The European Union (EU), composed of 28 member states, currently has a patchwork of privacy and data protection laws, based on the EU’s 1995 Data Protection Directive. This mix of laws has led to inconsistent data protection and enforcement across the member states. The EU seeks to remedy this unequal data protection paradigm by enacting a new reform regulation that will be binding on all EU member states.
The process to enact a uniform EU data protection regulation took its first step in January 2012, when the European Commission (i.e., the executive branch) presented its legislative proposal. Two years later, in March 2014, the European Parliament (akin to the U.S. House of Representatives) set forth its position on the reform of the data protection regime. Until earlier this month, the other EU legislative body, the EU Council of Ministers (the EU institution that represents the governments of the 28 EU member states), was in a protracted stalemate over its version of the new regulation.
The reform process took another lurch forward on June 15, when the Council of Ministers finally reached a compromise among its members and issued its draft proposal, which can be read here. It is the result of three years of debate and consideration among Council members and serves as the Council’s opening position for the “trilogue” negotiations (which began earlier this week) with the European Parliament and the European Commission to hammer out a final version of the data protection regulation.
Their goal is to enact the final uniform data protection regulation and parallel law enforcement guidelines by late 2015 or early 2016, presumably to become effective two years thereafter. Only then will all EU member state citizens be covered by a common data protection regulation, with (presumably) uniform enforcement across the EU.
In addition to the Council, the European Parliament and the European Commission, the Article 29 Working Party (WP29), composed of the EU’s national data protection authorities, which are responsible for enforcing any new regulations, will have a voice in the ongoing regulatory process. The chairwoman of the WP29, Isabelle Falque-Pierrotin, stressed that, “it is important that the new regulatory framework should not lower the current level of protection and not undermine the core principles and rights currently provided by Directive 95/46.” (Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data was adopted in 1995 and fundamentally regulates the processing of personal data within the EU. It will be an important component in any future debate of a general data protection regulation.) These comments show that the EU data protection regulators, unsurprisingly, will push to keep the most stringent data protection measures currently enforced by any one EU member state, rather than allow the current data protections to be reduced.
Why This Matters to U.S. Companies
This process, and the resulting data protection regulation, should be of significant interest to any U.S. companies doing business in the EU or with its member states’ citizens. The EU privacy and data protection rules have taken a different approach than those in the U.S., with a generally more “pro-consumer” or “pro-citizen” focus. Moreover, there are certain privacy concepts in the EU — such as the right to erasure (aka the “right to be forgotten”) — and proposed penalties (including fines up to 2% of a company’s global gross revenues) that are literally and figuratively foreign to U.S. privacy regulations. Consequently, when it comes to privacy and data protection concepts, U.S. companies cannot simply apply a “business as usual” approach when dealing with the EU and its member states.
Key Elements of Interest to U.S. Businesses
Greater data protection rights for individuals:
- Easier consumer access to data about them,
- Greatly enhanced transparency (plain and simple language) regarding how consumer data is collected, used and secured,
- A right to erasure of personal data gathered (i.e., “the right to be forgotten”),
- Better data portability, to allow easier transmission of personal data from one custodian (such as a social network) to another, and
- New limits to the use of electronic profiling whereby personal data is analyzed to assess health, economic situation or future conduct.
Rapid reporting requirements and massive fines:
- Data controllers must implement appropriate data security protocols,
- Data breaches to be reported to regulatory authorities without undue delay, and within 72 hours if possible,
- Data breaches to be promptly reported to affected individuals where the data does not have adequate protections applied to it, subject to the dictates of data authorities on a case-by-case basis, and
- Data controllers that violate the regulations may face fines of up to one million euros or 2% of global annual turnover (i.e., gross global revenues), whichever is greater.
Greater data protection guarantees before data transfer outside the EU:
- No transfers of personal data outside the EU absent a regulatory assessment of whether the level of data protection offered by a non-EU country or international organization is adequate. In cases where no assessment has occurred, the transfer of personal data can only take place if appropriate safeguards (data protection clauses, binding corporate rules, contractual clauses) are in place.
The Council’s final draft proposal is noteworthy because it is the result of three years of pointed debate and hard negotiations and represents a political compromise predictive of the scope and tenor of the final regulation, which will likely substantially impact U.S. organizations doing business in the EU or with citizens of its member states.
This process is far from over – stay tuned for further developments.