Corporate Counsel would do well to familiarize themselves with the ongoing process of reforms to the EU data protection rules, both because of their eventual compliance impact and because they constitute more than a simple upgrade to the existing rules. These reforms will affect not only U.S. businesses that currently have EU operations, but also any U.S. businesses without EU operations that are nevertheless active on the EU market and handle personal data. The rules on data transfers between the EU and the U.S. will also change, and they have been the focus of particular EU political attention.
The proposed reforms to the EU data protection rules have advanced through the EU legislative pipeline with the March 2014 plenary vote by the European Parliament approving the amendments made at its committee level. Generally speaking, the Parliament has left the constituent elements of the original proposed reforms intact and has instead focused on qualifying a number of aspects and introducing some new elements.
Background
Just over two years ago, the European Commission initiated the process with the aim of comprehensively reforming the 1995 EU data protection rules. It is no exaggeration to state that the 1995 rules have been one of the EU's most widely impacting pieces of legislation, entailing significant compliance requirements for businesses both inside and outside the EU.
Although the 1995 rules are being replaced entirely, the core elements concerning privacy remain, the main EU motive for the reforms being to “strengthen individual rights and tackle the challenges of globalization and new technologies.” The extent to which these issues are finally addressed remains to be seen, notably as regards new technologies.
One objective of the reforms is to introduce what the European Commission hopes will be a less administratively burdensome and costly regime for businesses, and, according to Commissioner Viviane Reding, who holds the EU Justice portfolio and is driving the reforms, “Following the U.S. data spying scandals, data protection is more than ever a competitive advantage.” Some businesses might share this view but others may disagree. Whatever the final outcome, there will be a high level of compliance obligations to maintain along with financial and administrative costs for businesses.
The reform package consists of a Regulation that sets out a general EU framework for data protection, and a Directive specifically concerned with protecting personal data processed in a law enforcement context. Both sets of proposals are long and complex, and the European Parliament has itself put forward an enormous number of amendments, many of which may not be finally taken up.
The Regulation
The Regulation is the instrument of most importance to businesses, and, by way of brief reminder, the key reforms set out in it, along with the Parliament's proposals, are as follows.
One-Stop-Shop
Using the format of a Regulation (as opposed to a Directive, the form used for the 1995 rules, which requires implementation by each individual EU Member State), there will be one set of EU-wide rules. Businesses established and operating in several EU Member States will only have to deal with a single national data protection supervisory authority (i.e., the data protection regulator) in the country where they have their base; complainants will likewise only have to deal with the supervisory authority in their own Member State.
The Parliament amendment goes further. It wants a single lead supervisory authority to be responsible for supervising the data processing activities of the “data controller” (the person or entity determining the purposes and means of the processing of personal data) or the “data processor” (the person or entity processing personal data on behalf of the controller) in all EU Member States, in two situations: 1) where the “processing of personal data” (any operation or set of operations performed upon personal data) takes place in the context of the activities of an establishment of a controller or processor in the EU and the controller or processor is established in more than one Member State; or 2) where personal data of the residents of several Member States are processed.
Level Playing-Field
In what must be stressed as a very significant new element, the EU data protection rules will apply equally to EU-based and non-EU-based businesses. Not only will the rules apply where a data controller, a processor or a “data subject” (an identified or identifiable person to whom specific personal data relates) is based in the EU; they will also apply to businesses based outside the EU where they process the data of EU residents to whom they offer goods or services. The Parliament supports this and has left it relatively untouched. How this extra-territorial reach will work in practice, though, remains to be seen.
'Privacy by Design' and 'Privacy By Default'
These will become essential compliance principles, meaning that data controllers will be legally obliged to ensure that data protection safeguards are built into products and services from the earliest stage of development, and that privacy-friendly default settings are the norm. The Parliament supports this and elaborates further by requiring that privacy by design address the entire lifecycle management of personal data, from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data.
Explicit Consent
Where consent is required for data to be processed, it will have to be explicitly given, i.e., it is not assumed. Therefore, saying nothing will not amount to consent. The Parliament supports this and goes further in its amendments, for example, by providing that provisions on the data subject's consent that are partly in violation of the Regulation will be completely void.
The Right to be Forgotten, and Erasure
A data subject will have the right to have his or her data erased when there are no legitimate grounds for the data to be retained, as long as this does not encroach on the freedom of expression and information. The Parliament amendment goes further by allowing EU citizens to obtain from third parties (to whom the data have been passed) the erasure of any links to, or copy or replication of, that data. It also wants EU citizens to have the right to erasure where a court or regulatory authority based in the EU has ruled as final and absolute that the data concerned must be erased.
The Right to Avoid Profiling
Data subjects will have the right not to be subject to data processing intended to evaluate certain personal aspects relating to them, or to analyze or predict in particular their performance at work, their economic situation, location, health, personal preferences, reliability or behavior, subject to certain exceptions. The Parliament supports this, but with some modifications, including to the basic way the right is expressed: it states that every natural person shall have the right to object to profiling, and that the data subject must be informed of the right to object to profiling in a highly visible manner.
Data Portability
Data subjects will have easier access to their data and be able to transfer data from one service provider to another more easily. The Parliament has left this untouched.
Data Protection Officer
Data controllers and processors will have to appoint an internal data protection officer to oversee compliance where: 1) either data processing is carried out by a public authority or body; or 2) the processing is carried out by an enterprise employing 250 persons or more; or 3) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. While supporting the appointment of a data protection officer, the Parliament prefers that a data protection officer will be appointed when the processing is carried out by a legal person and relates to more than 5,000 data subjects in any consecutive 12-month period.
Data Breaches
“Personal data breaches” are defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Under the reforms, where there is a personal data breach, the controller must without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority will have to be accompanied by a reasoned justification in cases where it is not made within 24 hours. The Parliament supports the notification requirement but in a more limited way.
Sanctions
The reforms will empower supervisory authorities to fine businesses that infringe the data protection rules up to Euro 1 million or up to 2% of the global annual turnover of a business, whichever is the greater. The Parliament amendment goes further, raising the level of the fine to up to Euro 100 million or 5% of global annual turnover, whichever is the greater.
Impact Assessment and Risk Analysis
Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf will have to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Examples of such situations are large-scale filing systems holding personal data on children, genetic data or biometric data. The Parliament, however, favors more of a risk analysis of the potential impact of the intended data processing on the rights and freedoms of data subjects, to determine whether the processing is likely to present specific risks. Such a risk arises, for example, where the processing of personal data relates to more than 5,000 data subjects during any consecutive 12-month period.
Data Transfers to Third Countries
The core principles concerning the transfer of data from the EU to third countries (including the U.S.) will remain, most notably the requirement that such data flows can only occur where the third country ensures an adequate level of protection. What the reforms introduce is an extension of the existing principles. For example, the criteria the European Commission applies when it assesses adequacy are now set out more explicitly. In the absence of a Commission adequacy decision, data transfers may be made where other safeguards are in place.
Arguably the most notable of these are “Binding Corporate Rules,” which essentially allow for intra-group compliance rules approved by a supervisory authority; these are now explicitly provided for and extended to data processors as well as data controllers. The criteria against which a supervisory authority approves “Binding Corporate Rules” are also more explicitly detailed. The other main form of safeguard is the use of Commission-approved “Model Clauses,” which are also now explicitly provided for. In the absence of such safeguards, data transfers may still be made under certain conditions, which have also been revised and extended.
The Parliament broadly supports the changes adding some of its own extending amendments, and, in addition, it has proposed new elements concerning the situation where the courts or regulatory authorities in third countries require or request the disclosure of data from a data processor or controller. Although the reforms bring some clarity, implementing and complying with the various principles of data transfers to third countries may still present challenges to businesses.
These elements raise a number of issues, and, there is also much other detail in the Regulation that will need to be addressed in order for businesses to meet their compliance obligations.
The Politics
As the earlier quote from Commissioner Viviane Reding indicates, the reforms have taken a political slant due to the mass surveillance revelations made by whistleblower Edward Snowden. In November 2013, the European Commission officially voiced its concerns about the implementation of the “Safe Harbor” regime, the 2000 EU-U.S. policy agreement that regulates the way that U.S. companies export and handle personal data of EU citizens. The Commission highlighted various perceived U.S. shortcomings, including from the security perspective.
More radically, in March 2014 the European Parliament itself passed an official Resolution calling for the immediate suspension of the “Safe Harbor” regime until the U.S. better respects EU fundamental rights, although technically speaking this competence rests only with the European Commission. However, in a more upbeat mode, EU and U.S. political leaders have reaffirmed a commitment to “Safe Harbor,” which comes in the wake of the announcement by the Federal Trade Commission (FTC) of settlements with a dozen U.S. companies alleged to have falsely claimed compliance with “Safe Harbor.” Despite this more positive recent move, the EU political undercurrent of concern should not be viewed as a simple hiccup and is more likely to persist in one form or another in EU privacy policy developments.
In terms of next steps, the European Parliament's proposed amendments will be considered by the (EU) Council of Ministers. It is expected that the Council will start this month. Once the 28 EU Member States have agreed a position within the Council, the latter will then engage with the Parliament (which will be of a different composition after the May 2014 elections) and both bodies have to come to an accord in order for the reforms to become law; the European Commission (whose Commissioner composition will also change later in 2014) will continue to play a role as a kind of honest broker.
Once adopted, the Regulation would enter into force shortly after publication (the proposal provides for the twentieth day after publication), with a two-year transition period before it applies, completely repealing the 1995 EU data protection rules in the process. When the Regulation will be adopted is a question for speculation right now, but, despite enthusiasm in certain EU quarters for this happening as soon as feasibly possible, it is not anticipated to occur until sometime in 2016.
Although finalization of the reforms may seem to be some time ahead, some compliance issues for corporate counsel and businesses to nevertheless consider are as follows:
Finally, it must be stressed again that non-EU based businesses that are active on the EU market and handling EU personal data will be affected and so they too will need to ensure that they are compliant.
André Bywater is a commercial lawyer with Cordery Compliance in London, where he focuses on regulatory compliance, processes and investigations. Prior to working in London he was Brussels-based for many years focusing on a multitude of EU issues across Europe and beyond, including working on EU-funded projects building the expertise and capacity of government ministries and agencies. Reach him at [email protected].