{"id":38307,"date":"2014-06-01T14:13:28","date_gmt":"2014-06-01T14:13:28","guid":{"rendered":"https:\/\/setterwalls.se\/article\/one-regulation-to-rule-them-all\/"},"modified":"2022-02-14T13:42:32","modified_gmt":"2022-02-14T13:42:32","slug":"one-regulation-to-rule-them-all","status":"publish","type":"articles","link":"https:\/\/setterwalls.se\/en\/article\/one-regulation-to-rule-them-all\/","title":{"rendered":"One Regulation to Rule them All"},"content":{"rendered":"<p><strong>Earlier this spring, the EU Parliament voted for the implementation of a new EU Data Protection Regulation, as proposed by the EU Commission. The next step is for the Council to adopt the Regulation, in which case it may become effective from 2016. It may, thus, be time to take a closer look at what changes the Regulation will bring.<\/strong><\/p>\n<p><strong>Harmonisation<\/strong><\/p>\n<p>The obvious big leap forward is from a directive to a regulation. While a directive \u2013 such as the current EU Data Protection Directive \u2013 must be implemented by the member states, a regulation \u2013 such as the proposed Regulation \u2013 must be followed directly, regardless of any national legislation.<\/p>\n<p>The current Directive has been implemented into the national legislation of each member state. Unfortunately, the implementation and interpretation of the Directive have not been consistent throughout the member states. The discrepancies bring unnecessary costs for businesses that are active in several member states.<\/p>\n<p>Take, for example, a cloud service provider who wants to make its service compatible with applicable data protection legislation, so that its customers who use the service to process personal data can abide by applicable law. 
Today, the cloud service provider will have to adapt its service to the national data protection legislation of each member state where the services will be offered.<\/p>\n<p>The Regulation will be directly applicable in all member states. Hence, the cloud service provider in the example above would only have to adapt to the Regulation in order to cover all member states. Hopefully, this will make it easier for cross-border business in the future, even if it will take some time before all relevant authorities have harmonised their interpretation of the Regulation.<\/p>\n<p><strong>Increased stakes<\/strong><\/p>\n<p>In Sweden \u2013 as in many other member states \u2013 the data protection legislation has often been regarded as rather toothless due to the limited enforcement options available to the local data protection supervisory authority. Individuals may seek damages and prosecutors may prosecute for serious breaches of the data protection legislation, but such options are only really applied in extraordinary cases. The normal enforcement path is for the supervisory authority to order correction of a breach. Only if such an order is not followed (or successfully contested) may the company or organisation be obliged to pay a penalty.<\/p>\n<p>The Regulation will introduce more severe sanctions in the form of fines of up to 100 000 000 euro or, if it is a company, 5 % of the annual worldwide turnover. This will raise the stakes of data protection compliance.<\/p>\n<p>The increased stakes are amplified by the Regulation making data processors (entities processing personal data on behalf of another entity) liable for wrongful processing in addition to the data controller (the entity on whose behalf the data is processed). In the example above, the cloud service provider may thus become directly liable for any wrongful processing carried out by its customers through the cloud service. 
The incentive for service providers to provide services which are adapted to data protection legislation will thus increase.<\/p>\n<p><strong>Notable changes<\/strong><\/p>\n<p>For the most part, the Regulation provides for the same basic rules as the Directive, but there are several notable changes.<\/p>\n<p>In addition to the changes described above, notable changes include, for example, the following, which may make things simpler for businesses:<br \/>\u2013 One-stop shop. Companies and organisations established and operating in several member states will only have to deal with one \u201cleading\u201d data protection supervisory authority \u2013 the supervisory authority of the country where they have their main establishment.<\/p>\n<p>\u2013 Notification requirements. General notifications to the supervisory authority are abolished (but mandatory data breach notifications are introduced). Instead, companies and organisations are given an increased responsibility for establishing internal documentation such as policies and impact assessments.<\/p>\n<p>There are also changes intended to enhance the rights of individuals:<br \/>\u2013 Right to be forgotten. Individuals will have a right to \u201cbe forgotten\u201d, meaning that, if there are no legitimate grounds for retaining personal data relating to an individual, the individual has the right to request that the data be erased and not further disseminated.<\/p>\n<p>\u2013 Right to portability. Individuals will have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data.<\/p>\n<p>\u2013 Consent. The Regulation provides that, when consent is required to process personal data, such consent must be presented in a clearly distinguishable manner. 
Further, the execution of a contract or the provision of a service must not be made conditional on the consent, if such consent is not necessary for the execution of the contract or the provision of the service.<\/p>\n<p>Other notable changes include, for example, the following:<br \/>\u2013 Territorial scope. The Regulation will apply primarily to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU. However, the Regulation will also apply to controllers outside the EU when processing the personal data of individuals residing in the EU in relation to the offering of goods or services to such individuals or the monitoring of their behaviour.<\/p>\n<p>\u2013 Data Protection Officers. Under the Regulation, all public authorities must designate a data protection officer (i.e. a person who monitors the data processing and informs and advises in relation thereto). Companies and organisations must designate a data protection officer if their core activities require regular and systematic monitoring of individuals or consist of processing sensitive data, location data or data on children or employees in large-scale filing systems. The same applies if the company or organisation, in any consecutive 12-month period, processes personal data relating to more than 5000 data subjects.<\/p>\n<p>\u2013 Privacy by design. According to the Regulation, appropriate technical and organisational measures are to be implemented at the outset to ensure that data processing activities meet the requirements of the Regulation.<\/p>\n<p>\u2013 Standardised information policies. The Regulation provides that, where personal data relating to an individual are collected, the individual shall be provided with a standardised information policy (using standardised icons which are attached to the Regulation) that describes selected particulars of the processing to be carried out.<\/p>\n<p>\u2013 Unstructured processing. 
In Sweden, simplified rules apply to the processing of personal data in \u201cunstructured material\u201d such as running texts published on the internet, sounds, images and e-mail messages. This is to facilitate such processing of personal data as generally would not entail a violation of personal privacy. The Regulation does not include any similar simplifications.<\/p>\n<p><strong>Planning ahead<\/strong><\/p>\n<p>Data protection issues have not normally been regarded as higher management issues for Swedish companies, but the sanctions provided for by the Regulation are likely to elevate the issues to that level. You may compare this with competition law issues, which due to the applicable sanctions have regularly been discussed at the higher management level.<\/p>\n<p>If the Regulation comes to pass, companies should adapt to the new requirements and establish processes to ensure continued compliance. For companies with established processes regarding data protection, few adaptations are likely to be required. For companies who are only now starting to prioritise data protection compliance, there is a longer journey to take.<\/p>\n<p>In any case, we urge companies and organisations to plan ahead for the adoption of the Regulation and, as soon as the Council has adopted the Regulation, initiate a process to review their data processing and assess compliance with the Regulation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Earlier this spring, the EU Parliament voted for the implementation of a new EU Data Protection Regulation, as proposed by the EU Commission. The next step is for the Council to adopt the Regulation, in which case it may become effective from 2016. It may, thus, be time to take a closer look at what changes the Regulation will bring.<\/strong><\/p>\n","protected":false},"author":1,"featured_media":34585,"template":"","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":""},"article_category":[1035,1062],"class_list":["post-38307","articles","type-articles","status-publish","has-post-thumbnail","hentry","article_category-intellectual-property-marketing-and-media-law","article_category-it-technology-telecoms"],"acf":[],"_links":{"self":[{"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/articles\/38307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/articles"}],"about":[{"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/types\/articles"}],"author":[{"embeddable":true,"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/users\/1"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/media\/34585"}],"wp:attachment":[{"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/media?parent=38307"}],"wp:term":[{"taxonomy":"article_category","embeddable":true,"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/article_category?post=38307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}