On Jan. 25, 2012, the European Commission first published a proposed draft General Data Protection Regulation (the “Proposed Regulation”). Almost one year later, the Civil Liberties, Justice and Home Affairs (LIBE) Committee (the European Parliament’s lead committee considering the Proposed Regulation) issued suggested amendments to the original proposal (the "Draft Report") and reignited discussion and controversy both within the European Union and on a global scale.
What is the difference between the Proposed Regulation and the Draft Report, and how are the two related? In what is called the "ordinary legislative procedure," the Commission, one of the three legislative bodies of the Union and surely its most influential institution, publishes a first draft (i.e., the Proposed Regulation). This proposal is open to input and review (i.e., the Draft Report) by various Parliamentary committees and will — after two readings — be voted on by both the Parliament and the Council, the Union’s other legislative bodies. If the two readings are insufficient for the Parliament and the Council to come to an agreement, a conciliatory process will be conducted and result in a third reading. Ultimately, both Parliament and Council must agree before the text is signed into law and published. Unlike a directive, which requires transposition by the individual member states, a regulation will be directly effective as of the date it comes into force.
With the aforementioned LIBE Committee Draft Report published last month, the Proposed Regulation is now awaiting the first reading and current estimates predict the conclusion of the legislative process by mid-2014, followed by a two-year implementation period.
The Proposed Regulation was driven by the aims of creating a comprehensive approach to data protection, strengthening individual rights, improving the internal market, and creating a greater uniformity in the enforcement of data protection rules. To achieve these ambitious goals the Proposed Regulation included controversial concepts such as the right to be forgotten, the very strict consent obligations, as well as a comprehensive data breach notification obligation with a 24-hour notice requirement. The Proposed Regulation also made a not so subtle attempt to expand the global dimension of EU data privacy regulation by including a broad provision for extra-territorial reach.
Keeping in mind the lengthy negotiation procedure ahead and taking into account a high likelihood of significant changes, the amendments proposed by the Draft Report nonetheless provide good insight into the core issues of contention and offer guidance as to possible compromise. After reviewing the more than 350 separate comments of the Draft Report, spread out over more than 200 pages, I created this list of personal highlights and topics I will continue to monitor as the legislative process unfolds.
- Cooperation of Data Protection Authorities: The “One-Stop-Shop” ideal of a lead DPA¹ handling all privacy issues related to one data controller or processor still remains intact. The Draft Report, however, proposes a mechanism of close cooperation between the various DPAs by tasking the future European Data Protection Board with the resolution of conflicts between DPAs. While this step will increase the already high levels of bureaucracy, it is rather obvious that the goal of uniform application will fail unless an effective method of dispute resolution can be established.
- Consent: Consent will remain the cornerstone of the EU approach to data protection. The Draft Report restricts the seeking of consent to “one or more specific purposes.” Consent must be explicit and cannot be obtained through pre-ticked boxes, even though the use of standardized logos and icons is encouraged in order to present information to the data subject in easily comprehensible form.
- Legitimate Interest of the Data Controller: What constitutes legitimate interest for data processing is highly contested between privacy advocates and industry representatives. The Draft Report attempts to rein in the legitimate interest exception by requiring publication of the reasons why the controller believes it has a legitimate interest and by clearly defining a closed list of examples for both legitimate interests of the controller and overriding interests of the individual.
- Definition of Personal Data: How will IP addresses and cookies fit into the definitions relating to personal data? According to the Draft Report, if the individual can be singled out alone or in combination with associated data, or by reference to a unique identifier, an IP address should fall under the scope of the Regulation.
- Delegated Acts by the Commission: The Draft Report limits the Commission’s role. The need for delegated acts by the Commission will decrease if the Regulation defines many of the essential elements that have thus far been avoided by the Commission.
- Appointing a Data Privacy Officer: The Proposed Regulation’s threshold of 250 employees for the appointment of a DPO² created insurmountable conflict between the German law that requires a DPO upwards of 10 employees and the British rejection of any obligation to appoint a DPO. The Draft Report provides a much more realistic solution by taking into consideration how data-heavy the respective business model is and thereby shifting to a risk-based assessment. Only if a business processes the data of more than 500 data subjects per year will it be required to appoint a DPO.
- Data Transfers outside of the European Economic Area: Will the Regulation change Safe Harbor or otherwise limit international data transfers? While the Commission has thus far maintained its support of the U.S. Safe Harbor Framework, the Draft Report now proposes additional restrictions for data transfers outside of the EEA. This includes a two-year expiration date on all current authorizations of standard contractual clauses after the Regulation comes into force.
- Extra-territorial reach of the Regulation: The Draft Report affirms that all processing activities aimed at the offering of goods and services to data subjects in the Union will have to comply with the Regulation. The Draft Report further clarifies that the extra-territorial reach applies irrespective of whether payment is received for these goods or services.
- Data breach responses: Though the suggested 72-hour notification period is still less than ample time to conduct a thorough investigation, it is an improvement from the previous 24 hours. In addition, the Draft Report acknowledges a risk of “notification fatigue” and limits notification to cases where there is a likelihood of an adverse effect for the data subject.
- The right to be forgotten: The Draft Report seeks to strike a balance between the freedom of expression and the right to be forgotten. It limits the right to erasure to publications made without justification and clearly acknowledges that “where the individual has agreed to a publication of his or her data, a ‘right to be forgotten’ is neither legitimate nor realistic.”
In addition to these substantive matters, it will be fascinating to observe how national conflicts will get resolved (which DPA will be the lead DPA to take responsibility for Facebook?) or whether outside lobbying efforts will gain any significant traction. With a possible implementation date of 2016, businesses worldwide are well advised to monitor closely the trends and concepts that will continue to emerge during the legislative process so that future compliance obligations do not come as an unwelcome and expensive surprise.
¹ Data Protection Authorities (DPA) are independent authorities set up by the EU member states to supervise and enforce compliance with their respective national data privacy and protection laws.
² The Data Privacy Officer (DPO) monitors data processing within the organization and ensures internal compliance.