Privacy Alert: Sweeping EU Privacy Proposal Unveiled
The long-awaited proposed revision to the privacy and data protection regime within the European Economic Area (EEA) was released on January 25, 2012. The 118-page proposal for a Regulation of the European Parliament and of the Council gives consumers new rights and imposes new obligations on businesses in a system that defines "personal data" to include device identifiers and applies to data processing outside the EU. Penalties could reach 2% of annual turnover, potentially meaning billions of dollars for major companies, and the Article 29 Working Group would be reestablished as an independent agency with enforcement powers. The proposal also includes a new Directive designed to address data protection in the context of law enforcement.
The EU proposal is intended to, and will, influence global debates about privacy and data security, so it merits close attention by any company interested in these issues. It is predicated on the principle that individuals have the right to enjoy effective control over their personal information. Key points in the proposed Regulation include the following:
Personal Data. The proposed Regulation adopts a broad interpretation of the term "personal data." IP addresses are considered personal data, a concept that many global businesses have opposed in connection with proposed revisions to the U.S. Children's Online Privacy Protection Act (COPPA).
Extraterritorial Effect. The Regulation not only applies to controllers or processors located in the EU, but has extraterritorial effect. Article 3 specifies that the Regulation applies to personal data of EU citizens processed outside the EU by an entity active in the EU market, where the organization's activities relate to offering goods or services to EU individuals or monitoring their behavior.
Consent. Consent must be "explicit." Some affirmative action is required to evince consent. "Consent" mechanisms and opt-in versus opt-out have been at the heart of many of the differences between the EU and other regions, like the U.S. and Canada, where implied consent is accepted.
Right to Be Forgotten. The Regulation establishes a "right to be forgotten," basically a right to request deletion of data, subject to some exceptions, such as where retention is legally required. In practice, it is not likely possible to delete all traces of data in all files, and this has implications for social media, cached data, etc. However, this element of the Regulation is sure to influence the U.S. "Do Not Track" and "eraser button" debates.
Data Portability. Individuals would have the right to easily transfer personal data between different service providers.
Children. The Regulation contemplates special rules to protect children, defined as anyone under 18, but also includes a prohibition on processing of personal data of children under 13 without parental consent. This is an effort to mirror COPPA, which is currently under review in the United States. The Regulation delegates authority to the European Commission to determine requirements for obtaining verifiable parental consent, suggesting the need for interested organizations to educate the Commission on practical options.
Controller Responsibility. A fundamental principle of the Regulation is that personal data must be processed under the responsibility and liability of the controller, who must ensure and document compliance for each processing operation.
Privacy Impact Assessments. Privacy impact assessments would be required for "risky" processing, and "privacy by design" and "privacy by default" concepts are incorporated in the proposed Regulation. "Risky" data processing includes, among others, systems that analyze a person's economic situation, location, health, personal preferences, reliability or behavior; video surveillance systems; and personal data "in large scale filing systems" on children, genetic or biometric data. Many businesses will likely be faced with the need to prepare such an assessment.
Data Protection Officer. Organizations with 250 or more employees must appoint a data protection officer.
Documentation. Controllers and processors must document all processing operations and make the documentation available on request to the supervisory authority.
Data Breach Notification. Data breaches are subject to a new, general notification obligation with notices to be issued as soon as possible, and within 24 hours, if feasible.
Streamlined Approvals. The proposed Regulation responds to longstanding complaints from business that multiple, sometimes conflicting, views are taken by data protection authorities (DPAs) in different EU member states. The Regulation proposes that businesses would have to deal only with the DPA where they have their principal EU office. This should facilitate the currently cumbersome Binding Corporate Rule (BCR) approval process. However, the BCR mechanism effectively creates a separate contractual vehicle that requires multinational companies to apply EU standards globally throughout the enterprise.
Co-Regulation. Codes of conduct are subject to approval by the Commission, a approach that is at odds with the framework of self-regulation that has arisen in the U.S. and elsewhere, and which may impede the ability to more swiftly adopt practical best practice recommendations.
Reduced Notification Obligations. Notification to DPAs about data processing will no longer be required, but permission to process certain categories of data is still needed.
Elevated Role for the Article 29 Committee. The Article 29 Committee will be "upgraded" to an independent European Data Protection Board.
Enhanced Enforcement. The Regulation provides for enhanced enforcement powers for DPAs, including expanded investigatory authority, and promotes cooperation and consistency between DPAs in the member states.
Complaints and Remedies. EU citizens have the right to lodge complaints with local DPAs, even where data is processed extra-territorially, and the right to a judicial remedy against supervisory authorities who fail to act and against controllers and processors.
Penalties. Violations may be subject to penalties of up to 2% of global annual turnover for processing data without a sufficient legal basis, processing special categories of data in violation of the law, failing to adopt internal policies or to appoint a data protection officer, failing to issue a breach notification, transferring data to a location that does not provide adequate privacy protection, and more. This could amount to billions for multinational companies.
Effective Date. The rules are expected to take effect two years after adoption.
The extraordinary breadth of the proposed Regulation has already triggered significant discussions within the business community. While some of the measures will serve to make the system less cumbersome, the broad reach, new restrictions, expanded obligations and enhanced penalties will more than offset those reductions. The political process will now move forward with discussions at the European Parliament and the EU Member States meeting in the Council of Ministers.
For more information on privacy and data security, please contact Sheila Millar (+1 202.434.4143, millar@khlaw.com) or Tracy Marshall (+1 202.434.4234, marshall@khlaw.com).