EU Data Protection Regulation: three years after
As of January 2015, three years have passed since the European Commission (EC) proposed a new set of data protection rules and gathered them in a proposal for a General Data Protection Regulation. Attempting to predict the exact final wording of the new Regulation or the time of its adoption would most likely amount to speculation.
But we do seem to be getting a better idea of what and when we can expect.
Expected new law
The European Parliament (EP) has already expressed its opinion and voted on the amendments in March 2014, passing the ball to the Council of the EU. The Council must first reach an agreement in order for the final act, the trialogue, to begin. According to current predictions in the EU policy world, the trialogue is expected in mid-2015.
Accordingly, the final text could be tabled before the end of the year. This would leave companies a sunrise period of approximately two years, enabling them to adapt to the new standards before the new, directly applicable rules become binding for them.
Compared to the current Data Protection Directive 95/46/EC, the upcoming Regulation is much broader and regulates areas that are not covered by the present Directive.
The main differences between the existing and the expected new law are as follows:
The current Directive sets minimum data protection standards, and each Member State had to implement the Directive's requirements in its national data protection law. As the Member States were able to raise the bar and impose stricter requirements in their national laws, the EU ended up with 28 different national laws regulating data protection.
In reality, a company’s business practice may be compliant with the law in one EU Member State but can face a fine due to a violation of a national data protection law in another. The Regulation aims to harmonize the legal requirements for the whole EU and unify the data processing standards.
Scope of application
Based on the current text, the Regulation seems to have a wider scope of application than the Directive of 1995. The Regulation also seems to apply to businesses established outside the EU as long as they offer goods or services to EU data subjects or monitor them.
The main idea of the one-stop-shop mechanism is to enable companies to select a lead national Data Protection Authority (DPA). The chosen national DPA would examine the companies’ business practices and review their compliance with the EU data protection law.
This topic is still highly debated in the Council of the EU, and it is not possible to predict at present to what extent businesses will be able to make use of the one-stop-shop mechanism.
Data protection officer
The Regulation obliges companies to appoint a data protection officer in certain cases. The EP and the Council have not yet unified the requirements on the matter.
According to the current state of the requirements, a company should designate a data protection officer if it processes data of more than 5000 individuals within a period of one year. However, in some EU Member States, such as Germany, national law already requires a company to appoint a data protection officer in certain cases.
Privacy by design, privacy by default and privacy impact assessment
The Regulation strengthens the idea that a company that processes personal data needs to implement appropriate organizational and technical measures in order to safeguard the data. When deciding upon the safeguards the company is going to implement, it is important to take into consideration the nature, scope and purposes of data processing.
Furthermore, the company should review the risks that such processing may pose to the collected personal data. If the data processing is likely to result in a high risk, the company conducting the processing activity should carry out a privacy impact assessment. In addition, the company should, in certain cases, consult the data protection authority before the data processing begins.
Data transfers by privacy seals and codes of conduct
Apart from adequacy decisions, binding corporate rules and model clauses, the Regulation would also enable companies to transfer personal data on the basis of approved codes of conduct or a certified data protection seal, accompanied by binding and enforceable commitments by the controller or the processor. The EP and the Council have not yet agreed on these data transfer mechanisms, leaving the final text on the matter unclear.
In March 2014 the EP voted for higher fines than originally proposed by the EC. According to the EP, the maximum fine for not complying with the EU Data Protection Regulation should range up to 100 000 000 EUR or up to 5% of the company’s annual worldwide turnover.
A great deal of uncertainty
As one can conclude from the above, a great deal of uncertainty still surrounds the final text of the Regulation. However, we can already infer some main tendencies of the EU policy-makers on data protection issues: they wish to ease data transfers by proposing new data transfer mechanisms, to harmonize the rules across the EU, and to ensure compliance with the law by proposing higher fines.
For a comprehensive overview of regulatory developments in personal data protection in the world of Big Data, IoT and the Cloud, as well as more in-depth analyses like this one, check out our monthly broadband and privacy report series: the first issue is out now!