Francoise Gilbert
The European Commission has determined that the privacy and data protection framework applicable throughout the European Union must be revised in order to adapt the current rules to the rapid technological changes that have dramatically modified the way individuals live and companies operate. Communication COM (2010) 609, published on November 4, 2010, summarizes the goals that the European Commission has set for the overhaul of the EU data protection regime.[1]
The Commission intends to expand the duties and obligations of the data controllers, improve the awareness and understanding of privacy matters by individuals, increase the protection of individuals’ rights especially in the context of Web 3.0 applications, and ease the flow of information in the internal market as well as in the context of crossborder data transfers out of the European Union.
New Responsibilities and Obligations For Data Controllers
Communication 609 stresses data controllers’ responsibility for ensuring effective data protection in the new technological context. To this end, the Commission plans to examine ways to enhance data controllers’ responsibilities with respect to the protection of personal information, such as by requiring most companies to appoint a data protection officer and to conduct privacy assessments in certain cases.
- Mandatory Appointment of a Data Protection Officer
The Commission proposes to make the appointment of an independent Data Protection Officer (DPO) mandatory for companies over a certain size. The specific size or criteria for triggering this obligation have not yet been identified. The Commission also intends to harmonize the rules related to the DPO’s tasks and competences, while reflecting on the appropriate threshold to avoid undue administrative burdens, particularly on small and micro-enterprises.
Currently only a small percentage of the EU Member States have adopted the concept of the DPO. This is the case, for example, for Germany, France, Estonia, and Hungary. In addition, the existing laws that provide for a DPO may make it an option rather than an obligation. This is the case in France and Estonia.[2] On the other hand, the appointment of a DPO is mandatory in other countries, for example, in Hungary and Germany.
When a country’s law provides for a DPO, this individual is granted specific powers and authority. The DPO may be an employee of the company or may be an outsider. In all cases, the individual is paid by the company, but must be able to act independently. The DPO reports only to the company management. The DPO is also responsible to the country’s Data Protection Authority for ensuring that the company abides by the applicable data protection law. The DPO is responsible for monitoring the company’s compliance with the applicable legislation, receiving complaints from the data subjects, informing the data controller of deficiencies, preparing an annual report of his or her activities, and much more. Should the company be found liable for any infringement, the DPO is likely to bear a portion of the responsibility, including jail terms, if the country’s law provides for it. In addition, the DPO usually must keep a register of the data processing performed by, or on behalf of, the data controller. Thus, it should be expected that the updated directive would contain most of these features as well.
The advantage of this structure is that it usually increases a company’s awareness of, and compliance with, the applicable data protection laws. By having one individual assigned to focus on privacy and data protection matters, the company has a better chance to reach compliance. In addition, the presence of a DPO is likely to improve the interaction between a company and the local Data Protection Authority. Of course, the creation of this function creates a financial burden for which companies would have to plan.
The concept of the DPO has some common elements with the Chief Privacy Officers or Privacy Directors often appointed by US companies. However, the main difference between the US and the EU structure is the fact that the DPO could be criminally liable for infringements. Another important difference is the extent of the powers that are granted to the DPO under the current EU Member State laws. In the United States, the authority, scope of powers, and rank within the company’s hierarchy vary from company to company. Abroad, the authority and powers are mandated by law.
- Use of Privacy Impact Assessment
In addition, the Commission proposes to require data controllers to carry out privacy impact assessments (PIA) in specific cases, for instance, when sensitive data are being processed, or when the type of processing otherwise involves specific risks, in particular when using specific technologies, mechanisms or procedures that include profiling or video surveillance.
PIAs are deemed a best practice and are recommended in most circumstances when an entity designs a new product, updates an existing one or takes a new measure, such as a new use of personal information. Thus, this change should not drastically affect companies that already have appropriate structures in place, or that have a concern for the protection of the privacy rights of their users or employees. For the others, the new requirement is likely to cause changes in project development frameworks, and to create an additional administrative burden and cost.
Despite the fact that a PIA may cause costs, delays, or some level of reorganization, it will also have a positive effect. Conducting a PIA before the completion of the design and development phase will allow confirmation that the proposed product provides adequate privacy protection, or will point, early in the development process, to deficiencies that can be corrected more economically when addressed promptly. In the end, the use of PIAs should save businesses money and effort.
- Expanded Obligations for Data Processors
Communication 609 also indicates that the Commission intends to ensure that the responsibility for the protection of personal data applies also to data processors and to data controllers that are subject to professional secrecy obligations (e.g., lawyers).
Indeed, since the adoption of the 1995 EU Data Protection Directive, there has been a significant wave of outsourcing and subcontracting. For many companies, the processing of personal and other data is accomplished by numerous third parties, service providers, advertising networks, hosting companies, contractors, and the like. These service providers may also rely on several layers of subcontractors, so that there is little contact, and no privity of contract, between the data controller who is responsible for the data and the entities that actually process the data. Ultimately, the distance (geographic and contractual) between the data custodian and the actual data processor may be so significant that the protection of confidential or sensitive data inevitably lessens.
It is not clear how the Commission will address the issue of processors’ liability. It is likely that the updated Controller to Processor Standard Contractual Clauses might serve as an example of the allocation of liability in a structure where numerous third parties contribute to a common goal.[3] In this model, the data controller has an obligation to keep track of the different layers of subcontracting, and the law of the data subject follows the data through these layers of subcontracting. In addition, the different layers of subcontractors are jointly liable.
Strengthening Individuals’ Rights
New technologies and new uses of technology, such as social media and behavioral targeting, have eroded individuals’ rights and protections. The Commission is especially concerned with the collection of personal data through technologies, in increasingly elaborate ways that may not be easily detected. For example, the use of sophisticated tracking technologies allows the monitoring of individuals’ behavior. Electronic transport ticketing, road toll collecting, and other procedures allow the automatic collection of data, including location data. Social media applications result in the sharing and disclosure of information about individuals’ interests, and the collected information can easily become globally available. Cloud Computing may cause the loss of individuals’ control over their potentially sensitive information when their data are stored on applications hosted on someone else’s hardware.
To address this evolution, the Commission intends to find means to ensure appropriate protection for individuals in all circumstances. One priority is to ensure informed and free consent. This could be achieved, among other things, by increasing transparency for data subjects, enhancing individuals’ control over their data, and raising awareness. In addition, the Commission proposes to increase the scope of the definition of sensitive data and to make remedies and sanctions more effective.
- Increasing Transparency and Ensuring Informed and Free Consent
The current rules regarding individuals’ consent to the processing of their data have been interpreted differently throughout the European Union. The formalities range from a requirement for written consent to acceptance of an implicit consent. Further, the opacity of privacy policies online makes it difficult for individuals to be aware of their rights and to give informed consent.
Communication 609 stresses the need for individuals to be well and clearly informed, in a transparent way, of the data controllers’ data handling practices. The information must be easily accessible, easy to understand, and provided in clear and plain language. According to Communication 609, the Commission may introduce a general principle of transparent processing of personal data in the legal framework in order to increase transparency for data subjects.
The Commission may also define specific obligations for data controllers that will depend on the type of information to be provided and on the modalities for providing it, including in relation to children.
In addition, the Commission has committed to examine ways of clarifying and strengthening the rules on consent in order to ensure informed and freely given consent. This change is likely to require companies to change their privacy notices to make them more easily understandable by their users, clients, and employees.
This trend towards clarity and simplification is consistent with the approach that the Federal Trade Commission has also identified, as indicated in the 2010 roundtables, as well as in its consent decree with Sears.[4] In the Sears case, the Federal Trade Commission determined that a failure to clearly and conspicuously address a certain issue in the company’s privacy notice was an “unfair practice.” In addition, the FTC has made frequent statements, in its recent series of roundtables, and in other venues, about the need to address the shortcomings of the current “notice and choice” scheme.[5]
- Ensuring Appropriate Protection in all Circumstances
According to Communication 609, the Commission will also consider how to ensure a coherent application of data protection rules, taking into account the impact of new technologies on individuals’ rights and freedoms. In practice, this means that some categories of information and processing will be subject to additional measures. Key-coded data, location data, and data mining technologies are especially targeted.
While it is not clear how this goal will be achieved, it is certain that it will have a significant effect on many companies. Some categories of data may receive enhanced protection, and some types of uses of data may become more regulated. This, in turn, might affect the business models or revenue streams.
- Expanded Definition of “Sensitive Data”
In addition to the above, the revisions are also likely to result in the expansion of the definition of “sensitive data.” The current definition of “sensitive data” is limited to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life. According to Communication 609, the Commission will consider whether other categories of data should be considered as “sensitive data,” for example genetic data. It will also further clarify and harmonize the conditions allowing for the processing of categories of sensitive data.
The expansion of the definition of “sensitive data” is likely to create an additional burden for companies. Indeed, throughout the European Union – and in many countries that follow the EU model – data that are deemed sensitive are subject to special protections. For example, the collection and processing, and crossborder transfers of sensitive data, is generally prohibited, unless an exception applies. Thus, the expansion of the definition of “sensitive data” is likely to require companies to go through more red tape before collecting or processing data that were previously not restricted.
This proposed change might bring the United States and the European Union closer. The United States recently passed GINA (the Genetic Information Nondisclosure Act). Among other things, GINA places broad restrictions on an employer’s deliberate acquisition of genetic information, mandates confidentiality for genetic information that employers lawfully collect, and strictly limits disclosure of such information. Thus, US employers who have had to address compliance with GINA might find it easy to address the new EU requirements.
Communication 609 does not provide any other example of potential sensitive data. Thus, it is difficult to appreciate the effect of this proposed change. Concurrently, the United States is also seeking to identify which categories of information should be deemed “sensitive information.” In this regard pending bills are paying increasing attention to location-based information. Pending US data protection bills would make location information a category of “sensitive data.”[6] In addition, identifiers such as social security and driver’s license numbers are also frequently treated as sensitive information.
- Enhancing Individuals’ Control Over Their Own Data
Communication 609 notes the challenges encountered by individuals when trying to exercise their right to access, correct, and delete or block their data. This has been the case in particular when social networking sites have retained individuals’ information without the knowledge or consent of those individuals.
The Commission intends to clarify and strengthen the rights of access, correction, and deletion. To achieve the goal of enhancing individuals’ control over their data, the Commission proposes to examine ways of improving the modalities for the actual exercise of the rights of access, rectification, erasure or blocking of data. For example, this might be achieved by introducing deadlines for responding to individuals’ requests, by allowing the exercise of these rights by electronic means, or by providing that the right of access should, as a principle, be exercised free of charge. It also proposes to clarify the right of individuals to prevent the processing of their personal data, and to have their data deleted when they are no longer needed for legitimate purposes (the “right to be forgotten”). This is the case, for example, when processing is based on the person’s consent and he or she withdraws that consent, or when the storage period has expired.
In addition, the Commission proposes to increase the rights of individuals by placing stronger restrictions on companies. The proposed changes would include strengthening the principle of “data minimization,” i.e., limitation to the processing of data by data controllers in relation to the purpose for the collection of the information. In addition, the Commission is planning to introduce the rights of “data portability,” i.e., providing the explicit right for individuals to withdraw their own data (e.g., photo or list of friends) from an application or service, so that the withdrawn data can be transferred into another application or service, as far as technically feasible, without hindrance from the data controllers.
These changes are likely to significantly affect social networking sites and other cloud computing providers that cater to individuals. With these proposed changes, the balance would tip in favor of users. It remains to be seen whether these requirements would echo in the United States. For several years, the US Federal and State enforcement agencies, as well as numerous EU and other data protection agencies, have been concerned about the uses and misuses of personal data by social media sites. State Attorneys General have conducted several investigations against Facebook, MySpace, and others such as virtual worlds, questioning their collection and handling of personal information. Data Protection Authorities, such as Canada’s or Germany’s, have also questioned some of Facebook’s practices. The Federal Trade Commission has conducted a thorough evaluation of social media and virtual worlds as well.
- Security Breach Disclosure
The Commission is also planning to introduce a personal data breach notification requirement that would identify who should receive notifications and the criteria for triggering the obligation to notify. This framework would expand the current framework that has been structured in the 2009 amendments[7] to the 2002 e-Privacy Directive.[8]
For several years, EU Member States have expressed great interest in the wave of security breach disclosure laws that were enacted in the United States after the groundbreaking adoption of the first law of this nature in California in 2002.[9] Several EU Member States have explored different forms of security breach disclosure requirements. The 2009 amendments to the 2002 e-Privacy Directive introduced the concept of security breach disclosure for providers of electronic communications networks and services in connection with the processing of personal data and the protection of privacy in the electronic communications sector. The upcoming revision of the 1995 Directive would expand these requirements to all types of data.
American companies are familiar with security breach disclosure requirements. Many have implemented security incident preparedness policies and procedures. They should therefore be in a good position to quickly adapt to the requirements that will result from these amendments in the European Union. Hopefully, the changes will be expressed in sufficient detail to ensure that the Member States will adopt consistent measures and that Europe does not end up with a patchwork of laws as diverse as those currently in effect in the United States.
Ensuring The Free Flow Of Data Within The Internal Market
The Commission acknowledges that the tools that were created to harmonize the national laws of the Member States have been ineffective. There are significant divergences between the national laws in a large number of sectors, such as in the employment context, which hampers the free flow of data within the internal market. The proposed changes would provide additional means to facilitate the flow of individuals and their personal data throughout the European Union, by reducing the administrative burden for entities that operate in several Member States and by clarifying the rules on applicable law and Member States’ responsibility.
- Reduce the Administrative Burden
Noting that the current general obligation to notify all data processing operations to the Data Protection Authorities is cumbersome, Communication 609 proposes to reduce the administrative burden for entities that do business in several Member States. One of the potential avenues would be the simplification and harmonization of the current notification system. In particular, it proposes the possible development of a uniform EU-wide registration form.
The obligation to file notifications in numerous countries has been a burden for all companies with operations in several Member States. This proposed change would reduce the red tape and administrative burden. There is no indication of how the EU-wide registration system would work. Since the fees from registration constitute an important source of revenue for those data protection authorities that are self-funded, it is likely that such a change may create concerns in some countries about the decrease in revenues. In addition, if a system similar to that currently used for the filing of BCR applications is adopted – i.e., the designation of a “lead data protection authority” – it will be important to provide specific rules on how the lead will be identified. Otherwise, there may be “forum shopping” by companies in search of a friendly jurisdiction for their filing.
Another solution might be to use a system similar to that which is used with trademarks, where a single entity receives all filings. European trademarks are filed with the Office for Harmonization in the Internal Market located in Alicante.
- New Rules on Applicable Law and Member States’ Responsibility
The Commission announced its intent to examine how to revise and clarify the existing provisions on applicable law, including the current determining criteria, in order to improve legal certainty, clarify Member States’ responsibility for applying data protection rules, and ultimately provide for the same degree of protection of EU data subjects, regardless of the geographic location of the data controller.
This clarification will be welcomed by companies that do business in several EU Member States. Indeed, it is not always clear to data controllers – and perhaps to data protection authorities as well – which Member State is responsible and which law is applicable when several Member States are concerned. This is particularly true of cloud computing, where it is often difficult to determine the location of personal data and of the equipment used at any given time.
Clearer, Simplified Rules for International Data Transfers
Communication 609 acknowledges the need to improve the rules for international data transfers. Current schemes may need to be streamlined to make transfers simpler and less burdensome. To this end, the Commission plans to clarify and simplify the rules for international data transfers.
Currently, crossborder transfers are permitted only when the recipient country provides “adequate protection” of the privacy rights and personal data. At present, the Commission or the Member States may determine whether a third country ensures a level of protection that the EU considers adequate. According to Communication 609, this regime has several shortcomings. For example, the exact requirements for recognition of adequacy by the Commission are currently not specified in satisfactory detail in the Data Protection Directive.
In addition, in some Member States, adequacy is assessed in the first instance by the data controller which itself transfers personal data to a third country, sometimes under the ex-post supervision of the data protection supervisory authority. This situation may lead to different approaches to assessing the level of adequacy of third countries’ law or international organizations, and involves the risk that the level of protection of data subjects provided for in a third country is judged differently from one Member State to another.
In order to clarify and simplify the rules for international data transfers, Communication 609 indicates that the Commission intends to examine how to improve and streamline the current procedures for international data transfers, including legally binding instruments and “Binding Corporate Rules” in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organizations; and to define core EU data protection elements that could be used for all types of international agreements.
Given the complexity of the current regime applicable to transfers of data out of the European Union and Economic Area, any improvement will be welcomed by companies. The current regime is complex and lacks uniformity. Companies have to resort to a patchwork of Standard Contractual Clauses, Binding Corporate Rules, and in some cases, Safe Harbor self-certification. Further, numerous types of data transfers do not fit within any of the pre-defined categories for which samples and models are provided, which creates additional burdens and delays. For example, transfers from a data processor to a data controller require tailor-made solutions. In addition, in most cases, several layers of contracts are needed to interact with several layers of subcontractors and service providers.
In addition, assuming that the formalities for a transfer from one country have been met, it is often unlikely that the same formalities can be used for the same transfer of the same data out of a different country. For example, transferring personal data out of France is much more complex and subject to red tape than it is to effect the same transfer of the same data out of the United Kingdom. Thus, a structure initially created for a UK to India transfer will not be sufficient for the France to India transfer of the same data.
Stronger Institutions
Finally, the Commission intends to strengthen the role of Data Protection Authorities and that of the Article 29 Working Party. This would be achieved by providing the Data Protection Authorities with the necessary powers and resources to exercise their task at the national level and when cooperating with each other. In addition, the Commission calls for a strengthening of the Working Party’s role in coordinating the positions of the Data Protection Authorities, and ensuring a uniform level of data protection in order to improve the cooperation and coordination between Data Protection Authorities.
Currently many data protection authorities lack the funding and staff necessary to address all of the issues within the scope of their responsibilities. Some data protection authorities are self-funded. The size of their budget is commensurate with the amount of fines that they can collect. Thus, in these countries – for example Spain – the data protection authority is very active and aggressive. On the other hand, a data protection authority that is funded only by the government will have a much smaller budget and staff, and may lack independence. As a result, there are significant discrepancies in the activities and achievements of the different data protection authorities. The discrepancies between the Data Protection Authorities and the lack of knowledgeable staff have hampered and delayed businesses. Any improvement would be greatly welcome.
Conclusion
Privacy practitioners have long complained about the shortcomings and deficiencies of the 1995 Data Protection Directive in view of the dramatic changes in practices and technologies over the past 15 years. The adoption of the Directive was primarily intended to encourage the free flow of people and personal information throughout the European Union, in addition to defining a minimum level of protection for the personal data and the privacy rights of individuals. However, the Directive could not anticipate the development of new technologies and new ways of doing business, such as cloud computing, social media and the drastic globalization of business. Concepts that might have made sense in the early 1990s now hamper the free flow of information and create a burden for companies. In addition, the significant discrepancies between the national laws implementing the Directive have also become a burden.
Concurrently, as companies have been able to take advantage of new technologies, they have increasingly tried to collect larger amounts of personal information, directly or through covert methods, such as flash cookies or beacons. Opaque privacy policies have lulled individuals into a false sense of security. Through the guise of sharing personal information with service providers and affiliates, companies have provided third parties with much more personal information than users anticipated. Recent scandals or mishaps, and data leaks have made consumers much more aware of the uses and misuses of their personal information. Consumers and consumer advocates are asking for the taming of aggressive practices.
The proposed update of the EU Data Directives is likely to improve the current landscape by providing more consistency and putting in place more efficient structures. Of course, businesses and other entities will have to adapt to change, and this change will cause pain and expense. Personal information has become a precious fuel for the economy. It is used ubiquitously in business, marketing, sales, research, and development. It is in the best interest of companies to treat this fuel with respect, so that individuals preserve its integrity. If individuals cannot trust companies with their personal information, they will provide false data, or will use pseudonyms and aliases, and the stream of this precious ore that feeds businesses will dry up.
[1] http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf.
[2] Gilbert, Global Privacy and Security Law (Aspen / Wolters Kluwer) www.globalprivacyboook.com
[3] Commission Decision of February 5, 2010 on Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under Directive 95/46/EC of the European Parliament and of the Council. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF.
[4] In the Matter of Sears Holding Management Corporation. http://www.ftc.gov/os/caselist/0823099/index.shtm. See Agreement Containing Consent Order (June 4, 2009).
[5] See, e.g., BNA Privacy & Security Law Report, 9 PVLR 1361, Comments by David Vladeck regarding notice and choice.
[6] See, e.g., Best Practices Act, http://energycommerce.house.gov/documents/20100720/HR5777_introduced.pdf.
[7] Directive 2009/22/EC of the European Parliament and of the Council of November 25, 2009, amending Directive 2002/22/EC on Universal Service and Users’ Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in Electronic Communication Sector, and Regulation (EC) No. 2006/2004 on Cooperation between National Authorities Responsible for the Enforcement of Consumer Protection Laws. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF.
[8] Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002, Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML
[9] California Security Breach Disclosure requirements: California Civil Code Sections §1798.29, §1798.82, and §1798.84.