The EU are making changes to the rules on data protection – what do I need to do?

Now of historical interest only! Please see the latest articles here reviewing the actual provisions now due to enter into effect by early 2018.

Outdated text – see new article here.

For now nothing is changing and the process is highly political between the EU institutions and member state governments – but proposals are at a relatively advanced stage and decisions may be taken during 2014. However, a two year transition period would see the new rules come into effect in 2016 at the earliest (according to the UK Information Commissioner, probably 2017).

The draft rules take the form of a regulation, which (after the transition period) would become law automatically on approval by the EU institutions. This is unlike a directive, which requires implementation by each EU Member State; in the case of the existing directives this has been seen as a problem, leading to differing results from different implementations, interpretations and enforcement by different Member States.

At the time of writing in May 2014, the draft regulation had been approved by the European Parliament but not by the EU Council, which could reject it or spend many more months discussing the proposal.

Would there be new restrictions on businesses processing data?

For non-EU businesses, the new arrangements would require them to comply with the law in relation to their processing of the personal data of EU citizens when offering products or services in the EU or monitoring EU citizens. This would be a significant change, as at present applicability depends on whether the business is established in the EU or uses data-processing equipment or means of processing located in the EU.

International transfers of data could be carried out using contractual clauses that provide an equivalent level of safeguards, although such clauses could require the approval of an EU data protection authority. Alternatively, transfers could take place where the transferor and transferee were both certified under a “European Data Protection Seal”, as proposed by the European Parliament.

Penalties for breaches of the rules would rise significantly: up to €100,000,000 or up to 5% of annual worldwide turnover (European Parliament version) or €1,000,000 or up to 2% of annual worldwide turnover (European Commission proposal).

A “right to be forgotten” (or to “erasure”) is intended as a benefit to data subjects (users) who would be entitled to require a data controller to delete data in the absence of any legitimate reason to keep it and also, in the version approved by the European Parliament, to have third parties delete any public links to such data.

Users would be able to address complaints to their local data protection authority rather than the authority in the Member State where the data controller is established, which may lower the threshold for complaints.

‘Privacy by design’ and ‘privacy by default’ may mean that products and services need to be conceived differently in order to make high privacy settings the default rather than an option.

Consent to data processing would need to be explicit, separated from other terms, and not implied – the burden of proof would be on the data controller.

The European Parliament text also provides for greater protection of personal data and restrictions on monitoring of, and use of equipment by, employees (as their consent may be less freely given).

Are there any benefits?

EU businesses processing data could benefit from the new rules in terms of reduced administration and the certainty of dealing with just one data protection authority. Some examples:

  • Notifications of processing activities to data protection authorities would be abolished;

  • A business with more than one establishment would need to deal only with the data protection authority and laws in the Member State where it has its main establishment;

  • SMEs (fewer than 250 employees or, under the European Parliament proposal, those processing data of not more than 5000 persons a year) processing data would be exempt from some of the requirements: for example, they would not need to appoint any data protection officer or carry out data protection impact assessments, and would be entitled to charge for repetitive or abusive data requests;

  • The regulations in the form approved by the European Parliament expressly provide for a warning for a first-time unintentional offence, rather than directly a fine or other sanction;

  • A harmonised age limit of 13 years would be instituted, below which the consent of a parent or guardian would be necessary for processing of data of young people.

What next?

The Google Street View cases, where different EU Member States took quite different action and enforcement decisions, may in part be behind the pressure for greater coordination between Member States’ data protection regimes. Also, the NSA revelations have increased scrutiny of international data transfers and the adequacy or inadequacy of the EU-US Safe Harbor or contractual protections.

However, although the European Parliament has approved and even strengthened the proposals, the EU Member States through the EU Council of Ministers must also approve it and they appear far from united in relation to it. Differing cultures, constitutional laws, international relations and legislative priorities may make agreement difficult, delayed and – fairly certainly – diluted from the current documents.

Good data practices do seem to be good business. On the other hand, major global data processors have not been proactive in developing industry standards; and public concerns over the NSA revelations and developments in advertising tracking technology may make further regulation inevitable. EU laws in this area have been something of a world leader and the worldwide trend is towards more prescriptive regulation even in markets where to date regulation has been relaxed. So for now all that can really be said is that – in the light of the general direction that the legislation seems to be heading – new projects should be reviewed with care in relation to what types of data will be processed, where it will be processed, and the ways in which processing is justified by consent or otherwise.