EU Considers Changes to Data Privacy Legislation

In May 2009, the European Commission launched a public consultation on the European Union legal framework for the protection of personal data. This framework is largely encompassed by the EU Data Protection Directive (Directive 95/46/EC), which was adopted in 1995. The stated objectives of the consultation were threefold: (i) to modernize the EU legal system for the protection of personal data, in particular to meet the challenges resulting from globalization and the use of new technologies; (ii) to strengthen individuals’ rights, and at the same time reduce administrative formalities to ensure a free flow of personal data within the EU and beyond; and (iii) to improve the clarity and coherence of the EU rules for personal data protection and achieve a consistent and effective implementation and application of the fundamental right to the protection of personal data in all areas of the Union’s activities. Following receipt of public comments and meetings with identified stakeholders, the Commission in November 2010 issued for public comment a high-level blueprint of the changes it was considering to the Data Protection Directive. At that time, the Commission indicated that it expected to issue a legislative proposal by mid-2011. This date was later pushed back to the fall, and then again to early 2012.

Directorate-General for Justice (DG Justice), the department within the European Commission responsible for data protection and developing the Commission’s proposal for reform of the Data Protection Directive, recently commenced interservice consultation on its draft legislative proposal for reform of the Directive. Interservice consultation is the process by which one department within the Commission obtains the views of other departments before a legislative proposal is formally introduced. The consultation process is generally intended to be internal to the Commission and closed to the public. Nevertheless, as has been widely reported in the media, DG Justice’s interservice consultation draft was leaked or otherwise made available to the public, and copies can be downloaded at: http://www.drinkerbiddle.com/files/upload/eu-com-draftdp-reg-inter-service-consultation.pdf. Of particular note, DG Justice’s proposal takes the form of a regulation, and the regulation would replace the existing Directive. Under EU law, a regulation is a legal instrument that is directly binding on the public and does not require any EU member state implementing measures. In contrast, a directive is a legal instrument that requires member states to adopt national laws consistent with its provisions. Directives can afford member states a certain degree of flexibility in terms of the specific means of achieving the identified objectives. This flexibility has led to criticism of the current framework for data protection as lacking harmonization among member states and creating a confusing patchwork of member state laws.

The Commission is expected to officially release the proposed regulation on or around Data Protection Day (January 28). The draft will likely change as a result of the ongoing interservice consultation. Some commentators suggest that the legislative process that commences once the proposal is formally introduced by the Commission could then take up to two years.

This summary presumes a general familiarity with the current requirements of and terminology in the Data Protection Directive . Some general highlights of the draft regulation include the following:

• Penalties for non-compliance could be severe. In the case of a corporation, fines of up to 5 percent of the corporation’s annual worldwide turnover are possible. The penalties are required to be “effective, proportionate, and dissuasive.”
• Companies with multiple establishments throughout the EU would be subject to supervision by a single data protection authority (supervisory authority). The location of this supervisory authority would be based on the location of the company’s central administration within the EU (i.e., the location where the management decisions concerning the purposes, means, and conditions for the processing of personal data are usually made). (Companies without establishments in the EU would be subject to the regulation if they direct data processing activities at EU residents.)
• Existing requirements to register a company’s data processing activities with data protection authorities would be abolished and replaced with various requirements to create and maintain documentation of one’s data processing activities. Companies would be required to undertake privacy impact assessments in a number of instances, including when processing health data, genetic data, or biometric data. “Genetic data” would be defined as “all data, of whatever type, concerning the hereditary characteristics of an individual.” Genetic data would be explicitly included as a sensitive category of data. “Biometric data” would mean “any data relating to the physical, physiological, or behavioral characteristics of an individual which allow his or her unique identification, such as facial images, or dactyloscopic data.”
• Companies with more than 250 employees would be required to appoint a data protection officer. There would be a variety of rules to ensure the independence of such data protection officers.
• A “right to be forgotten” would be given legal effect. However, retention of data would be allowed where it is necessary for historical, statistical or scientific research purposes. The definition of consent would be modified to require that when consent is relied upon as a grounds for processing of personal data, such consent must be explicit (i.e., “opt-in”).
• Personal data would be permitted to be processed for purposes of scientific research where those research purposes are compatible with the purposes for which the data were initially collected, or consent of the data subject to processing for the research purposes is obtained. Processing pursuant to the scientific purposes justification is permitted only where (i) “these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject”, and (ii) “data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.” As noted in the recitals, “the procession of personal data for the purposes of historical, statistical or scientific research should, in order to be lawful, also respect other relevant legislation such as guaranteeing patients’ rights or on clinical trials.”
• Security breach notification would be required within 24 hours of discovery of a breach to the supervisory authority. Notification to data subjects would be required also within 24 hours, but only where the breach adversely impacts the privacy of the data subject. A breach would be considered to adversely impact the privacy of the data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation.
• Binding corporate rules for both controllers and processors would be recognized as grounds for transferring personal data to countries not deemed to provide adequate data protection. The process for approval of BCRs would be further simplified. Companies that transfer data internationally, pursuant to an approved BCR or the model contractual clauses, would not be required to obtain further approval prior to transferring the data.
• Before transferring personal data for purposes of compliance with foreign e-discovery requests and orders, approval of the supervisory authority would be required. Similarly, supervisory authority approval would be required before complying with an order to disclose personal data to U.S. authorities pursuant to the USA Patriot Act or similar legislative instruments in other countries outside the EU.
• The Article 29 Working Party would be turned into the “European Data Protection Board” and would have powers to oversee the decisions of member state DPAs. The European Commission would have the authority to interpret provisions of the regulation.
• Associations representing categories of controllers would be encouraged to develop codes of conduct to facilitate the effective application of the regulation, taking into account the specific characteristics of the processing in that sector.