First draft of a new data protection regime – the proposed EU Regulation

A reform of EU data protection law has been on the cards for several years now, to update the Directive drafted in the early 1990s. Following public consultations in 2009 and 2010, the publication of the proposed new law has been long-awaited. Key aims are to adapt to the rapid increase in the amount and value of data used by businesses, the technologies and methods by which data is shared and used (particularly by means of the internet) and the global market for business and social operations. It is also hoped that the new law will address practical issues which have arisen in the interpretation and implementation of existing law, by harmonising, clarifying and simplifying certain obligations.

A proposed new law has therefore been welcomed by regulators and business. The provisions combine new requirements with clarification and elaboration of existing requirements, leaving less room for misapplication. However, with a week now since publication of the draft Regulation, a number of reported concerns are gradually emerging, including on practical consequences of some provisions and areas for further clarity.

The proposed new Regulation has perhaps a clearer definition of territorial scope than its predecessor; the requirements will apply to data controllers and data processors (see paragraph on processors below) established within the EU or those data controllers directing goods and services to the EU. However, as the Information Commissioner raises in his initial response to the proposal³, it is unclear at this stage how the requirements will be enforced against overseas controllers.

The existing law requires tighter controls for certain categories of data (“sensitive personal data” under the DPA) above those for all personal data. These are to be expanded under the Regulation to include genetic data. In addition, there are proposed requirements relating specifically to the use of children’s data, and, in the context of carrying out impact assessments, the use of biometric data. The draft Regulation also recognises use of data on individual preferences and behaviour (now widely used by online businesses) as a specific area of risk (e.g. in relation to profiling).

The proposed new law retains the concept of core principles governing the use of personal data. Principles of transparency, data minimisation and accountability, although arguably covering matters already required under current principles, are now explicitly mentioned. In addition, there is generally more elaboration surrounding the precise requirements of the principles.

The Regulation includes a new article on data protection by design and by default. “Privacy by design” is a concept already promoted by the Information Commissioner’s Office in the UK, and involves taking data protection into account in the design of systems and procedures (rather than after the data processing starts). Data protection “by default” means that the default position is to process the minimum amount of data necessary.

An example of elaboration of existing requirements can be found in the proposed provisions surrounding consent of the data subject (as a condition for lawful processing). Consent must be “specific, informed and explicit” and the data controller has the burden of proving that it has been obtained.

If consent to data processing is being obtained as part of agreement to another matter, the presentation of the consent requirement must be distinguishable from such other matter. For example, in the context of providing an online service, it may not be sufficient to “hide” a data protection consent within the middle of the terms of service.

Consent can also be withdrawn at any time and organisations will need to consider how this may impact any related agreement/services provision. Consent cannot be relied upon at all where there is “a significant imbalance between the position of the individual and the data controller”. This may restrict relying on consent where the individual does not have a genuine choice.

Overall, even to the extent these provisions do not change the intention of existing law (although arguably they are tighter), they spell out what is acceptable and clarify that alternative methods (which may currently be relied upon for obtaining consent) will not be valid.

Although already commonplace (and good practice), under the Regulation, having a data protection officer would be mandatory for the public sector and organisations with over 250 employees. Such officers would have specific roles, including monitoring the implementation and application of the law and associated policies (although it is the controller or the processor’s responsibility to ensure this, and the officer himself/herself does not appear to have direct obligations under the Regulation).

Proposed new obligations for data processors would have a big impact on technology and data service providers. The existing legislation only imposes obligations on the “controller”, being the party who determines the purposes for which and the manner in which personal data is processed. A data controller is also responsible for compliance by its “processors”, being parties who process data on behalf of the controller (e.g. a service provider). The data processor currently has no direct obligations to comply with the law (although should have appropriate contractual obligations to the data controller).

It is now proposed that processors will have certain direct responsibilities for compliance, meaning that regulators and data subjects could take action against them for non-compliance (as well as the controller). Obligations include to keep data secure from misuse, loss or damage and to retain certain records relating to their use of personal data.

For data processors, this means that data protection would no longer be simply a matter of “helping out” data controllers with compliance (and complying with some often not very prescriptive contractual clauses), as there would be direct consequences at law for non-compliance.

The proposals provide additional protection for data subjects, but only within the EU – where a service provider is in a third country, these requirements will not apply (see also paragraphs below on processor to controller relationship and transfers of data).

The proposals will still require each data processor to be “legally bound” to the data controller. Whilst the legislation anticipates sub-processors (there is a requirement on processors not to appoint a further processor without the controller’s permission), it does not appear clear how sub-contracting structures will meet the “legally bound” requirement (which has long been an issue under current law). Sub-contracting models are extremely common, and with developing technologies such as cloud services, sub-contractors (often overseas) may have no connection to the ultimate data controller. It would be useful for more clarity on this point (which also calls into question whether cloud providers could be controllers (or joint controllers) in their own right).

The proposed Regulation introduces a requirement for breaches of security to be notified to the relevant supervisory authority (in the UK, currently the Information Commissioner’s Office). Such breaches must also be notified to data subjects where they are “likely to adversely affect the protection of the personal data or privacy of the data subject”.

Breach notification is not currently compulsory in the UK, although there has been a recent increase in voluntary notification of substantial breaches. The proposed changes introduce a seemingly wide requirement, which could lead to a flood of required notifications (and associated administration and alarm), even if a breach has no substantial impact. However, the proposed Regulation also leaves scope for delegated legislation to specify further circumstances in which it may or may not be necessary to provide such notifications.

As with current law, the draft Regulation contains restrictions on transferring personal data to countries outside the EU and extends the relevant provisions to include transfers to “international organisations”. Certain countries may be designated as “adequate” by the EU Commission (and it is possible that countries currently satisfying “adequacy” criteria may need may need re-assessment following implementation of the new law).

There are expanded provisions on standard contractual clauses and binding corporate rules which allow more options for these to be approved and adopted. Prior authorisation of the regulator may be required where these options are not taken.

There are similar derogations to the restrictions, e.g. consent and necessity. In relation to consent, the associated risks must be highlighted – simply asking for consent to transfer data overseas will not be sufficient.

The draft Regulation also includes provision for the promotion of international co-operation. It will be interesting to see how this develops, as the proposed law does not appear yet to solve all the complications of globalisation, including requirements of overseas authorities.

Contrary to the current law, the draft Regulation does not contain any general requirement to notify/register with the supervisory authority. This seeks to reduce administrative burden by focussing on notification and authorisation requirements only in high risk situations (e.g. international transfers or breaches). Data controllers and processors will, however, be required to maintain documentation relating to their processing activities.

The rights of data subjects, i.e. the individuals about whom data is processed, have been expanded and clarified. Of particular note, the much-debated “right to be forgotten” expands on existing rights to erasure of data. There are also new provisions on data portability to ensure ease of transfer of an individual’s data from one provider to another (e.g. in the context of social media).

Unlike its predecessor, the proposed Regulation prescribes maximum fines for non-compliance of the requirements. The level of fines varies depending on the breach, but they go up to 2% of annual turnover, or one million euro (greater than the current UK fines).

As before, Member States are able to lay down their own rules for other penalties and remedies which must be “effective, proportionate and dissuasive”.

The proposed Regulation is not yet law and must now be considered by the European Parliament and the EU Council, who may reject it or propose amendments. Personally, I hope that changes will be incorporated to clarify outstanding areas of uncertainty, including those highlighted above.

Once (or if) it is adopted, there is a proposed period of two years before it comes into force. This seemingly gives organisations a long time to adapt to the new requirements. However, when implementing or reviewing your data processing operations and/or governance framework, it may be prudent to start thinking how they may be impacted by the new regime to avoid further big changes down the line.

• “How EU data rules will hit IT contractors” published by Contractor UK (www.contractoruk.com)
• “A proposed new Data Protection regime” published in the February 2012 Evans Employment Law Newsletter (www.evansemployment.co.uk)
• “A Proposed New Data Protection Regime” published in the March 2012 LawWorks Choices Chronicle (www.lawworkschoices.org.uk)