Reforming EU data protection law

Some of the most significant reforms to EU data protection law are currently working their way through the European legislative process. Within this package is a draft General Data Protection Regulation which, unlike the existing data protection laws, will be directly applicable in every member state without national implementing legislation, and this should result in a more consistent and uniform data protection regime across all 28 member states. The idea behind the proposed Regulation is that it will increase the rights of individuals whilst also simplifying the governance and compliance procedures for companies.

The draft Regulation contains a number of important changes; the following are some of the most significant proposals:

(i) Revised Penalties.

The Commission initially proposed that companies would face fines of up to €1 million or 2% of a company's global annual turnover, but the European Parliament's Committee on Civil Liberties, Justice and Home Affairs ("LIBE") has proposed that this should be increased to the greater of €100 million or 5% of a company's global annual turnover. This is a clear message to companies that they need to understand their data protection obligations and that data protection compliance needs to be taken seriously.

(ii) Territorial Scope

The territorial scope of the draft Regulation is one of the most significant amendments to the existing data protection laws. The Regulation will apply to organisations situated outside the EU where they offer goods or services to data subjects in the EU, or where they monitor the online behaviour of EU data subjects. This new approach has attracted significant opposition from outside Europe, particularly from the USA. American opposition to such an approach is not surprising given recent revelations and the less stringent approach taken to this area of law in the USA.

(iii) Consent

Consent for the processing of personal data is something that has caused issues for organisations, as the concept has been interpreted differently across different jurisdictions within the EU. The draft Regulation looks to clarify and consolidate the definition by stating that consent must be freely given, informed, specific and explicit. For consent to be valid, the data subject will therefore be required to make a statement or take some form of affirmative action to demonstrate their consent; as a result, implied consent will no longer be valid and, equally, it will no longer be possible for data controllers to rely on consent clauses hidden away in their privacy policies.

(iv) One-Stop-Shop Principle

This is central to the draft Regulation; it is also the principle that has caused the most disagreement amongst member states. It is likely that the current arguments on this point will delay the progress of the draft Regulation, and they could derail the whole reform process.

The one-stop-shop has been proposed to address the difficulties encountered by companies operating in various jurisdictions across the EU. Under the existing system, a data controller operating across the EU must comply with the varying approaches of the different national regulators. Under the draft Regulation, such a multinational organisation would only be required to deal with the Data Protection Authority of the member state in which it has its main establishment.

The Council of Ministers had previously expressed its general support for the draft Regulation. However, following legal advice, and pressure from Germany and Belgium, the Council of Ministers has reversed its position.

Here in the UK, whilst the ICO has expressed general support for the one-stop-shop approach, it does have concerns about the budgetary requirements of the one-stop-shop and, to that end, it welcomes the LIBE proposal, which brings clearer but more flexible criteria for determining the location of a data controller's 'main establishment'.

Agreement on this one-stop-shop approach is essential for any meaningful reform of the existing data protection regime. It is disappointing that the Council of Ministers has gone back on its earlier acceptance of the draft Regulation. The legislative process has now ground to a halt, and the Greek Presidency of the EU, which started in January 2014, will do well to secure agreement on the draft Regulation before the European Parliament elections in May 2014. If the law is not passed before this date, we will not see any progress on this matter until after September 2014. This is a very disappointing situation, as the current data protection legal framework is outdated and in urgent need of reform; it was drafted 18 years ago and did not envisage the technological advances that would occur following its enactment.

This article is taken from Lawyer Monthly and first appeared in the February 2014 edition.