What to Expect from EU Data Protection Reform

Privacy Law360

November 2013
Article
Reprinted with permission.

What To Expect From EU Data Protection Reform

Law360, New York (November 15, 2013, 12:29 PM ET) -- On Oct. 25, 2013, the European Council concluded that the new data protection framework should be adopted in a timely manner in order to strengthen consumer and business trust in Europe’s digital economy. The council did, however, refuse to commit to adoption by early next year.

This conclusion follows on the heels of the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee vote setting out its position on a compromise text of the draft regulation on Oct. 21, 2013. After some 18 months of intense discussions and lobbying, the compromise text was passed by the LIBE Committee with a 49-3 majority. The compromise text was heavily influenced by the revelations of the surveillance activities of the U.S. National Security Agency.

Together with the compromise text, the LIBE Committee adopted a “negotiation mandate” to start official talks with the council, in view of adopting a joint text. This so-called trilogue negotiation procedure will also involve the European Commission.

Adoption of the new regulation may still be some time away, but the clock is ticking.

Below we set out some of the most important changes for private sector organizations proposed by the LIBE Committee. An unofficial version of the compromise text has been published by Rapporteur Jan Philipp Albrecht.

An Overview of the Main Changes

Territorial Scope (Article 3)

The LIBE Committee’s text extends the scope of the regulation to any organization (including service providers/data processors) collecting personal data of individuals in the EU/EEA when: (1) offering products or services (including free services and products and services available online) to individuals in the EU/EEA or (2) monitoring such individuals. As a result, most websites available in the EU/EEA will be covered. How this will be enforced in practice remains unclear.

Most significantly, service providers (data processors) would also be directly subject to the regulation, which not only goes far beyond the commission’s proposal but is unclear as to when data processors will be covered. Whereas Recital 20 clarifies that the regulation will cover data controllers that offer goods or services or target EU/EEA residents (and not just any individuals in the EU/EEA), there is no such clarification regarding data processors, which seems to imply a much broader application.

Personal Data (Article 4)

The LIBE Committee’s compromise text also broadens the definition of “personal data” to cover data that presents the possibility of identifying or singling out an individual, directly or indirectly. Device identifiers, IP addresses and location data will be regarded as personal data. Although pseudonymous data is considered to be personal data, they are subject to somewhat less burdensome requirements.

Notice (Article 13a, 14)

The LIBE Committee completely transforms the way of providing a privacy notice. It proposes a two-step process: first, mandatory icons must be shown when collecting data; the icons must appear as follows:

Second, a detailed notice (including security measures, retention period, transfer mechanisms, profiling, disclosure to public authorities, etc.) needs to be provided. But if this requirement were to apply in all offline and online contexts (including on any website or mobile app, in emails, signage, or on paper data collection forms, for example) this will not only be burdensome on businesses, but could also be irritating to individuals who will be bombarded with multiple icons as well as a detailed text. This can lead to a nuisance effect. The icons are somewhat over simplistic, and will still need to be used even if data controllers do not engage in certain processing or process data in other ways not shown in the icons.

Consent (Article 7)

The LIBE Committee also imposes additional restrictions on consent. Consent to data processing must be explicit by default (for both sensitive and nonsensitive data) and specific to a very narrow purpose. An individual’s consent shall cease to be valid when the original purpose of data collection ceases to exist or where data are used for a secondary purpose. In addition, provision of additional services cannot be made conditional upon providing consent. On the face of these restrictions, providing free online services in return for some marketing would no longer be possible.

Legal Basis (Article 6)

Despite some welcome amendments, such as extending the definition of “legitimate interest” to cover the processing of business contact details, direct marketing relating to the organization’s own or similar products, postal marketing and sharing of data with EU/EEA affiliates, the LIBE Committee has significantly limited the use of the legitimate interest legal basis for processing data. The legitimate interest basis may be used where the company’s interests meet the “reasonable expectations” of the individual, based on his/her relationship with the data controller.

In contrast with an earlier draft of the regulation proposed by the European Commission, the legitimate interest legal basis can no longer be used as a means to transfer data outside the EU/EEA. This means that single data transfers (e.g., for concrete internal investigation purposes) will require burdensome contractual arrangements, safe harbor certification, or an adequacy finding.

The council, on the other hand, has been in favor of maintaining the current understanding of legitimate interest, and also proposes to extend it to prevention and monitoring of fraud, which would cover whistleblowing hotlines and internal investigations.

Profiling (Article 20)

The compromise text includes stricter conditions for the use of data for profiling purposes. Notices about profiling must be “highly visible” and individuals must have the right to object to being profiled.

Where profiling results in legal effects or significantly affects an individual’s rights, it will only be allowed where the individual’s (explicit) consent is obtained; where provided for by law; or where necessary to conclude or perform a contract. There is no further clarification on the meaning of “significantly affects” but for an exception stating that profiling based on pseudonymous data is not presumed to result in significant effects.

This could bring more flexibility to analytics companies. However, where such profiling is based on aggregated pseudonymous data originating from different sources, and if it were possible for the data controller to link data to a specific individual, such profiling would be possible only with explicit consent. As many profiling activities do involve data from multiple sources, it is difficult to foresee the practical significance of this provision.

Compliance Obligations (Article 22)

There is less red tape in some areas and more of a risk-based approach to compliance in the compromise text. This means there are no prescriptive internal documentation requirements. Instead, internal practices must take into account the risks of processing data, the nature of the data processed, and the use of current technology. The strict 24-hour deadline for security breach notification has been removed. Instead, breaches would need to be reported without “undue delay.”

There is no need to consult the data protection authority (DPA) in cases of risky processing if a data protection officer (DPO) has been appointed. However, burdensome obligations for data controllers remain and this could increase compliance costs for companies and not necessarily directly benefit individuals. For example, the LIBE Committee requires impact assessments for all data controllers and data processors in a broad range of situations (including where personal data of more than 5,000 individuals are processed within a 12-month period) and a biannual review of compliance policies.

Data Protection Officer (Article 35)

Appointment of a DPO is mandatory for any organization processing personal data of more than 5,000 individuals within a 12-month period. Multinationals may appoint a “main responsible” DPO, provided the DPO is easily available from each location/establishment. There is a minimum term of appointment of four years for employees and two years for external contractors. As the DPO is protected against dismissal, organizations will have to carefully consider who to appoint. On the positive side, if a DPO is appointed, consulting the DPA in case of risky processing would no longer be required; the matter could be referred to the DPO. The council favors optional appointment as a general compliance choice, but this would not provide relief from administrative requirements.

Employee Data (Article 82)

Under the compromise text, member states retain the right to adopt employee data protection laws, however, minimum common standards would need to be adopted across the EU/EEA. For example, consent to data processing in the employment context is invalid if it has not been freely given. This provision would cover processing of employee data in most situations.

The DPAs have continuously argued that because an employee is in a subordinate position, he or she cannot freely consent (see the EU Article 29 Working Party’s opinion on the processing of personal data in the employment context). Processing must be linked to purpose for data collection and must remain within the employment context. Use of employee data for secondary purposes would be prohibited. It is unclear whether employers could obtain employee consent for such processing (which would be difficult) or whether such processing would generally be prohibited under any circumstances.

Importantly, investigations would be permitted only where related to employees’ criminal behavior, which significantly limits the possibility of performing employee monitoring for any other purposes. Finally, blacklisting of employees based on political or trade union membership is prohibited. Although no significant limitations are placed on sharing of employee data with other EU affiliates, cross-border restrictions will still apply.

Data Processors (Article 26)

The text proposed by the LIBE Committee maintains prescriptive requirements for data processing contracts. The only positive change is that there is no need to list all sub-processors in the contract; details can be limited to “determining the conditions for enlisting another processor” with prior permission of the data controller.

This provision allows for more flexibility in outsourcing contracts and, in particular, in the cloud computing context. On the negative side, the LIBE Committee kept joint liability for data processors (and data controllers) if they act contrary to or outside the processing agreement or become the determining party for the processing. Burdensome contractual requirements and joint liability for data processors make outsourcing very difficult in practice.

Cross-Border Transfers (Article 41-42)

In reaction to the NSA surveillance activities, the LIBE Committee has on numerous occasions called for tightening of the rules on international data transfers and more scrutiny of existing data transfer mechanisms, including, in particular, the safe harbor framework. This has resulted in significant limitations on cross-border data transfers in the compromise text.

Under the compromise text proposal, the safe harbor framework and the commission’s model clauses will expire five years after the regulation enters into effect, or earlier if so decided by commission. DPA data transfer approvals based on binding corporate rules and other transfer contracts will automatically expire within two years after entry into force of the regulation (unless earlier amended, replaced, or repealed by the DPA).

The legitimate interest basis for cross-border transfers has been removed, which will have significant implications. The commission will also have the authority to blacklist countries or sectors if local laws allowed for governmental access to personal data without EU/EEA authorization. This is a very explicit example of how the NSA operations have influenced the tightening of the rules by the LIBE Committee.

Regulatory Disclosure (Article 43a)

The LIBE Committee proposes that DPA approval be required for any transfer in response to a foreign (i.e., non-EU/EEA) regulatory or court request for personal data, unless international treaties allow for such disclosure. This means that any foreign company holding EU/EEA personal data will need to ask for DPA approval before allowing access to such data by foreign law enforcement agencies.

This is clearly a move against the NSA or similar practices to request access to data from online companies in possession of massive EU/EEA data. This provision certainly requires greater clarity. The way it reads at present creates a risk that transfers to safe harbor recipients may effectively be blocked as such data are vulnerable to U.S. governmental disclosure. The LIBE Committee adds that, in cases of jurisdictional conflict, EU law should always take precedence.

This puts foreign companies between a rock and a hard place. Companies responding to regulatory requests before obtaining DPA approval will risk noncompliance with the regulation. On the other hand, such companies will risk noncompliance with foreign laws — due to the lengthy DPA approval process they will not be able to comply with tight deadlines. By adding this provision, the LIBE Committee has effectively reinserted the commission’s original proposal that was later removed from the proposal after intensive lobbying.

The “One-Stop Shop” (Article 56)

“One-stop shop” means that the DPA in the jurisdiction where a company has its “main establishment” will be responsible for oversight of that company’s data processing activities, irrespective of where the processing takes place. This approach was set out in the commission’s proposal.

The LIBE Committee appears to agree with the concept in principle but interprets it differently. It favors what it calls a “lead DPA” system for enforcement. The lead DPA — in the jurisdiction where a company has its main establishment — would be the only authority to make legal decisions but would have to cooperate with DPAs in the other jurisdictions where processing is carried out. This dilutes the commission’s original idea of ensuring more consistency in enforcement by allowing both companies and consumers to have a single point of contact.

The council, the member state representation, supports the commission’s proposed one-stop shop mechanism but has not reached an agreement on the details. For example, some countries (e.g., Austria, Belgium and France) prefer that decisions are made through a formal co-decision procedure including the lead DPA and other DPAs. Other countries (e.g., Ireland, Luxembourg and Portugal) favor decision-making powers assigned to the lead DPA with other DPAs in an advisory role.

Sanctions (Article 79)

The further tightening of sanctions is a good example of the approach pursued by the LIBE Committee. Under the compromise text, any violation of data processing requirements would be subject to sanctions instead of a tiered, violation-specific approach. These sanctions include fines of up to 5 percent of annual worldwide turnover (increased from the commission’s proposal of 2 percent) or €100 million, whichever is greater.

Alternatively (supposedly for less serious violations), DPAs will order regular data protection audits or issue a written warning for a first instance of unintentional noncompliance. Imposition of one of these sanctions is mandatory. However, the LIBE Committee does set out a list of mitigating factors, including the seriousness of the violation; whether the violation is repetitive in nature; any intended or actual financial gains; and cooperation with enforcement authorities.

What Happened

The commission published its General Data Protection Regulation to revise the EU’s existing data protection framework back in January 2012. The regulation, once adopted, will apply to all EU member states and replace the existing Data Protection Directive, adopted in 1995.

Following publication of the regulation, the commission sent the text to the European Parliament, composed of directly elected members representing EU citizens, and to the council, representing the EU member state governments. Both institutions will review the text and may propose amendments and eventually pass a final text into law in a co-decision procedure.

What to Expect

The LIBE Committee’s compromise text sets out its formal position which is ready for the trialogue negotiations. The Council of Ministers meeting scheduled for Dec. 5-6, 2013, which will gather ministers in charge of justice and home affairs, will be an indicator of the member states' willingness to move ahead quickly. But no firm commitments have been made so far: EU leaders only have committed to have the new data protection framework adopted by 2015, but they have not specified whether the target date should be at the beginning or rather at the end of 2015.

Important changes will occur during 2014 in the EU. First, in May 2014, elections will be held in all member states to elect the new European Parliament. Following the elections, a new commission will be appointed, and this may take several months.

The composition of the new Parliament is unclear, as is that of the new commission. It is unlikely that Commission Vice President Viviane Reding will remain the commissioner in charge of data protection, and it is unclear whether Jan Philipp Albrecht (and other members of the LIBE Committee negotiating team) will be re-elected. The LIBE Committee, however, will continue to the lead on the data protection framework negotiations.

The trialogue is a closed process, but Albrecht has pledged to provide regular updates on the developments. There are no formal rules regarding timing or methods. It is still possible to try to influence the process through targeted lobbying by talking to governments and their permanent representations in Brussels or by approaching some of the more business-friendly members of Parliament’s negotiating team. Parliament has scheduled a first full plenary reading of the regulation for March 2014.

How to Influence the Process

There is still some way to go before the final regulation is adopted. This lengthy process means there is ample opportunity to influence the various parties involved in the negotiations, as well as to pull together industry alliances to increase the impact of such lobbying.

The council, with its generally more business-friendly position, is likely to be the most effective target for businesses. Although Parliament has been clear on its strict, human rights-oriented position, established lobbying channels and a commitment to keep the negotiation process more or less transparent mean that lobbying Parliament is an easier and potentially effective route to take.

Efforts to lobby the commission will probably be less effective; it is likely that Vice President Viviane Reding will want to tightly monitor and control the process and, in any event, it is not the Commission that has the final say on the regulation, but the council and Parliament together. Reding has also warned that “excessive lobbying can be counter-productive.”

In the trialogue negotiations, the council will be led by a representative of the government holding the EU presidency — currently Lithuania, then Greece from Jan. 1, 2014, and Italy from July 1, 2014. While Lithuania has kept the data protection reform relatively high on the EU agenda, Greece’s announcement on its presidency priorities for the first half of 2014 did not include the regulation.

For all parties, the most effective approach is to identify the areas of the compromise text that will be harmful to all businesses and propose alternative workable provisions. It may also be worth highlighting some of the contradictions in the text, for example, provisions strengthening enforcement of data protection laws but other provisions abolishing database registration fees which many national DPAs rely upon for their annual income. Concerns about contradictions have already been raised by the UK Information Commissioner’s Office.

Targeting member state governments represented in the council in order to influence the negotiations is most effectively done by lobbying the responsible ministries or the head of state offices in member states. In addition, each member state has an ambassador to the EU and some countries have dedicated staff responsible for broad policy areas. The larger, more influential member states (e.g., France, Germany, the Netherlands, Spain and the U.K.) and the country that holds the council presidency will be the prime targets. It is understood from the recent council summit that the U.K. and Sweden oppose any swift adoption of the regulation and have raised many concerns about its provisions.

Looking Ahead

The LIBE Committee’s compromise text sets out the European Parliament’s informal view on the future regulation and is a step closer toward its adoption. However, the significance of the text should not be overestimated. Before the regulation becomes law, many steps must still be taken. Political compromises to be reached are difficult to predict, although the compromise text provides a starting point for influencing both the council and the Parliament.

The final text will very likely differ from the current compromise text, which remains far from perfect. But in any case, the future regulation will significantly impact how companies collect, use and share personal data both within the EU/EEA and globally. It is becoming clearer that the main principles of the regulation will remain, including the strengthened enforcement provisions and more limitations on rather than facilitations for data transfers.

Even if the regulation is adopted by or in 2015, companies will still have approximately two years to come into compliance. However, companies should already be considering the potential impact of the regulation on how they intend to process personal data going forward, what changes will likely be required in their data protection policies, what resources will need to be allocated to data protection compliance, and how to prioritize areas where the impact of the regulation could be the most significant.

—By Karin Retzer and Joanna Lopatowska, Morrison & Foerster LLP

Karin Retzer is a partner and Joanna Lopatowska, Ph.D., is an associate in Morrison & Foerster's Brussels office.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

All Content © 2003-2013, Portfolio Media, Inc.

Email Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

©1996-2019 Morrison & Foerster LLP. All rights reserved.