Last week, on European Data Protection Day, the European Commission published its highly anticipated proposal for a new data protection framework.
This revision, which had already been announced in 2010, is motivated by the fact that the existing framework of Directive 95/46/EC is no longer fit for the challenges presented by the digital age with its new technologies and new services (e.g. cloud computing, social media, location-based services, etc.).
While the general principles of the existing data protection framework have been maintained (e.g. finality, proportionality, transparency etc.), the draft legislation brings considerable changes, the most important of which are:
- A Regulation instead of a Directive. In view of harmonizing data protection law across the EU, the European Commission has opted for a regulation. The main benefit is that, once adopted, it will be directly and universally applicable across the entire EU. National implementation will no longer be required.
- Broader territorial applicability. On the internet, many companies based outside the EU market their services and products to EU citizens. The new regulation will also apply where such non-EU-based companies process personal data while directing goods or services to EU citizens, or when monitoring their behaviour.
- Higher bar for consent. In addition to the other already existing options, consent remains a valid option for lawful processing of personal data. However, it will be less easy to rely on it than before. The controller will bear the burden of proving that the data subject has given consent. In addition, if there is a significant imbalance between the position of the data subject and the controller, consent will no longer constitute a valid ground for processing of personal data. Similarly, processing of personal data relating to children under the age of 13 will require the consent of their parents or custodians. Finally, consent will have to be given explicitly and the fact of giving consent must be made clear and distinguishable from other matters. The common practice whereby consent for a specific purpose is obtained by asking a data subject to accept a set of general terms and conditions will no longer be permitted.
- More rights for the data subject. The European Commission is determined to increase the rights of data subjects. Much has already been said about the 'right to be forgotten' and the 'right to data portability'. These should provoke a paradigm shift by virtue of which individuals are in control of their personal data rather than the companies the data is submitted to, especially in the field of social networking and profiling. In addition, data controllers will need to provide more detailed information in relation to the data being processed, such as storage periods, rights of the individuals and international transfers of their data.
- More accountability for data controllers. The European Commission vowed to cut red tape. Therefore, the general obligation to notify the data protection authorities of processing activities has been abolished. The flipside is that a series of practical measures are introduced to increase the accountability of data controllers. These obligations include the mandatory appointment of a data protection officer, mandatory training of staff, carrying out privacy impact assessments, etc. The administrative burden may have been reduced, but under the new proposal organizations will see a substantial increase in legal obligations.
- General data breach notification obligations. Building on the data breach notification for telecommunication companies and internet service providers, the regulation introduces a general obligation for all data controllers to notify the competent data protection authority of all data breaches without undue delay (in principle within 24 hours). Furthermore, if the data breach is likely to adversely affect the protection of the personal data or privacy of data subjects, the data controller must also notify them without undue delay.
- Stronger enforcement. One of the radical changes of the regulation relates to the enforcement powers granted to the national data protection authorities. This will include the right to carry out audits and to impose administrative fines of up to 1 million EUR or 2% of the annual worldwide turnover of a company.
- International data transfers. Acknowledging the request by companies for a more flexible approach toward international data transfers, the regulation has expressly recognized the value of Binding Corporate Rules (BCR). According to the European Commission, adopting BCR must become the norm for multinationals, and they will therefore be available to both controllers and processors.
While this proposal for a regulation will most definitely see further tweaking and fine-tuning from the European Parliament and the European Council, it seems clear that a page has been turned and that the European Commission's proposal is the start of a new chapter for European data protection law.
As for companies processing personal data, considering the increased rights of data subjects and the increased enforcement powers of data protection authorities, non-compliance with these new rules will no longer be an option. Implementing a comprehensive data protection compliance program will therefore become more important than ever before.