This week we moved one step closer to the adoption of the proposed EU Data Protection Regulation with the agreement by the Council of Ministers on its proposals for the draft Regulation. The Regulation has been described as the most lobbied piece of European legislation in history and, once adopted, will have a significant impact on governments, businesses and individuals.
The Regulation was originally published by the European Commission in January 2012 with the European Parliament adopting its proposals in June 2014. Following the agreement by the Council on June 15, 2015, negotiations can now commence between the Commission, the Parliament and the Council in what is known as the Trilogue process, with adoption of the Regulation widely expected by the end of 2015 or early 2016.
Some of the key proposals made by the Council to the draft Regulation include:
- Enforcement: significant fines of up to two percent of annual worldwide turnover (gross revenue) for non-compliance with the proposed Regulation (compared to the five percent in the Parliamentary draft).
- One Stop Shop: the lead DPA is required to cooperate with all ‘concerned’ DPAs to reach a consensus on any decision, and any DPA can initiate a procedure in cases it deems “urgent”. Where no consensus can be reached the case can be referred to the European Data Protection Board whose decision will be binding.
- Scope: applies to both businesses established in the EU and to non-EU businesses offering goods or services to individuals within the EU or monitoring their behavior.
- Consent: consent needs to be explicit where processing sensitive personal data. However, further processing is permitted where it is “compatible” with purposes for which the data are collected taking into account factors, such as, the context in which the data are obtained and the nature of the data.
- Privacy Impact Assessments: a privacy impact assessment must be carried out where using new technologies or where the processing is likely to result in high risk for data subjects.
- Profiling: an individual has a right not to be subject to a decision based solely on automated processing (including profiling), which has legal effect or otherwise significantly affects the individual unless, for example, it is necessary for the performance of a contract or with the explicit consent of the individual. The provision does not prohibit creation of a profile as such.
- Right to Erasure: the controller is under an obligation to erase personal data without undue delay where, for example, the data is no longer necessary for the original purpose or the data subject objects, subject to a limited number of exceptions.
- Right to Data Portability: Where personal data is processed in a machine-readable, structured and commonly used format and is based on consent or on a contract, the data subject has the right to transmit these personal data to another controller without hindrance from the original controller.
- Data Protection Officer: the obligation to appoint a data protection officer is voluntary unless otherwise compulsory under national Member State law. This contrasts with the position in each of the Commission and Parliament texts, which make the appointment of a data protection officer mandatory if certain thresholds are met.
- Data Breach Notification: a requirement to notify the data protection authority of a data breach without undue delay and where feasible within 72 hours.
- Requests for Data Pursuant to Non-EU Authorities: Article 43a as included in the proposals by the European Parliament makes judgments of a court or authority in a non-EU country requesting personal data unenforceable and where requests for data are made by a non-EU court or authority authorization must be obtained from the relevant EU DPA. No equivalent provision is included in the Council’s proposal.
- International Transfers: in addition to the use of Binding Corporate Rules, Model Contracts, approved codes of conduct or certification mechanisms, international data transfers are permitted where necessary for the “legitimate interests” of the controller, providing the transfer is not large scale or frequent, the controller has adduced appropriate safeguards and that the interests of the data subject are not overridden.
It is clear that the approach adopted by the Council is risk-based and one which is somewhat less prescriptive than that adopted by the Commission or Parliament, with data controllers being afforded greater discretion in how they manage their data protection compliance obligations.
Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.