The European Commission adopted a proposal to reform European privacy law on 25 January 2012. According to the Commission the reform will “strengthen online privacy rights and boost Europe’s digital economy.” Time will tell whether the former is compatible with the latter.
The proposal now moves to the European Parliament and to the Council representing the member state Governments for discussion. Since the first draft leaked in November, a number of amendments have been made to make the proposal less onerous, but it still imposes severe new restrictions and introduces many new bureaucratic obligations.
The draft European General Data Protection Regulation still contains a provision which leads to a wide reaching extra-territorial effect (Article 3). Any business outside the European Union that offers goods or services to individuals in the European Union or monitors their behavior has to comply with the Regulation if it processes and uses personal data about European Union residents. This also applies to B2B contacts details, if they refer to individual employees of the company.
Non-EU companies caught by the Regulation will have to appoint a representative in the European Union (Article 25). This will enable data subjects, data protection authorities and courts to serve notices and enforce the Regulation. In response to criticism from the US, the European Commission added several exemptions to the rule (for example for small- and medium-sized companies or companies that offer goods and services only occasionally to European customers), but it will still apply in many situations.
The proposed Regulation requires breach notification to data protection authorities “without undue delay and, where feasible, within 24 hours” with an explanation for any delay beyond 24 hours and notice to data subjects “without undue delay”. The potential fines for a breach of the Regulation can be up to 2% of the total annual worldwide turnover of an enterprise.
The proposal will surely be the subject of much debate as it proceeds through the European legislative process. Watch this space for details of interest to your global business.