Media Briefing Note: European Commission Publishes New Data Protection Proposals
25 January 2012
LONDON, 25 JANUARY 2012 - The European Commission has today published its draft proposals for the new General Data Protection Regulation, which sets out stringent rules on how businesses should handle personal data.
The proposals will impose a single set of privacy standards in the European Union's 27 countries for the first time and could see businesses fined up to 2 per cent of their global turnover for privacy breaches.
Crucially the law has been extended to entities outside the European Economic Area (EEA) if they offer goods or services to European Union residents or monitor their behaviour.
While the primary purpose is to update and harmonise European data protection law, the proposal is much more detailed and prescriptive than the original 1995 Data Protection Directive.
Viviane Reding, the European Commissioner in charge of the reform of European privacy law, outlined the main points of the proposal in Brussels on 25 January 2012.
Key features of the draft regulation include:
• Enhanced rights for individuals whose personal data is being processed
• Fines of up to 2% of a company's turnover for companies that commit the more serious breaches of the new data protection rules
• A new "right to be forgotten" and a right of data portability, designed (among other purposes) to allow individuals to delete their data from social networks and join others easily
• An enhanced right to object to direct marketing, which must be explicitly offered to individuals
• Rules requiring the reporting of data breaches as soon as possible and within 24 hours where feasible
• New rules requiring organisations employing more than 250 people to appoint independent data protection officers
• The extension of the law to entities established outside the EEA if they offer goods or services to EU residents or monitor their behaviour
Quentin Archer, who is a partner in the Intellectual Property, Media and Technology team at Hogan Lovells, commented:
"The draft regulation will greatly increase the cost of compliance for business, particularly in the UK where we have enjoyed a relatively relaxed but pragmatic, business-friendly regime to date. The bureaucratic notification rules have gone, but they have been replaced by a new principle of accountability which will cost business more in the long term. With the possibility of significant fines, however, no company will be able to afford to ignore data protection rules anymore."
Mac Macmillan, who is of Counsel in the Intellectual Property, Media and Technology team at Hogan Lovells, added:
"Standardisation of data controllers' obligations across Europe is an aim many companies would share – at the moment a company can face a situation where it has a data centre in one country processing data from three different countries, and have different security requirements in respect of each of them, which makes no sense. On the positive side the Regulation clears up some ambiguities around what is permitted and the introduction of significant fines will make companies take data protection seriously. We have already seen a change in attitudes since civil monetary penalties were introduced.
"But harmonisation needs to be practical, and that is an issue with the draft Regulation. For example, the 24-hour personal data breach notification, which has received a lot of attention, has no clear threshold of materiality and it could potentially result in an avalanche of reports of lost laptops for the Information Commissioner's Office (ICO) to deal with, which won't really help anyone. It also sounds as if compliance may become a lot more bureaucratic, in the UK at least, as the Commission is given the ability to specify detailed criteria and requirements for how to comply with some of the obligations.
"The reality is that it takes longer than 24 hours to establish all the information. You also have to wonder where supervisory authorities are going to find the resources to handle all these notifications.
"The obligation to notify breaches to data subjects is also potentially very costly; we know from the US experience that if you're a large company the cost of notifying the affected individuals can easily run to the high six figures. And to what end? As the ICO's current guidance says, 'notification should have a clear purpose', for example enabling individuals to mitigate their risks. I've seen circumstances where a breach was small and fully contained, and we knew there was absolutely no risk for data subjects – in those cases a mandatory notification requirement is a pointless bureaucratic overhead."
About Hogan Lovells
For more information, see www.hoganlovells.com
Hogan Lovells is a leading global law firm providing business-oriented legal advice and high-quality service across its exceptional breadth of practices to clients around the world.
"Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses.
The word "partner" is used to refer to a member of Hogan Lovells International LLP or a partner of Hogan Lovells US LLP, or an employee or consultant with equivalent standing and qualifications, and to a partner, member, employee or consultant in any of their affiliated businesses who has equivalent standing. Where case studies are included, results achieved do not guarantee similar outcomes for other clients.