Fresh Data Blog
The Latest on the European Privacy Directive
Date: February 2012
Here we go again! The European Commission (“EC”) is revising the law which has given so many companies in Europe a headache, the Data Protection Directive, which was adopted in 1995.
From that Directive came requirements for companies in Europe to register with a data protection office in each country where they had operations, to develop complex contracts or join the US Safe Harbor program if they brought European personal information back to the US, to obtain consent in some countries even to send direct mail offers, and definitely to obtain consent to send email offers.
With the digital age having revealed many weaknesses and inadequacies in the old Directive, the Commission is now proposing an entirely new approach – a Regulation. In the European system, a Regulation is a truly Europe-wide law, not subject to interpretation by each of the member countries, as is a Directive.
This Regulation, when adopted, will do three very important things: (1) Bring the law into the 21st digital century and take account of the increasing globalization of data use caused, for example, by e-commerce, (2) Harmonize the interpretation of the law and treatment of companies subject to the law throughout Europe, making compliance uniform, and (3) Hopefully reduce compliance costs and bureaucratic obstacles.
Key proposed changes, some of which will be very controversial, include:
- Global Reach: This law will apply to processing of personal data related to anyone living in Europe, citizen or non-citizen, even where the data controller is outside the EU. In short, a website in the US which gathers information on a customer in Europe will be subject to the law.
- Simplified Regulatory Regime: For companies doing business in more than one country in Europe, although they will still be subject to regulations in each country, their primary regulator would be the one in which they have their “main establishment”. At the same time, the previous system of having to register one’s data processing activities and files in each country will be abolished. In short, there is an attempt to create a “one regulator” and “one-stop shop” for data protection compliance by companies.
- In-House Expertise Requirement: Government offices and companies with more than 250 employees must appoint a data protection officer whose function will be to ensure compliance. Previously, only Germany had this as a legal requirement, although many companies of this size would likely have in-house legal advisors who functioned as advisors on this subject. Whether or not this requirement applies outside Europe remains to be seen.
- Data Breach Reporting Requirement: In what could prove to be one of the most controversial requirements, companies will be required to notify their national data protection regulator of a personal data breach “without undue delay and, where feasible, not later than 24 hours” of becoming aware of it.
- Right to be Forgotten: Data controllers would be required to delete an individual’s personal data if that person explicitly requests deletion or otherwise when there is no other legitimate reason to retain it. In fact, this merely makes explicit a power that individuals possess today. It is rarely exercised.
- More Regulatory Power & Potential Fines: The powers of data protection authorities will increase. Fines of up to €1 million, or up to 2% of a company’s global annual turnover, are provided for. These would be among the highest penalties in the European corporate legal regime.
- Explicit Consent: Consent to process data would be required to be explicit (rather than merely assumed). However, the use of data for direct marketing still remains in an “opt-out” form, despite a proposal in an earlier draft for explicit consent. Email, however, remains opt-in.
All of this comes with a cost, of course, and those costs stem from new compliance requirements and potential new liabilities under the law.
It is early days still. The proposal was only announced on January 25. It must be studied and negotiated in Europe by the member countries and their Brussels representatives. If some countries object strenuously to various parts of it, as Germany and the UK are likely to do, the process may go on for some time.
GADA’s privacy expert Charles Prescott, with whom Data Services consults on these matters, has estimated it could be two years before the law is finalized. It is for this reason that we have decided to report to you periodically on developments as the Regulation is debated. Look for news on this in future issues.