On 28 November 2011 Viviane Reding, the Vice-President of the European Commission and EU Justice Commissioner, laid the foundation for a comprehensive reform of European data protection laws that will impact every business that operates in the EU, including US multinationals. This reform is expected to be formally announced early in 2012.
At the heart of the current proposal is the welcome news that businesses will be subject to just one Member State’s data protection law in the EU – the law of the country where that business has its main establishment. This decision should be applauded as the current regime requiring compliance in each of the 27 Member States has been a major barrier to cross-border trade, innovation and growth. The fragmented approach has made it almost impossible for businesses seeking to target the European marketplace to comply with the rules and regulations, and Viviane Reding’s view is that the administrative burden of fragmentation has cost up to €2.3 billion per annum.
The reform is long overdue as multinationals have been struggling to deal with contradictory laws in 27 Member States. On the one hand, the reform will simplify numerous rules and regulations and seek to remove some of the administrative costs associated with doing business in the EU. However, on the other hand, new rules and regulations will be introduced and it will be important for business to understand these rules and regulations and implement them accordingly.
The Existing Regulatory Environment
The Data Protection Directive adopted in 1995 has been under strain as businesses exploit new technologies and embrace social media, virtualisation, cloud computing and data analytics. In addition, the global transfer of data has matured and businesses now transfer huge volumes of data to and from multiple jurisdictions on a daily basis. My view is that the static, territory-focused data transfer rules and procedures have proven inadequate to reflect this new and dynamic approach to international business. As a result, it has become necessary to reform the existing regulatory regime.
The Proposed Changes
In her speech, Viviane Reding announced the following key areas which are likely to form part of the reform:
- ‘One-Stop Shop’: a ‘one-stop shop’ approach for data protection compliance in the EU, meaning that a business needs to comply only with the data protection laws in place in the jurisdiction in which it has its main establishment.
- Data Breach Notification: introducing a general requirement to notify data protection authorities and data subjects where there has been a data loss.
- Notification: abolishing the general requirement to notify (or register) data processing to data protection authorities. We anticipate that this will also ultimately simplify the complicated regimes in place for SOX hotlines in Europe for US–based multinationals.
- Consent: reinforcing the requirement for consent – all individuals must provide their ‘specific and explicit’ consent when agreeing to the use of their personal data. This is an extremely controversial area, particularly in the context of online behavioural advertising, and we expect continued development on this topic.
- Transparency: reinforcing the requirement for transparency – all individuals must be provided with the necessary information so that they understand how their data is being collected and used, including whether the data is to be transferred to third parties.
- Data Portability: introducing a new requirement dealing with access to personal data, including the right of data portability. This would require organisations (eg, social media businesses, cloud storage providers etc) to permit customers to move their data to new organisations offering similar products or services.
- The ‘Right to be Forgotten’: introducing a ‘right to be forgotten’, requiring a service provider to delete personal data where there is no longer any legitimate reason for keeping it.
- International Transfer of Data: reforming the rules to reflect the current way that data is transferred internationally, including improving the current system of ‘binding corporate rules’ to make compliance simpler and less burdensome. This would mean that all data protection authorities would have to recognise ‘binding corporate rules’ approved by an individual data protection authority.
- Data Protection Officer: the possibility of businesses being required to have a Data Protection Officer.
- Enforcement: the strengthening of coordination and cooperation between national data protection authorities to make sure data protection rules are enforced consistently.
The Reform Ahead
It is clear that some of the changes will be welcomed as they will give rise to significant costs savings for businesses seeking to maintain compliance in numerous Member States – this will help to promote innovation and growth. However, the potential changes relating to data portability, the right to be forgotten and data breach notification will require significant investment and further compliance activity in order for businesses to implement them effectively. This has implications for all organisations, including insurance companies, financial service institutions, social media organisations and search engine providers.
Whilst the reform will ultimately promote confidence in data protection and privacy, we need to be careful not to burden businesses with unnecessary requirements. As we prepare for the impending announcement from the European Commission in early 2012, it is important that businesses understand and prepare to implement the changes. At this stage, we have still not been told how and when exactly the reform will be implemented. If it is to be implemented as part of a revision to the Data Protection Directive, then we risk further inconsistent implementation and interpretation at a Member State level. If it is to be implemented through a Regulation, then the reform will have direct effect at a Member State level and will become law from the relevant date set out in the Regulation.
Richard Graham is a Partner at Edwards Wildman (rgraham@edwardswildman.com).
