One Step Closer to the EU Data Protection Regulation

• Enforcement: significant fines of up to two percent of annual worldwide turnover (gross revenue) for non-compliance with the proposed Regulation (compared to the five percent in the Parliamentary draft).
• One Stop Shop: the lead DPA is required to cooperate with all ‘concerned’ DPAs to reach a consensus on any decision, and any DPA can initiate a procedure in cases it deems “urgent”. Where no consensus can be reached the case can be referred to the European Data Protection Board whose decision will be binding.
• Scope: applies to both businesses established in the EU and to non-EU businesses offering goods or services to individuals within the EU or monitoring their behavior.
• Consent: consent needs to be explicit where processing sensitive personal data. However, further processing is permitted where it is “compatible” with purposes for which the data are collected taking into account factors, such as, the context in which the data are obtained and the nature of the data.
• Privacy Impact Assessments: a privacy impact assessment must be carried out where using new technologies or where the processing is likely to result in high risk for data subjects.
• Profiling: an individual has a right not to be subject to a decision based solely on automated processing (including profiling), which has legal effect or otherwise significantly affects the individual unless, for example, it is necessary for the performance of a contract or with the explicit consent of the individual. The provision does not prohibit creation of a profile as such.
• Right to Erasure: the controller is under an obligation to erase personal data without undue delay where, for example, the data is no longer necessary for the original purpose or the data subject objects, subject to a limited number of exceptions.
• Right to Data Portability: Where personal data is processed in a machine-readable, structured and commonly used format and is based on consent or on a contract, the data subject has the right to transmit these personal data to another controller without hindrance from the original controller.
• Data Protection Officer: the obligation to appoint a data protection officer is voluntary unless otherwise compulsory under national Member State law. This contrasts with the position in each of the Commission and Parliament texts, which make the appointment of a data protection officer mandatory if certain thresholds are met.
• Data Breach Notification: a requirement to notify the data protection authority of a data breach without undue delay and where feasible within 72 hours.
• Requests for Data Pursuant to Non-EU Authorities: Article 43a as included in the proposals by the European Parliament makes judgments of a court or authority in a non-EU country requesting personal data unenforceable and where requests for data are made by a non-EU court or authority authorization must be obtained from the relevant EU DPA. No equivalent provision is included in the Council’s proposal.
• International Transfers: in addition to the use of Binding Corporate Rules, Model Contracts, approved codes of conduct or certification mechanisms, international data transfers are permitted where necessary for the “legitimate interests” of the controller, providing the transfer is not large scale or frequent, the controller has adduced appropriate safeguards and that the interests of the data subject are not overridden.

It is clear that the approach adopted by the Council is risk-based and one which is somewhat less prescriptive than that adopted by the Commission or Parliament, with data controllers being afforded greater discretion in how they manage their data protection compliance obligations.