The revised EU data protection laws, which were first leaked to the press in early December 2011, will be submitted to the European Parliament for ratification around the end of January 2012.
There has been extensive coverage of this during December. Unfortunately, most of it makes for pretty heavy reading, which many of us are either unable or unwilling to wade through. But given its critical importance to both cloud service providers (especially in the US) and to their clients and prospects (especially in Europe), I have attempted here to summarize the main highlights in short, bulleted one-paragraph form in the four key areas of jurisdiction, controller and processor responsibilities, individual rights and company obligations. Those who want to dig deeper can check out the Further Reading section at the end.
If you’re unfamiliar with basic data protection legal-speak, which is essential for understanding this article, then the three main terms you need to know are:
- “data subject” (ie an individual citizen with personal data, eg a customer or employee),
- “controller” (ie the company storing and using the data subject’s personal information), and
- “processor” (ie the entity that processes the data on behalf of the controller, eg an IT department or a cloud service provider).
For further information on these terms, jump straight to the section called A QUICK PRIMER ON EU DATA PRIVACY LAWS in my recent article entitled “The Patriot Act and EU data privacy – threats and opportunities”.
JURISDICTION
1. New European Data Protection Board: This new executive body would ensure consistency of approach for the new laws across all member states’ data protection authorities, thereby simplifying compliance. Under the current laws, there is no overarching supervisory body to facilitate EU-wide coordination, thus requiring non-EU companies (eg Google) to deal separately with each country and its local implementation of the laws.
2. Increased geographical scope outside of the EU: EU data protection laws would apply outside the EU. The scope of the regulation extends to any controller established inside or outside of the EU who processes the personal data of EU subjects. Organizations outside the EU would have to appoint an EU representative answerable to the EU data protection authority.
But the devil is in the detail, because the requirement refers to the processing of personal data “directed to” data subjects residing in the EU – or “serves to monitor their behaviour”. Consider, for example, a non-EU website (eg in the US) directed in part towards the EU market. The “directed to” clause could, if the controller was envisaging the processing of the personal data of EU subjects, require that he designate an EU representative to act on his behalf, who would be answerable to the EU data protection authority.
3. The European HQ determines the EU state jurisdiction: Companies with operations in multiple EU member states would be subject to the jurisdiction of one state’s legal system and data protection laws. The headquarters of the European office would determine this.
4. Transfers to non-EU countries and the Patriot Act: The new laws would effectively replace the current EU/US Safe Harbour regulations, which the Patriot Act is able to override. Transfers of data outside the EU would still be permitted where adequate protection is established (eg through Binding Corporate Rules or BCRs, as well as “adequacy statements”). The Patriot Act, however, could no longer be invoked on a US-registered company because the EU member state’s data protection agency (with authority over the company’s European headquarters) would have to agree to the data transfer.
NEW CONTROLLER AND PROCESSOR OBLIGATIONS
5. Increased processor obligations: Processors would have identical obligations imposed on them as for controllers, and would be accountable for the processing of personal data, for which they would be directly liable. So a US cloud provider (processor), for example, would also be accountable for any data breach, and not just the EU customer (controller), as is the case today.
6. Explicit consent: Consent for the processing of personal data would now need to be explicit, involving some affirmative action by the data subject. Implied consent or consent by default would no longer be valid.
7. New definition of “child” (under 18): A child would now be defined as anyone under the age of 18. This new rule would impact websites allowing access to children over 13 without first seeking parental consent. Targeted marketing would also be impacted, since it would require parental consent for “children” under 18.
8. Notification requirements replaced by internal controls: Existing notification requirements to data protection authorities would fall away and be substituted by internal controls that document processing operations. Controllers would have to make available upon request to data protection authorities evidence demonstrating their data protection policies and procedures (‘privacy by design and default’).
INCREASED INDIVIDUAL RIGHTS AND SCOPE OF THE LAW
9. Extension of personal data to include cookies and IP address: Online identifiers such as IP address or cookie identifiers now figure explicitly alongside the usual identifiers like name and address, since they may enable direct or indirect identification of a data subject.
10. The right to be forgotten: This would allow EU citizens to have their data deleted by private companies, in essence giving them the opportunity to “wipe the virtual slate clean” (prior to the new law, people’s “indiscretions” could be broadcast for posterity on social media sites).
11. The right to portability: This would allow individuals to transfer all of their data from one cloud provider to another, eg for moving email accounts, photos or medical records from one provider to another.
12. The right to profiling: “Organizations would potentially be barred from profiling individuals based on automatic processing that seeks to predict a person’s performance to work, creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour; unless done so in the course of performing a contract, consent has been obtained or is expressly authorised under law” (quoted from the Lexology article).
COMPANY OBLIGATIONS AND PENALTIES
13. Data Protection Officers for companies > 250 people: Public bodies and private companies employing more than 250 people would be required to designate a Data Protection Officer.
14. Data breach notification within 24 hrs: Controllers (with the full support of their processors) would have to report any breach or data loss to the data protection authority – and the data subjects – within 24 hours of discovery.
15. Fines of up to 5% of world-wide turnover: Businesses could face fines of up to 5 per cent of their global turnover (with intermediate tiers of between 1 and 3 percent) for intentional or negligent breaches of the new laws.
In conclusion, while we cannot predict how much of the above final draft will remain as is, or will be changed, adapted or watered-down between now and ratification in January, it is a safe bet to assume that most of the clauses will retain the spirit outlined above.
The above highlights are based on a consolidation of information from the following in-depth articles:
- Lexology’s “European Commission’s proposed change to the EU data protection laws: detailed analysis”
- Cloud Advisory’s “The Patriot Act and EU data privacy – threats and opportunities”
- DLA Piper’s “First insight into the European Commission’s proposal for a new EU data protection law”
- ZD Net’s “European Data Protection Law Proposals Revealed”