The European Commission is updating its data protection laws, creating the first pan-European rules to govern electronic information. While that's good news for most European businesses since it will streamline compliance, it's bad news for U.S. companies, many of which will have to comply with European data laws for the first time.

The proposed European Union regulations differ from U.S. laws in several areas, and penalties for non-compliance are harsh: Companies that run afoul of the rules can be fined up to 2 percent of their global revenues, regardless of how much business they do in Europe.

The Commission unveiled its draft legislation on Jan. 25. Once approved by the European Parliament—which could take up to two years—the regulation will immediately become law across the 27-member trading bloc.

When the Commission last issued pan-European data protection rules back in 1995, they took the form of a “directive”—meaning each member state had to adopt the measure into their national laws for it to take effect. Each state added its own tweaks along the way, leaving Europe with a patchwork of national regimes. The resulting compliance headache costs companies $3 billion a year in wasted bureaucracy, the Commission says.

The EU's current data laws only affect foreign companies that have operations based in one of its member states. But the new rules will apply to any U.S. business that offers goods or services to people living in the EU or that “monitors their behavior,” regardless of where the business is located. So Facebook, Google, Amazon, and many other internet businesses that don't have physical offices in Europe but do have customers there will all be forced to comply.

While bringing more U.S. firms under its jurisdiction, the Commission has scrapped plans that would have helped foreign companies to resolve conflicts between their own national laws and European data protection rules. The USA Patriot Act, for example, requires foreign companies that do business in the United States to disclose data to U.S. government agents that European laws would not allow.

A draft of the new EU rules that leaked in December included a legal process to help companies resolve this kind of conflict by negotiating with their national data protection regulator. That provision, however, was deleted from the final version.

“Unfortunately, the position in the event of conflict between the EU rules and U.S. legal requirements remains unclear and has not been improved,” says Jonathan Nugent, a data protection specialist at PwC Legal.

The new rules will create some tough obligations for companies. Among them, a business will have to notify regulators “as soon as possible” if data security is breached. If a company cannot make a notification within 24 hours, it needs to explain the reasons for the delay immediately.

The proposal also includes a notification provision. In most cases, the company will need to warn the people whose data is affected, so they can take precautions. That disclosure needs to describe what has happened and to advise people on how they should protect themselves. But the 24-hour rule doesn't apply; the disclosure can be delayed so the business can liaise with regulators and, if necessary, law enforcement.

There will also be a new “right to be forgotten,” meaning that a company must comply with an individual's request to delete his or her personal data permanently, unless it can show good reasons for not doing so. And the regulation creates a right to “data portability,” forcing companies to let customers transfer their personal data to competing service providers and to design their systems to enable it. The measure is aimed at loosening the grip of social networks, such as Facebook and LinkedIn.

Data protection compliance will also become more “personal” under the proposed rules, the Commission says. Companies that process personal data will have to appoint an independent data protection officer tasked with ensuring compliance and dealing with data regulators.

Other measures are aimed at making life easier for multi-national companies with operations in Europe that want to move data out of the trading bloc and into other countries. The rapid growth of cloud computing services has made controlling the physical location of data a real headache.

Under current European laws, companies need to secure the approval of their national data protection regulator before they can move personal information to other countries. A process to do this already exists, called the “binding corporate rules” system: A company can submit its data controls to one regulator for approval, which other national regulators are then encouraged to recognize.

But the process is a complicated one. Currently, each of the EU's 27 national data regulators has its own approach to reviewing and approving corporate rules. Viviane Reding, the EU commissioner responsible for data protection, says the new laws will create a “consistent and streamlined approval process with a single point of contact for companies.” Moreover, companies that operate across Europe will be able to designate the EU member state where they have their “main establishment,” and then only deal with that country's data protection authority.

The pending regulation streamlines the data security process in other ways as well. Currently, Europe's national data authorities have different approaches to dealing with companies, some far less business-friendly than others. That will change, Reding says. Once the new rules take effect, “It will not matter anymore which data protection authority deals with a case. All data protection authorities in whichever EU country will have the same adequate tools and powers to enforce EU law.”

The proposals have received a cautious welcome, at least in the EU. Belinda Doshi, a partner at law firm Nabarro, describes them as “an immense achievement [that] puts the EU at the forefront of privacy and data protection law, and rightly puts a strong emphasis on data security with the introduction of data breach notification.”

KEY CHANGES

The following information from the European Commission Website details what key changes will be made to data protection legislation:

What will be the key changes?

A ‘right to be forgotten’ will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.

Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.

Easier access to one's own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.

Companies and organisations will have to notify serious data breaches without undue delay, where feasible within 24 hours.

A single set of rules on data protection, valid across the EU.

Companies will only have to deal with a single national data protection authority – in the EU country where they have their main establishment.

Individuals will have the right to refer all cases to their home national data protection authority, even when their personal data is processed outside their home country.

EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behaviour of citizens.

Increased responsibility and accountability for those processing personal data.

Unnecessary administrative burdens such as notification requirements for companies processing personal data will be removed.

National data protection authorities will be strengthened so they can better enforce the EU rules at home.

Source: European Commission.

Yet the cost of compliance, especially for U.S. companies, is cause for worry among some. “There is no doubt that as written, this proposal will have major repercussions for business in terms of compliance costs,” Doshi admits. And even though the maximum potential fine has come down from 5 percent of global turnover to 2 percent, that remained an “eye-watering” threat and “a deterrent with teeth,” she says.

Wim Nauwelaerts, a partner at law firm Hunton & Williams' privacy and data security practice in Brussels, praised the Commission for “finally taking data protection seriously” and adapting its legal position to the realities of the internet age. The promise of a single pan-EU approach, the elimination of bureaucratic formalities, the creation of the “lead regulator” concept, and greater consistency between national regulators, were all good news for business, he says.

But the regulation will create new compliance requirements, he warns, pointing to the need to assess formally whether every change to data processing practices might affect privacy. The Commission estimates that assessment will cost €14,000 ($18,500) each time, and will require companies to keep extensive documentation of data processing practices.

Nauwelaerts also criticizes the new right to be forgotten, which he said “goes beyond a justifiable desire to enhance individuals' ability to erase their personal data on the internet, and creates a right that will be difficult to implement and that may have a chilling effect on the use of the internet in the EU.”

Over time, the creation of a single European approach should benefit U.S. companies, says Mark Jansen, a data protection specialist at Dutch law firm Dirkzwager. Shifting the responsibility for creating new data protection laws from member states to the Commission should make European law in this area more responsive to technological changes, he adds.

In the meantime, U.S. compliance executives should make sure their organization identifies and documents any data processing that relates to EU residents, and adopt a privacy policy that meets the criteria listed in the draft regulation, Jansen says. “Be as transparent as possible about all the data processing taking place in your company toward data subjects, such as your customers,” he advises.