The European Parliament is working on a final proposal that would make the European Union's already stringent data privacy laws even tougher for businesses and would cast a wider net, requiring many U.S. companies to comply with European data protection regulation for the first time.

The Parliament was supposed to agree on a revised version of the data laws by the end of this month, but with time running out and no deal in sight, lawyers are questioning just how much of this controversial project will ever reach the statute book.

Some legal experts feel the scale of the compliance challenge is such that U.S. companies should start planning now, rather than waiting for a final set of laws. Others argue, however, that the likely shape of the new regulations and the scope of their application are now so cloudy that companies should remain in “wait-and-see” mode.

The European Commission published its ambitious draft “General Data Protection Regulation,” aimed at safeguarding the privacy of personal data, in January 2012. It would make companies far more accountable for all the personal data they collect and process.

Companies would have to report serious data breaches to regulators without undue delay, meaning within 24 hours “if feasible.” Consumers and customers would have to give explicit consent for their data to be processed and would gain new legal rights to view their own data, to move it from one company to another, and to have it wiped from a company's database.

The rules also pull in far more companies than current European privacy laws, which mostly apply to companies with a physical presence in the European Union. The proposed laws would apply to any company that is active in the European Union or offers services to EU citizens. That means many U.S. companies would have to comply with Europe's data laws for the first time. Those that fail could be fined up to 2 percent of their global annual revenue.

To become law, three bodies must approve the final set of rules: the European Parliament; the European Council, which represents national governments; and the European Commission, which is the executive branch of the European Union. But this complicated process has run aground. Five different committees of the Parliament have reviewed the proposals and generated over 3,000 proposed amendments among them.

“It's difficult to gauge which way the wind is blowing at the moment,” says Jonathan Kirsop, a partner in the commercial, outsourcing, and technology group at lawyers Stephenson Harwood.

“Many of these committees are coming at the issue from different perspectives,” says Kirsop. The Civil Liberties, Justice, and Home Affairs (LIBE) Committee wants changes that would make the laws even more onerous for business, says Kirsop. But the main Industry Committee has echoed many of the concerns raised by data controllers in the commercial sector—for example, that the “right to be forgotten,” as the data deletion provision has come to be known, is impractical.


Belinda Doshi, a partner at solicitors Nabarro, says the draft laws have proved to be “one of the most controversial—and, consequently, one of the most lobbied—pieces of EU legislation to date.”

The LIBE committee was supposed to produce a new draft that assimilates all the amendments by May 29—a deadline that has already been extended twice. But the man tasked with leading the effort, Jan Philipp Albrecht, a Parliament member from Germany, said recently that yet more time was needed. He reckons an agreed-upon draft will be ready before the Parliament goes into its summer recess, in the first week of July.


Others say the reform is even further out on the horizon. “That timetable is still ambitious given the number of amendments to be considered and the controversy surrounding them,” says Doshi. “There are numerous areas for contention and debate.”

The areas where there is the greatest consensus are the increased transparency in privacy notices, stronger powers for the regulators, the right to be forgotten and the right of portability, Kirsop says.

“But the concept of a one-stop shop regulator, changes to the grounds for fair and lawful processing—particularly around the threshold for consent—and the current proposals around mandatory data breach notification are perhaps less likely to make it into the legislation in their current form,” he adds.

Even if LIBE meets its new deadline, the European Council still needs to publish its views, which will then feed into a three-way negotiation between the Parliament, Council, and Commission later this year.

No Done Deal

The Council's concerns include fundamental issues with the prescriptive approach taken by the Commission, says Jonathan Bartley, a partner at law firm Manches. The Council wants the extent of any obligations on data controllers determined by the level of privacy risk, the compliance burden on businesses reduced, and greater clarity about the territorial scope of the changes.

“Given the extent to which opinions differ among the three key institutions, there must be serious doubt as to whether there will be any agreement before the European elections of May 2014,” says Kirsop.

WHY DOES THE EU NEED DATA PROTECTION?

Below is an excerpt from the European Commission's paper, “Why do we need an EU data protection reform?”

Personal data is any information relating to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an e-mail address, your bank details, your posts on social networking Websites, your medical information, or your computer's IP address. The EU data protection rules apply when a person can be identified, directly or indirectly, by such data. The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, receiving medical treatment, at a police station or on the Internet. 74% of Europeans think that disclosing personal data is increasingly part of modern life, but at the same time, 72% of Internet users are worried that they give away too much personal data. They feel they are not in complete control of their data. This eats away at their trust in online and other services and holds back the growth of the digital economy in general.

What is the Commission planning to do?

The Commission's proposals update and modernize the principles enshrined in the 1995 Data Protection Directive to guarantee the right of personal data protection in the future. They focus on: reinforcing individuals' rights; strengthening the EU internal market; ensuring a high level of data protection in all areas, including police and criminal justice cooperation; ensuring proper enforcement of the rules; and setting global data-protection standards.

What will be the key changes?

A ‘right to be forgotten’ will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.

Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.

Easier access to one's own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.

Companies and organizations will have to notify serious data breaches without undue delay, where feasible within 24 hours.

A single set of rules on data protection, valid across the EU. Companies will only have to deal with a single national data protection authority—in the EU country where they have their main establishment. Individuals will have the right to refer all cases to their home national data protection authority, even when their personal data is processed outside their home country.

EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behavior of citizens.

Increased responsibility and accountability for those processing personal data.

Unnecessary administrative burdens such as notification requirements for companies processing personal data will be removed.

National data protection authorities will be strengthened so they can better enforce the EU rules at home.

Source: European Commission.

If there's no deal by those elections, the proposed laws would have to come back before the new Parliament and “would very likely slip down the priority list,” Kirsop believes. “So I think that while a new data protection framework is still likely, it is perhaps some way off and may look very different to the one being proposed today.”

So should companies be preparing now? “U.S. compliance professionals whose businesses either have establishments in the EU or even just offer services to or monitor EU citizens will wish to keep a watching brief on the Regulation's developments,” says Doshi. “But it's too early to take compliance action given the likely movement on the final text.”

That doesn't mean compliance executives should put data privacy on the back burner. “Compliance executives should plan for the fact that this legislation will come into force over the next couple of years,” says Andrea Ward, senior associate with law firm McGuire Woods. “If they have not done so already, they should alert their board and senior management to the issues, which will undoubtedly affect the way they do business in Europe.”

All companies that do business in Europe will probably need to employ an established and qualified data privacy officer, Ward adds, who will be responsible for data protection. “This will be an important position in the company, not least because of the potential fines for data breaches,” she says.

Kirsop recommends U.S. companies run an audit of their data processing activities, based on the proposed EU data privacy regulation, to find out how much compliance work is needed. The objective would be “to identify relevant data flows within the organization, on what legal grounds (such as consent) the processing is or may be based, where the processing occurs, and what notices are given to data subjects,” he says. “This will enable an understanding of likely costs of implementing new proposals and any gaps, including gaps against the law as it stands now.”

The new laws, whenever they are finalized, will likely require companies to be far more accountable for personal data, whether they are based in the United States or Europe, says Wim Nauwelaerts, partner at law firm Hunton & Williams.

“Under the new regulatory regime, they can't just say they comply with the law, they would have to demonstrate that they comply and build a robust compliance program that a regulator from an EU member state could come and review,” he says.
