The EU Launches Initiative to Revamp EU Privacy Rules
The proposals consist of a new draft regulation ("Draft Regulation") and a new draft directive ("Draft Directive"). These proposals are accompanied by a regulatory impact assessment, a report, a draft communication and various press documents and tools. The Draft Regulation addresses data protection by companies doing business in the EU's internal market, while the Draft Directive concerns data protection in the exchange of information between EU Member State police and judicial authorities in the fight against serious crime.
The most salient change is the introduction of a system of fines for breaches of data protection rules by individuals or enterprises. This proposed system resembles, albeit with much lower thresholds, the current penalty framework for antitrust violations.
For businesses, the following fines are contemplated:
- Fines of up to 0.5 percent of the annual worldwide turnover (which would generally mean worldwide annual gross sales revenue) would apply for failure to establish adequate mechanisms for responding to information requests by data subjects, or if a response to such request is not timely or free of charge.
- Fines of up to 1 percent of annual worldwide turnover may apply when "anyone who intentionally or negligently" fails to (i) fully respond to information requests by data subjects, (ii) rectify mistakes, (iii) comply with the "right to be forgotten," (iv) obstruct data portability, (v) sufficiently determine co-responsibility with co-controllers, (vi) maintain sufficient documentation on processing operations, or (vii) adhere to rules for sensitive data.
- Fines of up to 2 percent of annual worldwide turnover are contemplated in several cases, including (i) illegal processing of data and sensitive data, (ii) failure to appoint a data protection officer or, for undertakings located outside the EU, a representative within the EU, (iii) lack of appropriate measures to comply with the privacy "by default" and "by design" principles (as further explained below), (iv) failure to provide notice of a data breach in a timely and/or complete manner, (v) failure to perform an impact assessment and obtain prior authorization where required, (vi) failure to cooperate with data protection authorities ("DPA"), (vii) breach of rules on international data transfers, and (viii) failure to comply with professional secrecy rules.
The above-mentioned fine levels are maximum amounts, and the extent to which turnover will also be used in practice as a matrix to calculate actual fines remains to be seen. The Draft Regulation provides only for criteria that must be taken into consideration for setting fines, such as the nature, gravity, and duration of the breach, intent, recidivism, and cooperation, but it does not actually establish fining guidelines.
Extended Scope of Privacy Rules
The proposals also extend the scope of privacy rules, both materially and territorially.
Materially, the Draft Regulation increases the protection afforded to data subjects by expressly including within the scope of personal data all data that can be identified by reference to location data and online identifiers. Sensitive data requiring specific protection now also include criminal records and genetic data. Furthermore, obligations previously applicable only to data controllers (e.g., data owners) are now also applicable to data processors (e.g., service providers). For instance, service providers that process personal data on behalf of the controller, such as many cloud computing companies, will have direct obligations under the Draft Regulation. Currently, controllers are required to impose data protection requirements on processors. The Draft Regulation also confers joint-controller status on a processor that processes data beyond the controller's instructions.
Territorially, the Draft Regulation extends the application of data protection rules to undertakings not established in the EU if (i) the data originates from persons residing in the EU, and (ii) the processing activities relate either to the offering of goods or services in the EU or the monitoring of the person's behavior in the EU. Such undertakings must now also designate a representative within the EU.
Consent remains the keystone of the framework but is now more strictly defined. According to the 1995 Directive, the data subject should "unambiguously" give his consent prior to data processing. Consent now needs to be explicit, i.e., given either by a statement or by clear affirmative action. The Draft Regulation thus sanctifies the "opt-in" system. The consent of children below the age of 13 will now entail verifiable parental consent.
Depending on the countries where they do business, companies can currently be subject to up to 27 sets of different rules and DPAs. The Draft Regulation establishes the country of origin principle, whereby the applicable law and the competent DPA will be that of the country where the business has its main place of establishment, i.e., for the controller, this is essentially the place in the EU where the main decisions on data processing are made; for the processor, this is the place of central administration within the EU.
However, there are limitations to the one-stop-shop principle, because the Draft Regulation allows data subject and data protection associations to (i) lodge complaints to the DPA in their country, and (ii) bring proceedings against a controller or processor before the courts of the Member State where the data subject has his habitual residence.
Abolition of the Notification Procedures, Except for Data Breaches
The current system of systematic notifications to the DPA of automatic data processing is proposed to be eliminated. Instead, companies will be responsible for self-assessing their practices based on (i) the internal appointment, within medium and large businesses, of a data protection officer to monitor compliance, (ii) the maintenance of documentation of all processing operations, to be available on request to the DPA, and (iii) impact assessments and prior approval of the DPAs for certain processing, such as video surveillance and large-scale filing systems on children, genetic data, or biometric data.
The Draft Regulation also contemplates requiring companies to provide notice of any data breach to (i) the DPA as soon as possible, and where feasible within 24 hours, and (ii) data subjects affected by the breach without undue delay.
Streamlining International Data Transfers
The Draft Regulation first clarifies that the Commission alone shall adopt adequacy decisions (i.e., determinations that the country of destination affords adequate data protection), allowing the free flow of information. The Draft Regulation also formalizes the practice of Binding Corporate Rules ("BCRs"), as developed by the Article 29 working party. BCRs are personal data protection policies, adhered to voluntarily by controllers to transfer data within a group of companies.
The Draft Regulation aims at increasing BCR efficiency by simplifying the process of DPA approval of BCRs and by extending their use to data processors. Finally, a new derogation is introduced based on the controller's or processor's legitimate interest, but only if the transfer is not frequent or massive, and only after assessing and documenting the circumstances of that transfer.
Right To Be "Forgotten," Privacy by Default, Privacy by Design, and Data Portability
The draft Regulation introduces several new concepts.
First, the "right to be forgotten" strengthens the possibility to delete incomplete or inaccurate data by allowing each data subject to request a controller to delete any stored personal data and to stop any further dissemination of such data. Where the controller has made the data public, this would mean taking all reasonable steps toward removal of any link, copy, or replication of such data.
Second, under "privacy by design," appropriate technical and organizational measures and procedures shall be implemented, by the time of the determination of the means of processing, in order to guarantee the protection of the rights of data subjects.
Third, "privacy by default" implies that privacy-friendly default settings will be the norm under the Draft Regulation.
Fourth, "data portability" triggers a right to transfer data from one electronic processing system to another, without hindrance from the controller. If asked by the data subject, the data controller must provide a copy of data undergoing processing in an electronic and structured format that is commonly used, allowing for further use by the data subject.
For all of the above concepts, the Commission shall have the power to adopt secondary legislation to detail these specific obligations.
The proposed draft legislation will now be discussed in the European Parliament and the European Council, both of which may amend the text prior to its final adoption. The duration of the legislative process will depend on the ability to find a common position, but it is not expected to be finalized before 2013.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Laurent De Muyter
Dr. Undine von Diemar
Stefano Macchi di Cellere
Kevin D. Lyles
Mauricio F. Paez
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.