Why Is the New Regulation Considered Necessary?
The first data protection directive of the European Union came into force in December 1995. The objective of this directive, which is still in effect, was to strike a balance between the free movement of personal data, essential to a robust and growing economy, and the protection of the fundamental human right of privacy that each individual (or “data subject”) is considered to have in his or her own personal data. This protection is accomplished by certain notifications or approvals before a company or individual entrusted with an individual’s personal data (a “data controller”) can process or transfer such data.
Rather than regulate data privacy by sector, as is done in the United States (which has a myriad of privacy laws and enforcement mechanisms), the EU regulation of privacy is founded on general principles of data protection that apply universally to all personal data, which are any data whatsoever that can be traced back to a particular person.
This approach, however, creates certain problems. The existing EU Directive does not replace the national legislation of member states, but rather mandates minimum standards that are to be adopted. As a result, there are as many different privacy laws in the EU as there are member states, leading to confusion, lack of transparency for individuals, and significant costs for compliance for business.
Also, the 1995 Directive does not address many of the issues raised by social media and cloud computing on the Internet, through which global companies like Facebook can collect, store, and manage data in new ways not foreseen by the drafters of the 1995 Directive.
The proposed regulation would fundamentally change the way data protection is regulated in the EU to address these perceived deficiencies.
What Would Change?
The new regulation would be directly enforceable in all EU member states by the preemption of any conflicting national law. This would lead to an identical level of data protection across Europe.
The proposed regulation would introduce the following significant changes.
1. Companies with operations in multiple EU member states would be subject to the jurisdiction of a single data protection authority, clarifying the multijurisdictional battles between data protection controllers with respect to multinational corporations.
2. Data controllers would have to show that data subjects freely consented to the data processing, making it more difficult to rely on an individual’s consent. Of particular note in employment matters, the use of consent would not be allowed “where there is a significant imbalance between the position of the data subject and the controller,” in particular “where personal data are processed by the employer of employees’ personal data in the employment context.”
3. Certain filing requirements, such as filings made to the national data protection authorities (“DPA”) that exist in each of the EU member states prior to any processing, would be eliminated. However, new requirements (such as strengthened documentation obligations and enhanced data processing practices) would be introduced.
4. Most companies with more than 250 employees would have to appoint a data protection officer (“DPO”), an independent data privacy “czar” responsible for overseeing regulatory compliance on privacy matters.
5. New fundamental rights would be introduced to increase the transparency of data processing. The new “right to be forgotten” is likely to be one of the most controversial provisions of the proposed regulation. Also, a new “right to data portability” would simplify changing online services by giving individuals the right to obtain a complete copy of their personal data from their current service provider.
6. There would be some simplification of the procedures for transferring personal data outside the European Union, including the express approval of binding corporate rules and a newly introduced self-assessment exception that may be invoked for the “legitimate interest of the controller or processor.”
7. The DPA in each member state would have greater resources and enforcement powers. The proposed regulation also gives organizations the right to bring claims before DPAs as collective actions, though these procedures are not as inclusive as those found in U.S. class actions. The sanctions that may be imposed on companies under the proposed regulation are also significantly increased and may represent up to two percent of a company’s annual worldwide revenues.
Timeline and Consequences
Completion of the EU legislative process will take at least one to two years and will require approval by both the Council of the European Union and the European Parliament; the proposed regulation would then be scheduled to enter into force two years later (i.e., no earlier than 2015).
The EU Commission is seeking to create a more predictable and user-friendly regime for data protection. The proposed regulation would make the existing legal framework more efficient, in particular by reducing the traditional bureaucratic form-filling-and-filing approach taken under the Directive; regulatory compliance will be largely delegated to company DPOs who will take on greater authority subject to supervision by member state DPAs.
However, policymaking on data protection matters would shift perceptibly from the member states to the European Commission, and this is likely to provoke resistance. This is just one example of the many political obstacles to the final adoption of the proposed regulation by the EU Parliament, and it is quite certain that there will be extensive and heated debate before any final version of the EU Data Protection Regulation is adopted.