The proposal for a new Data Protection Regulation
The EU Commission issued its proposal for a new Data Protection Regulation on Wednesday the 25th January 2012. If enacted this regulation will repeal and replace the existing Data Protection Directive, which was enacted in 1995. The expectation is that if the Regulation is enacted then it will enter into force some two years afterward. When that happens national implementing legislation such as Ireland’s Data Protection Acts 1988 and 2003 will have to be amended or replaced.
One of the primary objectives of the EU Commission in making this proposal is the harmonisation and clarification of Europe’s data protection laws. Viviane Reding, the Commissioner responsible for the proposal, has claimed that enacting the proposal will ‘…do away with the fragmentation that will save businesses around 2.3 billion euros per year’. At the same time Neelie Kroes, the EU Commissioner responsible for implementing the EU’s digital agenda, has expressed a worry that the EU may be ‘…too rigid and controlling…’ with the result that ‘…would-be data controllers may just take their bright ideas outside the EU – or give up altogether…’. Vice President Kroes concluded with a few ideas as to how the EU might avoid throwing ‘…out the baby with the bathwater’, making the observation that:
‘Data protection cannot simply be about setting rights in stone and then finding out they don’t make sense in practice’
The Commission’s proposal is a complex document, encompassing 139 Recitals, 11 Chapters and 91 Articles, spread over 82 pages. Analysing such a proposal in depth will take time, but some of the more significant proposals are as follows. The changes proposed would seem to fall into four categories:
- Improved enforcement and supervision;
- Clarification of data controllers’ and processors’ obligations;
- Clarification and enhancement of subjects’ rights;
- Processing outside the EU.
Before considering each of the above in some greater detail, it is worth pointing out that to a large extent the proposal simply codifies and restates the existing law. Data subjects will have largely the same rights of access, objection and rectification as before; controllers will have broadly similar obligations. What is different is how these rights and obligations will be implemented and enforced. Supervision will be enhanced and focused. Controllers’ obligations may have the same theoretical basis, but they are now spelt out in much clearer detail.
Improved enforcement and supervision
The most significant changes proposed may well be those enhancing the EU’s supervision and enforcement of its data protection laws.
- The proposal will create a ‘one-stop-shop’ for supervision. Enterprises that operate across a number of different Member States will be subject to a single supervisor (that of the Member State in which they have their main establishment). The proposal defines main establishment as meaning ‘…where the controller’s or the processor’s central administration in the Union is located’. This will end the situation where controllers operating in multiple Member States are subject to multiple supervisory regimes.
- This ‘one stop shop’ will be balanced by the creation of co-operation and consistency mechanisms between data protection supervisors.
- One of the co-operation and consistency mechanisms will be the establishment of the European Data Protection Board, which will replace the existing Working Party established pursuant to Article 29 of the Data Protection Directive.
- The Data Protection Commissioner will be given enhanced, real powers to enforce data protection, including powers to: order compliance with requests such as access requests; order the rectification, erasure or destruction of data that has been processed in breach of the proposed regulation; and impose a temporary ban on processing.
- In addition to real enforcement powers the DPC will gain the power to impose administrative sanctions. The DPC will be able to impose fines of up to €1 million or 2% of an enterprise’s worldwide turnover in relation to serious breaches of the proposed regulation, such as failing to notify a security breach, not designating a data protection officer or processing personal data without an adequate legal basis.
- Such administrative sanctions will be in addition to the ‘effective, proportionate and dissuasive’ penalties which must be provided by Member States.
- The existing, but much ignored, data protection register will be abolished and replaced by record-keeping obligations.
Clarification of the obligations of data controllers and processors
- The proposal sets out in some detail the precise obligations of controllers and processors, who are obliged to co-operate with the Data Protection Commissioner.
- Data controllers will have to undertake an assessment of the impact of envisaged processing operations that are likely to present specific risks to the rights and freedoms of subjects by reason of their nature, scope or purpose. The proposal goes on to specify a number of situations which might pose such a risk, such as workplace performance, epidemiological research or CCTV.
- Security breaches must be notified to the Data Protection Commissioner and, where such a breach is likely to ‘…adversely affect the protection of the personal data or privacy of the data subject…’, such notification must also be made directly to that subject.
- Some controllers (public bodies, large private sector enterprises) will have to designate data protection officers, who must be involved in all ‘personal data’ matters, not just those relating to data protection. The duties of the officer will include monitoring compliance with data protection policies, responses to access requests and ensuring that proper documentation is maintained.
Clarification of subject rights
- If and when the proposal is enacted then, in principle, data subjects will have largely the same rights as before. However, the proposal clarifies those rights in many ways. For example, it provides that public authorities cannot rely on consent as a basis for processing data, and that a child’s consent will only be validly given where it is authorised by a parent or guardian. The proposal goes on to specify the information to be given to data subjects and the right of access for data subjects.
- Much attention has focused on the ‘right to be forgotten and erasure’. This may be exercised in defined circumstances where: processing is no longer necessary; consent has been withdrawn; or the processing is not in compliance with the proposal. This right can also be invoked by a subject who has successfully invoked their right to object to processing which is being carried out in the public interest, the legitimate interests of the controller or the vital interests of the subject.
- It is proposed that data subjects be given the right not to be subject to ‘measures based on profiling’, particularly those that will ‘…predict…the natural person’s performance at work, creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour’. This ban is not absolute. Profiling may occur in pursuit of a contract, where authorised by law or with the subject’s consent. However, it may never be undertaken in respect of a child.
- A right to data portability is proposed.
- Specific provisions are included on processing in certain contexts such as employment. Specific limitations are also placed on the processing of data for health purposes, limitations that are additional to those imposed on the processing of sensitive categories of data such as data relating to a person’s health. This would seem to impose specific controls on the processing of personal data to generate health data, which would then itself be subject to the sensitive categories of data controls.
- The existing, albeit limited, exemption for journalists is continued, but will integrate with the right to freedom of speech set out in Article 9 of the EU Convention on Fundamental Rights.
- The statistics and historical research exemption is continued.
Processing outside the EU
- In a speech given in December 2011 Commissioner Viviane Reding described her proposal as ‘…what Europe can do to work towards global standards…’ and ‘…which will become an international standard-setter in terms of modern data protection rules’. To this end the proposal commits the Commission to ‘…develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data’.
- The proposal expands upon the existing provisions on transfers to countries outside the EU, requiring entry into contracts where data is sent to countries not deemed to have adequate data protection regimes themselves, unless binding corporate rules are in place.
- The Regulation is intended to apply to controllers outside the EU who are engaged in offering goods or services to Europeans, or in monitoring their behaviour.