I. Introduction
In the 18th century Immanuel Kant famously initiated a “Copernican revolution” in philosophy by shifting the understanding of reality away from external objects and toward the cognitive powers of the individual.
The Proposed Regulation is part of a package of measures (the “Proposal”) issued on Jan. 25, 2012 that also includes a Communication outlining the Commission’s strategy (the “Communication”),
Completion of the EU legislative process is a politically charged undertaking that will likely take at least one to two years to complete,
The Proposed Regulation would remake the data protection landscape in Europe by introducing far-reaching changes such as the following:
• The law would be largely harmonized among the EU member states, so that the provisions of the Regulation would apply EU-wide.
• Companies with operations in multiple EU member states would be subject to the jurisdiction of a single data protection authority, and the jurisdictional rules over data controllers outside the EU would be changed.
• The use of consent for legitimizing data processing would be significantly restricted.
• Certain bureaucratic requirements, such as notification of data processing to the data protection authorities (DPAs), would be eliminated, but others (such as a requirement to maintain extensive internal documentation about data processing) would be introduced.
• Companies with more than 250 employees would have to appoint a data protection officer.
• A number of new fundamental rights (such as the “right to be forgotten”) would be introduced, as would requirements to use data protection “by design” and “by default.”
• Regulators and affected individuals would have to be notified of data security breaches.
• There would be some simplification of the procedures for transferring personal data outside the European Union.
• Independence of the DPAs would be strengthened, and they would receive enhanced resources and enforcement powers, but much policymaking power would shift from the member states to the European Commission.
• Administrative fines for data protection violations could range up to 2 percent of a company’s annual worldwide income.
These are just a few of the changes of greatest interest to companies; they are discussed in more detail below.
II. Background
On May 15, 2003, Directorate General Internal Market of the Commission (which had jurisdiction over data protection policymaking at that time) published its “First report on the implementation of the Data Protection Directive (95/46/EC),”
One of the major reasons for the Commission’s decision to rethink the EU data protection framework was the Treaty of Lisbon (Lisbon Treaty or Reform Treaty), which entered into force on Dec. 1, 2009,
There had been a great deal of discussion as to whether the new instrument should take the form of a directive or a regulation. A regulation has general application and is directly applicable (i.e., it does not require implementation by EU member states), whereas a directive sets forth the results to be achieved, but leaves the means for achieving them largely up to implementation into national law by the member states.
But even a regulation cannot result in complete, 100 percent harmonization of all legal provisions affecting data protection, or totally eliminate the need to amend national laws. For example, member states may need to enact complementary legislation to deal with the effects of a regulation on their national legal systems. In addition, the Proposed Regulation would not harmonize issues governed by laws outside the area of data protection, such as the powers of works councils under national labor laws,
Recital 10 of the Proposed Regulation states that its legal basis is to be found in Article 16(2) TFEU, meaning that it is to be adopted by the so-called “ordinary legislative procedure” under Article 294 TFEU.
III. Analysis of Key Provisions
Given the length and complexity of the Proposed Regulation, this article can only provide an overview of its most significant provisions. The analysis is structured by chapter, with the most important concepts and issues listed below each chapter title. The text discussed is the final text of the Proposed Regulation issued Jan. 25; in some cases it is compared to the interservice draft (of Nov. 29, 2011) to show how the text evolved. The reader should remember that, even though they are not legally binding, the recitals provide crucial clarification of many points in the text, and should be read together with it.
Chapter I: General Provisions
subject matter and objectives—material and territorial scope—definitions
Article 3 of the Proposed Regulation contains the rules governing its territorial scope. It retains from Article 4 of Directive 95/46 the concept of “the processing of personal data in the context of the activities of an establishment” in the EU as the basic test for determining when EU data protection law applies (Article 3(1)). However, the Proposed Regulation goes on to make several significant changes with regard to jurisdiction. Under Article 3(2), data controllers not established in the EU may be subject to EU law when their processing activities are related to “the offering of goods or services” to data subjects residing in the EU, or to the monitoring of the behavior of EU residents; the abandonment of the “use of equipment in the EU” test contained in Article 4(1)(c) of Directive 95/46 as the criterion for jurisdiction over non-EU data controllers is welcome. The effect of these changes is to bring more non-EU-based companies offering services over the internet within the reach of EU law. The meaning of “monitoring” the behavior of EU residents seems to be linked to whether the non-EU data controller is creating “profiles” of them (Recital 21). The territorial scope of EU data protection law with regard to processing by non-EU data controllers is explicitly limited to individuals “residing” in the EU, but it is not explained whether such residence must be permanent or may only be temporary, and what protection, if any, would be enjoyed by individuals who may have a residence both inside and outside the EU. Indeed, the emphasis in this and other articles (e.g., Articles 41(2)(a) and 41(5)) on residence in the EU is surprising, given that the Proposed Regulation states elsewhere that its protections should apply regardless of nationality or residence (e.g., in Recitals 2 and 12).
The interservice version of these provisions based jurisdiction over non-EU data controllers on “directing activities” to EU residents or monitoring their behavior, using criteria articulated in the 2010 judgment of the European Court of Justice in the joined cases Pammer and Alpenhof,
As mentioned above, one of the main changes to the data protection framework under the Lisbon Treaty and the accompanying instruments is the need to provide a harmonized regime for data processing under the former “third pillar” of EU law as well (i.e., for matters involving law enforcement). Such matters are currently outside the scope of Directive 95/46;
However, data processing by “competent authorities” (i.e., public authorities) for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses or for executing criminal penalties is exempted from the scope of the Proposed Regulation, as are any activities falling outside the scope of EU law, “in particular concerning national security”; data processing by EU institutions; and data processing by member states that falls within the EU Common Foreign and Security Policy (Article 2(2)). Determination of whether the Proposed Regulation or the Proposed Directive applies to a particular act of data processing is presumably based on who was processing the data, so that if, for example, EU criminal justice authorities were seeking access to personal data held in a database by a private company, the Proposed Directive would be applicable. However, certain inconsistencies in the terminology used in the Proposed Directive and Regulation could lead to confusion. For example, the Proposed Directive only applies to data processing by “competent authorities,” meaning EU criminal justice authorities.
The Proposed Regulation also excludes from its scope data processing by a natural person “without any gainful interest in the course of its own exclusively personal or natural or household activity” (Article 2(2)(d)). There has been concern among European data protection authorities and the European Commission that the current scope of the exemption under Article 3(2) of Directive 95/46 is too broad, since it could be construed to exempt from EU data protection law activities such as the processing of personal data by online social networks.
Important changes have been made to other definitions currently contained in Directive 95/46, which are set forth in Article 4 of the Proposed Regulation. In particular, the elements of the existing definition of “personal data” (in Article 2(a) of Directive 95/46) have been moved into the definition of “data subject,” with certain changes. Article 4(1) implies that “online identifiers” such as internet protocol addresses and cookies are generally to be considered as personal data, but a sentence has been added to Recital 24 since the interservice version clarifying that “[i]dentification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.” This clarification is welcome, given that an overly inclusive definition of personal data could effectively require data controllers to identify individuals in borderline cases so that they could comply with other legal requirements, and would thus be counterproductive. Thus, Article 10 specifies that data controllers do not need to identify a person just to comply with the provisions of the Proposed Regulation, and Recital 23 states that “the principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable”; this provides powerful incentives for the use of anonymization techniques.
Also highly significant is the tightening of the definition of consent, which now must always be “explicit” (i.e., opt-in, see Article 4(8)). Together with other new rules on consent discussed later on, mandating the use of opt-in consent in all cases will have significant implications for companies engaged in e-commerce and online activities (e.g., by requiring an increased use of pop-up boxes and other mechanisms on websites that indicate an individual has affirmatively agreed to their personal data being processed).
A number of new definitions are also introduced, including “personal data breach,” “genetic data,” “data concerning health,” “binding corporate rules,” “main establishment,” and others. The Proposed Regulation defines a “child” as any person below 18 years (Article 4(18)), and introduces a number of protections when the personal data of children are processed (e.g., Articles 8, 33(2)(d), and 52(2)). However, a revision introduced during the interservice consultation resulted in the age at which personal data of a child may not be processed online without consent of the parent or custodian being lowered to 13 years (Article 8(1)).
Chapter II: Principles
data processing principles—lawfulness of processing—consent—data of a child—sensitive data—processing not allowing identification
The Proposed Regulation foresees a strengthening of the general conditions for data processing. This is reflected first of all in Article 5, which is an amended version of Article 6 of Directive 95/46. The basic principles of that article have been retained, with some notable additions. Article 5(c) provides a more explicit expression of the “data minimization” principle than is currently contained in Directive 95/46, and will require companies to limit much more strictly the amount of data they collect. Article 5(f) strengthens the accountability of data controllers by requiring that personal data be processed under the responsibility and liability of the controller, who also is responsible for compliance with the Proposed Regulation. However, this provision does not reflect the fact that other articles foresee compliance responsibility by the data processor as well (such as Articles 26, 31, and 34(1)).
Article 6 (corresponding to Article 7 of Directive 95/46) contains several important changes to the legal bases for data processing. Article 6(3) states that any data processing may only be based on EU law or member state law; this will clarify that the law of a non-EU country may not serve as the legal basis for processing. Recital 39 states that the processing of data strictly necessary to ensure network and information security is to be considered a “legitimate interest” of the data controller, thus allowing the balancing-of-interests test to legitimize such activities. Since it is often difficult to find a clear legal basis for the processing of personal data for network and IT security purposes, this clarification is a welcome step that should facilitate activities to improve the level of information security in the EU. The Commission is to adopt a number of delegated acts under this article, including one to clarify use of the “balancing of interests” test for data processing under Article 6(1)(f); given the complexity of this issue, where permissibility can often only be judged on the facts of a particular case, it is unclear how the Commission can produce guidance that is both authoritative and specific enough to be useful. A requirement that the sending of direct marketing have the consent (i.e., opt-in consent) of the recipient, which was contained in the interservice version, was deleted from the final version; Article 19 now only requires a right to object to the sending of direct marketing.
The limitations on the use of consent contained in Article 7 are highly significant, given the widespread use of consent as a legal basis for data processing in both the private and public sectors. Under Article 7(1), data controllers bear the burden of proof in showing that data subjects consented to the processing of their personal data. Under Article 7(4), the use of consent is not allowed “where there is a significant imbalance between the position of the data subject and the controller”; Recital 34 clarifies that this applies especially “where personal data are processed by the employer of employees’ personal data in the employment context.” Thus, the use of consent as a legal basis for processing employee data will be made more difficult.
Finally, Article 9(1) expands the definition of sensitive data somewhat to also include genetic data and data concerning “criminal convictions or related security measures.” The processing of such criminal data is possible only under restrictive conditions based on Article 9(2)(j), though deletion of the word “offenses” from the definition of sensitive data, together with reformulation of the clause during the interservice process, should make it somewhat easier than was the case under the interservice version for companies to comply with legal obligations, such as those under national laws implementing the third EU anti-money laundering and terrorist financing directive (2005/60/EC).
Chapter III: Rights of the Data Subject
transparency—procedures and mechanisms for exercising data subject rights—information rights—right of access—rectification—right to be forgotten and erasure—data portability—objection—profiling—restrictions
The Proposed Regulation aims to increase the transparency of data processing, and to this end imposes stricter informational and transparency obligations on data controllers. Some of these requirements are phrased in broad terms (e.g., Article 11, mandating that data controllers have “transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects’ rights”), and others in quite detailed form (e.g., Article 14, which contains a list of the types of information that data subjects must be provided with). Furthermore, data controllers are obliged to implement detailed procedures for allowing individuals to exercise their rights (Article 12). These requirements will cause many companies to review and revise their privacy policies and informational practices. The Commission is empowered to adopt acts setting forth standard forms and procedures for individuals to exercise their rights (e.g., Article 12(6)), which should eliminate the need to follow separate procedures in individual member states.
Article 17, dealing with the “right to be forgotten and to erasure,” is likely to be one of the most controversial provisions of the Proposed Regulation. It seems to be an extension of the existing right currently contained in Article 12 of Directive 95/46 to have data erased, and it is not clear why it was necessary to create a new right under a new name. This provision was amended during the interservice consultation to limit it somewhat; in particular, in the previous version controllers who made data public had a duty to ensure the erasure of any internet link to or copy of the data, which would have made them responsible for policing the entire internet. This duty has now been limited to informing third parties processing the data that the data subject has requested that they be erased (Article 17(2)), and such duty has been limited to what is possible and does not involve a disproportionate effort (Article 13). During the interservice consultation, it was clarified in Article 2(3) that the liability rules of intermediary service providers contained in Articles 12–15 of the E-Commerce Directive
Article 20 of the Proposed Regulation regulates the use of “profiling,” and is based both on Article 15(1) of Directive 95/46 and on the recent Council of Europe Recommendation on profiling.
The Proposed Regulation states that data protection is not an absolute right, but must be considered in relation to its function in society, and must be balanced with other fundamental rights (Recital 139).
Chapter IV: Controller and Processor
responsibility of controllers—data protection by design and by default—joint controllers—representatives of non-EU controllers—data processors—processing under the authority of the controller and processor—documentation—cooperation with DPAs—data security—security breach notification—data protection impact assessments—prior authorisation—data protection officers—codes of conduct—certification
This is a highly complex and diverse section, covering many different topics, but with a common theme of enhancing the responsibility and compliance obligations of data controllers and processors.
Article 22 imposes duties of responsibility and accountability on data controllers, and mandates that compliance measures be independently verified (Article 22(3)), though the use of “independent internal or external auditors” is only required if this is “proportionate.” The concept of accountability seems to include the measures listed in Article 22(2), namely keeping documentation of data processing; implementing data security requirements; performing data protection impact assessments; complying with requirements for prior authorization by or in consultation with the DPAs; and designating a DPO. An earlier provision requiring that data protection compliance be mentioned in annual corporate reports and other documents that companies are required to file by law was deleted following the interservice consultation. Article 23 requires that data controllers implement “appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject” (Article 23(1), data protection by design), and that measures are implemented “by default” so that “only those personal data are processed which are necessary for each specific purpose of the processing” (Article 23(2), data protection by default). The meaning of the phrase “by default” is unclear, but presumably it would mean that privacy-friendly features of products and services would have to be activated automatically when they are used (e.g., that certain settings in internet browsers are turned on from the time the browser is first used). Privacy by design and by default will have profound implications in particular for hardware and software companies, data processing service providers, and other companies that either produce products for the processing of personal data or that process data intensively. 
The details of what data protection by design and by default mean in practice are to be set forth in delegated acts and technical standards issued by the Commission (Articles 23(3)–(4)).
The Proposed Regulation contains a provision on joint data controllers (Article 24) that requires them to conclude an “arrangement” allocating data protection responsibility between them; many companies will have to modify their commercial agreements as a result. Article 26 also will have important implications for many outsourcing arrangements (e.g., Article 26(2)(d), which allows a data processor to enlist a sub-processor only with the prior permission of the data controller). Non-EU-based data controllers processing the data of EU citizens related to the offering of goods or services to them or to the monitoring of their behavior are obligated to appoint a representative established in an EU member state (Article 25), with some important exceptions as stated in Article 25(2) (such as when the controller is established in a country that has been found “adequate,” has fewer than 250 employees, or “only occasionally” offers goods or services to individuals in the EU). The representative is subject to substantial liability risks, since it is liable for penalties that can be levied against the controller (Article 78(2)).
The responsibilities of data processors as set forth in Article 26 are much more extensive than those contained in Article 17 of Directive 95/46, and will likely require amendment of contracts between data controllers and data processors (such as IT service providers and hosting companies). Data processors that exceed the data processing instructions given to them by data controllers will be subject to all the obligations of controllers contained in Article 24 (Article 26(4)). Data controllers and processors, with some exceptions, also are responsible for keeping detailed documentation of all data processing operations, which must be produced upon request to DPAs (Article 28), though a late addition to the text exempts companies with fewer than 250 employees from this requirement (Article 28(4)). Article 29 requires controllers, processors, and the representatives of controllers to cooperate with DPAs.
The Proposed Regulation contains a number of important provisions concerning data security. Article 30 imposes wide-ranging data security obligations on both data controllers and data processors, the details of which are to be specified by the Commission. A general data breach notification requirement applicable horizontally to all types of data controllers
Data protection impact assessments are to be carried out by data controllers and data processors in certain circumstances, some of which are clear (e.g., when processing biometric data, Article 33(2)(d)), but others of which are vague (e.g., when data processing operations “are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes,” Article 33(1)). However, during the interservice consultation a Recital was added (Recital 71) indicating that the requirement to conduct them should apply in particular “to newly established large scale filing systems, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects”; this would presumably exclude most small and medium-sized enterprises (SMEs). In addition, provisions that would have required data protection impact assessments in most routine situations under which employee data are processed were deleted during the interservice process. The Commission estimates that such impact assessments can range in cost from €14,000 (approximately $18,400) for a small-scale one, to €34,500 (approximately $45,344) for a medium-scale one, and then to €149,000 (approximately $195,834) for a large-scale one.
Data protection officers (DPOs) have long been required in some member states, but are almost totally unknown in others. The Proposed Regulation would make DPOs mandatory for all public authorities, and for all companies with more than 250 permanent employees (Article 35(1)). Articles 35–37 regulate in detail the designation, position, and tasks of DPOs, including requirements that they must exercise their duties in complete independence (Article 36(2)), and must be employed for at least two years (Article 35(7)). These provisions will create a new industry in the EU for the appointment, education, and training of DPOs.
While the strengthening of the position of DPOs is a positive development, the provisions do raise certain questions. The threshold of 250 permanent employees means that in some member states (such as Austria, where there are few companies with this number of employees) most companies would be exempt from the requirement, while in others (such as Germany, which already has a requirement that most companies with over 10 employees must have a DPO) many companies that now have them would no longer be required to do so. The threshold of 250 employees was derived from the Commission definition of SMEs,
Based on Article 35(2), it seems that a company with its headquarters in one member state and subsidiaries in others could appoint a single DPO based at the headquarters with functional responsibility over the subsidiaries as well. Thus, it will not be legally required to have a separate DPO physically based in each subsidiary, even if it may sometimes be practically advisable.
The Proposed Regulation also foresees the drafting of codes of conduct covering various data protection sectors, and allows them to be submitted to DPAs, which may give an opinion as to whether they are “in compliance with this Regulation” (Article 38(2)), and to the Commission, which may adopt implementing acts determining that codes “have general validity” (Article 38(4)). Presumably such determinations by a DPA or the Commission would mean that compliance with a code of conduct would also satisfy the legal requirements of the Proposed Regulation, but this should be made more explicit in the text. Finally, the establishment of “data protection certification mechanisms and of data protection seals and marks” also is encouraged, and the Commission may recognize them (Article 39), but again, the legal effect of such recognition should be clarified.
Chapter V: Transfer of Personal Data to Third Countries or International Organisations
general principles—adequacy decisions—appropriate safeguards—binding corporate rules—derogations—international cooperation
No topic addressed in the Proposed Regulation has received more attention than the transfer of personal data outside of the EU. Individuals, companies, DPAs, and governments all have been dissatisfied with the existing rules for various reasons, and reform of the legal framework for transborder data flows was one of the biggest challenges faced by the Commission. The proposed new rules make some valuable improvements to the current situation, but also raise many questions.
Article 40 abandons the presumption under Directive 95/46 that personal data may not be transferred absent an “adequate level of protection” in the recipient country, and instead sets forth general principles that must be fulfilled when data are transferred outside the EU. There are three categories of mechanisms that may legalize international data transfers, namely a Commission adequacy decision under Article 41; the use of “appropriate safeguards” under Article 42 (which include binding corporate rules under Article 43); or the application of a derogation under Article 44.
Article 41 expands the scope of Commission adequacy decisions somewhat, by explicitly providing that they may cover not only an entire country, but also a territory within a third country, a processing sector, or an international organization (Articles 41(1) and (3)). The fact that adequacy decisions may no longer be subject to any kind of authorization will reduce the administrative burden for data controllers in some member states that currently require them. The Proposed Regulation also gives the Commission increased power to decide that a territory, processing sector, or international organization does not provide adequate protection, and to enforce such decisions by prohibiting data transfers to it (Articles 41(5)–(6)). Unfortunately, the Proposed Regulation does not discuss at all the logistics of how adequacy decisions are to be issued, a process which is in urgent need of reform given the lengthy and convoluted procedures now in place. Article 41(2)(c), which provides that “the international commitments” a third country or international organization has entered into are to be assessed by the Commission in the process of deciding whether adequate protection exists, may increase the importance of Council of Europe Convention 108
International data transfers also are possible if “appropriate safeguards” are in place (Article 42(2)), meaning one of the following mechanisms: binding corporate rules (BCRs); “standard data protection clauses” approved by the Commission (the counterpart of the present “standard contractual clauses”); standard data protection clauses adopted by a DPA in accordance with the consistency mechanism; “ad hoc” contractual clauses authorized by a DPA; or other appropriate safeguards “not provided for in a legally binding instrument.” Of these, transfers based on ad hoc contractual clauses and those using other appropriate safeguards not provided for in a legally binding instrument require further authorization by the DPA (Article 34(1)). The fact that DPAs may no longer require authorization of transfers using the EU standard contractual clauses will be a great boon to data controllers. It is not clear what is meant by “other appropriate safeguards not provided for in a legally binding instrument” (Article 42(5)), but presumably this could include measures such as a code of best practices for a cloud computing service that was not contained in a contract or other legally-binding instrument, and which would then have to receive approval of the DPA. The Commission may also declare generally valid standard contractual clauses that have been adopted by DPAs (Article 42(2)(c)).
Articles 41(8) and 42(5), together with Recital 134, confirm that despite the repeal of Directive 95/46, Commission decisions (such as adequacy decisions and those approving the standard contractual clauses) and those of DPAs remain in force; this language was not in the interservice version. Thus, data transfers under adequacy mechanisms that have already been approved (such as the U.S. Safe Harbor system), standard contractual clauses, and data transfer arrangements approved by DPAs can continue (though the Commission will likely eventually merge the various sets of standard contractual clauses). However, the Proposed Regulation does raise some important questions about the functioning of certain adequacy decisions. For example, Article 40 seems to suggest that the conditions for data processing contained in the Proposed Regulation, and in particular those governing international data transfers, must also be applied to “onward transfers” of personal data that are sent to a third country and then subject to further transfers. Some Commission adequacy decisions (such as the safe harbor) already contain rules for conducting onward transfers, and it is not clear how such rules are to interact with the rules of the Proposed Regulation. The fact that the requirements for collecting and processing data in the EU will become much stricter under the Proposed Regulation also means that the threshold for transferring data outside the EU will effectively be raised (i.e., since no data may be transferred unless they were legally collected and processed in the first place, as provided in Article 40).
Explicit legal recognition of BCRs is to be welcomed, so that any remaining legal barriers to their use under member state law will be removed (Article 43). Use of BCRs is limited to companies in “the same corporate group of undertakings” (Recital 85). The Proposed Regulation also explicitly recognizes the use of BCRs for data processors, thus responding to a call that business has long made. The requirements for BCRs contained in Article 43 are generally similar to those that have been set forth already by the Article 29 Working Party. One difference concerns the liability rules. At present, the Working Party requires that the BCRs contain a duty for the EU headquarters of the company, or a delegated subsidiary in the EU, to assume liability for violations.
The use of so-called “derogations” to transfer personal data is possible under Article 44, though their scope has been changed somewhat in comparison with Article 26 of Directive 95/46. In particular, new restrictions on the use of consent to transfer personal data are introduced (Article 44(1)(a)). One revolutionary change is introduced in Article 44(1)(h), which provides that “a data transfer may, under limited circumstances, be justified on a legitimate interest of the controller or processor, but only after having assessed and documented the circumstances of that transfer operation.”
A provision in the interservice version that would have prohibited the transfer of personal data based on orders or requests from non-EU courts, tribunals, administrative authorities, and other governmental entities, unless mutual legal assistance treaties or procedures under international agreements were followed, or unless the relevant DPA had approved the transfer, was obviously targeted at requirements under U.S. law for the disclosure of data, in particular based on law enforcement requirements or e-discovery requests. However, this provision was unexpectedly deleted in the final version of the Proposed Regulation. Nevertheless, the Commission has stated publicly that the final sentence of Recital 90
Chapter VI: Independent Supervisory Authorities
supervisory authorities—independence—membership and establishment of DPAs—professional secrecy—competence—duties—powers
The Proposed Regulation contains enhanced protections for the independence of the DPAs (Article 47), and provisions designed to ensure their effective functioning, which is important following the decision of the European Court of Justice in the case Commission v Germany,
Article 51 confirms that each DPA has jurisdiction on the territory of its own member state. Of great benefit to companies is the fact that if a data controller or data processor has establishments in multiple member states, the DPA of the member state of the company’s main establishment is competent to supervise the data processing activities of the company in all member states (Article 51(2)). This rule establishes a “lead DPA” for companies with operations around the EU, so they can deal with a single DPA rather than with up to 27; the DPAs of the various member states where the company has operations are supposed to work together under the so-called mutual assistance and cooperation procedures under Articles 55–56 (discussed below) to ensure effective supervision. The details of what should be considered a data controller’s “main establishment” are specified in Recital 27, which states that this should be the place of the company’s “central administration,” irrespective of whether the processing of personal data is actually carried out at that location. However, the Recital seems contradictory, as it also states that the determination of the main establishment should imply “the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements.” In fact, there are many companies with decentralized corporate structures where the central administration and the place where management decisions about data processing are made may differ. It is also not clear how the determination of the place of main establishment is to be made in practice, i.e., whether the company should make it, or whether a DPA will decide it, and how disputes in this regard are to be resolved. For data processors, the main establishment is the place of central administration in the EU (Recital 27).
These rules will mean that, for instance, a smaller and less-resourced DPA in a member state where the company has its main establishment may become competent to supervise the company’s activities all over the EU, which could place great pressure on its capacities and cooperation with other DPAs.
Individuals may bring suit against a controller or processor either before the courts of the member state where the controller or processor has an establishment (i.e., not just before those of its main establishment), or before those of the individual’s habitual residence (except in the case of suits against public authorities under Article 75(2)).
Chapter VII: Cooperation and Consistency
mutual assistance—joint enforcement—consistency mechanism—implementing acts—enforcement—European Data Protection Board
The harmonization of data protection law can only be achieved if the DPAs cooperate much more closely than has so far been the case, and if data protection rights can be enforced seamlessly across the entire EU. The Proposed Regulation contains several provisions designed to realize these objectives, including a duty for DPAs to take action on a request of another DPA within one month (Article 55(2)), and a provision empowering DPAs to conduct joint enforcement actions (Article 56). It is also provided that when, in certain circumstances, a DPA does not act within one month of being requested to by other DPAs, those other DPAs may take provisional enforcement or compliance actions in the member state of the first DPA (Articles 55(8) and 56(5)); this may cause a clash with constitutional law in some member states, since it affects basic principles of national sovereignty.
Of particular importance is the creation of a “consistency mechanism,” which is designed to ensure that the DPAs take a more consistent view of data protection questions of common interest. In a highly-complex procedure too detailed to go into here, a DPA is supposed to communicate certain enforcement and compliance measures it intends to take in advance to the Commission and the European Data Protection Board (the successor to the Article 29 Working Party). The Board is then supposed to vote by a simple majority on the measure, and the DPA is to “take account” of the opinion of the Board, and communicate to it within two weeks whether it will take the measure or not (Article 58). The Commission is also supposed to adopt an opinion in relation to such measures, of which the DPAs are to take the “utmost account” (Article 59). The Commission has gained substantial powers to force the DPAs to take a more harmonized approach, since it may request that any matter be dealt with via the consistency mechanism (Article 58(4)), and may also adopt a reasoned decision requiring a DPA to suspend the adoption of a measure when it has “serious doubts as to whether the draft measure would ensure the correct application of the Regulation or would otherwise result in its inconsistent application” (Article 60(1)). It is questionable whether these powers are consistent with the independence of the DPAs, and they are likely to be politically controversial. DPA decisions and measures are made enforceable in all member states, except when the DPA did not convey them to the Commission and the Board under the consistency mechanism (Article 63(2)).
As stated earlier, the Article 29 Working Party is renamed “European Data Protection Board,” and its functioning is set out in more detail than in Directive 95/46. The secretariat of the Board is moved from the Commission to the European Data Protection Supervisor (EDPS) (Article 71), though the Commission remains an observer (Article 64(4)). This would seem to free up resources in the Commission for other tasks, such as adopting delegated and implementing acts, and will increase the power of the EDPS, which can be seen as one of the “winners” of the Proposed Regulation. The Board is to be independent (Article 65), and its tasks (Article 66) and decision-making procedures (to be taken by a simple majority of members, Article 68(1)) are also set forth.
Chapter VIII: Remedies, Liability and Sanctions
complaints to DPAs—judicial remedies against DPAs—judicial remedies against controllers and processors—court proceedings—compensation and liability—penalties—administrative sanctions
There have long been complaints that the DPAs lack uniform enforcement powers, and that the available mechanisms to sanction data protection violations were insufficient, which have been addressed in the Proposed Regulation. Article 73(1) provides that an individual in any member state can lodge a complaint with any DPA, not just the one where they reside. The draft also gives organizations and associations the right to bring claims before the DPAs, both on behalf of individuals (Article 73(2)) and on their own behalf (Article 73(3)). These types of collective actions are already used in some member states.
Highly significant is the new regime for penalties and administrative fines, which are, for the first time in the history of data protection law, of such a magnitude that they will get attention from companies’ CEOs and general counsel. Indeed, one of the purposes of the Proposed Regulation seems to be to elevate the significance of data protection so that it is on a par with other corporate compliance topics such as competition law, anti-bribery, and money laundering requirements. Besides the size of the penalties, all controllers and processors involved in the data processing are jointly and severally liable for the entire amount of any damage suffered, unless they can prove that they are not responsible for the event giving rise to the damage (Article 77(2–3)). However, the drafters should have included here a reference to Article 24, so that joint data controllers could apportion their liability in advance by means of a written agreement. The representative of a non-EU-based data controller is also liable for any penalties assessed against the controller (Article 78(2)).
Under Directive 95/46, the amount of administrative sanctions was left to implementation by the member states,
The provisions on fines and penalties give rise to some questions. For example, the wording in Article 79(1) that sanctions may be imposed by “each supervisory authority” suggests that in theory a company could be sanctioned separately by 27 different DPAs for the same violation if it occurred within each jurisdiction, which stands in contradiction to the fact that supervision of a company is limited to the DPA of the company’s main establishment (Article 51(2)). While this is not explicitly stated, the imposition of fines presumably should be subject to the consistency mechanism, since it constitutes “a measure intended to produce legal effect” under Article 58(2).
Chapter IX: Provisions Relating to Specific Data Processing Situations
freedom of expression—processing for health purposes—employment data processing—historical, statistical and scientific research—secrecy—existing rules of churches and religious associations
The Proposed Regulation contains articles dealing with a number of specific data processing situations. Article 80 requires member states to provide exemptions or derogations for the processing of personal data for journalistic purposes or for artistic and literary expression, and is an elaboration of Article 9 of Directive 95/46. The definition of “journalistic activities” as explained in Recital 121 reflects the broad interpretation of that term by the European Court of Justice in the case Satamedia,
Chapter X: Delegated Acts and Implementing Acts
exercise of delegation—committee procedure
One of the most striking elements of the Proposed Regulation is the number of instances in which the Commission has granted itself the power to adopt so-called “delegated acts” or “implementing acts,” both of which may take the form of a regulation, a directive, or a decision,
In total there are 26 instances
Legal commentators have predicted that it will often be difficult to determine whether a particular measure should be adopted based on a delegated act or an implementing act,
Another issue concerns the resources necessary for the Commission to adopt so many acts, and the time frame for their adoption. Many of the issues about which acts are to be adopted are complex and subject to disagreement even among experts (an example is determining the lawfulness of data processing based on balancing the legitimate interests of the data controller against the interests or fundamental rights of data subjects, conditions that are to be determined by a delegated act of the Commission (Article 6(5))). In addition, since important details of many provisions will only become clear once the relevant delegated and implementing acts have been adopted, it is essential that the Commission be able to do so soon after the Regulation is enacted. However, the complexity of the issues involved, together with political forces, will likely lead to a delay in the adoption of many of them, which could leave data controllers and processors with little guidance as to how to implement the Regulation in practice. This assumption is supported by the “Legislative Financial Statement” attached to the Proposed Regulation, which estimates that “up to three implementing measures may be handled per year, while the process may take up to 24 months,”
Chapter XI: Final Provisions
repeal of Directive 95/46—e-Privacy Directive—evaluation—entry into force and application
Under Article 88, Directive 95/46 is repealed and references to it are to be construed as references to the Proposed Regulation. The Proposed Regulation is directly applicable in the member states (recital following Article 91), so that it does not need to be implemented into national law. The relationship between the Proposed Regulation and the e-Privacy Directive
The Commission is to submit evaluation reports on the Proposed Regulation to the European Parliament and the Council at regular intervals, initially no later than four years after its entry into force (Article 90); the national DPAs (Article 54) and the European Data Protection Board (Article 67) also are supposed to publish annual reports of their activities. It is to be regretted that the Proposed Regulation does not foresee the establishment of a permanent stakeholder group or expert advisory group to provide input to the Commission on how it is functioning in practice. It is to enter into force on the 20th day after its publication in the EU Official Journal, and shall apply as of two years from that date (Article 91). Thus, the Proposed Regulation will likely not come into force before 2015 at the earliest.
IV. Conclusions
The Proposed Regulation deserves to be considered a “Copernican revolution” in EU data protection law. It constitutes a bold attempt to make the legal framework more efficient and effective; increase protection of fundamental rights; and provide more legal certainty. Such a complete revision is justified, as it has been widely recognized that Directive 95/46 is out of date, and given the current political climate, the revision process now underway may be the best opportunity to update the framework for the foreseeable future.
Some of the reforms are highly welcome. For example, because the Proposed Regulation would be directly applicable, it would provide as near complete harmonization as is possible under EU law. It would also make companies with operations in multiple EU member states subject to the jurisdiction of a single DPA, based on their main place of establishment in the EU. Notifications to DPAs of data processing activities would be eliminated. The legal certainty of “adequacy” decisions and standard contractual clauses for transferring data outside the EU would be increased, and BCRs would be explicitly recognized. DPAs would be forced to cooperate, and the Commission would be empowered to issue EU-wide interpretations of important provisions. These are all highly significant improvements to the legal framework, and represent changes that business has been requesting for years.
It is much easier to criticize such an ambitious proposal than to draft one. Nevertheless, the Proposed Regulation also gives grounds for criticism. First of all, it sometimes loses sight of the need to adopt provisions that can actually be implemented in practice, and to be precise and meticulous in drafting. While the text emphasizes the need for data controllers to use understandable language,
The commendable reduction of bureaucracy in some areas is at least partially offset by the introduction of other procedural requirements (such as the need to keep extensive internal documentation of data processing). While a number of last-minute changes to the text were adopted to reduce the burden put on SMEs, it can be feared that they still will be burdened by extra costs. Despite its status as a regulation, the use of vague language is likely to lead to difficulties of interpretation, and may cause greater divergence in national approaches than the Commission thinks. Basic differences in legal systems and administrative cultures in member states may be one of the greatest risks to the Proposed Regulation, since these are not easily susceptible to harmonization from Brussels.
In addition, some of its specific innovations seem misguided. The “right to be forgotten” seems to be a version of the existing right to erasure which has been extended so far as to pose risks to other fundamental rights and to the use of the internet. The rules on profiling will prove difficult to understand and apply in practice. And while there is a need for more stringent enforcement of the law and more harmonized enforcement powers, the combination of ill-defined offenses and huge mandatory fines raises basic questions of fairness.
Another point of concern relates to the role of EU data protection law in the current global environment. The apparent assumption that the majority of international data transfers can be legalized by the use of BCRs and standard contractual clauses insufficiently takes into account the realities of massive international data transfers via phenomena such as cloud computing. It is also unfair that the requirements for transferring personal data internationally for criminal justice purposes under the Proposed Directive are much more lenient than are those under the Proposed Regulation.
While the Proposed Regulation would in general harmonize the law at a high level, some member states may raise legitimate questions as to the effect it would have on data protection in their own countries. For example, a member state such as Austria has only a very small number of companies with over 250 employees, and thus the vast majority of companies there will be exempt both from the duty to appoint a DPO and from the documentation requirements, while the duty to notify the DPA of data processing also would be eliminated. Since the requirement to appoint a DPO and to keep documentation of data processing would be introduced largely as a replacement for the notification requirement,
Despite the above criticisms, the author’s overall view of the Proposed Regulation is cautiously positive, as it constitutes an improvement on Directive 95/46, and demonstrates a commendable willingness to take on some of the “sacred cows” of data protection law that have outlived their usefulness. For the private sector, the final success of the Proposed Regulation will perhaps depend on three key factors, namely the effectiveness of the “lead DPA” concept; the operation of the consistency mechanism; and the ability of the Commission to issue delegated and implementing acts of high quality in a way that is timely and transparent and gives stakeholders an opportunity to provide input. If these three factors are realized, then it may work as designed to bring about a more harmonized level of data protection throughout the EU, and the benefits could be great for data controllers, individuals, and the EU economy. But if they are weakened during the EU legislative process, or if member states and DPAs undermine them, then many of the other positive changes foreseen in the text may lose much of their effect. Only time will tell if the final result is a revolution that brings about lasting improvements.