The European Commission’s new draft data protection regulation was leaked to the press earlier this month. The proposal includes repeal of the present EU Data Protection Directive 95/46 and recommends a General Data Protection Regulation, as well as a Police and Criminal Justice Data Protection Directive.
The Commission appears to have made good on its threats to increase enforcement so that U.S. and other companies outside the EEA comply. Among the ground-breaking proposals is a harmonised enforcement and sanctions mechanism that includes penalties of 1%, 3% or 5% of an enterprise’s annual worldwide turnover for intentional or negligent breaches of various data protection obligations. Penalties of that scale will certainly force organisations to sit up and take notice of their data protection obligations.
As suspected, the draft regulation includes new elements in relation to the principles of transparency and data minimisation, as well as a new principle of accountability for data controllers. Built into the new principle is an obligation for Privacy by Design “and by default”.
In addition, the right to be forgotten shifts the burden from individuals to organisations by requiring organisations that seek to continue to process personal data to demonstrate compelling legitimate grounds for the processing which override the interests or fundamental rights of the individual. This new right to be forgotten extends to erasure of information in the public domain available via the Internet or other communication service, and links to a new right to have the data restricted.
The draft Regulation also includes an obligation on large enterprises, whether they act as data controllers or as data processors, to appoint a data protection officer where the processing of personal data requires regular and systematic monitoring.
The draft Regulation further proposes a new ‘super’ regulator, a European Data Protection Board consisting of the heads of each Member State’s Data Protection Authority, to replace the Article 29 Working Party. This new body will have the power to review and opine on measures at the national level relating to cross-border data processing, whether within the European Union or outside it, including approvals of data transfer agreements and binding corporate rules.
As we recently saw with France’s implementation of a data protection label, the proposed Regulation encourages the use of data protection certifications, such as seals and marks, for data controllers, aimed at helping individuals assess an organisation’s privacy practices.
Unless organisations move data privacy and protection up their list of priorities, they will be sitting on a time bomb. The question is not whether this proposal will come into force, but when. There may be some changes while the proposal makes its way through the European Parliament, but the way forward for organisations is now clear, and they will have at least two years to bolster their processes and procedures and get ready for the new regime.