Proposed new European Data Protection Regulation: a Data Privacy Day gift from the European Commission?

Saturday 28 January saw the annual Data Privacy Day[1] once again upon us: an effort to alert the world to the importance of data protection which, to date, has had varying degrees of success. This year feels a little different. Between the PlayStation Network being hacked[2], the Leveson Inquiry[3], the current cookie law ‘hiatus’[4] and even the public response to Google’s new unified privacy policy[5], it seems the average data subject actually is paying attention in 2012.

To warm us up for the festivities, the European Commission released its proposal for a new European Data Protection Regulation (the Regulation). The original Data Protection Directive is a 1995 relic and, so the argument goes, unfit to protect Europeans from the modern perils of mass marketing and big data. First leaked in December, this is now the official version, setting out how the Commission expects data protection in Europe to unfold over the next decade. The proposal is now with the European Council and Parliament for review.

In this update, we will take a look at the main reforms proposed, and how the proposal has changed since the leaked December version.

REGULATION NOT DIRECTIVE

Most strikingly, the proposal is for a Regulation rather than a Directive. A Regulation sets out mandatory provisions that apply directly in all member states, rather than giving each country leeway to implement a Directive as it sees fit. With a single, uniform law, a data protection officer could act with confidence that the organisation is complying with its data protection obligations across the whole of the EU, with no need to instruct data protection lawyers in each jurisdiction for each outsourcing.

OTHER HEADLINES

Right to be forgotten: among the most contentious of the other new proposals is the ‘right to be forgotten’ contained within the proposed Article 17:

‘Article 17: The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data…’

The right to be forgotten is a technologically complex ‘beast’. Social web services often involve multiple users having access to the same data assets: how should my right to be forgotten relate to another user’s right not to have parts of their e-mail archive deleted?

It also raises further, so far unanswered, questions as to what constitutes ‘erasure’ in the eyes of the Regulation:

  • would marking the data as available to be overwritten (a logical deletion) be sufficient, or does it need to be actively overwritten?
  • if so, how many passes?
  • what if the personal data is stored in fragments in multiple locations, including backups and replicas: does every copy of every fragment need to be overwritten, or just enough to make the data unusable?

For many web community businesses, the data they have collected about their users literally is their main asset. Automated tools to withdraw consent could ‘go viral’ and wipe out that asset ‘without delay’, as the Regulation would require.

FINES

Changing the profile of data protection on the corporate agenda, Article 79 of the Regulation proposes an overall cap on fines for non-compliance of 2% of the ‘annual worldwide turnover’ of the non-compliant business. The caps would be staggered across three tiers of breach, ranging from low-grade breaches such as not responding sufficiently promptly to a data subject access request, through mid-tier breaches such as not giving data subjects relevant information about how their data will be used and stored, up to high-grade breaches such as:

  • ‘processing data without any or sufficient legal basis’;
  • profiling data subjects after they have objected to being profiled;
  • using personal data for direct marketing purposes without consent; or
  • not adopting internal policies for data protection responsibility.

The list of the most severe breaches runs from (a) to (m), so there is plenty for data protection officers to bear in mind.

The proposal leaked in December 2011 had caps for enterprises of 1%, 3% and 5% of annual worldwide turnover, but these appear to have been negotiated down to 0.5%, 1% and 2% over the Christmas period. With the caps now at half or less of those proposed two months ago, the Commission’s basis for the final figures is hard to see.

This is not the end of things, however: sweeping reforms abound:

  • The standard for giving consent has been raised: it must be ‘freely given, specific and informed’, as we have seen in other recent EU legislation, and it must be given by a statement or a clear affirmative action. This looks like ‘opt-in plus’.
  • Users would have the right to export their data in an electronic format (although the newly introduced caveat that this applies only where the data is held in a structured and commonly used format may save the likes of Facebook from giving up its social graph);
  • The scope of the Regulation is very broad, covering any company anywhere in the world that offers goods or services to, or even monitors, EU data subjects. This will make enforcement interesting to watch, and is hugely ambitious as the world attempts to form a consensus on privacy, with the Federal Trade Commission due to report on privacy later this year and Indian and Chinese privacy bills being implemented.
  • Personal data breaches (widely defined, with no materiality test) would have to be reported to the supervisory authority without undue delay and, where feasible, within 24 hours (this was ‘as a rule’ within 24 hours in the leaked version but has been softened in the last two months). Where notification is not made within 24 hours, the reason for the delay must be explained. Where the breach is likely to adversely affect the data subject, it must then be reported to the data subject without undue delay.
  • Children are afforded additional protections and rights in many places – including adults having additional rights over data which relates to them as a child;
  • Any processing of the personal data of a child below 13, in relation to information society services offered directly to the child, would need a parent’s consent. The method of obtaining that consent is still to be confirmed, but it is interesting to see the age threshold aligned with the US Children’s Online Privacy Protection Act (COPPA).
  • Extra consideration is to be given during implementation to micro, small and medium-sized enterprises (SMEs): in applying parts of the Regulation, the authorities will have to consider specific measures for them. This seems a sensible approach to reducing the administrative burden on entrepreneurs and start-ups, but the devil will be in the detail. It does not necessarily follow that small businesses process less personal data than big ones.

The proposals have now entered the next stage of the legislative process: debate by the European Council and Parliament. For context, the 1995 Data Protection Directive took five years[6] to go from this stage to signature. The UK Information Commissioner’s Office has already issued its preliminary views[7], welcoming the proposal but expressing some specific concerns. We expect more of the same from other national data protection authorities, and from the Article 29 Working Party, in the months to come.

Please look out for Kemp Little LLP’s upcoming event on data protection where we will discuss the proposed Regulation in addition to other data protection issues.

By Calum Murray, head of commercial technology, and Richard Folsom, commercial technology solicitor,
Kemp Little LLP.