European Commission Publishes New Framework on Data Protection
As anticipated, and just days before Data Protection and Privacy Day, the European Commission has released its proposal to reform the European Union’s data protection framework. The reform—which takes shape via a regulation on data protection and a directive “protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences”—comes after years of public consultations and dialogue with stakeholders.
“There is quite a buzz in Brussels today,” said IAPP Europe Managing Director Rita Di Antonio.
European Justice Commissioner Viviane Reding held a press conference at 10:30 CET to announce the changes. She said the proposals will improve the protection of Europeans’ personal data, reduce administrative burdens and save companies’ money.
The legislation defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life,” including posts to social networking websites and computer IP addresses.
Eduardo Ustaran, CIPP/E, partner at Field Fisher Waterhouse LLP, said the proposal “is the most radical global attempt ever to regulate the increasing exploitation of personal information.”
The changes create “a single set of European rules—valid everywhere across the EU,” Reding said in the press conference. “So, one rule for the 27 member states and the 500 million people.”
The new regulation sees national data protection authorities as the go-to regulators for organizations, meaning that an organization will only have to work with one DPA rather than many, or, as Reding described it in her press conference, “One DPA for one company—a one-stop shop.”
She said this will eliminate unnecessary administrative burdens and costs to companies incurred as a result of the current need to deal with varying rules and authorities among member states. “This will save businesses around 2.3 billion euros per year,” Reding said.
Other facets of the regulation include:
A breach notification mandate: In the event of a serious breach, organizations must notify the national supervisory authority “as soon as possible (if feasible within 24 hours).”
Increased enforcement powers for data protection authorities: DPAs will be able to fine organizations that violate the rules up to €1 million or “up to 2 percent of the global annual turnover of a company.”
A data protection officer requirement: Companies with more than 250 employees and certain other organizations will be required to designate a data protection officer.
A data protection impact assessment requirement: Organizations involved in risky data processing will be required to conduct data protection impact assessments.
Explicit consent requirement: Wherever consent is required for data to be processed, it must be given explicitly, rather than assumed, according to the regulation.
Extra-territorial reach: The regulation applies to “personal data handled abroad by companies that are active in the EU market and offer their services to EU citizens.”
It is obvious, says Field Fisher Waterhouse’s Ustaran, that “the new law is targeted at companies operating on the Internet and aims to shake up the way they tackle privacy issues.”
Ustaran adds, “The prospect of substantial monetary fines based on the annual worldwide turnover of a company may contribute to get the attention of some decision makers.”
The Article 29 Working Party (WP)—the advisory body comprised of national data protection authorities from EU member states—issued a press release this morning stating that it welcomes the commission’s proposals, particularly the strengthened authority for DPAs and the data breach notification requirement, but WP Chairman Jacob Kohnstamm “regrets the commission’s level of ambition in the area of police and justice and underlines the need for stronger provisions in this field.”
Under the new framework, the Article 29 Working Party would be “upgraded” and renamed the European Data Protection Board.
Next, the proposal will be reviewed in the European Parliament and member states, via the Council of Ministers.
“This is by no means the end of the road,” Ustaran says, predicting that “2012 will be a crucial year” in the continued evolution of the law. “Policy makers will be looking for input from all key stakeholders.”
Look for continuing analysis of the new framework in IAPP publications over the coming weeks and months. On February 2, the IAPP will host a web conference where European data protection experts will discuss the new framework and answer participants’ questions.
http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm (background documents and frequently asked questions)