For US organisations with business operations in Europe, the European Union (EU) approach to regulation of data privacy or 'data protection' can seem like a logistical quagmire. While in theory EU-wide harmonization of laws (under a 1995 Data Protection Directive) should enable businesses to collect, utilize and transfer data freely across European borders with legal certainty, the reality can be much more complicated. A patchwork of 28 different legal regimes applying different standards with varying enforcement between national regulators means advising business on EU privacy law risk becomes a complicated undertaking.
A new EU legal framework for processing of personal data
Given perceived gaps in EU privacy regulation and the fact that the old regime has been overtaken by rise of social networking, mobile technology and mass data analytics, in 2012 the EU Commission put forward proposals for an overhaul of the current EU regime, replacing the Directive-led national rules approach with a single EU wide regulation. This should give organisations the certainty of having one set of directly applicable rules across Europe as well as enhanced privacy rights for citizens to deal with new technologies. Despite a long and sometimes acrimonious debate since this initial proposal, it seems that the end of the legislative process may now be in sight. This “Proposal for a [General] Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data” (the “GDPR”) essentially has two key aspects:
1. Enhancing individual rights as well as obligations of 'data controllers' (the organizations who direct data processing activities) and 'data processors' (organizations acting under a data controller's authority); and
2. Strengthening enforcement and potential sanctions for violations of the law.
So, what is this new EU data privacy regime likely to mean in practice for your corporation?
1) Will it even apply to US companies?
Yes, it extends EU data privacy jurisdiction to a US business collecting personal data when offering its products or services to individuals ('data subjects') in the European Union or monitoring EU citizens' behaviour, even if a relevant website or platform is hosted overseas. Under the current regime some physical or technical presence in the EU would normally be required.
2) What are the key changes to be aware of?
Below are some of the key proposed changes to be aware of:
- A 'One Stop Shop' Principle: *There will be one GDRP although the regime of different national data supervisory authorities to enforce the regulation will remain in place. At the same time US data controller organisations with multiple business establishments Europe will have a 'lead' regulatory authority in the EU state where their main operations takes place to supervise their data processing activities.
- Data Breach Notification*: Potential mandatory notification of data breaches to a national supervising authority in the territory where the breach occurred (as soon as possible and in any event within 72 hours). Individuals affected will also have to be notified of any adverse impact on them.
- Extended Privacy Notices & Consent Requirements:* An extension to the list of obligatory information that needs to be included in privacy notices. This includes the details of relevant data retention periods; explanation of any contractual basis under which the data processing takes place and information; about how to complain to a supervisory authority. The grounds for obtaining valid 'consent' from an individual to justify processing their personal data is also going to be made tougher.
- Data Protection Officer Requirements*: It is proposed that businesses with 250 or more employees may be legally required appoint a data privacy officer and there will be new compulsory record keeping requirements in relation to data processing activity.
- Direct Data Processors Obligations:* Another proposed feature of the GDRP is the introduction of some direct obligations on data processors such as maintaining records of processing activities and security requirements. This may impact on some US based cloud service providers or data hosting companies that have previously characterized themselves as mere data processors for their EU based clients.
3) Which sanctions will apply in case any of the obligations imposed by the GDPR on data controllers are breached?*
Crucially, the GDPR looks to introduce a significantly tougher enforcement and sanctions regime than at present. Depending on the seriousness of a violation, it is proposed that EU authorities will be entitled to fine organisations up to one million Euro or between 2% and 5% of total annual turnover of the preceding financial year. Data controllers will also remain subject to individual claims for damages in the national courts as well.
4) When the GDPR is due to come into effect?*
At the moment a final version of the GDPR is scheduled to be produced by December 2015. Once approved, the new regime will likely come into force two years, allowing organisations a period in which to modify their data processing activities.
5) What is the impact of on transfers of personal data between the EU and the US?*
One advantage of the proposed 'one – stop shop' GDRP is to simplify the regime for third country data transfers from the EU to the US and elsewhere, with EU national authorities no longer able to implement their own additional procedures on top of the EU 'adequacy' requirements.
It is envisaged that arrangements meeting current standards would be able to continue under the new regime. However, with the current EU-US Safe Harbors programme under review from the European Commission amongst other issues, how the GDRP deals with this issue in its final form may be subject to further negotiation.
While the final details are still to be agreed, there is little doubt that the new EU law will have a profound impact on the way that many US companies collect and process personal data about EU citizens. With the backing of a tougher sanctions regime as well, legal counsel should be prepared to get ready to act.
This article originally published on Inside Counsel on October 22,, 2015
Reprinted with permission from “InsideCounsel”© 2015 ALM Media Properties, LLC. All rights reserved.