The European Commission has prepared and circulated a draft new General Data Protection Regulation (the “Regulation”). The draft is consistent with many of the expectations the Commission set in its November 2010 communication titled “A Comprehensive Approach on Personal Data Protection in the European Union,” and in public statements since made by EU policymakers. The new draft Regulation, which would repeal Directive 95/EC/46 (the “Directive”), confirms that the EC is continuing to advocate dramatic changes to the regulation of privacy and data security in the EU.
An outline of some of the key points:
- Existing law under the Directive requires each EU member state to enact and maintain a data protection law that conforms to the Directive’s standards. The Regulation, in contrast, proposes to regulate privacy and data security directly from the EU level. The draft is silent, however, on its preemptive effect, if any, and on whether current member state laws will remain in force.
- Several aspects of existing law are clarified, such as the standards for securing consent from data subjects and the requirement to limit the processing of personal data to the minimum amount necessary (commonly referred to as the “data minimization” principle).
- The Regulation also introduces a number of new elements:
  - A right to require a controller to transfer personal data to the data subject’s designee in a commonly-used format (referred to as “data portability”).
  - A right to be “forgotten.”
  - A requirement to apply privacy by design principles to new data processing activities.
  - Standards for mandatory internal data protection governance and compliance measures.
  - Data breach notification standards.
- The Regulation would replace the framework for registration/notification of data processing operations that exists under the Directive, and which is implemented in widely-divergent member state laws, with an EU-level requirement to maintain internal documentation that meets certain standards.
- The Regulation would apply the legitimate interest justification for the processing of personal data across the EU, subject to a data protection authority notification requirement. This would be a significant departure from existing law, which varies among member states.
- The potential impact of the Regulation on business is punctuated by an extraordinary proposed scope of liability that includes private rights of action, administrative enforcement authority, and penalties of up to €1 million or 5% of annual worldwide revenue for certain negligent and intentional violations.
The Regulation is in draft form only, and significant debate and consideration are expected before a final enactment comes up for a vote before the European Parliament. We will continue to monitor these developments closely for our clients.
Written by David Keating, Partner | Alston & Bird LLP