Earlier this year a new draft EU law was announced that, when adopted, will have a major impact on business and the technology sector in particular.
The draft law is a new General Data Protection Regulation (Regulation) that will repeal and replace the current Data Protection Directive 1995 (Directive) that was implemented in the UK by the Data Protection Act 1998. The new law has hit the headlines not only because of its implications for business but also because the fines for breach will be significantly greater than at present – up to a staggering two percent of annual worldwide turnover for international businesses.
The world has changed dramatically since the Directive was first introduced. When the Directive was implemented, the internet was in its infancy and few could imagine the explosion in data that has occurred since. An updated law to address the challenges of the current 'big data' age has been sorely needed, not least to address the challenge of data security, which has become one of today's key business risks. So, what are the draft Regulation's main aims and what will they mean for businesses – and, in particular, technology businesses?
One regulation, one single set of data laws?
One of the most important aims of the draft Regulation is to promote greater harmonisation of data protection laws across the EU. A key problem with the Directive is that it has not been consistently implemented across the EU member states. There remain significant differences in national law – not least in the meaning of 'consent' for data processing.
The draft Regulation will promote greater harmonisation because, when adopted, it will have 'direct effect'. This means that the Regulation will apply directly in all EU member states without having to be implemented by a local law in each jurisdiction. The harmonisation will still not be complete as there remain important exceptions relating to such matters as criminal justice and enforcement. However, overall the use of a Regulation will be warmly welcomed by international businesses.
Another welcome development is that the draft Regulation introduces the concept of a single data protection regulator for businesses processing personal data across the EU. This will help make managing data protection compliance across the EU much simpler. Instead of having to deal with each data protection regulator in each EU member state, international businesses will only have to deal with the data protection regulator in the country in which they have their main establishment.
Steeper fines and mandatory data protection officers
The parts of the draft Regulation that have attracted the most press attention have been those dealing with sanctions for regulatory breach.
Although each EU member state will retain its control over the particular rules for sanction and enforcement in its jurisdiction, the draft Regulation provides for maximum fines to run up to two percent of an enterprise's annual worldwide turnover. The draft Regulation also introduces a mandatory requirement for all public authorities and all businesses employing more than 250 employees to appoint a data protection officer.
Who will the draft Regulation affect?
The draft Regulation will apply not only to establishments based in the EU. Controversially, its provisions state that it shall also apply to establishments based outside the EU that either offer goods or services to individuals in the EU or monitor their behaviour. As such, the draft Regulation aims to significantly extend the reach of EU data protection law.
An end to notification but more responsibilities for data controllers
The responsibilities on data controllers, those businesses that determine the purposes for which, and the manner in which, personal data is processed, will be more extensive under the draft Regulation than under the current Directive.
Although data controllers will no longer be required to undertake notification, they will be required to demonstrate compliance by keeping documentation that shows that they are compliant with the Regulation.
Unsurprisingly, there are stronger data security obligations. Data controllers will also be required to notify data subjects of the time period for which they will process their personal data as well as having 'transparent' and 'easily accessible policies' with regard to the processing of personal data and the exercise of data subject rights.
Data breach notification
The draft Regulation also introduces the concept of personal data breach notification. This concept already exists in certain EU jurisdictions such as Germany and Ireland.
In the draft Regulation, data controllers are required to notify their relevant data protection supervisory authority of any personal data breach within 24 hours 'if feasible'. There are also separate requirements to notify data subjects.
These provisions are arguably, together with the penalty provisions, the most controversial in the draft and are of keen interest to technology businesses. In particular, these provisions will have important implications for the management of data processors.
The provisions have attracted significant criticism because of the tight timescale for notification and the absence of a materiality threshold. Technology businesses are advised to keep a weather eye on these provisions as the Regulation progresses to adoption. Several organisations including the British Bankers' Association have lobbied for these provisions to be amended.
New data subject rights and for data processors
Finally, the draft Regulation will introduce two new data subject rights: (i) a right "to be forgotten"; and (ii) a right to data portability. The right to be forgotten, as its name suggests, is a right for an individual to require a data controller to stop processing their personal data and to cease all marketing, i.e. to be forgotten. This is an important right in an online world – but poses challenges for compliance. Technology businesses will need to review and, if necessary, amend their policies and procedures to recognise this new right.
The right to data portability is a right for a data subject to require a portable copy of his or her personal data so that they may transfer it to another data controller. Whilst a laudable intention, there are real challenges as to how this can be implemented in practice.
The draft Regulation still needs to be approved by the member states and ratified by the European Parliament before it can be adopted. It is expected that this process will take approximately two years. Although there may be some minor amendments and drafting clarifications, most privacy lawyers expect the Regulation, once adopted, to contain essentially the same key provisions as in the draft Regulation. Given its likely impact, businesses would do well to start planning now for the new Regulation.