The first draft EU Data Protection Regulation was leaked in December 2011. This nonofficial version clearly demonstrates that the European Commission intends to provide a more harmonized EU data protection legal framework, to strengthen the protection of data subjects and to ensure a better enforcement of the EU data protection rules by a deterrent sanctions mechanism.
Harmonisation and Updating of the Existing EU Data Protection Rules
The EU Member States personal data legislation is governed by Directive 95/45/EC, which was adopted on 25 October 1995. More than 16 years later, this Directive presents two main disadvantages:
- Since the Directive is not directly applicable throughout the European Union, it has been implemented by each Member State in its own system, with some latitude in interpretation. As a consequence, some significant differences currently exist between the national data protection laws of Member States, which implies that an identical situation will not be treated in the same way, for instance, in Italy, Germany, Great Britain and Belgium. In concrete terms, a company established in these four countries, which collects and processes personal data via and between its different subsidiaries, has to comply with all these different legislations.
- The Directive was adopted before the advent of social networks and cloud computing, which have increased, with other things, the collection and international sharing of personal data over the last decade.
Increased Rights of Data Subjects
The protection of data subjects is clearly strengthened by several provisions:
- Extraterritorial application to non-EU businesses: whereas the Directive is currently applicable to businesses that are established in the EU or use equipment located there, the draft Regulation would apply to any businesses that direct processing operations towards the EU even if they are not established in the EU and do not use equipment located there.
- Clarification of the right to be forgotten (i.e., to have his or her data erased): this right is particularly important for social media.
- Introduction of a right to data portability: the data subject is entitled to request the transfer of his or her personal data to another provider.
The draft Regulation also clarifies some notions contained in the Directive:
- The “data subject” is someone who can be identified, directly or indirectly by the controller or “any other natural or legal person.”
- The “consent” is now defined as any “freely given specific, informed and explicit indication of will.” This consent would not be valid (i) when given by a child without the authorization of his or her parents and (ii) where “significant imbalance in the form of dependence between the position of the data subject and the data controller” exists (e.g., between employees and employer).
New Obligations for Data Controllers
For instance:
- Appointment of a data protection officer in large enterprises (more than 250 employees);
- Performance of an assessment of the impact of the envisaged processing operations where they are likely to present risks to the rights and freedoms of the data subject;
- Implementation of measures to ensure that the processing of personal data is performed in compliance with the data protection rules and to keep records of all forms of processing of personal data carried out by the controller;
- Notification to the national authorities of the EU Member States and directly to the data subject in certain cases (e.g., breach of personal data).
Deterrent Penalties
The draft Regulation enables the national authorities of EU Member States to impose penalties of up to 5 percent of the annual worldwide turnover of a business that fails to comply with the Regulation.
McGuireWoods Global Data Security Team
Counseling regarding data protection, including global data breach and privacy issues, is one of the services of McGuireWoods’ interdisciplinary Technology & Outsourcing practice, which provides legal services for business transactions driven by technology. Foremost among our diverse services are IT procurement, outsourcings, e-commerce transactions, data security, and dispute prevention and resolution. Our clients include Fortune 100 corporations, governmental entities, nonprofit organizations, and emerging business enterprises spanning the industry spectrum.