On 25 January 2012 the European Commission published its proposals for a comprehensive reform of the EU's data protection laws, designed to strengthen online privacy and harmonise data protection rules within the EU. As expected, the proposal took the form of a Regulation, which will be automatically enforceable in all Member States once it is fully implemented, rather than a Directive, which would have left Member States with some discretion as to how to implement its provisions. Given the importance of the new laws, it is likely to be at least a year until a final text is agreed and adopted by the European Parliament and the European Council. There will then be a further two year period before the Regulation applies, to give organisations time to adapt to the changes.
Many of the proposals included in a leaked draft towards the end of November remain in the published official version. Although there are some changes from that leaked draft, which some commentators criticised as too draconian, the new proposals still appear to place a much higher burden on data controllers than the old regime. Below is our summary of the main changes.
Consent
The data subject's consent is defined in the Regulation as meaning "any freely given, specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or a clear affirmative action, signifies agreement to personal data relating to them being processed". It remains to be seen how this will be interpreted in practice, but the requirement for a clear statement or affirmative action sets a higher threshold for obtaining consent for organisations that collect personal data. Obtaining consent through general terms and conditions may not be enough in some cases. In addition, where an organisation collects data from a child under the age of 13, it must obtain the consent of the child's parent or legal guardian for the consent to be valid.
Transparency
Although transparent processing may be implicitly recognised as an important part of processing data fairly under the current Directive, the Regulation makes transparency an explicit principle. Article 5(a) provides that personal data must be processed "lawfully, fairly and in a transparent manner in relation to the data subject". In addition, Article 11 requires data controllers to have "transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights" and to "provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child". Although most companies already have privacy policies, these will have to be revised to ensure that individuals are properly informed of their new rights and of the extent of the company's data processing activities.
More stringent data minimisation principle
Under the current Directive, personal data must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed". The Regulation goes further, requiring data to be "adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed". Companies that collect personal data will need effective systems in place to ensure they collect and keep only the minimum amount of personal data they need for their legitimate purposes.
New rights for data subjects
Article 17 of the Regulation introduces a new "right to be forgotten and to erasure", which allows data subjects to require organisations that store their personal data to delete that data permanently. In addition, Article 18 introduces a new "right to data portability", which in essence requires companies that process data by automated means either to provide the data subject with a copy of that data and/or to transmit that data to another automated processing system "without hindrance". It is not clear whether data controllers would be allowed to charge for this, but there is clearly an issue for companies that collect valuable data on individuals: they may be forced to delete that data or, worse still, transfer it to a competitor if requested to do so by an individual.
There is also a right to object to profiling, which means organisations must obtain consent before building a profile of an individual based on their characteristics and behaviour, and before making any decisions about them based purely on automated processing. This is likely to make it much more difficult for companies to use behavioural advertising techniques and will also place an administrative burden on insurance companies and suppliers of credit, who routinely rely on statistical profiling.
Notification of breaches
Articles 31 and 32 of the Regulation introduce new requirements for data controllers to notify the relevant supervisory authority, and the individuals involved (if the breach adversely affects their data or privacy), of any personal data breach without undue delay and, where feasible, not later than 24 hours after the breach has been established. This is not a requirement under the current Directive, although electronic communications service providers are already under an obligation to notify by virtue of the EU Privacy and Electronic Communications Directive. This requirement is quite draconian when compared to the current voluntary regime in the UK. The ICO's guidance on notification suggests an assessment of the seriousness of the breach before recommending voluntary notification in suitably serious cases. This strict requirement to notify may lead to a larger number of fines as repeat offenders are caught out.
Increased penalties
Companies that either intentionally or negligently commit serious breaches could face fines of up to 2% of annual worldwide turnover, which have the potential to be much larger than the current £500,000 maximum fine under the Data Protection Act 1998.
Data protection officers
There is a new requirement for certain organisations, which may be either data controllers or processors, to appoint data protection officers to monitor compliance with data protection laws. This applies to: (i) any public authority; (ii) any entity employing more than 250 persons permanently; or (iii) any entity whose core activities "consist of processing operations which by virtue of their scope and/or their purposes, require regular and systematic monitoring of data subjects". Articles 36 and 37 give further detail on the data protection officer's role, including a requirement that they be independent and details of the minimum tasks for which they should be responsible.
Data processors
The relationship between data controllers and data processors is outlined in more detail in the Regulation than in the current Directive. In particular, there is a requirement for any processing on behalf of a data controller to be governed by a contract, and Article 26 stipulates the minimum obligations that must be included in that contract. The Regulation also places some obligations directly on processors, which was not the case under the Directive. In addition, if a processor processes personal data other than as instructed by the controller, it will be considered a controller for the purposes of the Regulation.
Territorial scope of the Regulation
Under the Directive, data controllers based outside the EEA were only caught by its provisions if they made use of equipment in the EEA other than for the purposes of transit through the territory; the Regulation drops that requirement. It has been replaced by Article 3(2) of the Regulation, which states that "the Regulation applies to the processing of personal data of data subjects residing in the Union…where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behaviour." This could potentially broaden the scope of the regime significantly. Any business that operates a website regularly accessed by individuals in the EEA will need to consider whether it complies with the provisions of the Regulation.