The European Commission's proposal for a General Data Protection Regulation represents the most significant global development in data protection law since the EU Data Protection Directive, a legal framework which has struggled to remain relevant in an age of mass information sharing.
A "regulation", unlike a "directive", will be directly applicable in all EU member states without the need for national implementing legislation. The Commission's aim is to harmonise data protection law across those member states.
The legislative process is likely to take up to two years to complete. With any proposed regulation then taking a further two years to come into effect, it is unlikely that it will be in force before 2015.
While some of the current proposals will undoubtedly be amended in the course of this lengthy process, this article focuses on some of the practical steps that companies could usefully be considering now.
Make your voice heard
You may wish to lobby for changes to any aspects of the proposed regulation that are particularly problematic for your operations. As the legislative process is only just beginning, there is scope for amendments to be made.
The Ministry of Justice issued a "call for evidence" to inform the UK's negotiation position on the proposed regulation, and the results should be available online by 4 June 2012. Representatives from the Ministry of Justice are also attending many events run by various interested associations and other groups to hear the views of interested parties.
Organisations that have not commented on the proposed regulation by this process may wish to consider whether to appoint a lobbying firm (perhaps the most effective way to lobby). Many of these firms are based in Brussels and are deeply familiar with the processes, timelines, committees and individuals involved.
Alternatively, it is possible to lobby directly. You can track the committees involved and the rapporteur who will oversee and support the progress of the legislation online.
Read advice from our Security Think Tank on how to prepare for the EU data protection rules
Move towards compliance
One of the main benefits of the proposed regulation is that companies should have only one regulatory authority that supervises its activities across all EU member states. This is Viviane Reding's "one-stop shop" idea. Businesses with a presence across several European countries should therefore consider which regulatory authority would be its supervisor. This looks likely to be where the main decisions as to the purposes, conditions and means of processing of personal data are taken.
In theory, this should lead to a harmonised approach, as the proposed regulation is directly applicable in all member states and contains a "consistency mechanism" to try to ensure that a consistent approach is taken by supervisory authorities. In practice, however, there may well be divergences of attitude of national regulatory authorities (for instance towards enforcement). This may well lead to "forum shopping", whereby companies centralise their decision-making in more business-friendly jurisdictions.
Taken at a very high level, you can segment many aspects of compliance with the proposed regulation into three broad categories:
1. Internal procedures
One of the key themes of the proposed regulation is accountability (broadly – taking responsibility for your data processing). This concept is very likely to remain a key theme. In practice, this will entail establishing a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise data processing and retention of data, and building in safeguards to all data processing activities. Auditable data impact assessments will need to be conducted to review any risky processing activities and steps taken to address specific concerns.
Many data-rich companies are attempting to de-risk their personal data processing activities by limiting employee access to data on a much tighter "need to use" basis and where possible anonymising and encrypting data. As an added incentive, the obligation to notify data subjects of a data security breach is unlikely to apply where the data has beenrendered "unintelligible" to persons who are not authorised to use it.
Analyse the legal basis on which you use personal data. Do you rely on data subject consent to process personal data or can you show that you have a legitimate interest in processing that data, that is not overridden by the interests of the data subject? What data transfers do you undertake and how do you ensure that the transfer of data to countries that are not recognised as having adequate data protection regulations are nonetheless safeguarded in a way that is compliant with legislation? Should you consider adopting binding corporate rules to facilitate intragroup transfers of data?
Review your current policies and procedures
You will need to document your data processing operations. The proposed regulation currently contains fairly onerous commitments as to the documentation to be maintained and implemented by data controllers and processors. This documentation must be made available to your supervisory authority on request. While these commitments may be softened and some regulators may be much more interested in substance over form, any company that cannot produce considered and clear policies will find it very difficult to prove that it has established appropriate standards and policies throughout its business.
Are you a processor?
By contrast to the existing legislation, the proposed regulation now imposes some direct obligations on processors. If you regard yourself as a processor for services that you provide to customers, you will need to take on board the fact that you will have direct statutory obligations, such as maintaining appropriate documentation.
How will you react to a data security breach?
Breaches of data security will need to be notified to the regulator and, in certain circumstances, to the individual(s) concerned where an adverse effect on their privacy is anticipated as a result of the breach. Despite criticisms of the broad nature of this obligation, it is likely to survive in some form. Once the position is clearer, you will need to put in place clear and well-practised procedures to ensure that you can notify in time.
2. Your communications with data subjects
Companies often assume that they need to obtain the consent of a data subject to process their data, which is often not correct (unless, for example, cookies are being used). Consent is one of a number of different ways of legitimising processing activity. It is far from the favoured route of regulator,s as it can be difficult to ensure that consent is meaningful and freely given, and it can be withdrawn.
If you do rely on obtaining consent to legitimise processing, you should review whether your documents and forms of consent are adequate and check that consents are freely given, specific, informed and explicit – and note, you will bear the burden of proof.
The proposed regulation provides that consent can no longer be relied on in any case where there is a significant imbalance between the position of the data subject and the controller (such as in an employment context). If you use personal data for direct marketing, it will be necessary to offer a very clear right for the data subject to object to processing.
Whether or not you rely on consent to legitimise processing, unless an exemption applies, you will need to inform data subjects of its processing of their data. Information provided should be in clear and plain language. Your policies should be "transparent and easily accessible".
Right to be forgotten
One of the most talked about elements of the proposed regulation is the so-called right to be forgotten. In theory, an individual will be able to demand that organisations erase records of their personal information, but this will only apply where there is "no legitimate reason" for the data to be retained.
If you store personal data, consider the legitimate grounds for its retention – it will be your burden of proof to demonstrate that your legitimate grounds override the interests of the data subject. You may also face individuals who have an unrealistic expectation of their right to be forgotten.
3. Data processing activities involving third parties
If you provide data processing services to third parties, you are likely to find that your customers will wish to ensure that your services are compatible with the enhanced requirements of the proposed regulation – whether that is in relation to data minimisation, helping them to comply with the right to be forgotten or reporting a data security breach.
You should therefore consider whether your contractual documentation is adequate and, for existing contracts, check who bears the cost of making changes to the services as a result of the changes in laws or regulations. If you obtain data processing services from a third party, it is very important to determine and document your respective responsibilities.
Cross-border data transfers
As with intra-group international data transfers, it will be important to ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation. This is not a new concern, but as failure to comply with the proposed regulation's requirements in this respect could attract a fine of up to 2% of annual worldwide turnover, the consequences of non-compliance could be severe.
While the proposed regulation is likely to undergo fairly extensive negotiation and amendment, we expect the main concepts mentioned above to remain. Compliance with obligations such as accountability take time to become part of a company's DNA.
Given that the proposed financial penalties for non-compliance are severe, companies that start to take steps to address the proposed changes will be in a stronger position. The official line is that the figures being discussed – in some cases amounting to 2% of annual worldwide turnover – are intended to be "effective, proportionate" and, most pointedly, "dissuasive".
Jane Finlayson-Brown is a partner in the corporate department of law firm Allen & Overy
This was first published in March 2012