Maurits van Buren


Five things you need to know about the new EU Data Protection Regulation

19-10-2014

In 2012, the European Commission proposed a new general privacy regulation that will replace the current European privacy rules. If the proposed regulation is adopted, it will have a significant impact on U.S. companies doing business in the EU.

The European Parliament and the Council are currently reviewing the proposed Data Protection Regulation (DPR), and the European Parliament has proposed an amended version of the text. If the DPR is adopted, it will likely come into force in 2017. The legislative procedure can be followed on the EC’s website.

1. The European Commission (EC) proposed to replace the current Data Protection Directive (95/46/EC) in 2012 – the proposal is currently under review by the European Parliament and the Council.

The current privacy rules are laid down in the Data Protection Directive (DPD) and in the national privacy laws of each Member State, all of which are based on the DPD. This system, in which the EU only sets out the framework that Member States must implement in national data protection laws, has resulted in fragmented privacy laws. Consequently, businesses that process personal data in more than one Member State are usually faced with different jurisdictions, different privacy laws, and different supervisory authorities.

This has proven to be a burden for companies that want to do business in the EU, which is one of the reasons the European Commission proposed a number of changes, including the adoption of a Data Protection Regulation. Unlike a directive, a regulation is directly applicable in all Member States and does not depend on national implementing legislation.

2. Controllers will no longer be required to notify the supervisory authority of each form of data processing. The DPR also introduces a “one-stop-shop” for controllers.

Under the DPD controllers are required to notify the competent national supervisory authority of each form of data processing. This notification obligation has proven to be a substantial administrative burden for both data controllers and the supervisory authorities, which have to register each notification.

Under the DPR controllers will no longer be required to notify the supervisory authority, but they will be obliged to document each form of data processing (the personal data being processed, the purposes of the processing, the storage period(s), the security measures, etc.). The supervisory authority may request access to this documentation at any time. The EC has also proposed a rule under which controllers and processors only have to deal with the supervisory authority of the Member State in which they have their main establishment, thus creating a “one-stop-shop” for controllers and processors. The European Parliament, however, has amended the proposed text to limit the power of the lead supervisory authority and to confer more power on local supervisory authorities.

3. Under the DPR local supervisory authorities will be able to impose substantially more severe sanctions on controllers/processors that violate privacy laws.

Pursuant to the DPD each Member State of the EU determines to what extent its supervisory authority or authorities can impose (administrative) sanctions on persons that violate the privacy rules. This means that the exposure of a controller depends on the Member State(s) in which it is active. In the Netherlands, for example, the supervisory authority (the “College Bescherming Persoonsgegevens”) can impose an administrative fine on the controller of up to EUR 4,500, and criminal fines for privacy violations can amount to up to EUR 21,500. In the UK, the supervisory authority (the “Information Commissioner’s Office”) can impose fines of up to GBP 500,000 for violations of the local data protection laws.

The draft DPR, however, provides that supervisory authorities can impose the following administrative sanctions:

  • A fine of up to EUR 250,000 or 0.5% of the global annual turnover if, for example, a controller fails to provide a mechanism for data subjects to request their personal data (or charges a fee for doing so);
  • A fine of up to EUR 500,000 or 1% of the global annual turnover if, for example, a controller does not comply with the data subject’s right of access, right to erasure and/or right to data portability, or fails to document the processing of personal data properly;
  • A fine of up to EUR 1,000,000 or 2% of the global annual turnover if, for example, a controller processes personal data without a proper legal basis, uses personal data to extensively “profile” data subjects, or unlawfully processes special categories of personal data (race, health, criminal convictions, etc.).

In the European Parliament’s amended version of the DPR, the supervisory authority can impose a fine of up to EUR 100,000,000 or 5% of the global annual turnover, whichever is higher, for violations of the DPR.


4. The Safe Harbor Privacy Principles for data transfers from the EU to the U.S. remain in place for now, though this may change.

Under the DPD the EC can decide whether a third country (a non-Member State) ensures an adequate level of protection, so that personal data can be transferred to that third country without further authorization (art. 25.6 DPD). This has resulted, among other things, in an agreement between the EU and the U.S. on the conditions under which personal data may be transferred to the U.S. These conditions are currently laid down in the Safe Harbor Privacy Principles.

Under the DPR the EC will still be able to decide whether a third country (a non-Member State) ensures an adequate level of protection, and it therefore seems that the Safe Harbor Privacy Principles will stay in place. The LIBE Committee, a committee of the European Parliament closely involved with the proposed DPR, has proposed suspending the Safe Harbor agreement following the Snowden revelations, but it remains to be seen whether this will eventually become part of the new rules. The European Commission intends to continue the Safe Harbor agreement, although it acknowledges that the Safe Harbor Privacy Principles require improvement in certain areas.

5. Controllers and processors established outside the EU must comply with the DPR when they offer goods or services to data subjects in the EU or monitor their behavior.

Finally, the territorial “reach” of the DPR will differ from that of the DPD. The DPD (or more precisely: the national laws based on the directive) can currently also apply to controllers outside the EU, but only when a) the processing is carried out in the context of the activities of an establishment of the controller in a Member State, b) the controller is established in a place where the national law of a Member State applies by virtue of international public law, or c) the controller makes use of equipment, automated or otherwise, situated on the territory of a Member State for the purposes of processing personal data (unless such equipment is used only for purposes of transit through the territory of the EU).

The DPR, however, will also apply to controllers not established in the EU that process personal data of data subjects residing in the EU, if the processing activities relate to the offering of goods or services to these data subjects in the EU or to the monitoring of their behavior. Thus, controllers will have to comply with EU privacy law if they do business in the EU and process personal data of data subjects residing in the EU in the course of that business.