Following several delays, the European Parliament Committee on Civil Liberties recently voted to adopt amendments to the EU’s proposed Data Protection Regulation. The proposed regulation, described as the most lobbied-against pieces of European legislation, will affect virtually all industries if adopted. Over 4,000 amendments have been received on the proposal from other committees within the European Parliament and from industry.
The pressure is now on to get the proposal adopted before the European Parliament’s elections in April 2014. However, following the recent meeting of European Heads of State, where there was disagreement over the timing of the proposal, it is more realistic for the proposal to be adopted some time in 2015.
Scope of regulation and enforcement
The proposed regulation will apply to European businesses that process personal data, and businesses outside the EU that monitor EU citizens or process personal data obtained from offering goods or services to EU citizens.
This effectively means any business that has European customers will need to comply with the new requirements under the proposed regulation.
There will be significant fines for companies that do not comply with the proposed regulation of up to 5% of annual worldwide turnover, or €100m, with the possibility for individuals and associations, acting in the public interest, to bring claims for non-compliance.
These fines will make data protection a boardroom issue and will require companies to carefully review what they need to do to comply.
Security, security breaches and data protection officers
Under the proposed regulation, appropriate technical and organisational security measures will need to be implemented by businesses. Security policies will also need to contain specific provisions – for example, a process for regularly testing, assessing and evaluating the effectiveness of security policies.
Businesses will also need to have detailed documentation on the data that is processed. In the case of a security breach, there will be a legal requirement to report the breach to a Data Protection Authority (DPA) without undue delay.
More on EU data regulation
Businesses will also be required to adopt reasonable steps to implement compliance procedures and policies, which should be reviewed every two years. The procedures should include adopting privacy by design throughout the lifecycle of processing from collection to deletion of data and carrying out privacy impact assessments where there are specified risks or data on a large number of individuals.
Where a business has data on more than 5,000 people in any 12-month period, or a business processes sensitive data, such as health data, it will need to appoint a data protection officer (DPO) who should have extensive knowledge of data protection. The DPO does not necessarily need to be an employee and the requirement may lead to an army of data protection officers and privacy consultants.
For many businesses, if adopted, these new obligations will require a significant review of existing security and data protection measures, policies and procedures, with training of staff and provision of additional resource.
Explicit consent, profiling and the right of erasure
Under the proposed Regulation, consent for processing personal data should be explicit and must be obtained through affirmative action. It should also be as easy to withdraw consent as to give it, while processing personal data on children under 13 will require the consent of the parent or legal guardian.
Businesses will need to review existing consent forms and policies
There are also new requirements for standardised data protection policies for individuals using symbols or icons. The information should include details on rights of access to the data, rectification and erasure of data, the right to object to profiling, how to bring a complaint to the relevant DPA and how to bring legal proceedings.
Importantly, the proposed regulation gives individuals the right to object to profiling and imposes a new requirement to inform an individual about this right in a "highly visible manner". In a digital world, the new restrictions on profiling, if adopted, could have a major impact on the marketing strategies of online companies and on the new methods being developed to analyse large quantities of data, such as through use of “Big Data”.
The proposed regulation also includes a new Right of Erasure, which would give individuals a right to have their personal data erased where the data is no longer necessary or where their consent is withdrawn under certain circumstances. Businesses will need to review existing consent forms and policies to take into account these new requirements, if adopted.
The proposed regulation maintains the current restrictions on the transfer of personal data from the EU to countries outside the EU that are not considered to provide an adequate level of protection, such as the US.
More on security
The latest amendments also re-introduce an important provision requiring that any request by a foreign authority or court outside of the EU for access to personal data in the EU must be authorised by a DPA.
The impact of the proposed Regulation, once adopted, will likely be significant for businesses, governments and individuals not only in the coming months but also for years to come and therefore it should continue to be closely monitored by all industries.
William Long is a partner at law firm Sidley Austin
This was first published in November 2013