EU: New details on EU data protection reform
Category: News. By: M. Schröder - 2B Advice GmbH - the privacy benchmark
There is a version of the draft of the EU data protection regulation available on the internet which throws light on the possible future of data protection in Europe. In a total of 91 articles there is much that is familiar but also a great deal that is new.
1. Regulation rather than directive
The first thing that is new is that the EU's new data protection legislation is to be clothed as a regulation rather than as a directive. In view of the fact that a regulation has a direct effect, this step is a useful attempt to harmonize data protection within Europe. Below you will find a brief overview of some of the coming innovations.
2. Consent as a central precondition for legitimacy
The legitimacy of data processing is to be tied much more clearly to effective consent for data processing. This is particularly the case in the field of direct marketing. Data processing that is to be carried out for this purpose should only continue to be possible if the data subject has provided consent (Art. 5 paragraph 2). The draft does not envisage exceptions, as allowed for by the German Federal Data Protection Act.
3. Strict requirements when handling data relating to children
The new regulations take data protection for children into consideration. Previously there were no specific regulations in this area. For the purposes of the draft, children are defined as persons aged under 18 years (Art. 3 No. 18). The processing of children's personal data is dealt with in a particularly restrictive manner in the draft. The draft envisions that, when weighing up the arguments for and against, in the case of children's data the protection of children's rights and freedoms should carry greater weight than the legitimate interests of the data processor (Art. 5 paragraph 1 (f) (ii)). But there are additional complications with regard to the processing of children's data. A child's consent is only valid if either the parents or a representative of the child have provided or approved consent (Art. 7 paragraph 6). The draft also envisions that particular standards should apply with regard to the intelligibility of information when that information refers to children (Art. 9 paragraph 2). There are also substantial restrictions (Art. 18 paragraph 3) when it comes to so-called "profiling" with regard to children. If children's data are involved in certain processing methods, it will be necessary to carry out a data protection impact assessment (Art. 30 paragraph 2 (d)) on a regular basis. When so-called "codes of conduct" are being drawn up, these must also contain regulations to ensure data protection in the case of children's data (Art. 35).
4. "Right to be forgotten"
The draft envisions a "right to be forgotten". Under this provision, data processors who have placed data relating to the data subject in the public domain and whose data are now to be deleted must also ensure that links on their web pages to such data on third party web pages are removed. They must also ensure that these data cannot be reproduced via other publicly available sources under their control (Art. 15 paragraph 2).
The draft reacts to the recent increasingly heated debate regarding the transfer of personal data to courts and investigation authorities outside the EU by requiring that data should not be transferred until after the relevant supervisory authority has granted approval for this (Art. 31 paragraph 1 (a)). This provision should lift some of the burden from the shoulders of the decision-makers in the data processor's office, who are confronted by this question.
5. Data Protection Impact Assessment
Another new requirement is the need for a data protection impact assessment in the case of certain data processing procedures. The provision extends the familiar prior-checking procedure. An assessment is required where processing serves to evaluate the data subject or to predict likely future behavior, where particular types of data are processed, where video surveillance is used, where data relating to children, genetic data or biometric data are processed, or in the case of a procedure which will require the involvement of the supervisory authority.
The assessment must include at least the following points: a general description of the relevant processing method; the potential risks of these methods for the rights and freedoms of the users; and the measures, provisions and security measures required to ensure data protection, having due regard to the legitimate interests of the data subject.
Further details regarding the content and form of the assessment are to be addressed in additional legislation (Art. 30 paragraphs 6 and 7).
6. Binding Corporate Rules
According to the draft, the "Binding Corporate Rules" (BCR), which have already received close attention in the working documents of the Article 29 group, are to be part of the regulation and could lead to permissible data transfers to third countries (Art. 39 paragraph 2 (a)). The draft contains regulations as to the minimum content of the Binding Corporate Rules (Art. 40 paragraph 2) as well as the procedures required to obtain approval. The draft envisions additional legislation with regard to further requirements in respect of the Binding Corporate Rules.
7. Data protection officer
According to the draft, organizations with 250 or more employees must appoint a data protection officer (Art. 32 paragraph 1 (b)). Although there is no strict obligation to do so, smaller organizations can voluntarily appoint a data protection officer. The data protection officer can be an internal appointment or can be engaged as an external service provider (Art. 32 paragraph 6). The name and contact details of the data protection officer must be advised to the relevant supervisory authority as well as to the general public (Art. 32 paragraph 7). The draft envisions that certain minimum requirements must be applied to the standard of qualification expected of the data protection officer. Further details regarding the standard of qualifications of the data protection officer, his position and his tasks, are to be included in delegated acts (Art. 33 paragraph 9; Art. 34 paragraph 2).
8. Relevant supervisory authority
At first glance, the responsibility of the supervisory authorities is to be drastically simplified. For organizations that operate throughout Europe, it is exclusively the supervisory authority in the member state where they have their main branch that will be responsible for supervision. By definition, the main branch should be the branch in which their data protection purposes, conditions and measures are determined, i.e. where management decisions in respect of data protection are taken. Preliminary remark 83 makes it clear that the location in which actual data protection is carried out is not the basis for this determination. This definition reaches its limits if, by using modern communications opportunities, not only does data processing take place across a range of member states but even the organization's management itself no longer sits in one central location in order to take decisions; in other words, there is no longer any physical company headquarters. So if managing partners of equal status meet together in a virtual head office to coordinate decisions and if it becomes necessary in this environment for a decision to be taken as to the purpose and nature of data processing, it would be legitimate to raise the question as to whether the location of the server that facilitates the virtual conference room should be the connecting factor. If the new provisions are to be future-proof, the possibilities and realities of what is already a highly integrated business world need to be taken into account in this regard.
9. Authorization and prior inclusion of the supervisory authority
The existing reporting obligation is to be extensively removed. Instead, the draft includes regulations which envision the involvement of the supervisory authorities in the case of certain data processes. For instance, the supervisory authorities should be consulted if the data protection impact assessment leads to the conclusion that particular data processing is coupled with a high risk for the data subject, or if the supervisory authority regards it as necessary to become involved prior to the start of processing. For this purpose, a list of processes involving specific risks is needed. This will be included in separate legislation (Art. 31 paragraph 8), as will standard forms and procedures on how consultations are to be carried out (Art. 31 paragraph 9). The data protection officer will be regarded as the contact person in this respect. He must supervise the data protection impact assessment and the application to the supervisory authorities for authorization of a particular process.
It is therefore not accurate to say that there has been a complete removal of reporting obligations. However, there has been a distinct change in character. Over and above the mere information that a particular processing method exists, the supervisory authority is now called upon to actively consider the reported process and to react.
We hope this article has introduced some of the highlights of the draft to you. In the days and weeks ahead we will provide you with separate articles containing further details and considerations that could lead to particular effects on businesses.
Further Information:
statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf
