Proposed EU Regulation Promises Significant Changes to Consumer Privacy
On January 25, 2012, the European Commission released its long-awaited proposal to reform its data protection rules, which have been in place since 1995. The "Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data" ("Regulation") will repeal and replace the existing Data Protection Directive (Council Directive 95/46) ("Directive") and the system of country-specific laws that it governs and is the latest step in the European Union's quest for greater harmonization and increased protection of consumers' right to data privacy.
Importantly, this proposal is only a draft. Passage is expected to take at least a year, and the enacted Regulation would not take effect for another two years. However, once enacted, the Regulation will be directly binding upon everyone in the EU Member States, whereas the Data Protection Directive was implemented through Member State law. In support of a single set of rules, the European Commission refers to a recent survey that found that two out of three Europeans are concerned that companies share personal data without permission and that nine out of ten want the same data protection rights across Europe. While a single set of rules may provide the benefit of standard regulation across the European Union, the Regulation imposes new obligations upon companies that participate in the European market.
Who Is Affected?
The Regulation aims to increase protection of personal data by establishing new rights and sanctions (which have already received significant publicity) and by strengthening and modifying existing obligations, in most cases to incorporate previous Working Party opinions. In addition, the administrative burdens placed on companies are changed.
New Privacy Requirements and Sanctions
The Regulation proposes several new substantive rights and obligations that, if implemented, would significantly affect business practices for many companies. However, the magnitude of the proposed changes also suggests that they will be heavily debated and quite possibly extensively modified before implementation.
- The right to be forgotten allows data subjects to demand deletion of their personal data when the purposes of the collection have been accomplished, the data subjects have withdrawn consent and consent was the basis for lawful processing, or when the data subjects object to continued processing. There is an exception for data needed for historical, statistical or research purposes.
- The right to data portability allows data subjects to request a copy of their personal data in a format that makes further use by the data subjects possible.
- The right to object strengthens the existing right of data subjects to object to the processing of their personal data by requiring an opportunity to object to data processing for the purposes of direct marketing.
- Data breach obligations are significant and, if passed, will require notification to the relevant data protection authority without delay and, where feasible, within 24 hours of learning of a breach. The required notification must describe the nature and extent of the breach, recommend mitigation measures, describe the consequences of the breach and discuss measures taken to address the breach. Notification to affected individuals is required "without undue delay" where the breach is likely to adversely affect the protection of the personal data or privacy of the data subject.
- Penalties and sanctions are significant. Failure to abide by the requirements will result in stricter sanctions. Data subjects are entitled to pursue judicial remedies and receive actual damages, with controllers and processors jointly and severally liable. In addition, administrative sanctions of up to 1,000,000 EUR or 2% of an enterprise's worldwide turnover may be imposed.
New Technical Requirements
The Regulation includes definitional and other changes that, for the most part, reflect the already-stated interpretations of the Article 29 Working Party. Examples of these changes include:
- "Consent" is defined to require an "explicit" indication of user preference. Data controllers have the burden to prove consent, and parents or legal guardians must give verifiable consent to process information regarding children under the age of 13. The changes are intended to ensure that the data subject knows that consent has been given, and for what it has been given.
- The definition of "child" is broadened to include any person below the age of 18.
- Data processing is explicitly limited to the "minimum necessary" information rather than a "not excessive" amount of information.
- Consumer notice requirements are longer and more detailed, and they are explicitly required to be "transparent and easily accessible."
- Controllers are expected to design privacy-protective defaults into their systems that do not expose data to an indefinite number of individuals.
- The current filing system and pre-authorization requirements are abolished. Instead, data controllers and processors will be obligated to carefully document each processing operation and to preserve that documentation for a potential audit. Potentially risky processing operations require the controller to undertake a data protection impact assessment and to obtain approval before beginning operations.
- Each controller and processor must appoint a data protection officer when its core processing activities require regular and systemic monitoring or where the processing is carried out by a public authority or an enterprise employing 250 persons or more.
- The Article 29 Working Party will be elevated to the status of an independent European Data Protection Board. The composition of the board would remain unchanged, and it would be charged with facilitating the consistent application of EU data protection law and cooperation between Member State data protection authorities.
Contact counsel if you have questions about the Regulation and its impact on your company, or questions about current European data protection requirements.
© 2012 Perkins Coie LLP