Recent developments regarding the proposed EU data protection regulation
April 2013 | EXPERT BRIEFING | DATA PRIVACY
financierworldwide.com
In her 8 March 2013 Intervention with the Justice Council in Brussels, Viviane Reding, Vice-President of the European Commission, identified the impact of the proposed EU Regulation on Data Protection on small and medium enterprises (SMEs) that transact business in the European Union via the internet as one of the most significant challenges facing the proposed regulation. Reding noted that there are over 23 million SMEs in Europe alone, which comprises 99 percent of all EU businesses and two-thirds of private sector employment. The US Department of Commerce, International Trade Administration 2010 census statistics reflect that SMEs account for 97.8 percent of all US exporters, and 97.2 percent of US importers. SMEs were responsible for 33.7 percent of all exports and 31.6 of all imports, as well. And SMEs account for 94.7 percent of all US companies that both export and import.
In response to serious concerns regarding the potential “disproportional” impact of the proposed regulation on SMEs, Reding said that protecting the interests of SMEs must be a top priority, and the predominant strategy must be to “Think Small First”, recognising that the interests – and certainly the compliance resources – of SMEs are not necessarily aligned with those of multinational enterprises. Reding noted that “We should provide legal certainty to SMEs who should know clearly what their data protection obligations are”. She cautioned that if EU Ministers “force the butcher on the corner” to prove that he is not a data protection risk, then they will deserve “the Nobel Prize for Red Tape”.
Reding has been the principal champion of the proposed EU Regulation, published by the European Commission on 25 January 2012, with the ambitious goal of reforming the EU’s legal framework for data protection. It has been characterised by one leading expert as a revolution in European data protection law of ‘Copernican’ proportion. Reding’s remarks come in the context of serious concerns of EU authorities regarding perceived forceful ‘lobbying’ by US multinational corporations and the US government concerning the scope of the proposed regulation. One specific concern involves US SMEs with only an EU internet based commercial presence. US enterprises have expressed fear that compliance with new requirements such as a mandatory Data Protection Officer, baking privacy by design and default controls into data processing systems, and strict new breach notification response obligations, among others, will have a ‘chilling’ impact on international commerce.
The EU Justice Commissioner has struck back at critics of the Regulation, accusing them of “scaremongering” tactics. A number of Member States – including the UK, Germany, Sweden and Belgium – have said that the proposed rules are too prescriptive, and US technology companies have lobbied for certain provisions of the draft to be removed entirely. Viviane Reding said lobbyists’ “predictions of doom are not justified”.
The regulation is currently being ‘fast tracked’ through the European Parliament under the direction of the main EU Parliament rapporteur, Jan Phillip Albrecht, German Green Party Member of the European Parliament (MEP). On 8 January 2013, Albrecht issued a draft report (the ‘Albrecht Report’) on the proposed regulation to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (‘LIBE’ Committee) that posed serious questions regarding the formulation and impact of the proposed regulation. The Albrecht report, over 215 pages in length, proposes over 350 draft amendments to the proposed regulation, and is certainly not the last word in where it will land in the EU legislative process.
Some of the key amendments include the following: (i) broadening the notation of ‘personal data’ to include internet protocol (IP) addresses, cookies and other unique electronic identifiers that leave traces that can be used to identify specific natural persons; (ii) recognising a new category of ‘pseudonymous’ data that would qualify for lighter treatment under the regulation, and exempting truly anonymous data from the regulation altogether; (iii) introducing a new role of ‘Data Producer’ for entities that create automated data processing or filing systems, which will need to comply with privacy by design and privacy by default principles; (iv) extending the time, from 24 to 72 hours, for reporting data breaches to data protection authorities (DPAs), and restricting this duty to situations where the breach is likely to adversely affect the protection of personal data or privacy; (v) establishing specific, informed consent by data subjects as the cornerstone of the new data protection framework – that is, “if you want my data, ask for consent”; (vi) limiting the ability of data controllers to rely on protecting their legitimate interests as a legal basis for unilateral processing of personal data; (vii) expanding rights of access and retrieval of one’s personal data; (viii) limiting the scope of the proposed ‘right to be forgotten’, where someone has specifically agreed to make his/her personal data public; (ix) strengthening the right to object to processing of one’s personal data; (x) expanding privacy notice obligations, and extending them to joint data controllers; (xi) providing for effective legal redress before courts or DPAs for regulation violations; (xii) restricting the scope and manner of use of personal data for behavioural profiling; (xiii) requiring the role of Data Protection Officer (DPO) for entities that impact the personal data of more than 500 persons, either internally or externally; (xiv) requiring Data Protection Impact assessments; (xv) mandating data protection by design and default requirements for systems that process personal data; (xvi) increasing the burden on the private sector for approval of international data transfers; (xvii) empowering DPAs to impose strong fines on companies that violate EU data protection rules; and (xviii) establishing a tiered system for sanctions and fines, but making the highest level of fine (up to 2 percent of annual gross global income) apply by default, unless a lower category of fine is established for an infraction.
The immediate next steps in the EU Parliamentary process include: (i) advisory committees have until the end of March to submit final comments; (ii) a final vote on the Albrecht Report in the LIBE committee is tentatively scheduled for 24-25 April; and (iii) thereafter, the Albrecht Report, as amended, will be likely be presented to the EU Parliament in plenary session by the summer of 2013.
One of the Albrecht Report amendments that most directly impacts SMEs is the requirement to have a DPO so long as you impact the personal data of more than 500 persons, globally.As a practical matter, this means that most, if not all internet based companies – and, at minimum, those with e-commerce features – will need to designate a DPO, despite scarce resources for doing so. In her Intervention, Reding suggests exempting SMEs “whose business is not data processing” from the DPO requirement. In addition, Reding suggests that SMEs should not be obliged to create a new DPO position, and that it can be a part-time functional responsibility of an existing employee, or be performed by an external privacy adviser. Reding also cautiously invited a discussion about developing specific, standard criteria for distinguishing different levels of risk for SMEs, so long as they include simple and measurable compliance parameters. In addition, she proposes scrapping meaningless notifications by SMEs of data processing to supervising authorities, except where there is a “high degree of risk” of a significant data protection violation. Reding also agreed, in principle, with the notion of approved codes of conduct and approved certification mechanisms for SMEs and others, so long as they are “in line with standards of the Regulation” and remain subject to the jurisdiction of competent Data Protection Authorities. Lastly, Reding acknowledged efforts to deal with the question of application of the Regulation to the public sector, particularly in the fact of objections from Germany and others.
In sum, Reding’s Intervention is just that – an attempt to diffuse some of the criticism of the proposed Regulation, including ‘hot buttons’ raised by the amendments suggested in the 2013 Albrecht Report. Only time will tell whether Reding’s Intervention has an ameliorative impact on the EU Parliamentary process, and whether it sufficiently incorporates principles of proportionality and flexibility to the impact of the Regulation vis-à-vis SMEs, so as to help quell the cacophony of criticism sparked by publication of the Regulation in 2012, and fuelled by the Albrecht Report amendments in early 2013.
M. James Daley and Laura Clark Fey are partners at Daley & Fey LLP. Mr Daley can be contacted on +1 (913) 948 6302 or by email: jdaley@daleylegal.com. Ms Fey can be contacted on +1 (816) 518 6554 or by email: lfey@daleylegal.com.
© Financier Worldwide
BY
M. James Daley and Laura Clark Fey
Daley & Fey LLP