As we saw in my last post, the proposed EU data protection Regulation will apply more extensively than the existing directive. In this post, I will pull out some of the new and expanded requirements for data controllers, look at how international data transfers are likely to be governed, and indicate what consequences might arise for breaches of the Regulation.
New Principles and Obligations
Data controllers must have "transparent and easily accessible" data processing policies – which probably excludes the 6-point, 40-page Terms of Service that lurk in the recesses of a website.
As foreshadowed by Ms Reding in a number of speeches, data subjects will have the "right to be forgotten". This means people will be able to ask data controllers to erase personal data relating to them, e.g. if the data is no longer necessary, if they withdraw consent, if they lodge an objection to processing, or if the processing is unlawful. Where the controller has made the data public, it must also take steps to ensure that online links to, or copies of, that data held elsewhere are removed.
The new Accountability Principle means that data controllers must "adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation". The draft Regulation specifically suggests measures would include appropriately assigned responsibilities and staff training, along with proper data security and the use of privacy impact assessments. Independent auditors must be appointed to verify that these steps have been taken.
Essentially, what this means is that data controllers will have to grow out of their data protection adolescence, take responsibility for their actions, and recognise that handling personal data is a privilege, not a right. Assurances and promises must be backed up with evidence. It will no longer be sufficient to glibly state that "user privacy is important to us".
Privacy by Design, as heavily promoted by Canadian and European regulators, is explicitly required. Data controllers must implement technical and organisational measures which have privacy compliance built in, and privacy must be considered right from inception.
Outsourcing: if processing is outsourced to a data processor, the data controller a) must choose the processor carefully (i.e. select one that can demonstrate compliance with the Regulation), and b) will remain responsible for ensuring that the data is processed appropriately.
Record-keeping: data controllers will have to maintain documentation covering matters like who the data protection officer is, what data is held, why it is processed, whether and to whom it is transferred, and how long it will be kept. Sophisticated data management will be a must. It may also have the added benefit of reducing data breaches, as there have been cases where data was compromised simply because the organisation had no idea that it held it.
Mandatory impact assessments: these shall be carried out before processing if it is "likely to present specific risks to the rights and freedoms of data subjects". Examples include processing sensitive data, automated processing with legal consequences, and surveillance. Public consultation will be necessary, and the outcome of the assessment shall be published. Doubtless, this addresses concerns about companies rolling out new products, services or practices which are belatedly discovered to have adverse effects on personal data privacy, e.g. Google Street View and assorted Facebook developments.
International Data Flows
Cross-border transfers will be permitted with provisos, including that personal data protection as established by the Regulation is not "undermined". In addition to the Commission being able to designate third countries as providing adequate protection, the Commission will also be able to rule that a country does not ensure adequate protection. One imagines that such a decision could adversely affect a country's commercial attractiveness, and presumably this would be a strong incentive for non-EU nations to improve their privacy regimes.
In effect, there is now a stick in addition to the carrot for passing laws which are similar to the EU's.
Enforcement and Penalties
Similar to the hard line taken against anti-competitive practices, the draft Regulation proposes a tiered regime of fines. For serious breaches, including of the new Accountability Principle, fines of up to €1,000,000 or, for enterprises, up to 2% of annual worldwide turnover may be imposed.
National data protection authorities will have enhanced investigation and enforcement powers, which will make a dramatic difference to data protection law in practice. One of the key problems in this field today is the inconsistency, and near-absence, of strong enforcement action and penalties for privacy breaches, and some Member States have been particularly slow to adopt fines tough enough to have a deterrent effect.
Should the draft Regulation become law, there will be ramifications for businesses across the world. However, these need not cause corporate conniptions, as my next post will explain.