January 31, 2012
On Wednesday, January 25, 2012, the European Commission released its proposed new regulation which will replace and update the outdated Data Protection Directive 95/46/EC (the "Directive"). The existing Directive has governed data privacy in the EU for approximately 17 years and was enacted at a time when the privacy issues faced today from the proliferation of the internet, cloud computing, social networks and global outsourcing could hardly be imagined.
Whilst businesses may welcome the proposal to replace the existing patchwork of laws with a single law that will apply across Europe, the new regulation will also introduce additional new rights for employees, consumers and users across Europe, creating new challenges for companies subject to the regulation. Significantly, the proposals will introduce new powers to levy substantial fines of up to 2% of global turnover and, as a result of their extraterritorial application, will impact organizations far beyond Europe’s borders.
We summarize the most significant proposals within the European Commission’s proposed new regulation (the "Regulation") below, although the final text remains subject to approval and possible amendment by the European Parliament and Council:
- Single EU-Wide Regulation. The current Directive would be replaced with a single Regulation that would have direct effect across all 27 EU member states. The current Directive does not have direct effect and is instead implemented by local legislation in each member state giving rise to (sometimes significant) differences in scope, interpretation and enforcement. This can lead to widely different outcomes, and the cost of compliance can be extremely burdensome. The Commission estimates that this proposal alone will lead to cost savings for business of €2.3 billion a year.
- Single Regulator. Instead of having to deal with a different regulator for each establishment that controls data within the EU, organizations would instead be regulated by a single regulator based on the location of their main establishment. This is being referred to as a "one-stop-shop" approach and may also reduce uncertainty created by inconsistent application of the Directive by different member states.
- Right to be Forgotten. The Regulation introduces a novel "right to be forgotten," which would enable a data subject to secure the erasure of their personal data by a data controller. Where a data controller has made personal data publicly available, for instance by publishing it on the internet, then in addition to removing that personal data from its own website, the data controller will also be required to take all reasonable steps to inform "third parties processing such data" that the data subject wishes for them to erase links to that personal data and delete copies. Where processing is based upon consent, data subjects will have a right to withdraw that consent, requiring data controllers to delete their data. In an age where the wholesale retention of data is less expensive than its selective destruction, and in which a single file might contain data relating to a large number of data subjects, the implications of this proposal are enormous.
- Data Breach. A key new feature will be a general data breach notification rule requiring all companies that control personal data to inform the relevant data protection regulator of any personal data breach. Individuals must also be informed if the breach "adversely affects the personal data or privacy of the data subject". Whilst there is no materiality requirement, the Regulation envisages that delegated legislation will provide further guidance on what kind of breach is considered to have an adverse effect on privacy. Notification to the regulator must be made without undue delay and, where feasible, within 24 hours of the controller becoming aware of the breach. Currently there is no express EU-wide data breach notification requirement outside the telecommunications sector.
- Extraterritorial Application. The Regulation would expressly apply to non-EU organizations that offer goods or services to EU data subjects or that monitor their behavior. Non-EU organizations with more than 250 employees that are based in countries not deemed to have adequate laws to protect personal data (including US organizations which do not participate in the US Department of Commerce Safe Harbor) must also appoint a representative physically located in the EU. An exception to this requirement would apply if the organization only occasionally sells goods and services into the EU. Whilst EU data regulators have long maintained that the Directive applies to non-EU companies placing "cookies" on users’ equipment in the EU, the Regulation would provide express support for this analysis.
- Clearer Privacy Policies. The current regulatory trend of insisting upon clearer, easier to understand privacy policies — which highlight processing that data subjects might not expect — is reflected in new requirements for privacy policies to be in "clear and plain language". All privacy notices would also be required to be more detailed and would need to include the data retention period and information about the data subject’s rights. Where a data controller seeks to legitimize its processing based on the data subject’s consent, the Regulation expressly provides that such consent must be distinguishable from other matters contained in the policy – in other words, it would no longer be acceptable to bury consent language in the fine print.
- New Red Tape. The existing rules requiring formal notification of data processing to the local data protection regulator would be replaced with a requirement that data controllers maintain documentation setting out specified details about their data processing for inspection (although there is an exception for enterprises with fewer than 250 employees that only process personal data as an "ancillary activity"). Data controllers engaged in higher risk processing would also be required to carry out "impact assessments" and to consult with data subjects and the data protection regulator. Systems and processes would have to be "designed with privacy in mind" and "assume privacy by default."
- Data Protection Officer. The Regulation would require all EU companies with 250 or more employees to appoint a suitably qualified data protection officer.
- Sensitive Personal Data. The Regulation extends the current definition of sensitive personal data to include "biometric data" and "genetic data." This is significant because the processing of sensitive personal data is subject to more onerous conditions and usually requires the data subject’s consent.
- Data Portability. The Regulation introduces a right of data portability allowing individuals who have provided organizations with their personal data to be provided with a copy of that data in a commonly used format.
- Data Processors. Currently, only "data controllers", meaning the entities which determine the purposes and means of processing personal data, are subject to the Directive. The Regulation would also impose obligations directly upon "data processors": the term used to describe entities which process data on behalf of data controllers (e.g., IT vendors and other outsourced service providers).
- Easier International Transfers (Slightly). The current restriction on the transfer of personal data outside the EU would continue to apply. The existing exceptions would remain, although: (a) there will be a new exception allowing data controllers to make small scale occasional transfers of data outside the EU based on their own risk assessment; (b) national privacy regulators would be able to approve transfers on "non-standard" terms; and (c) it should become less onerous to get approval for binding corporate rules (which allow the free movement of data within global organizations).
- Major Fines. Recent years have seen a steady increase in enforcement activity, including fines and criminal sanctions in some member states. The Regulation would substantially increase this trend by giving privacy regulators the power to issue fines of up to 2% of a company’s global turnover. In the case of individuals, the maximum fine would be €1 million (approx. $1.3 million today). The Regulation states that the level of the fine must be "effective, proportionate and dissuasive".
The Regulation would not affect the e-Privacy Directive which would continue to regulate spam email and insist upon (opt in) consent for website operators who set "cookies" on users’ computers in certain circumstances.
A number of these proposals had been widely trailed in the media and some of the more controversial proposals appear to have been dropped. In particular, an earlier unofficial leaked draft stated that non-EU court orders could not be used as a basis for justifying processing or transferring data outside the EU, unless the processing was first approved by an EU data protection regulator. This was apparently aimed at blocking the US government from accessing European data held by US-based enterprises under the mandate of the US Patriot Act. However, the measure in the leaked draft was broadly drawn and would also have restricted discovery in civil litigation and internal investigations. Whilst this provision was dropped, the Regulation instead provides that transfers made directly to US regulators which rely on the transfer being "necessary on important grounds of public interest" will only be permitted if the public interest in question is recognized in EU law.
The current proposal is in draft form and is subject to approval and amendment by the European Parliament and the Council. Given the controversial subject matter it is not clear whether the Regulation will survive in its current form or how long the legislative process might take, but once the Regulation is eventually passed into law, the draft envisages a two-year grace period before the new rules apply. Businesses are nonetheless advised to take the Regulation into account now, to ensure that the products, services, systems and structures they implement today are consistent with what is likely to come.
The existing Directive has also been highly influential in the other 50 or so non-EU countries that have adopted general privacy laws and these proposals may also influence further developments outside the EU.
Whatever form the final text of the Regulation takes, the pace of technological change and international integration makes further regulation in this rapidly expanding area of practice highly likely.
Gibson, Dunn & Crutcher’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you work, the authors (Daniel E. Pollard – London (+44 207 071 4257), Kai Gesing – Munich (+49 89 189 33-180), or Meredith A. Smith – Los Angeles (+1 213-229-7531)), or any of the following:
James Barabas – London (+44 20 7071 4253)
James A. Cox – London (+44 207 071 4250)
Patrick Doris – London (+44 20 7071 4276)
Andrés Font Galarza – Brussels (+32 2 554 7230)
Bernard Grinspan – Paris (+33 1 56 43 13 00)
Jean-Philippe Robé – Paris (+33 1 56 43 13 00)
Michael Walther – Munich (+49 89 189 33-180)
Mark Zimmer – Munich (+49 89 189 33-130)
S. Ashlie Beringer – Palo Alto (+1 650-849-5219)
Gareth T. Evans – Los Angeles/Orange County (+1 213-229-7734)
G. Charles Nierlich – San Francisco (+1 415-393-8239)
Jennifer H. Rearden – New York (+1 212-351-4057)
M. Sean Royall – Dallas (+1 214-698-3256)
Alexander H. Southwell – New York (+1 212-351-3981)
Debra Wong Yang – Los Angeles (+1 213-229-7472)
© 2012 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.