Kathryn Wynn, data protection law expert at Pinsent Masons, the law firm behind Out-Law.com, said that plans contained in a leaked draft 'General Data Protection Regulation' were to be welcomed, but that many would place extra requirements on businesses that currently comply with the law.
Changes to EU data protection laws are expected to be formally proposed in late January, but a leaked draft (116-page / 661KB PDF) of those proposals has outlined new requirements that organisations would have to comply with when collecting and processing personal data if the proposals are introduced.
Organisations will have to be more transparent about the way they process personal data if leaked draft changes to the EU's data protection regime are introduced in their current form.
Organisations would have to ensure personal data is "processed lawfully, fairly and in a transparent manner in relation to the data subject" and "collected for specified, explicit and legitimate purposes".
Companies would be required to "have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights" and "provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child".
The current EU Data Protection Directive does require data protection authorities in EU countries to "help to ensure transparency of processing" of personal data but it does not include explicit provisions requiring companies to be transparent about that processing.
The leaked draft outlining what may be in a new 'General Data Protection Regulation' was published by civil liberties group Statewatch and has been confirmed as authentic by the European Commission, according to a report by The Register. The draft, which Commissioners are said to be considering, was issued on 29 November, the report said. A spokesman for the EU's Justice Commissioner, who has been driving the reform of the current data protection regime, would not comment on whether the leaked draft was authentic when contacted by Out-Law.com.
If the proposals are genuine and are ever introduced in their current form they would require companies to obtain individuals' "freely given specific, informed and explicit" consent in order to process their personal data. Consent would not be deemed to have been given through silence or inactivity on the part of the individual.
In November EU Justice Commissioner Viviane Reding said that "EU law should require that consumers give their explicit consent before their data are used," but the leaked draft suggests prior consent would only need to be obtained if personal data is to be processed as part of "direct marketing for commercial purposes".
There would be no legal basis for saying consent had been given "where there is a significant imbalance in the form of dependence between the position of the data subject and the [organisation]," the leaked draft said.
Organisations would have to ensure personal data is "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed," under the regime being considered.
A so-called 'right to be forgotten' is also under consideration, where individuals could order organisations that store their personal data to delete the information under certain circumstances. Media and other organisations would be able to argue against the request if the deletion of personal data is contrary to "the right of freedom of expression".
Companies that process personal data by "automated means" could also have to transfer individuals' personal data over to systems operated by competitors "without hindrance" under new 'data portability' rights proposed.
A new 'data protection by design' requirement could also be placed on organisations to ensure that when any mechanisms for processing personal data are introduced, the personal information stored is "not made accessible to an indefinite number of individuals".
All companies could also be forced to notify individuals and a supervising data protection authority without "undue delay" – and generally within 24 hours – of identifying a breach of personal data security. Currently this is only required of telecoms companies under the EU's Privacy and Electronic Communications Directive.
Businesses with more than 250 employees, public bodies and firms whose "core activities" involve "processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects" would be required to appoint experienced, expert and independent data protection officers responsible for monitoring the organisation's compliance with data protection law and advising it of its obligations.
A new body – a European Data Protection Board – is also to be established. EU Justice Commissioner Viviane Reding confirmed the plans in a speech last Wednesday. The new Board would replace the existing Article 29 Working Party privacy watchdogs and oversee regulatory enforcement of the Regulation.
Reding said that, when a problem cuts across national borders one national authority should be the "lead authority" in dealing with the issue. Under the plans data protection authorities from other countries would be allowed to collaborate in investigations where issues crossed borders, would be able to force the lead authority to take enforcement action and "discuss remedies," whilst the new Board would also have a say in enforcement action, she said.
Reding has also recently said companies should be able to agree binding corporate rules (BCRs) with any national data protection authority within the EU and for those rules to be "recognised" by the other data protection authorities across the trading bloc. She said BCRs would be assessed on the basis of compliance with EU data protection laws and that national data protection authorities would be given consistent powers to hand out "administrative sanctions" for breaches of those laws.
"The draft regulation is far more prescriptive and detailed than the current directive and it seems unlikely that a ‘one size fits all’ approach will be effective given the way that EU data protection law has developed across the EU Member States; the practical implementation could introduce as many problems as the new regulation seeks to resolve," said Kathryn Wynn, expert in data protection law at Pinsent Masons, the law firm behind Out-Law.com.
"Many of the provisions are incredibly draconian, such as the requirement to notify the regulator of a security breach within 24 hours and for all consent to be explicit, which will not be well received by organisations. Further, for the first time, data processors will have obligations under the law, which could fundamentally impact on some organisations’ business model, as statutory and contractual liability will now need to be factored into their cost / benefit analysis," Wynn said.
"The draft regulation has gone some way to modernising EU data protection law by introducing the right to be forgotten, the right to object to profiling and privacy by design, which address the often reported privacy concerns surrounding social networking. However, the regulation has a wider remit and means that for many privacy conscious organisations, the new EU law will impose additional burdens upon them, even though they do not currently deploy intrusive data protection practices," she said.
The current EU Data Protection Directive was adopted in 1995 and is applied slightly differently across EU member states. The Commission has said that the Directive needs to be updated to reflect technological changes. If the reforms are implemented in the form of a Regulation, as the leaked draft suggests, it would apply directly in all EU countries from the moment it entered into force. The leaked draft suggests that a regulation will "reduce legal fragmentation and provide greater legal certainty by introducing a harmonised set of core rules...". EU directives, by contrast, have to be implemented into national laws, and this often takes a couple of years after they are passed at EU level.