European Commission Releases Much Anticipated Data Protection Regulation: Questions Remain About What Will Finally Be Implemented

On January 25^th, the European Commission published a proposal for a new data protection regulation to replace the 1995 Data Protection Directive. The 1995 Directive has come under considerable criticism due largely to the significant variation in implementation by the 27 EU member states. While the Commission had announced a review of the Directive in the last few years, the proposal of a Regulation is intended to reduce the myriad approaches across the EU while also updating the rules to reflect such things as social networks, increased and more complex international processing, online behavioral advertising, and breach notification, to name just a few.

Highlights

The stated goals of the Commission in revamping the data protection rules have for some time included the expansion of an individual’s privacy rights, including the somewhat optimistic ‘right to be forgotten’, and for those subject to the rules, the simplification and consistency of compliance whether it be the use of cloud computing, international data transfer mechanisms, or marketing to European consumers. To those ends, the Commission has proposed the following:

• The right to be forgotten, in that if you no longer want a company to process your data and there is no ‘legitimate’ reason for the company to keep it, that data must be deleted.
• Breach notification ‘without undue delay’ and within 24 hours where feasible, likely placing the burden on the organization to explain why notice may take longer than a day.
• ‘Privacy by Design’ – the principle developed by Dr. Ann Cavoukian, Ontario Information and Privacy Commissioner – holding that the privacy and protection of personal information must be an integral part of any (re)design of an information system.
• Potential penalties up to 2% of a company’s global revenue for failure to comply with the European rules.
• Clearer rules of when the Commission intends application of these rules to firms that may have no presence within the EU, such as a US-based website that is accessible to or directed toward European consumers.
• Further encouraging the adoption of binding corporate rules for groups of companies (including service provider/data processors) to facilitate cross-border data transfers and promising the expedited approval of both BCR applications and other ‘adequacy’ decisions.
• Moving farther along the spectrum toward explicit consent and opt-in prior to the collection and processing of personal information. The viability of simply posting a privacy policy and leaving the burden to the consumer will not last long.
• Requiring the appointment of Data Protection Officers (commonly called Chief Privacy Officers in the US) for firms with over 250 employees.
• Eliminating the obligation currently in many member states that all types of data processing be notified if not approved by the national Data Protection Authority.

Skepticism about the final product

While there is much to gain from understanding the proposed Regulation and assessing where an individual company’s risks may be from the changes, it is important to remember that the document is styled and remains a proposal. The proposal must still be vetted by the European Council and the European Parliament. While the current draft most likely reflects a certain degree of consensus among EU members, the voting rules of the European Council and the Parliament mean that there will probably be further haggling and modifications in order to achieve the votes necessary for issuance of a final Regulation.

What to do?

With the proposed Regulation figuratively hot off the presses there is much to be digested from the 100 pages or so, in addition to identifying what has changed from the previously leaked version. The US government and international companies will doubtless want to understand how the proposed Regulation may benefit or hinder current and future activities and convey observations through appropriate channels as the Regulation is considered.

In the shorter term, while the Regulation is not likely to emerge precisely as proposed it is reasonable to expect many of the core changes to remain largely intact. We will continue to provide updates as understanding and ‘feedback’ regarding the Regulation continue.