Overview of Proposed EU Data Protection Regulation published for comments on January 25, 2012 by the European Commission

1. State Bar of California
Business Law Section - Cyberspace Committee
February 14, 2012
EU Data Protection Reform
January 25, 2012 Draft
Francoise Gilbert
Managing Attorney - IT Law Group
fgilbert@itlawgroup.com +1 650 804 1235
(C) 2012 IT Law Group - All rights reserved
This presentation is offered for information purposes only, and the content should not be construed as legal advice on any matter.
1

2. Francoise Gilbert
• Founder & Managing Attorney, IT Law
Group, Palo Alto
• Author & Editor, Global Privacy & Security
Law (2 volumes, 2,900 pages)(Aspen
Publishing / Wolter Kluwer)
• Founding Member & General Counsel,
Cloud Security Alliance
• CIPP/US; admitted to practice law in CA, IL
and France
IT Law Group
• Niche law firm that focuses on information
privacy and security, data governance and
cloud computing
• Providing services to clients in the US and
throughout the world through long term
relationships with carefully selected privacy /
security lawyers established on all continents
2

3. Agenda
• Background and history
• Proposed new structure
• Implications for businesses
• Proposed expanded rights
for individuals
• Proposed rules for cross-
border transfers
3

4. Background
• European Union has been slowly built since the
mid 1950’s
• Uniformity was ensured through directives
• In the data protection field:
• Directive 95/46/EC
• Directive 2002/58/EC (amended by Directive
2009/136/EC)
• Directive 2006/24/EC
• Framework Decision 2008/997/JHA (police and
criminal matters)
4

5. Proposed framework
• General Data Protection Regulation
• http://ec.europa.eu/justice/data-protection/
document/review2012/com_2012_11_en.pdf
• Intended to replace Directive 95/46/EC
• Directive on the protection of individuals with respect
to the processing of personal data for prevention,
investigation, detection, prosecution of criminal offenses
• http://ec.europa.eu/justice/data-protection/
document/review2012/com_2012_10_en.pdf
• Intended to replace Framework Decision
2008/977/JHA
5

6. Key goals of the Regulation
• Creating a uniform framework throughout the
European Union
• Putting citizens in control of their data
• Ensuring more transparency, better privacy
• More accountability, better security, immediate
disclosure of security breaches
• Facilitating cross border transfers
• Giving more funds, powers, authority to the DPAs
6

7. Uniformity? ... Not so clear
• Other laws
• Not clear how the Regulation would interact with the other
sectoral laws, and the extent to which it would supersede
them.
• Member States
•Significant freedom given to Member States to create
supplemental legislation and set up their own minefield, e.g.
•
health information, employee data
•
rules on penalties
• Uncertainty
• Delegated acts and implementing acts to supplement the Reg
7

8. Broad scope
• Regulation would apply to
• processing of personal data in the context of activities of
an establishment of a processor or controller in the
European Union
• companies that are established in third countries when:
•offer goods or services to individuals located in the EU
•monitor behavior of individuals located in the EU
• Regulation would NOT apply to
• natural person without gainful interest, in the course of
own exclusively personal or household activity
• activities outside scope of EU law, e.g., national security,
prevention, investigation, detection of crimes
8

9. Simplified regulatory environment
• Would reduce red tape and formalities
• No more “notification” requirement
• One-stop-shop for companies that operate in
several countries
• Company would designate a “main establishment”
• Would interact only with the DPA of their main
establishment
9

10. Increased power for DPAs
• Strengthen the independence and powers of the
Data Protection Authorities:
• better equipped to handle complaints
• power to carry out investigations
• power to take binding decisions
• power to impose effective sanctions
• Provide means for more coordination between the
DPAs so that there is more consistency in
enforcement
10

11. Data Protection Officer
• Obligation to appoint a Data Protection Officer if
• Company has more than 250 employees; or
• Company is involved in processing that, by virtue
of its nature, scope or purpose, presents specific
privacy risks
• Would apply both to controllers and processors
• DPO would have to be independent, and not
receive instructions on how to exercise functions
• DPO’s identity to be disclosed to individuals
11

12. Stronger rules for consent
• When consent is required, it must be “specific, informed and
explicit” and freely given
• Individual must be aware that he is giving consent
• Requirement for consent must be presented separately from
other matters
• Data subject must be able to withdraw consent at any time
• Consent would not be legal basis for the processing if there
is a significant imbalance between position of the controller
and that of the individual
• For child under 13, consent would have to be given by parent
• Companies would have to be able to prove that the data
subject has consented to the collection and use of the data
12

13. More obligations
• Companies would have extended obligations with
respect to data processing, including:
• establish detailed policies and procedures
• implement security measures
• disclose security breaches
• perform data protection impact assessment in
special circumstances
• implement verification / audit mechanisms
• document compliance with Regulation
13

14. New concepts
• Privacy by Design
• make sure that data protection safeguards are
taken into account at the planning stages
• must be able to demonstrate compliance with
privacy by design requirement
• Privacy by Default
• use privacy-friendly default settings
14

15. Emphasis on security
• Increased emphasis on using appropriate security
measures
• Security breach reporting for all companies
• Definition of security breach much broader than
in the US
• Obligation to notify the DPA within 24 hours, if
feasible
• Obligation to notify individuals “without undue
delay” if their data were adversely affected by
the breach
15

16. New rights for individuals
• Right to be forgotten: Individuals would have the
right to have their data deleted if they withdraw
their consent, and if there are no other legitimate
grounds for retaining the data
• Right to data portability: Individuals would have the
right to obtain a copy of their stored data from the
data controller, in an electronic, commonly used,
structured format, and the freedom to move it
from one service to another without hindrance
16

17. Streamlined formalities
• Significant savings resulting from streamlined
formalities for cross border transfers
• No more notification
• But, requirement for prior checking would remain
for special kind of processing
• Interaction with one single DPA
• Ability to use Binding Corp Rules in the 27 States
17

18. Complaints; Enforcement
• Individuals would have the right to lodge a
complaint with a DPA
• Individuals would have the right to seek judicial
remedy against data controller or data processor
• Organizations and associations would have the
right to lodge complaints and to seek judicial
remedies on behalf of injured individuals
18

19. Significant penalties
Up to 250 K Euros or Minor violations, e.g., failure to
.5% of annual worldwide G.I. provide mechanism for access
Up to 500 K Euros or
Most violations
1% of annual worldwide G.I.
Serious violations, e.g.,
processing data without legal
Up to 1 M Euros or
basis, without complying with
.5% of annual worldwide G.I.
consent requirement; failure to
adopt required policies
19

20. Questions?
Francoise Gilbert
+ 1-650-804-1235 fgilbert@itlawgroup.com
ITLG: www.itlawgroup.com
Blog: www.francoisegilbert.com
Book: www.globalprivacybook.com
20