New European Data Protection Regulation Draft

By Dr. Lars Lensdorf and Michael Lear-Olimpi
March 30, 2012

On Jan. 25, the European Commission, the Brussels-based executive body of the European Union (EU), proposed a sweeping, comprehensive regulation to reform existing EU data-protection laws, strengthen the privacy rights of individuals throughout the Union, boost Europe's digital economy, and prevent digital and other crime.

The proposal would unify EU data-protection regulations among member states. This change would allow closer cooperation among law-enforcement agencies and courts in EU member nations to protect data, safely share citizens' personal data only among authorized parties, and help police detect and catch personal-data privacy violators.

Because the effective date of the draft is scheduled for two years after adoption, and because implementation will take some time, the new regulations cannot realistically be counted on until 2016.

The proposal would become law, after Parliamentary approval, 20 days after publication in the Official Journal of the European Union, and be enforced two years after publication date.

Updates 1995 Directive

With the new regulation, presented to the EU Parliament and Council as Communication COM (2012) 9 final, the standing Data Protection Directive, adopted in 1995 and known as Directive 95/46/EC, will be updated, with a focus on EU-wide standards and cooperation among businesses and law enforcement.

The change, which EU legislators hope will serve to define the general data-protection legal framework in the European Union, is expected to help e-commerce and business in general in EU member states.

Unlike the existing directive, the planned regulation would have direct effect in all member states, so member states would not each need to enact separate implementing acts for the rule to take effect throughout the Union.

The proposal was presented in its final form for consideration after a survey of EU citizens and various considerations of components of previous adjustments to the 1995 Directive.

A summary of the proposal says that the Commission examined the pending regulation to assess “its economic impact on stakeholders (including on the budget of the EU institutions), its social impact and effect on fundamental rights.”

No environmental impact was noted, the EU Commission says.

As for what the Commission defines as the fundamental rights of EU citizens, the Commission report, which is part of the proposed legislation, notes that the draft of the law does not violate personal-data rights established in the EU's Charter on Fundamental Rights (Article 8), Article 16 of the Treaty on the Functioning of the European Union (The Lisbon Treaty), or the European Convention on Human Rights.

The proposal report notes, though, that “the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society,” with protection “closely linked to respect for private and family life protected by Article 7 of the Charter,” which the 1995 Directive also considers.

Particulars

The new data-protection instrument would implement data-protection principles together with rules for police and judicial cooperation. The most important content of the draft regulation is briefly summarized as follows.

Expanded Authority

With the regulation, a set of rules for data protection is introduced throughout the EU for the first time. The implementation of the guideline from 1995 led to varying levels of data protection in the member states, which is now to be prevented by the direct effect of the proposed updating regulation.

The draft is aimed at changes regarding the handling of personal data, the reporting of data-protection information covered by the proposed rule by companies and organizations that may be affected, and a restructuring of the rights of citizens.

National data-protection authorities would be strengthened in both their standing and their range of influence.

Range of the Rule

Also, the scope of application of data protection under the draft rule would be enlarged. In the future, any company offering services that are directed at users within the EU will be subject to European regulations.

Member nations are also obliged under the proposal to establish an agency to monitor and enforce the regulation, if adopted, and to appoint a data-protection officer to handle data monitoring and protection, and to deal with data controllers and processors, supervisory bodies in each member nation, and the public.

Nomenclature Added

The Commission notes that some terms and their meanings carry over from Directive 95/46/EC and Framework Decision 2008/977/JHA, but that some are modified to reflect current usage applicable to personal-data definitions.

New definitions include those for personal data breach, genetic data and biometric data, competent authorities and child. The Commission reports that the definition of “child” is based on the UN Convention on the Rights of the Child.

The modified definitions, included in Article 3, are:

  • Personal data breach. “Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”;
  • Genetic data. “All data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development”;
  • Biometric data. “Any data relating to the physical, physiological or behavioral characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic (fingerprint identification) data”; and
  • Child. “Any person below the age of 18 years.”

Reporting Requirements

Data controllers in each nation would be required to report, “without undue delay and, where feasible, not later than 24 hours after having become aware of it,” a personal-data breach to the supervising authority.

If notification isn't provided within 24 hours, the controller of the data would have to provide the supervisory authority with justification for the notification delay, if the authority requests such an explanation.

Notification would require “at least” the following information:

  • A description of the nature of personal-data breach, with categories and the number of people whose data was compromised, and categories and number of data records believed or known to have been breached;
  • Identity and contact information of data-protection officer;
  • Recommended steps to lessen possible effects of data breach;
  • A description of possible data-breach consequences; and
  • A description of steps the data controller has taken or proposes to take to address the data breach.

The proposed legislation also outlines many other steps to address how data compromises will be dealt with, including establishing more reporting and notification requirements, format in which notifications will be made, and how people would be notified of breaches in personal-data security.

Non-EU Entities

Businesses outside the European Union would no longer be exempt from the duty to apply the regulations to personal data.

Distinctions of Personal Data Sets

The proposal requires the data controller to stave off crime by identifying personal data of people likely to be criminals or to commit crimes.

The proposal states that the following categories (quoted here directly from the proposed legislation) of personal data sets be identified and treated separately from other people's:

  • Persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence;
  • Persons convicted of a criminal offence;
  • Victims of a criminal offence, or persons with regard to whom certain facts give reasons for believing that he or she could be the victim of a criminal offence;
  • Third parties to the criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings, or a person who can provide information on criminal offences, or a contact or associate to one of the persons mentioned in [the first two points in this list]; and
  • Persons who do not fall within any of the categories referred to above.

Simplified Reporting

The draft also provides for simplified reporting from companies. In the future, certain reporting requirements will be replaced by greater responsibility and stricter accountabilities of enterprises.

Right to Be Forgotten

Also, the so-called “right to be forgotten” will be newly implemented. This right will allow users to request cancellation of all data, which is, however, a step that will bring challenges to new technical developments (cloud computing, for instance).

The legislation calls this right “erasure.” The proposal states that people may request erasure of their personal data when provisions of the regulations have not been met. The controller of the data is required to act immediately. People can also ask, such as in disputes of data accuracy or authorized use, that instead of information being erased, it be “marked” for restricted use.

The controller can also retain information, such as when personal data would provide some type of required proof of a data owner's identity. A controller must inform a person when the controller refuses to erase data or mark it, and provide the owner with information about complaining to the supervisory authority or a court for redress.

Data Portability

Also new will be the right of data portability. In the future, it will be easier for users to “take along” their data; this change is meant to increase and simplify competition in certain areas.

International Personal Data Transfer

Under the new regulation, there would be a tightening of the rules regarding transfer of personal data to other countries and international organizations. Provisions are made in the proposal for the introduction of a minimum data-security standard that can be specifically adapted by the Commission as required for different countries.

Breach Penalties

In the event of a breach of regulations, penalties will be implemented that can be imposed by local data-protection authorities.

e-Commerce enterprises would be subject to the regulations.

The proposed law notes that:

Article 53 introduces common rules for court proceedings, including the rights of bodies, organisations or associations to represent data subjects before the courts, and the right of supervisory authorities to engage in legal proceedings. The obligation of Member States to ensure rapid court actions is inspired by Article 18(1) of the e-Commerce Directive 2000/31/EC.

Unrealistic?

Criticism of this draft included comments that the proposal, as presented, is unrealistic. Critics alleged that implementation of the “right to be forgotten” as well as the planned portability of data are almost impossible to achieve.

Conclusion

As the need for data protection grows along with the proliferation of international online business and the associated necessity of entering, storing, manipulating, sharing, transmitting and securing consumers' and others' personal data, national and local authorities must ensure that information citizens provide to businesses and other entities is safe. And if that information is compromised, consumers need to be alerted, and the authorities need to stop the use of the information and pursue the criminals who appropriated the data.

The new European Union regulations take a step in that direction. Counsel who represent the interests of e-commerce entities and companies with e-commerce operations (these businesses' greatest interests being their customers) can only hope that nations without such data-protection provisions will soon fall into line with those nations that have begun the march toward providing universal and reliable personal-data protection.


Dr. Lars Lensdorf is a partner with Heyman and Partner Rechtsanwälte, Frankfurt, Germany. Data privacy and information technology are among his practice areas. Dr. Lensdorf is also a member of the German Association for Computer Law. He can be reached at +49 (0) 69 768 0630 or [email protected]. Michael Lear-Olimpi is Editor-in-Chief of this newsletter and owner and editorial director of Susquehanna Editorial Services, in Harrisburg, PA. He can be reached at [email protected].