The European Commission has unveiled sweeping proposals to reform data protection law which will apply in all EU countries, including the UK. A number of these have been widely trumpeted, such as the so-called “right to be forgotten”, but beyond the headlines the proposals represent a significant change in the way that protection thresholds will be set and in the compliance steps that businesses will need to take.
These are just proposals which now need to go through the EU legislative process, which can be expected to take a number of years to complete. However, prudent businesses will keep an eye on these proposals and start thinking about how they could be implemented in practice.
The key changes are:
- Each company will have a “one stop shop” for compliance in the form of the supervisory authority in the country where it has its “main establishment”. The idea is that, for example, a UK business will look to the UK rules and comply with them in its dealings with any European country. Provided it does so, it will not have to worry about compliance in other EU countries. Similarly, a German company can comply with the German rules and will not have to implement any different compliance steps for the UK.
- Consumers, on the other hand, will be able to complain about any European company’s handling of their personal data in the country in which they reside; their local supervising authority will be responsible for liaising with the data holder’s supervising authority in whichever country they are located.
- The requirement to notify data processing to the regulator will be abolished. In the UK there will be no need to notify each year. This is a welcome reduction in red tape, but some government agencies have questioned how supervising authorities will be able to fund their regulatory work without notification fees.
- Any business with 250 or more employees will be required to appoint a “data protection officer”, who will be personally responsible for monitoring and advising on the business’s compliance with data protection rules.
- Any organisation handling personal data will be under a legal duty to notify their supervising authority of any serious data breaches as soon as possible and, if feasible, within 24 hours.
- People will have easier access to their personal data and will have a legal right to transfer their data from one business to another.
- Where an individual’s consent is used to justify obtaining or using their personal data, that consent will need to be explicit; implying or inferring consent will no longer be possible.
- The “right to be forgotten” is in, and the idea is that consumers will be able to require the deletion of their data if there are no legitimate grounds for retaining it.
- The new rules will clarify that, where data is obtained from a child under 13, responsible adult consent must be obtained.
- One point that has not been flagged up as a specific change but is in the legislation is a change to the “Personal Data” definition. This key definition is incredibly important as it sets out what businesses have to search for and provide where an individual wants to know what data is held about them. Court cases in the UK have narrowed the scope of this definition, meaning that in the frequent cases where the subject access requests are used as a complaint or dispute “fishing expedition”, they are of limited value. The new rules may make data protection requests a much more potent weapon in the future.
- Importantly for non-EU businesses, the EU rules will apply equally to any non-EU business which is active in the EU market and offers its goods or services to individuals in the EU. Larger organisations falling within this description will need to appoint a representative within the EU for data protection purposes.
- The legislation will also permit data protection supervising authorities to levy fines on those who break the rules; the penalties envisaged are up to €1 million or, for a business, up to 2% of its global annual turnover.
- Separately, legislation will also codify rules relating to data protection for police and judicial co-operation in criminal matters.
We can expect that there will be changes to the above, and national governments will no doubt include this in the horse-trading that has become part and parcel of EU legislation. However, it seems likely that a tougher regime will emerge and businesses in the EU as well as outside it need to be thinking about how they will meet this new compliance challenge in the next few years.
Eddie Powell, partner, Fladgate LLP