Note: This post is superseded by the post above, due to the publication of a new draft of the proposed legislative texts.
The European Commission has just published drafts of the two documents that will form the new legal framework for the protection of personal data throughout the European Economic Area. The draft documents are intended to provide a last opportunity for comments. The final version is expected to be published during the first quarter of 2012, and will come into force two years after publication. Thus, the new rules are currently not expected to be effective before the middle of 2014.
The proposed new legal framework consists of two legislative proposals: a proposal for a General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which will supersede Directive 95/46/EC; and a proposal for a Police and Criminal Justice Data Protection Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. This article discusses only the Regulation.
A Regulation, not a Directive
The European Commission found that a “Regulation,” as opposed to a “Directive,” was the most appropriate legal instrument to define the new framework for the protection of personal data in the European Union. EU regulations are the most direct form of EU law. A regulation is directly binding upon the Member States, and is directly applicable within the Member States. As soon as a regulation is passed, it automatically becomes part of the national legal system. EU directives, on the other hand, are used to bring different national laws in line with each other. They prescribe only an end result that must be achieved in every Member State. The form and methods of the application of the principles set forth in the directive are a matter for each Member State to decide for itself. Once a directive is passed at the European Union level, each Member State must implement or “transpose” the Directive into its legal system. A directive takes effect through national legislation that implements the measures.
The current data protection regime, which is based on a series of directives, has proved to be very cumbersome due to the significant discrepancies between the interpretations or implementations made in the various Member State data protection laws. While a directive must be implemented into national laws (and implementations vary), a regulation is directly applicable, as is, in the Member States. The choice of a regulation for the new general regime for personal data protection should provide greater legal certainty by introducing a harmonized set of core rules that will be exactly the same in each Member State. Of course, each country’s government agencies and judicial system are still likely to have their own interpretation of the same text, but the discrepancies between these interpretations should be less drastic than those that are currently found among the Member State data protection laws.
Overview of the Draft Regulation
The 116-page draft Regulation lays out the proposed new rules. Some of the key components are discussed below.
The Regulation shifts the consent requirement to that of an “explicit” consent. It introduces some new concepts that were not in Directive 95/46/EC, such as the concept of breach of security, the protection of children’s information, the use of binding corporate rules, the special status of data regarding health, and the requirement for a data protection officer.
New, Expanded Data Protection Principles
Articles 4 to 8 incorporate the general principles governing personal data processing that were laid out in Article 6 of Directive 95/46/EC, and add new elements such as the transparency principle, the comprehensive responsibility and liability of the controller, and a clarification of the data minimization principle. The rules for consent are strengthened. The consent must be “specific, informed and explicit.” The controller bears the burden of proving that the data subjects have given their consent to the processing of their personal data for specified purposes.
Special categories of processing
The rules that apply to special categories of processing are found in Articles 80 to 84. The special categories include processing of personal data for:
- Journalistic purposes;
- Health purposes;
- Use in the employment context;
- Historical, statistical or scientific purposes;
- Use by individuals bound by a duty of professional secrecy;
- Public interest.
Transparency and Better Communications
Article 9 of the proposed Regulation introduces the obligation for transparent and easily accessible and understandable information, while Article 10 requires the controller to provide procedures and a mechanism for exercising the data subject’s rights, including means for electronic requests, requiring response to the data subject’s request within a defined deadline, and the motivation of refusals.
Rights of the Data Subjects
Articles 12 to 18 define the rights of the data subjects. In addition to the right of information, right of access, and right of rectification, which exist in the current regime, the Regulation introduces the “right to be forgotten” as part of the right to erasure. The right to be forgotten includes the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases. Article 16 introduces the data subject’s right to data portability, i.e., to transfer data from one automated processing system to, and into, another, without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format. The right to object to the processing of personal data is supplemented by a right not to be subject to measures based on profiling.
Obligations of Controllers and Processors
Articles 19 to 26 define the obligations of the controllers and processors, as well as those of the joint controllers and the representatives of controllers that are established outside of the European Union. Article 19 addresses the accountability of the controllers. This includes, for example, the obligation to keep documents, to implement data security measures, and to designate a data protection officer. Article 20 sets out the obligations of the controller to ensure data protection by design and by default. Under Article 21, joint data controllers are required to determine their own responsibility for compliance with the Regulation. If they fail to do so, they will be held jointly responsible. Article 22 requires data controllers that are not established in the European Union and that direct data processing activities at EU residents, or monitor their behavior, to appoint a designated representative in the European Union.
Supervision of Data Controllers or Processors by Data Protection Authority
Article 25 introduces the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the data protection supervisory authority, as is currently the case under Articles 18 and 19 of Directive 95/46/EC. The provision contains a long list of documents that must be created and maintained by data controllers and data processors. This information is somewhat similar to the information that is currently provided in notifications to the data protection authorities, for example, the categories of data and data subjects affected, or the categories of recipients. There are also new requirements, such as the obligation to keep track of the transfers to third countries, or to keep track of the time limits for the erasure of the different categories of data. In the case of data controllers or data processors with operations in multiple countries, Article 50 establishes the concept of the “main establishment.” The data protection supervisory authority of the country where the data processor or data controller has its “main establishment” would be competent for the supervision of the processing activities of that processor or controller in all Member States under the mutual assistance and cooperation provisions that are set forth in the Regulation.
Articles 27 to 29 focus on the security of the personal data. In addition to the security requirements already found in Article 17 of Directive 95/46/EC and extending these obligations to the data processors, the Regulation introduces an obligation to notify personal data breaches. In case of a breach of security, a data controller will be required to inform the supervisory authority within 24 hours. In addition, if the breach is “likely to adversely affect the protection of the personal data or the privacy of the data subject”, the data controller will be required to notify the data subjects, also within 24 hours after it has established the existence of the breach.
Data protection impact assessment
Article 30 would require controllers and processors to carry out a data protection impact assessment if the proposed processing is likely to present specific risks to the rights and freedoms of the data subjects by virtue of its nature, scope or purposes. Examples of these activities include: monitoring publicly accessible areas, use of children’s personal data, use of genetic data or biometric data, processing information on sex life, health or race, and evaluation having the effect of profiling or predicting behaviors.
Data protection officer
Articles 32 to 34 require the appointment of a data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring. Article 33 identifies the roles and responsibilities of the data protection officer and Article 34 defines the core tasks of the data protection officer.
Cross-border Data Transfers
Articles 37 to 44 define the conditions of, and restrictions to, data transfers to third countries or international organizations, including onward transfers. For transfers to third countries that have not been deemed to provide “adequate protection,” Article 39 requires that the data controller or data processor adduce appropriate safeguards, such as through standard data protection clauses, binding corporate rules or contractual clauses. It should be noted, in particular, that:
- Standard data protection clauses may also be adopted by a supervisory authority and be declared generally valid by the Commission;
- Binding corporate rules are specifically introduced (currently they are only accepted in about 17 Member States);
- The use of contractual clauses is subject to prior authorization by supervisory authorities.
Binding Corporate Rules take a prominent place in the Regulation. Their required content is outlined in Article 40. Article 41 spells out and clarifies the derogations for a data transfer, based on the existing provisions of Article 26 of Directive 95/46/EC. In addition, a data transfer may, under limited circumstances, be justified on a legitimate interest of the controller or processor, but only after having assessed and documented the circumstances of the proposed transfer.
Disclosures Requested by Foreign Court
Article 42 prohibits a data controller operating in the European Union from disclosing any personal data to a recipient located in a third country if so requested by the judicial or administrative authority in the third country, unless this transfer is especially authorized by an international agreement or is provided by mutual legal assistance treaties or is approved by a supervisory authority. A data controller or data processor who receives a judgment of a court or tribunal or a decision of an administrative authority of a third country requesting the disclosure of personal data must immediately notify the supervisory authority of the request and must obtain prior authorization for the transfer.
European Data Protection Board
The “European Data Protection Board” is the new name for the “Article 29 Working Party.” Like its predecessor, the new Board will consist of the European Data Protection Supervisor and the heads of the supervisory authority of each Member State. Articles 64 and 65 clarify the independence of the European Data Protection Board and describe its role and responsibilities.
Remedies and Sanctions
Articles 73 to 79 address remedies, liability, and sanctions. Article 73 grants data subjects the right to lodge a complaint with a supervisory authority (which is similar to the right under Article 28 of Directive 95/46/EC). It also allows consumer organizations and similar associations to file complaints on behalf of a data subject or, in case of a personal data breach, on their own behalf. Article 75 grants individuals a private right of action. It grants individuals the right to seek a judicial remedy against a controller or processor in a court of the Member State where the defendant is established or where the data subject is residing. Articles 78 and 79 require Member States to lay down rules on penalties, to sanction infringements of the Regulation, and to ensure their implementation. In addition, each supervisory authority must sanction administrative offenses and impose fines.
The terms of the proposed Regulation are not really a surprise. For several months, Ms. Reding and other representatives of the European Union have provided numerous descriptions of their vision for the new regime. It is nevertheless exciting to see, at long last, the materialization of these descriptions, outlines, and wish lists. Altogether, the new Regulation will increase the rights of the individuals and the powers of the supervisory authorities. The adoption of a single rule throughout the European Union is also likely to help simplify the information governance, procedures, record keeping, and other requirements for companies. Directive 95/46/EC has been the basis for the data protection laws of the EU Member States, as well as those of the other EEA Members. In addition, numerous other countries, such as Peru, Uruguay, Morocco, Tunisia, or the Dubai Emirate (in the Dubai International Financial District) have adopted data protection laws that followed Directive 95/46/EC. It remains to be seen what effect the adoption of the Regulation will have on the laws of these other countries.