The European data protection regime is one of the most stringent regimes in the world. The varying laws across EU member states and differing approaches to enforcing data breaches, however, have led to uneven treatment of individuals.
The European Parliament is now in the final stages of approving the new European Data Protection Regulation. The Regulation aims to tackle this uneven level of protection across Europe by constituting one directly effective law, which therefore does not need to be implemented through local laws, and also to increase the requirements on organizations to protect data beyond those of the current regime.
The Regulation is still making its way through the European Parliament. The current intention is that a final version of the Regulation will be published later this year. The Regulation is expected to become law next year.
In this article, I summarize the key principles of the Regulation (as currently drafted) and some other similar new European data protection and data privacy laws. I also set out the practical effects of these new laws for businesses both within and outside Europe.
The extra-territorial effect of the Regulation has raised eyebrows in the U.S. The Regulation is intended to apply to all businesses operating in the EU market, whether or not they are based in the EU, have a subsidiary or branch office in the EU or otherwise have a physical presence in the EU.
This effectively means that any Internet business selling goods or services to individuals in the EU is going to be subject to the Regulation, along with all other organizations formally operating in the EU and subject to other EU laws. This is designed to level the playing field and protect EU consumers, regardless of the identity of their goods or services provider.
The key requirements of the Regulation are as follows:
1. The definition of “personal data” is broad and covers all information relating to a living individual (who is identified or can be identifiable from the data, e.g., from a code, genetic information or other identifying information).
2. Consent to process personal data must be explicit and freely given. This means that consent provisions must be express. Comprehensive information about the purposes for which personal data is collected and processed, as well as disclosed to others and transferred out of the U.S., must be provided to individuals before consent is obtained. Businesses should review their terms and conditions of business in this respect as well as in their online and other privacy policies. Employers should also review, or include, the data processing provisions of their employment contracts.
3. Large organizations, with 250 or more employees, have to appoint a Data Protection Officer to manage the organization’s compliance with data protection requirements and to be the liaison officer with the relevant data protection authority.
4. Organizations have to notify the data protection authority of a data breach without undue delay and no later than 24 hours after becoming aware of the breach. This will create a significant change in managing data breaches in Europe. Unlike in the U.S., there is no established practice of reporting data breaches. Currently, countries such as the UK, Ireland, Denmark and Italy have no legal requirement to notify of a data breach, whereas countries such as Germany, Austria, Norway and Spain do have mandatory data breach notification requirements.
5. Individuals can exercise their rights to be forgotten, which would require an organization, and others to whom their data was passed, to delete their personal data on request. This right is subject to the organization’s rights of freedom of expression or legal obligations to retain the data or if it would be against public interest to effect the deletion or if retaining the data is necessary for certain research purposes (this is likely to be applicable to public figures only).
6. Individuals will have rights to obtain a copy of their personal data in a reusable electronic format, designed to allow them to transfer their data easily to another provider or otherwise to receive a copy of their data for their own purposes. This right is likely to be used to good effect in the context of early discovery in a dispute with an organization or an employer.
7. Organizations will have to build in data protection safeguards at an early stage of development. Privacy settings should, by default, allow privacy for the individual (rather than the other way around, as is currently the case). Internet businesses such as search engines and providers of goods and services online will need to consider making changes in this regard as the current trend is for default privacy settings to be set at a low level of privacy.
8. Organizations only have to deal with one (their local or a nominated) data protection authority rather than, as is currently the case, each of the European data protection authorities of the EU countries in which they operate. The relevant data protection authority will liaise as needed with other EU data protection authorities in relation to cross-border data protection issues (such as data breaches).
9. Organizations that are not currently subject to data protection laws, such as third parties who provide subcontracted services to clients, will become subject to some of the requirements of the Regulation. Specifically, individuals will be able to bring direct claims against such third parties for a data breach and consequential loss suffered as a result of the third party’s actions.
10. Another change likely to raise eyebrows is the significant increase in penalties for breaching the Regulation. Fines of up to the greater of five percent of annual global turnover or EUR 100,000,000 could be levied for a breach of the Regulation. This is a significant increase to the previous proposal of a maximum fine of two percent of annual global turnover/EUR 1,000,000. Currently, the average maximum fine in Europe is around EUR 500,000.
A further key change under the Regulation is the removal of the current requirement for all organizations to register with their local data protection authority. This requirement will be removed for small and medium businesses (e.g., companies with fewer than 250 employees or an annual turnover of less than EUR 50,000,000).
The European Parliament has been considering the draft NIS Directive, aimed to tackle cyber threats (and similar in scope to the U.S. NIS legislation), for the last 12 months. On 13 March 2014, it approved the NIS Directive with some significant amendments that dilute the requirements on some organizations to implement NIS measures. One of these significant amendments is the removal of the previous obligation for incident notification for all “market operators in the Internet economy.”
This effectively means that search engines, social networks, app providers and online payment providers are excluded from this requirement, which undermines the stated intention of the NIS Directive to protect consumers when using these Internet providers. However, one of the key criticisms of the NIS Directive was the overlap with the Regulation with respect to reporting data breaches. Internet market operators should be aware that they may still have obligations to report data breaches under the Regulation even if they do not have obligations under the NIS Directive.
In any event, each EU member state will need to pass local laws implementing the NIS Directive, and it is open to member states to pass additional legislation regarding reporting data breaches.
Following the uproar in Europe last year after revelations that U.S. agencies were allegedly spying on European citizens or otherwise mining personal information from companies operating in Europe, without satisfying regulatory requirements or obtaining proper permissions, the European Commission has reviewed the U.S.-EU Safe Harbor regime to assess whether it should be improved or withdrawn altogether.
The Safe Harbor regime has a membership of approximately 3,300 companies (an eight-fold increase from the 400 companies that registered in 2004). The increasing popularity of the regime is a mark of how international businesses are becoming and of the heightened awareness of European data protection restrictions on transferring personal data from Europe to the U.S.
If a company registers with the U.S.-EU Safe Harbor regime, it can lawfully receive personal data from Europe without an additional need to obtain the consent of the individuals concerned. There are, however, obligations in some European countries (such as Greece and Cyprus) on the exporter of the data to obtain approval from the local data protection authority to use the Safe Harbor scheme. There are also other, non-regulatory options allowing organizations to transfer data outside Europe (such as model clause agreements).
At the end of last year, the European Commission published 13 recommendations to improve the operation of the Safe Harbor regime (expected to be finalized later this year):
1. Self-certified companies should publicly disclose their privacy policies.
2. Privacy policies of self-certified companies’ websites should always include a link to the U.S. Department of Commerce Safe Harbor website, which lists all the “current” members of the scheme.
3. Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g., cloud computing services.
4. Clearly flag on the website of the U.S. Department of Commerce all companies that are not current members of the scheme.
5. The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider.
6. ADR should be readily available and affordable.
7. The U.S. Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.
8. Following the certification or recertification of companies under Safe Harbor, a certain percentage of these companies should be subject to investigations of effective compliance of their privacy policies.
9. Whenever there has been a finding of non-compliance, the company should be subject to follow-up specific investigation after one year.
10. In case of doubts about a company's compliance or pending complaints, the U.S. Department of Commerce should inform the competent EU data protection authority.
11. False claims of Safe Harbor adherence should continue to be investigated.
12. Privacy policies of self-certified companies should include information on the extent to which U.S. law allows public authorities to collect and process data transferred under the Safe Harbor. In particular, companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Safe Harbor Principles to meet national security, public interest or law enforcement requirements.
13. It is important that the national security exception foreseen by the Safe Harbor decision is used only to an extent that is strictly necessary or proportionate.
Companies that are looking to register with the Safe Harbor scheme in the short term should consider implementing the above recommendations applicable to them to be ahead of the new changes to be announced later this year. Companies that are already certified with the Safe Harbor regime should consider the required changes they will need to make when the announcement is made.
These new data protection requirements will be stringent, and the potential fines for non-compliance will be severe. Organizations should start to consider how they will be able to implement the steps summarised above and, for larger companies, consider appointing Data Protection Officers early on to take charge of compliance with the new regime.
Pulina Whitaker is a UK-qualified lawyer in King & Spalding’s London office and a Partner in the London Employment and Benefits Practice. Her practice focuses on transactional employment law in sales and acquisitions, commercial outsourcings and corporate reorganizations.