Fundamental overhaul of EU data protection regime unveiled

A package of draft measures aimed at fundamentally overhauling and harmonising the EU’s data protection regime has been published by the European Commission. If passed in its current form, the new data protection framework will introduce enhanced rights for individuals and tough penalties for non-compliance.

Why do we need new data protection laws?

With the explosion of the internet, volumes of personal data held by organisations have increased dramatically and data now flows much more easily between organisations and jurisdictions. The EU believes that the current regime is in need of updating and that harmonising the regimes across Member States will bring greater security for individuals, greater clarity and (arguably) lower compliance costs for organisations which process personal data. To that end, it has published a draft framework of legislation which will entirely replace current European data protection laws.

Who will have to comply with the new laws?

Data controllers and data processors with legal entities in the EU will have to comply. In addition, organisations which process the personal data of EU individuals in relation to the offering of goods and services or the monitoring of behaviour will also be subject to the new laws, irrespective of the location of the controller or processor.

What are the key changes?

The draft framework is lengthy and detailed. While the data protection principles and some (but not all) of the defined terms remain largely unchanged, there are a number of key changes proposed including:

  • Regulation by one Member State – all EU based data processing activities of data controllers and data processors will be regulated by a single Member State which will be determined by the location of the main establishment of the relevant organisation or, if there is no EU establishment, by the place where the bulk of the processing takes place.

  • Consent – consent is defined as “any freely given, specific, informed and explicit indication” of the data subject’s wishes. It cannot be automatically implied where there is a significant imbalance of power between the data subject and the data controller, for example, in respect of the processing of employee data. In some instances, consent may not be capable of being obtained and other means of making the processing of personal data lawful will have to be relied on.

  • Data controllers and data processors – these roles have been re-defined and for the first time, the data processor has a direct liability for compliance as well as enhanced administrative obligations.

  • Right to be forgotten – the right to be forgotten and to have all personal data removed from records under certain circumstances is provided for under Article 17 of the draft Regulation. There are exceptions to this right including where the personal data is necessary for exercising freedom of expression or is held for historical, statistical and scientific research purposes. This is a completely new right which is liable to prove one of the most controversial elements of the draft package.

  • Right to data portability – where personal data is processed electronically and in a commonly used, structured format, data subjects will have the right to obtain a copy of their data in that format in order to be able to transfer the data to another service provider.

  • Right not to be profiled – individuals have an enhanced right not to be subject to any measures based on automated processes which use personal data to analyse, evaluate or predict their performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

  • Additional enforcement powers and sanctions – Data Protection Authorities will have an increased set of duties as well as enhanced enforcement powers. Penalties for intentional or negligent breaches of data protection law will reach a maximum of 2% of annual global turnover for "enterprises" or fines of up to 1 million Euros in other cases. The definition of what constitutes an "enterprise" is likely to be looked at closely prior to enactment.

  • Mandatory security breach notification – data protection authorities must be informed of a data security breach by the data controller “without undue delay and, where feasible, not later than 24 hours of becoming aware of it”. Data subjects must then be informed “without undue delay” of the breach unless the relevant data protection authority is satisfied that the data was sufficiently protected from being accessed by an unauthorised user, for example, by encryption.

  • Data transfers outside the EU – there is considerably more detail on how to effect compliant data transfers outside the EU including a set of Binding Corporate Rules and the acknowledgment that authorisation of a non-standard data transfer contract by one Member State will validate it across the EU.

  • New requirement to have a Data Protection Officer – data controllers and data processors with over 250 employees will be required to have a designated Data Protection Officer to help ensure the organisation’s compliance with data protection law (subject to limited exceptions).

  • Additional administrative requirements – there are a number of new administrative requirements which data controllers and, in most cases, data processors will have to comply with (although the general obligation to notify has gone). These include the obligation to maintain a form of compliance register and to conduct privacy impact assessments "where processing operations present specific risks to the rights and freedoms of data subjects" before data processing or data transfers are permitted.

  • SMEs – organisations with fewer than 250 employees are exempt from many of the administrative requirements.

When will the new laws come into force?

The published framework is in draft form and may change before it becomes law. However, the EU intends that the framework will be enacted this year. The bulk of the reforms are in the form of a Regulation. Unlike Directives, EU Regulations have direct effect. This means they come into Member State law exactly as drafted, without any room for manoeuvre (although the Regulation does give Member States scope to introduce their own measures under limited circumstances). The proposed Regulation will repeal the current Data Protection Directive and is likely to come into force two years after enactment, so we are potentially looking at the end of 2014.

What happens next?

Essentially, a great deal of lobbying and wrangling as well as several rounds of amendments while the legislation passes through the necessary hoops towards enactment.

How can I learn more?

Over the coming weeks, we will be sending out more detailed information about the proposals and regular updates will follow as the framework progresses towards enactment.

Taylor Wessing will be launching a new monthly webinar series on key issues around Data Protection. Our first webinar will be on 6 March and will look at the new data protection framework. On 28 March, we will also be hosting a seminar on the new framework at our London office. If you would like to receive more information about our webinar series or the seminar, please register your interest at events@taylorwessing.com.

If, in addition, you would like one of our data protection specialists to come and talk to you or if you have specific questions or concerns, please send us an email.

Taylor Wessing's international offices operate as one firm but are established as distinct legal entities. For further information about our offices and the regulatory regimes that apply to them, please refer to http://www.taylorwessing.com/regulatory.html
This publication is intended for general public guidance and to highlight issues. It is not intended to apply to specific circumstances or to constitute legal advice.