By Daniella Terruso

Breaches of data protection and privacy rules are expensive, time-consuming and, above all, detrimental to business reputation. Current EU proposals, some of which could be put into effect in 2013, provide an opportunity for companies to review how the risks arising from processing of personal data can be better identified and managed.

Vivian Reding, Vice-President of the European Commission

At the beginning of this year, Vivian Reding the Vice-President of the European Commission with responsibility for questions of justice, launched a major review of the EU rules which protect individuals’ privacy and regulate transfers of personal data across national borders. In her opinion, the current legal framework no longer reflects the widespread use of new technologies and business practices that facilitate data transfers across national borders, nor does it address recent changes in the EU institutional framework.

The Commission’s proposals comprise:

• A regulation which will update the EU’s 1995 Data Protection Directive; and

• A new directive on personal data processing in the context of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. This proposal will update a 2008 Framework Decision.

Highlights of the proposals include:

• a “right to be forgotten and to erasure of data”

• a “right to data portability”

• a “one-stop shop” system that gives businesses and consumers a single point of contact with national data protection authorities

• stronger requirements for the data subject’s express consent

International data transfers are a persistent challenge for multinationals. This is particularly the case when they involve countries that are not considered to provide adequate protection for personal data, which have not negotiated safe harbour agreements or whose safe harbour provides only partial cover.

Companies have been criticised for relying too heavily on certain exceptions in the current EU legislation, such as explicit consent of the customer or employee to transfer data, including sensitive data. Companies need to use the tools provided by the EU system: standard contractual clauses to enable data controllers and processors to transfer data outside the EU/EEA, and/or binding corporate rules. The current proposals encourage use of binding corporate rules by, for instance, simplifying procedures for obtaining approval.

The EU legislative process

Following publication by the Commission of the proposals in January, the European Parliament has begun to review them in committee. The Council of Ministers must also provide its initial position. Thereafter, the three institutions will enter into negotiations, known as a trialogue, in order to reach agreement on a definitive text. The new Regulation could be enforceable against companies as early as the end of 2013. As for the proposed Directive, Member States would have an additional 12 to 18 months in which to implement the text into national law. This timetable is very provisional and depends heavily on political factors. The campaign for the European elections in June 2014 will no doubt focus minds.

Comment

First, enhanced protection of personal data and privacy is a global concern. For example, the EU, represented by Mrs Reding, and the United States, represented by the Secretary of Commerce John Bryson, recently released a joint statement, including the following,

“Both parties are committed to working together and with other international partners to create mutual recognition frameworks that protect privacy. Both parties consider that standards in the area of personal data protection should facilitate the free flow of information, goods and services across borders. Both parties recognise that while regulatory regimes may differ between the US and Europe, the common principles at the heart of both systems, now re-affirmed by the developments in the US, provide a basis for advancing their dialog to resolve shared privacy challenges. This mutual interest shows there is added value for … enhanced EU-US-dialogue…”

Second, the EU proposals encourage businesses, as well as the public sector, to take a strategic view of personal data protection, increase investment in systems to prevent hacking and other data breaches, improve detection and report incidents to the authorities.

The specialist press is taking a keen interest in the proposals, in particular: (1) the requirements to report a breach within 24 hours after having become aware of it to national supervisory authorities and notify the affected data subjects “without undue delay” and (2) the significant fines national supervisory authorities may impose, which are up to €1 million or 2 percent of global annual turnover.

Third, national data protection authorities are already questioning whether non-EU companies could be forced to comply with any new EU regime.

Finally, the European Data Protection Supervisor, Peter Hustinx, in his opinion on the proposals in March, stated that the reform constitutes “a huge step forward for data protection in Europe”. However, he also expressed regret that the package was not comprehensive. The reforms will leave other data protection legislation largely unaffected as will certain factual situations, such as the use of passenger name records or telecommunication data for law enforcement.

Next steps for companies

Companies cannot disregard protection of personal data and privacy. They should take the opportunity to review the risks involved with processing of personal data and reconsider their data protection and privacy policies in light of the expected changes in the rules. This is particularly relevant for companies with operations and outsourcing relationships with firms in multiple jurisdictions, whether within the EU or in other countries.

Daniella Terruso is a legal assistant in the Brussels office of FERMA’s EU legal adviser, Steptoe & Johnson.