What is the EU preparing in the area of personal data protection?
Technological progress and globalisation have undoubtedly had a profound effect on how personal data are collected, accessed and used; the European Union (EU) therefore concluded that many principles of the 1995 Data Protection Directive have become outdated. Differences in how Member States implemented the Directive have also led to differences in how it is applied. The European Commission responded by proposing an extensive and comprehensive reform of EU personal data protection legislation.
The proposed reform was approved by the European Commission on 25 January 2012, with the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as its central part. The Regulation is currently being discussed in the European Parliament, and the Council of Ministers will eventually also have to take a position, since the General Data Protection Regulation will be adopted under the codecision legislative procedure. Adoption will therefore be preceded by extensive three-party negotiations between the European Commission, Parliament and Council.
The new General Data Protection Regulation will be directly applicable, unlike the preceding Directive, which bound Member States only as to the objectives to be achieved and left the manner of transposition into national law to their discretion. The Regulation will thus take effect in all Member States without any legislative action by national authorities, and its provisions will take precedence over domestic data protection rules in accordance with the principle of supremacy of EU law.
Timely preparation of all market participants for the changes is therefore of the utmost importance. It can be expected that such a comprehensive reform of data protection legislation will mean substantial changes to national law in at least some Member States. Corporate rules and guidelines on data protection will have to be adapted, and conducting risk analyses is advisable as well.
What will the new General Data Protection Regulation bring?
Article 3 of the Regulation extends the territorial scope of EU law: it will also apply to data controllers and processors outside the EU where they process personal data of data subjects residing in the Union and the processing relates to the offering of goods or services to those data subjects in the Union or to the monitoring of their behaviour. The Regulation thus strengthens the position not only of EU residents but also of controllers established in the EU, because their competitors outside the EU will have to ensure the same level of protection of rights, which will dissolve the competitive advantage they usually derive from less strict domestic laws.
Article 4 of the Regulation changes several definitions, featuring an extended definition of personal data and a stricter definition of the data subject's consent. Consent must be explicit, which means that companies will no longer be able to rely on "implied consent" (consent inferred from a conclusive action) or on miscellaneous opt-out mechanisms for obtaining consent. The burden of proving that consent exists will be placed on businesses. The draft Regulation also regulates children's consent: the processing of personal data of children under 13 years old will be lawful only if and to the extent that consent is given or approved by the child's parent or custodian. This will undoubtedly place a burden on businesses, because they will have to introduce mechanisms to check the validity of a child's consent.
Articles 13.a and 14 of the General Data Protection Regulation impose on data controllers an extensive duty to inform individuals about the processing of their personal data. In addition to the current requirements, controllers will have to inform individuals, using a standardised form, about the purposes of the processing, the form of transfer and the security measures applied, the storage period, the right to lodge a complaint with the competent authority, the transmission of personal data to public authorities, and so on. All data controllers will therefore have to prepare new notices and adapt their privacy rules.
Controllers processing data by electronic means will now have to provide the individuals concerned with an electronic copy of their personal data, which will make it easier for users of on-line services to change providers. The codification of the right to be forgotten and to erasure, already covered in the article "Internet censorship or major progress in personal data protection?", is also new.
The Regulation imposes on controllers the duty to notify any personal data breach without delay to the competent supervisory data protection authority, which means that controllers will have to put in place measures to monitor for breaches and to act when one occurs. Another new obligation is the conduct of regular risk analyses assessing whether the mode of data processing used poses any specific risk to individuals' rights and duties, in particular the right to protection of personal data (the so-called data protection impact assessment). Businesses whose core activity is the processing of personal data, and those processing the data of more than 5,000 data subjects within 12 consecutive months, will have to appoint an internal data protection supervisor. The EU's aim here is to promote a degree of self-regulation.
The transfer of personal data to third countries will also change. Transfers will be permitted only exceptionally unless the third country provides a suitable level of protection. If the level of protection is insufficient, disclosure of the data will require approval by the supervisory authority, even where the disclosure is ordered by a court or administrative decision.
What sanctions can be imposed on companies?
In the case of violations of the Regulation, data protection authorities will have more powers to act and must impose at least one of the following sanctions: (i) a written warning (for less serious breaches), (ii) regular periodic data protection audits, or (iii) a fine of up to 100 million euro or up to 5% of annual worldwide turnover, whichever is higher. The Personal Data Protection Act set the maximum fine at 12,510 euro, which means that the Information Commissioner will now be able to sanction violations with fines as much as 8,000 times higher. The minimum fine amount will be abolished.