A recent draft of the new European Data Protection Framework has leaked from the European Commission. It is still subject to internal discussions between the different Commissioners and Directorates-General, but is likely to be reasonably close to the official Commission draft expected to be published by the end of January 2012. According to the draft framework, the European Data Protection Directive (95/46/EC) will be superseded by a new General Data Protection Regulation. In addition, the framework includes a Police and Criminal Justice Data Protection Directive.
The European Commission aims to set global standards for privacy protection. As such the new Regulation is drafted to apply far beyond the borders of the European Union. For example, whenever a US internet service targets individuals resident in the European Union, the draft would require that use and analysis of the personal data of such individuals comply with the Regulation. If the internet service has no establishment in the European Union, it would have to appoint a representative in one of the member states. The representative would be responsible for the compliance with the Regulation including the obligation to pay fines for breaches of up to 5% of the total worldwide turnover.
The draft Regulation is packed with new concepts and stricter rules in comparison to the current Directive. Many changes originate from existing laws in member states with privacy rules that exceed what is now required:
- Stronger protection for children below the age of 18
- Introduction of extraterritorial effect
- Additional requirements for a valid consent
- Prohibition of any direct marketing without consent
- Extended transparency obligations and access rights
- Introduction of the “right to be forgotten” and the “right to data portability”
- Limitations on profiling
- Obligation to implement privacy “by design” and “by default”
- Strict requirements for the engagement of commissioned data processors
- General breach notification obligation to both the authority and the data subject
- Extended duty to carry out data protection impact assessments
- Obligation to designate a privacy officer
- Revised third country data transfer rules
- Ban of data transfers based on third country court decisions or administrative orders
- Comprehensive powers of data protection authorities
- Enforcement action to be taken by regulator where the main establishment is located
- Rigorous sanctions for breaches
- A new European body to ensure consistent interpretation within the European Union
- Introduction of rules for specific data processing situations (for example health, employment or public interest)
After its official submission by the European Commission, the draft Regulation will have to go through a legislative process involving the European Parliament and the European Council, and, given its terms, extensive lobbying by industry. In the course of this process, the Commission’s proposal is likely to change substantially. If the Regulation is finally passed, it will have direct effect. In contrast, the old Directive from 1995 had to be implemented into national law enabling the member states to take a liberal view of it provisions on the implementation. This approach caused a fragmented regulatory framework in the European Union. That is why the European Commission now proposes a Regulation instead of a Directive to enforce a stricter harmonization between the member states. It also means that the Regulation might become effective earlier than a Directive would, because it would not need the years it usually takes to implement a Directive into national law.
Viviane Reding, Vice President of the European Commission, reiterated today in a speech to the 2nd Annual European Data Protection and Privacy Conference her goal of a “free flow of data” between the European Union and the US. The proposed European reform, however, contradicts this goal. Rather than make things easier for companies trying to operate globally, it is likely to make it more difficult. The debate to come should be interesting.