Oct 222013

European Parliament votes on new EU Data Protection Regulation

Sidley Data Matters Contributors
, , , , , ,

The European Parliament’s Civil Liberties Committee (the “LIBE Committee”) has after several delays finally voted on the European Commission’s proposed EU Data Protection Regulation and adopted all amendments. The LIBE Committee also approved a mandate to start negotiations with the Council of Ministers (which represents EU Member States) and the Commission – the so called trilogue process. The Regulation was published by the European Commission in January 2012 and has been described as the most lobbied piece of European legislation in history receiving over 4,000 amendments in opinions from other Committees in the European Parliament as well as from numerous industries.

The Council of Ministers has also been very active and a compromise text containing amendments to the Proposed Regulation was published in June 2013. The LIBE Committee have during its vote urged the Council to finalize its position quickly. The race is now on to see if the European Commission, the European Parliament and Council of Ministers can agree the text of the proposed Regulation before the European Parliamentary elections in May of next year. The Proposed Regulation once adopted will have a significant impact on governments, businesses and individuals for the rest of this decade and beyond. Based on the latest amendments of the LIBE Committee the main elements of the proposed Regulation are summarized below.

Enforcement

In a surprise move the amount of the maximum fines for non compliance with the proposed Regulation has been dramatically increased, from the Commission’s proposed 2% of annual worldwide turnover, to 5% with an ability for individuals and any association, acting in the public interest, to bring claims for non compliance.

Scope of Regulation

The Regulation will apply to the processing of personal data in the context of the activities of a data controller or a processor in the EU and to a controller or processor not established in the EU, where the processing activities are related to (a) the offering of goods or services to EU citizens; or (b) the monitoring of such individuals. This means that most non EU companies that have EU customers will need to comply with the proposed Regulation once implemented.

One Stop Shop

The latest amendments provide for a new regulatory “one stop shop” so where a company operates in several EU countries the DPA where it is established will be the lead DPA which must consult with other DPAs before taking action which can be decided upon by the European Data Protection Board in the case of a dispute between DPAs.

Profiling

Significantly for online companies under the Regulation, every individual will now have a general right to object to profiling. In addition, the Regulation imposes a new requirement to inform individuals about the right to object to profiling in a “highly visible manner”. Profiling which does significantly affect the interests of an individual can only be carried out under limited circumstances such as with the individual’s consent and should not be automated but involve human assessment. These provisions if adopted could have a major impact on how online companies market their products and services.

Explicit Consent

Consent for processing personal data should be explicit with affirmative action required under the proposed Regulation. So the mere use of a service will not amount to consent. According to the proposal it should also be as easy to withdraw consent as to give it with consent being invalid where given for unspecified data processing. Processing data on children under 13 also requires the consent of the parent or legal guardian. The LIBE Committee also clarified that companies cannot make the execution of a contract or a provision of a service conditional upon the receipt of consent from users to process their data.

Standardized Information Policies

The proposed Regulation requires that certain standardized information should be provided to individuals in the form of symbols or icons similar to those used in the food industry. Individuals should also be informed about how their personal data will be processed and their rights of access to data, rectification and erasure of data and of the right to object to profiling as well as to lodge a complaint with a Data Protection Authority (“DPA”) and to bring legal proceedings.

Right of Erasure

In the latest amendments the “Right to be Forgotten” has been replaced by a “Right of Erasure” giving individuals a right to have their personal data erased where the data is no longer necessary or where they withdraw consent although certain exemptions also apply, such as where data is required for scientific research or for compliance with a legal obligation of EU law.

Accountability

Controllers will be required to adopt all reasonable steps to implement compliance procedures and policies that respect the choices of individuals which should be reviewed every 2 years. Importantly, controllers will need to implement privacy by design throughout the lifecycle of processing from collection of the data to its deletion. In addition, businesses will need to keep detailed documentation of the data being processed and carry out a privacy impact assessment where the processing presents specific risks such as use of health data or where the data involves more than 5,000 individuals with the assessment being reviewed every two years.

Data Protection Officers

Businesses with data on more than 5,000 people in any 12 month period or that process sensitive data, such as health data, will also need to appoint a data protection officer who should have extensive knowledge of data protection and who does not necessarily need to be an employee.

Security and Security Breaches

The controller and the processor will need to implement appropriate technical and organizational security measures. The proposal also requires that security policies contain a number of elements including, for example, a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness. In addition, security breaches will need to be notified to DPAs without undue delay.

Data Transfers

In addition to Binding Corporate Rules and other data transfer solutions a new method allowing for international data transfers of personal data from the EU includes use of a “European Data Protection Seal” awarded by European DPAs for businesses and recipients that are audited for compliance with the Regulation. The latest amendments also re-introduce an important provision requiring that any requests for access to personal data by foreign authorities or courts outside the EU must be authorized by a DPA.

Health Data

The Regulation also has important provisions relating to use of health data including that processing of personal data for scientific research is only permitted with consent subject to exceptions by Member States where the scientific research serves a high public interest with the data either anonymized or pseudonymized under the highest technical standards with measures to prevent re-identification of individuals.

The proposed Regulation reflects the growing concern that governments, regulators and society has to data protection and privacy issues and should continue to be closely monitored as it moves closer to adoption which could take place over the next few months.

 

 

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.