A common criticism of the existing European Union (“Union”) data protection regime is that, because the core set of rules for the protection of personal data is contained within a Directive, Union Member States have interpreted and implemented the rules in a fragmented manner. Divergence is almost inevitable where the source of the data protection rules is a Directive because, to give effect to the rules at a national level, each Member State is required to perform a further legislative act.
However, under the new framework, the Commission’s legal instrument of choice is a Regulation, which will be directly applicable in all Union Member States. Therefore, the core set of rules for the protection of personal data should be generally consistent in each Member State. (It appears that only the rules governing processing of personal data by competent authorities in relation to criminal offences and penalties will be set out in a Directive.) This should satisfy one of the Commission’s objectives to harmonise data protection rules, creating a uniform set of standards across the Union.
The draft Regulation is wider in scope than the existing legislation, as it not only applies to controllers established in the Union, but also to non-Union controllers where the processing activities are “directed” to data subjects residing in the Union, or serve to monitor their behaviour, including for commercial or professional activities such as offering products or services.
The draft Regulation adopts some definitions from Data Protection Directive 95/46/EC; however, other definitions have been amended, expanded or newly introduced. New definitions include “personal data breach”, “genetic data”, “biometric data”, “data concerning health”, “main establishment”, “representative”, “enterprise”, “group of undertakings”, “binding corporate rules” and “child”. Of particular interest are the definitions of “data subject” and “consent”.
- The definition of “data subject” is now more detailed and extensive. It covers someone who can be identified, directly or indirectly, not only by the controller but by any other natural or legal person. Such identification could be based on an identification number, location data, online identifier or any factor that is specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- The definition of “consent” now requires that consent be explicit. This definition has been altered to ensure that the data subject is aware that s/he is giving consent and in respect of what that consent is being given. The Commission has acknowledged that children deserve specific protection of their personal data. Therefore, consent from a child (being any person under the age of 18) will only be valid when it is given or authorised by the child’s parent or custodian.
New rights have been introduced for data subjects, including:
- Article 15 gives the data subject a right to be forgotten and to erasure. The data subject has the right to erasure of his/her personal data where: the data is no longer necessary in relation to the purposes that it was collected or processed for; the data subject withdraws consent or the storage period has expired; the data subject objects to the processing of the data; or the processing does not otherwise comply with the Regulation. If the data is in the public arena, there is an obligation on the controller to erase or restrict the processing of that data, including where links to or copies of the data can be found on the internet.
- Article 16 establishes a right to data portability where data are processed by automated means, allowing a data subject to transfer their personal data from one service provider to another without hindrance. In certain circumstances, Article 16 provides the right to obtain from the controller those data in a commonly used format.
The obligations placed on both controllers and processors have been increased.
- Article 25 obliges each controller, processor and, if any, the controller’s representative, to maintain documentation of all processing operations under its responsibility and specifies the minimum content of such documentation.
- Article 27 requires controllers and processors to implement appropriate security measures. This requirement extends to all processors, regardless of the contract that they have entered into with the controller.
- Articles 28 and 29 build upon the existing personal data breach notification regime. They establish an obligation on the processor to alert and inform the controller of any personal data breach immediately after it has been established, and an obligation on the controller to notify the personal data breach to the supervisory body without undue delay and, as a rule, not later than 24 hours after the breach has been established. The breach must also be communicated to the data subject without undue delay and, again, as a rule, not later than 24 hours after the breach has been established, unless the supervisory authority is satisfied that appropriate technological protection measures (which would render the data unintelligible to those not authorised to access it) were implemented in respect of that data.
- Article 30 states that controllers must carry out data protection impact assessments prior to risky processing operations. A processing operation might be deemed risky based on its nature, scope or purpose and Article 30 offers examples of transactions that are likely to present specific risks.
- Article 32 introduces the requirement for companies and authorities to designate a data protection officer. The requirement applies throughout the public sector and, in the private sector, to the extent that the enterprise employs more than 250 persons permanently or the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects.
In line with the Commission’s acknowledgement that international data transfers are essential for doing business in today's global economy, the Commission has looked further at the Binding Corporate Rules (“BCRs”) model. Article 40 states that the relevant supervisory authority will approve a controller’s or processor’s BCRs, provided that they are legally binding and apply to and are enforced by every member within the controller’s or processor’s group of undertakings, and include their employees; they expressly give enforceable rights to data subjects; and they satisfy a list of specific requirements.
The draft Regulation imposes administrative sanctions that can be tailored according to the enterprise’s annual worldwide turnover. Certain breaches with an intentional or negligent element could lead to fines of up to 1,000,000 EUR or, in the case of an enterprise, up to five percent of its annual worldwide turnover. These sanctions bring data protection in line with other areas of regulation, such as competition law.
This article provides a brief overview of some of the provisions of the draft Regulation and industry awaits the Commission’s final proposal. For a more in-depth analysis and advice on complying with data protection legislation, please contact us.