The Directorate General for Justice of the European Commission has in recent weeks worked to overcome criticism from other Directorates on its draft proposal to reform Europe’s privacy law. It now appears possible that the proposal for the reform is back on track for adoption at the Commissioner’s Meeting scheduled for 25 January 2012. From there, the proposal would move into the legislative process, requiring approval by the European Parliament and the national Governments via their representatives in the Council of Ministers.
On 22 January 2012, Viviane Reding, the European Commissioner in charge of the reform of the European privacy law, claimed in her keynote speech at the DLD Conference held in Munich that the reform will help businesses. Reding argued that the reform will bring more certainty, simplify rules, and provide better protection for third country data transfers. She also made clear that businesses must respect privacy more strictly. She did not reveal whether she expects the revised proposal to pass next week, a possible indication that the timeline is still up in the air.
An unofficial draft of the European General Data Protection Regulation dated 16 January 2012 reveals that the Directorate General for Justice has implemented several changes to ease the concerns voiced by the other Directorates. The revisions include:
- The Regulation will be based not only on Article 16 (2) of the Treaty on the Functioning of the European Union but also on Article 114 (1). The change underlines that the purpose of the Regulation is not only to provide strict privacy protection but also to help the functioning of the internal market. Critics questioned whether Article 16 (2) is a suitable legal basis to regulate privacy in the private sector at all. The change, however, does not necessarily result in the Regulation being more business friendly.
- The recitals and provisions relating to the application of the Regulation to non-EU businesses have been modified, but the extra-territorial approach still applies if goods or services are offered to European individuals or contracts are entered into with them. In addition, the Regulation still applies if non-EU businesses monitor behavior of European individuals.
- Small or medium-sized enterprises, and businesses which only occasionally offer goods or services to European individuals, are now exempt from the obligation to appoint a European representative. They do, however, still have to comply with the Regulation.
- The definition of “main establishment” (important as it determines which country’s regulator a company has to deal with) has been altered to cover situations in which the main establishment of a company is outside the European Union. The rule, however, only covers situations in which a company is a single legal entity within the European Union; it does not provide a framework for a one-stop shop for groups of legal entities. The provision, therefore, will have limited application in practice.
- The ban on commercial direct marketing without consent now has one exemption with respect to existing customers of goods and services. This, however, will not allow businesses to market to potential new customers. Businesses may also ask for consent without breaching the rules, but the potential success of such requests is questionable.
- The so-called “balance of interest clause”, which allows the processing of data if no overriding legitimate interests of the individual are concerned, still does not allow a company to take into account the legitimate interests of third parties. This would appear to make it impossible for the data industry, for example credit information bureaus, to collect and provide data in the interest of their customers. The modified draft only mentions that third-party interests can be considered for security related processing.
- The restriction on processing data only for purposes “compatible” with the purposes for which they have been collected has been modified, but the balance of interest clause still cannot be used to justify a change to purposes not compatible with the original purpose.
- The requirements for valid consent have been adjusted, but certain limitations, for example with respect to employment relationships, still apply. Only “explicit” consent is stated to be valid. The unlimited right to withdraw a given consent remains as well.
- The restriction on obtaining consent from individuals below the age of 18 has been cut back and now applies mainly to individuals below the age of 13. The balance of interest clause, however, still does not apply to children under 18.
- The revised draft now confirms that not all identification numbers, location data, or online identifiers need to be considered as personal data. A provision on “processing not allowing identification” has been added, but probably only as a clarification.
- The provision on the “right to be forgotten” has been modified and softened, especially in relation to the obligation to delete data that have been published, but the provision would still be difficult to comply with in practice. In addition, the broad right to object to data processing has not been limited. Finally, the provisions on the “right of data portability” and on “profiling” remain as well.
- Several exemptions to data subjects’ rights, such as transparency, rectification or erasure rights, have been modified. These exemptions, however, mainly apply to public authorities and have to be implemented by the member states. In this regard, the Regulation departs from its original aim of harmonizing privacy laws in the European Union, because each member state will have the right to implement different restrictions on data subject rights.
- The obligations of controllers and processors have been modified to take some of the additional administrative burdens out of the draft Regulation. However, most of the obligations (for example to maintain policies, to implement data protection by design and by default, to maintain extensive documentation, to carry out data protection impact assessments, and to request prior authorization from data protection authorities) remain essentially unchanged. The same holds true for the new obligations of data processors.
- The requirement to inform authorities and data subjects about data breaches within 24 hours has been modified slightly to give some flexibility with respect to the timing of notifications. It still, however, imposes obligations which are unrealistic to follow in practice.
- The third country data transfer provisions have been modified. Decisions made under the existing Directive shall remain in force until amended. This will help businesses that rely on such decisions, for example with respect to the Safe Harbor Privacy Principles or standard contractual clauses. In the long run, however, these instruments might be amended. The same applies to individual authorizations, for example authorizations of binding corporate rules.
- Significantly, the provisions on fines have not been changed much. The maximum fine of 5% of the global turnover has been reduced to 4%.
- The extensive powers of the European Commission to pass delegated acts or to specify the implementation of the Regulation remain.
The next few days will be critical to establish whether the European Commission will formally issue the proposal of the reform or will need more time to come to a compromise between the different Directorates and Commissioners.