EU Focus on Privacy Affects Global Companies, Including Those in the U.S.
The EU Commission recently published a draft Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “draft Regulation”).
The draft Regulation aims to replace EU Directive 95/46 on the same subject matter. Unlike the Directive, which EU Member States implemented into their national law with some room for maneuver, the draft Regulation contains rules that will be directly applicable in a uniform way in the 27 EU Member States (plus Norway, Iceland and Liechtenstein). Under this harmonized set of rules, enterprises will no longer have to deal, as under the current regime, with diverging national legislative regimes and authorities.
Regarding its contents, although the main existing principles will remain (i.e., legitimacy, transparency, proportionality and specific requirements for sensitive data and for international transfers), the draft Regulation brings some significant changes for individuals, enterprises and the national data protection authorities (DPA), notably the following:
The data subject’s rights will be reinforced.
In order to target non-EU companies that operate on the Internet, the draft Regulation will apply also to enterprises not established in the EU if they process personal data in relation to (i) the offering of goods or services to EU residents or to (ii) the monitoring of their behavior. This would lead to an extra-territorial application of the EU data protection rules.
The use of consent as a means for legitimizing data processing will be limited. Thus, where there is a significant imbalance between the position of the data subject and the data controller, such as in the employment context, consent shall not provide a legal basis for data processing. Wherever consent may still be used for legitimizing personal data processing, it will no longer be presumed from the circumstances but must be given explicitly, either by a statement or by a clear affirmative action. The data subject will have the right to withdraw his/her consent at any time. The draft Regulation also provides for specific rules regarding the processing of personal data of children.
In order to increase the transparency of data processing, the information to be provided to the data subjects about the processing of their personal data will be extended (retention period, right to lodge a complaint, data transfer to a non-EU country, etc.) and data controllers will have to implement detailed procedures for allowing individuals to exercise their right of access.
The new right to be forgotten, in fact an extension of the existing right to erasure, is aimed in particular at ensuring effective deletion of the personal information an individual has provided to social media networks once he/she has decided to close his/her account.
The new right to data portability, defined as the right to obtain a copy of data undergoing processing in an electronic and structured format, should allow data subjects to change online service providers more easily.
The draft Regulation enhances the compliance obligations of data controllers (the entities that determine the purposes, conditions and means of the data processing) and data processors (entities that process personal data on behalf of the controller, such as IT service providers).
The draft Regulation imposes duties of responsibility and accountability on data controllers, in particular:
- Keeping detailed documentation on the processing;
- Implementing data security requirements appropriate to the risks represented by the processing and the nature of the personal data;
- Performing impact assessment studies in case of risky data processing, such as profiling; processing of information on sex life, health and ethnic origin for the provision of healthcare; video surveillance on a large scale; filing systems on children; etc.;
- For enterprises employing at least 250 persons, designating a data protection officer.
The compliance measures will be independently verified by either internal or external auditors.
In accordance with the new concept of data protection by design and by default, data controllers will have to implement technical and organizational measures in such a way that the data processing meets the requirements of the draft Regulation. Moreover, products and services will have to be designed in such a way that privacy-friendly settings are activated by default when they are used.
The draft Regulation introduces a general data breach notification requirement. Data controllers will be obliged to notify their DPA of the breach within 24 hours as a matter of principle, and to all data subjects concerned by the breach without undue delay. The same obligation is imposed on the data processors vis-à-vis their controllers.
As far as international data transfers are concerned, the draft Regulation clarifies and amends the various means for legitimizing a transfer from the EU to a non-EU country. In this framework, the Binding Corporate Rules (BCRs), which allow intra-group transfers beyond EU borders, are legally recognized as a means for legitimizing such transfers.
As a matter of obvious simplification, companies with operations in several EU Member States will no longer have to deal with several national DPAs, but will be subject only to the jurisdiction of the DPA of their main place of establishment, which will act as a “one-stop shop” for data protection-related issues. Companies will also welcome the elimination of the general requirement to notify data processing activities to DPAs.
Data Protection Authorities
The draft Regulation provides DPAs with increased enforcement powers, since they will be able to impose fines on organizations that violate the data protection rules up to EUR 1,000,000 or up to 2 percent of their worldwide annual turnover.
The draft Regulation should eliminate administrative burdens and costs to companies incurred as a consequence of the current need to deal with various national data protection rules and DPAs. The downside for companies is that it imposes new significant and onerous obligations, with potentially substantial sanctions.
The draft Regulation, even if adopted as is, will not be applicable until at least two years after its adoption. However, companies should move forward now, not only by complying with the existing rules, especially those that will survive the reform, but also by planning how to achieve compliance once the new rules become effective.
The McGuireWoods data privacy and security team is preparing and will soon issue an in-depth analysis of the cost/risk management implications of the draft Regulation for businesses, together with the compliance issues that will flow in particular from the mandatory data breach notification.
McGuireWoods Data Privacy and Security Team
Counseling regarding data protection, including global data breach and privacy issues, is one of the services of McGuireWoods’ interdisciplinary Technology & Outsourcing practice, which provides legal services for business transactions driven by technology. Foremost among our diverse services are IT procurement, outsourcings, e-commerce transactions, data security, and dispute prevention and resolution. Our clients include Fortune 100 corporations, governmental entities, nonprofit organizations, and emerging business enterprises spanning the industry spectrum. For more information, see our Brussels EU Data Protection practice or our London office page.