Locations
This article was first published in Caterer & Hotelkeeper in January 2012.
The Issue
The process of reform of the European data protection legislation has been going on for over two years, but on 25 January 2012 the European Commission unveiled its proposal for a new data protection framework. This is without a doubt the most significant global legislative development affecting the collection, use and protection of personal information of the past 15 years.
The Law
As expected, the proposed new general framework for data protection is set out in a regulation, rather than another directive. This means that once adopted, the regulation will be directly and universally applicable across all EU Member States without the need for national legislation.
There are obvious pros and cons to this approach, so whilst a single law will be beneficial to companies operating internationally, UK companies will lose the benefit of the business-friendly approach of the UK data protection legislation.
Expert Advice
The new framework is aimed at rejuvenating a law which has lost its effectiveness to tackle the data protection challenges of the 21st century.
The main novelties introduced by the proposed regime include:
- Applicability based on establishment and targeting of European residents – Any company that processes personal data in the context an EU-based establishment will be subject to the new law in any event. However, the regulation will extend the applicability of European data protection rules to organisations established elsewhere that use personal information in relation to the offering of goods or services to, or the monitoring of the behaviour of, individuals who live in the EU.
- Stronger rights – Some rather radical changes are likely to come in the shape of new or strengthened individuals' rights. Expanding on the current directive, the regulation will also require companies to provide their customers with additional transparency information such as the period for which the personal data will be stored, the different rights available to individuals and whether their personal data will be transferred internationally.
- Controller's responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers. For most companies, this will be one of the most noticeable differences with the existing regime, as putting in place a comprehensive data protection compliance programme will become a legal obligation in the black letter of the law.
- Data breach notification – An obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) within 24 hours will now apply to all controllers. This will make the likelihood of investigations by the data protection regulators much greater.
- International data transfers – Greater flexibility is provided on this issue through an express recognition for binding corporate rules (BCR). The European Commission has made it clear that they expect BCR to become the norm for all international companies going forward.
- Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities has materialised through hefty monetary fines of potentially up to 2% of the annual worldwide turnover of a company.
To do checklist
Review the draft Regulation to assess the impact of its provisions on current data uses.
- Identify any aspects that may have a significant impact on the business and consider appropriate outreach actions.
- Identify the relevant individuals and institutions at both EU and national level in order to make representations on behalf of a business or industry sector.
- Prepare for compliance with the new obligations.
Beware
2012 will be a crucial year to influence the outcome of the new law and policy makers will be looking for input from all key stakeholders, but the time to act is now.
Eduardo Ustaran is a partner and Head of the Privacy & Information Law Group at Fieldfisher.