(2) to providers of publicly available electronic communications services who remain subject to their specific procedures pursuant to European Regulation 611/2013 (i.e. notification within 24 hours after detection of a breach).
- Data Protection Impact Assessment (PIA): the threshold for PIAs is extended - e.g. processing of personal data relating to more than 5000 data subjects during any consecutive 12-month period. In certain cases, the data protection officer or the supervisory authority must be consulted. PIAs must be repeated at least annually. 'LDPM' is likely to become the new data protection acronym, as PIAs are now part of a new Lifecycle Data Protection Management obligation.
- Data protection officer (DPO): the trigger for appointing a DPO will be the number of people whose data is processed (5000 data subjects in any consecutive 12-month period), not the number of personnel. A DPO will have to be appointed if
(i) special categories of data,
(ii) location data,
(iii) data relating to children, or
(iv) employee data in large scale filing systems are processed.
There is a new 4 (employee) or 2 (contractor) year minimum term for the DPO, a list of minimum qualifications, and a duty of confidentiality.
- 'European data protection seal': Companies are encouraged to certify their data processing by a supervisory authority, possibly in cooperation with accredited third party auditors. Such certificate would be valid for up to 5 years. A public register of valid and invalid certificates will be maintained. To encourage certification, there are some incentives such as
(i) offering a lawful basis for transferring the data if the accredited company is located in a third country, or
(ii) not being subject to fines unless the breach is intentional or negligent.
- Transfer to third countries: the criteria for assessing adequacy are altered. Existing adequacy decisions by the Commission are to expire 5 years after entry into force of the Regulation (unless amended, replaced, or repealed by the Commission before then). Authorisations granted by data protection authorities are subject to a 2 years sunset period. Unfortunately, it seems that the same sunset period also applies to transfers based on standard contractual clauses and Binding Corporate Rules (both of which rely on authorisations of Directive 95/45).
- Supervisory Authorities: the one-stop shop is replaced by a 'lead authority': the lead must consult all other competent authorities, take the utmost account of their opinions, and endeavour to reach a consensus. The EDPB will be involved if a consensus cannot be found and is given powers to impose decisions on individual authorities.
In addition to voting on amendments to the General Data Protection Regulation, MEPs also voted on amendments to the proposed Directive on data protection in the law enforcement sector.