In 1995, AOL still charged by the hour for dial-up Internet access, Stanford Ph.D. candidates Larry Page and Sergey Brin were a year away from launching the research project that would become Google, and Mark Zuckerberg celebrated his 11th birthday. Fewer than 1 percent of European Union residents were Internet users.
That was the year the EU adopted its Data Protection Directive, which regulates the collection, processing and storage of personal information in Europe. Fast forward to the age of cloud computing, social networking and online behavioral advertising, and the antiquated rules were in need of a face-lift. After more than two years of consultations with industry, governments and individuals, on Jan. 25 the European Commission (EC) released its draft General Data Protection Regulation, an Internet-era revision that will replace the 1995 directive.
The proposed regulation takes rapid technological development and the dramatic increase of data-sharing and collection into account and tightens requirements, introducing a host of new concepts and new corporate responsibilities.
On Feb. 23, the Obama administration released its own framework for privacy protections, the Consumer Privacy Bill of Rights, which marks another step toward omnibus privacy legislation in the U.S. But traditionally, the EU has taken a much more stringent approach to data protection, and its new proposed regulation is no different.
The update presents big challenges to affected companies, but it also offers one huge improvement over the 1995 directive. While the EC has framed the new rules as a way to build a level of trust in consumers that will give Europe a market advantage, the real advantage for companies will be uniformity.
While the 1995 directive instructed each of the 27 member states to incorporate and implement the requirements into law, the update comes in the form of a regulation, which overrides national laws. Companies no longer will have to deal with 27 different interpretations of the 1995 directive. There will be one set of rules, and companies will only work with the national authority of the member state in which the company has its main establishment.
“Having one centralized set of rules is a huge step forward,” says Mary Hildebrand, a member of Lowenstein Sandler.
Much of the EC’s literature on the new regulation focuses on how the new certainty of the streamlined rules will spur innovation and make the EU a friendlier place for businesses that operate in the cloud.
That’s yet to be seen, but it will make Binding Corporate Rules (BCRs) easier for companies to adopt as an alternative to the Safe Harbor mechanism for transferring Europeans’ personal data to the U.S. Now, U.S. companies must satisfy just one data protection authority instead of the authorities in every country in which they operate.
“Right now BCRs are an option but extremely difficult to do—only about 12 companies have successfully done it,” says William Baker, of counsel at Wiley Rein. “My sense is the EU thinks BCRs can be an effective way to make data transfers, and it would like to streamline the process to make life easier for American businesses.”
While it offers important benefits, the 91 articles of the proposed regulation will present numerous new challenges for companies.
The regulation has expanded extraterritorial application: Companies that process EU residents’ personal data are subject to the requirements if they offer goods or services to data subjects in the EU or if they monitor those subjects’ behavior. Under the prior directive, the rules applied to companies only if they had some physical presence in Europe, such as an office, a data processing point or space in a server farm.
“You can see how this is really reaching its tentacles outside of Europe into the U.S. corporate world,” says Susan Foster, a member of Mintz Levin in London.
Companies without a physical presence in Europe now must appoint a representative in Europe—a person or company that “acts and may be addressed by any supervisory authority and other [EU bodies]” in the place of the company.
Companies with 250 employees or more would have to appoint a senior data protection officer in an auditor role.
“Only a small handful of very forward-looking companies have implemented accountability-type frameworks,” says Lisa Sotto, a partner at Hunton & Williams. “You can’t underestimate how significant this change is going to be.”
Another new requirement creates what Foster calls “the toughest data breach notification requirements I’m aware of anywhere,” which requires companies to notify authorities of a personal data breach “where feasible, within 24 hours.”
The new regulation also raises consent standards, requiring companies to get explicit, rather than implied, consent to process personal data. It includes a provision that suggests consent would not be valid “where there is a significant imbalance between the position of the data subject” and the company, language Foster says is troubling.
One of the other major changes addresses fines for noncompliance. The new regulation gives national data protection authorities the right to impose fines totaling up to 2 percent of a company’s global revenues. Previously, fines have been rare and low in this area given the scale of data processing in Europe.
Social Networking Rights
One of the regulation’s most controversial new provisions is the right to be forgotten, or the right to “erasure without delay” of personal data upon request if there is no legitimate reason for keeping it. A related provision is the right to data portability, which gives users to the right to move their personal data and to obtain copies of it from companies that process it in a common format.
“I’m slightly worried that we might not have Facebook in Europe if this regulation actually goes into effect,” Foster says. “I think [authorities] have really underestimated the potential burden on these companies.”
Both provisions look burdensome in the context of social networking—imagine a request that a Facebook user’s every post, “like” and photo tag be deleted or transferred to another service. Foster says that the final regulation might include something like a balancing test between the importance to the individual versus the burden on the company.
While there’s still time for discussion and revision as the EC presents the bill for consideration to the European Parliament and European Council, the draft regulation already has been through two years of formal, extensive consultation (or comment) processes.
“Companies should probably assume that we’ll end up with something pretty similar to what we have in the draft regulation,” Foster says.