The new EU framework: Uniform, prescriptive and ambitious
This article was first published in Data Protection Law & Policy in January 2012.
These are truly exhilarating times for the data protection world. Viviane Reding's recent announcement of the Commission's proposal for a fully harmonised European data protection framework had the connotations of an Olympic opening ceremony – the years of hard work in preparation for this moment, the sense of achievement in the face of challenge and the triumphant belief that something memorable is going to come out of this. Only the big drums and the flame were missing. The jury is now out but this is without a doubt the most significant global legislative development affecting the collection, use and protection of personal information of the past 15 years.
As expected, the proposed new general framework for data protection is set out in a regulation, rather than another directive. This means that once adopted, the regulation will be directly and universally applicable across all EU Member States without the need for national legislation. Recent legislative history suggests that a single EU-wide regulation is likely to be the only way to achieve the desired uniformity across the European Union. Member States' struggle to implement the changes to the e-privacy directive in a coherent way reminds us daily of the limitations of a directive. But a single pan-European law is a double-edged sword – one set of rules is meant to be beneficial to organisations operating internationally, but those who are used to dealing with the reasonably practical obligations of jurisdictions like the UK or Ireland face a cultural and legal shock.
The proposed regulation is also aimed at rejuvenating a law which has lost its effectiveness in tackling the data protection challenges of the 21st century. The novelties are varied and creative, but they all have one thing in common: the principles, rights and obligations are far more prescriptive in nature than under the 95 directive. This is a natural consequence of having to draft a directly applicable regulation, but it is a fundamental change from the way European data protection has operated until now.
The bulk of the proposed regulation brings with it a whole new set of obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers. Plus, of course, nearly immediate data breach notification. These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.
Above all, the Commission's proposal is an ambitious one. Not least because it sets out a very clear basis for its extra-territorial application. The regulation does away with the cumbersome references to equipment located in the European Union and introduces brand new EU residency grounds. Any company that processes personal data in the context of an EU-based establishment will be subject to the new law in any event. But in addition, the regulation will extend the applicability of European data protection rules to organisations established elsewhere that use personal information in relation to the offering of goods or services to, or the monitoring of the behaviour of, individuals who live in the EU.
This approach will affect Internet businesses from all over the world but the Commission's ambition goes even further than that. One of the greatest challenges ahead is not faced by organisations using personal information but by the regulators themselves. They will need to learn a radical new law which demands constant dialogue and closer cooperation than ever before. The legislative process is now wide open and 2012 will be a crucial year to influence the outcome of the new law. We have a real opportunity to contribute to this process, so it is our responsibility to get the right result.