One Regulation to Rule them All

Earlier this spring, the EU Parliament voted for the implementation of a new EU Data Protection Regulation, as proposed by the EU Commission. Next step is for the Council to adopt the Regulation, in which case it may become effective from 2016. It may, thus, be time to take a closer look at what news the Regulation will bring.

Harmonisation

The obvious big leap forward is from a directive to a regulation. While a directive – such as the current EU Data Protection Directive – must be implemented by the member states, a regulation – such as the proposed Regulation – must be followed directly, regardless of any national
legislation.

The current Directive has been implemented into the national legislation of each member state. Unfortunately, the implementation and interpretation of the Directive has not been consistent throughout the member states. The discrepancies bring unnecessary costs for businesses that are active in several member states.

Take, for example, a cloud service provider who wants to make its service compatible with applicable data protection legislation, so that its customers who use the service to process personal data can abide by applicable law. Today, the cloud service provider will have to adapt its service to the national data protection legislation of each member state where the services will be offered.

The Regulation will be directly applicable in all member states. Hence, the cloud service provider in the example above would only have to adapt to the Regulation in order to cover all member states. Hopefully, this will make it easier for cross-border business in the future, even if it will
take some time before all relevant authorities have harmonized interpretation of the Regulation.

Increased stakes

In Sweden – as in many other member states – the data protection legislation has often been regarded as rather toothless due to the enforcement options available to the local data protection supervisory authority. Individuals may seek damages and prosecutors may prosecute for serious breaches of the data protection legislation, but such options are only really applied in extraordinary cases. The normal enforcement path is for the supervisory authority to order correction of a breach. Only if such order is not followed (or successfully contested) may the company or organisation be obliged to pay a penalty.

The Regulation will introduce more severe sanctions in the form of fines of up to 100 000 000 euro or, if it is a company, 5 % of the annual worldwide turnover. This will increase the stake of data protection compliancy.

The increased stakes are amplified by the Regulation making data processors (entities processing personal data on behalf of another entity) liable for wrongful processing in addition to the data controller (the entity on whose behalf the data is processed). In the example above, the cloud service provider may thus become directly liable for any wrongful processing of its customers by use of the cloud service. The incentive for service providers to provide services which are adapted to data protection legislation will thus increase.

Notable changes

In much, the Regulation provides for the same basic rules as are provided for by the Directive, but there are several notable changes.

In addition to the changes described above, notable changes include, for example, the following changes which may make it simpler for businesses:
– One-stop shop. Companies and organisations established and operating in several member states will only have to deal with one “leading” data protection supervisory authority – the supervisory authority the country where they have their main establishment.

– Notification requirements. General notifications to the supervisory authority are abolished (but mandatory data breach notifications are introduced). Instead, companies and organisations are given an increased responsibility of establishing internal documentation such as policies and impacts assessments.

There are also changes intended to enhance the rights of individuals:
– Right to be forgotten. Individuals will have a right to “be forgotten”, meaning that, if there are no legitimate grounds for retaining personal data relating to an individual, the individual has the right to request that the data is erased and not further disseminated.

– Right to portability. Individuals will have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data.

– Consent. The Regulation provides that, when consent is required to process personal data, such consent must be presented clearly distinguishable. Further, the execution of a contract or the provision of a service must not be made conditional on the consent, if such consent is not necessary for the execution of the contract or the provision of the service.

Other notable changes include, for example, the following:
– Territorial scope. The Regulation will apply primarily to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU. However, the Regulation will also apply to controllers outside the EU, when processing the personal data of
individuals residing in the EU in relation to the offering of goods or services to such individuals or the monitoring of their behaviour.

– Data Protection Officers. Under the Regulation, all public authorities must designate a data protection officer (i.e. a person who monitors the data processing and to inform and advise in relation thereto). Companies and organisations must designate a data protection officer if their core activities require regular and systematic monitoring of individuals or consist of processing sensitive data, location data or data on children or employees in large scale filing systems. The same applies if the company or organisation, in any consecutive 12-month period, process personal data that relates to more than 5000 data subjects.

– Privacy by design. According to the Regulation, appropriate technical and organizational measures are to be implemented at the outset to ensure that data processing activities meet the requirements of the Regulation.

– Standardised information policies. The Regulation provides that, where personal data relating to an individual are collected, the individual shall be provided with a standardised information policy (standardised icons which are attached to the Regulation) that describes selected particulars of the processing to be carried out.

– Unstructured processing. In Sweden, simplified rules apply to the processing of personal data in “unstructured material” such as running texts published on the internet, sounds, images and e-mail messages. This is to facilitate such processing of personal data that generally would not
entail a violation of personal privacy. The Regulation does not include any similar simplifications.

Planning ahead

Data protection issues have not normally been regarded as higher management issues for Swedish companies, but the sanctions provided for by the Regulation are likely to elevate the issues to such levels. You may compare this with competition law issues, which due to the applicable sanctions have regularly been discussed on the higher management level.

If the Regulation comes to pass, companies should adapt to the new requirements and establish processes to ensure continued compliance. For companies with established processes regarding data protection, few adaptions are likely to be required. For companies who are only now starting to prioritize data protection compliance, there is a longer journey to take.

In any case, we urge companies and organisations to plan ahead for the adoption of the Regulation and, as soon as the Council has adopted the Regulation, initiate a process to review its data processing and assess compliancy with the Regulation.