Since its publication in January 2012, the draft EU General Data Protection Regulation, which is intended to replace the 1995 EU Data Protection Directive, has been the subject of much lobbying and discussion in Brussels. Tasked by the European Union (EU) Parliament with evaluating the 2012 draft, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) announced that it had agreed on 91 amendments to the 2012 draft (the "Amendment"). The EU Parliament now has a mandate to start negotiations with the governments of the member states, and it is hoped that a final agreement on the text will be reached before the May 2014 European Parliament elections.
Though the regulation is not expected to take effect until 2016 at the earliest, any enterprise that does business with the EU or the European Economic Area, including cloud computing providers, needs to be aware of the upcoming changes to the EU data protection laws. In this tip, we'll provide an overview of the EU General Data Protection Regulation and the recently proposed amendments, with a focus on the major changes ushered in by the legislation.
By far, the most important change brought by the EU General Data Protection Regulation is the sharp increase in the financial penalties a company could face for a violation. The 2012 draft outlined a staged approach, with fines of up to 1 million Euros or from 0.5% to 2% of a corporation's annual worldwide turnover (i.e., total revenue), whichever is larger. This is in stark contrast with the 1995 Data Protection Directive, which offers no guidance on penalties and leaves the setting of sanctions to the individual member states.
Article 79 of the Amendment would define three categories of sanctions, which may be imposed cumulatively: (i) a warning, in the case of a first and unintentional offense; (ii) regular periodic data protection audits; and/or (iii) a fine of up to 100 million Euros or, in the case of an enterprise, up to 5% of annual worldwide revenue, whichever is larger. To put that number into context, Google announced $50 billion in revenue for 2012, meaning a maximum fine under the proposed EU data protection laws could total up to $2.5 billion. That would be roughly 100 times larger than the fine assessed by the Federal Trade Commission against Google in 2012, which also happens to be the biggest fine ever assessed in the U.S. for privacy violations.
According to Article 79 (2c) of the regulation, the severity of such sanctions would be determined by taking into account a number of factors, including: the nature, gravity and duration of the non-compliance; the intentional or negligent character of the infringement; the degree of responsibility; whether the infringement was a repeated occurrence; the categories of personal data affected; the level of damage suffered by the affected individuals; the action taken to mitigate the damages; and the financial benefits intended or gained from the infringement.
Broadened territorial scope
The agreed-upon amendments would expand the scope of the proposed regulation considerably. According to Article 3 of the legislation, the updated regulation would apply to the processing of personal data in the context of the activities of an establishment of a data controller or data processor in the EU, regardless of whether the processing itself takes place in the EU or not. So long as a data controller or data processor is established within the EU, all processing conducted by that controller or processor would be subject to the EU General Data Protection Regulation, even if the processing activities are not actually conducted within EU territory.
In addition, the regulation would apply to the processing of personal data within the EU by a controller or processor not established in the EU. Even if the data processor is providing a free service, any data-processing activities related to the offering of goods or services involving data subjects in the EU or the monitoring of EU data subjects would be subject to the proposed regulation.
Recital 20 of the proposed regulation lays out the criteria for determining whether a data controller is offering goods or services to data subjects in the EU; basically, if it is apparent that the data controller is envisaging the offering of services to data subjects residing in one or more EU member states, the legislation would apply. Thus a website or application would become subject to the law to the extent that it actively targets or markets to data subjects in the EU (or monitors them), not merely because the site or application happens to be reachable from the EU.
In practice, this means that websites and cloud services developed by U.S.-based companies may be subject to the regulation as soon as they offer goods or services to, or monitor, EU-based individuals, even if the company is not "established" in the EU. This is a significant change from the current law, which is generally understood to reach only companies with an established business in a member state.
Data transfers to non-EU countries
Some of the amendments made to the EU General Data Protection Regulation serve as a reaction to the recent disclosures brought forth by former National Security Agency (NSA) contractor Edward Snowden regarding mass surveillance activities performed by the U.S. government.
For example, the newly added Article 43a would require an EU data controller or data processor (e.g., a search engine, social network or cloud provider) to notify the supervisory authority of any received request to disclose personal data as a result of a third country's judgment or decision of a court, tribunal or administrative authority. The notification would have to be made without undue delay and the EU entity would have to obtain prior authorization for the transfer or disclosure from the supervisory authority. In addition, the data controller or processor would be required to notify the affected individual of the request, and of the authorization granted by the supervisory authority.
Though we've covered perhaps the most important changes brought on by the proposed EU data protection legislation, enterprises must also be aware of the many less-known rules included in the regulation. For example, Article 13a stipulates that privacy notices would have to be provided in two ways, using both an icon-based table and a detailed notice. Article 9 establishes a new category of sensitive data known as "gender identity." Article 20.2 introduces two sorts of profiling subject to different obligations. Additionally, the concept of "joint-controller" is introduced.
In the case of a security breach, Article 31 would require that notification occur "without undue delay," a major improvement over the prior, unrealistic 24-hour time frame. Other significant changes include new criteria set out in Article 41.8 for assessing "adequacy" for cross-border data transfers; existing adequacy decisions would expire five years after the regulation enters into force unless amended, replaced or repealed by the European Commission.
Just as important as the new additions, the regulation would also reinstate a provision from an earlier version of the 2012 document that addresses the long-standing problem of e-discovery requests made to EU affiliates of U.S. companies when a U.S.-based judge determines that information held by the EU affiliate is critical to a lawsuit filed within the United States. The revived provision, which had been removed just before the publication of the January 2012 draft, shows a renewed interest in setting up clear barriers to the transfer of data out of the EU in response to a foreign court order.
The transfer of data out of the EU in response to a request made by a U.S. judge has been the source of numerous disputes between U.S. litigants, where one side argues that U.S. law requires the production of certain evidence, and the other argues that doing so would cause its EU subsidiary or parent to violate the applicable EU law. Unless a mutually acceptable solution is found, U.S.-based companies and their EU affiliates will continue to be torn between two conflicting regimes.
Right to erasure
The unpopular "right to be forgotten" that was introduced in Article 17 of the 2012 draft would be replaced by a "right to erasure" in the new legislation. Despite the name change though, the concept remains largely similar. Essentially, individuals would have the right to have their personal data erased or blocked if they so request. Additionally, when a request is made to a company to erase data, that company would be required to forward the request to other entities that may control replications of the data.
Though the right to erasure may seem overly burdensome for enterprises, there are some important limitations on exercising the right. First, Article 17(1a) of the regulation stipulates that the application of the right to erasure would depend on the data controller's ability to verify that the person requesting the erasure is in fact the data subject. In cases where a particular technology does not allow data to be erased, Article 17(4)(da) would allow companies to block the data instead.
Recital 53 further clarifies that the right to erasure would not apply when the retention of personal data is necessary for the performance of a contract with a data subject, or when there is a legal obligation to retain this data.
Consent
The modified Article 7 would change the proposed rules regarding user consent. Consent would be limited to a particular purpose and would lose its validity either when that purpose ceases to exist, or as soon as the processing of personal data is no longer necessary for carrying out the original purpose.
Where processing is based on consent, an organization would be allowed to process personal information only after obtaining clear permission from the data subject, who would also be able to withdraw consent at any time. Further, the execution of a contract or the provision of a service could not be made conditional upon the user giving consent to the processing of personal data that is not strictly necessary for the completion of that contract or service.
The amended proposed EU General Data Protection Regulation introduces extensive changes to the 2012 draft, most of which create additional burdens, requirements or restrictions for businesses. Even enterprise operations performed outside the European Union may come under the purview of the updated laws. While it is impossible to predict exactly how the final text of the Regulation, if approved, will affect enterprise cloud computing in the EU, it is fair to expect that cloud computing customers would benefit from a stringent set of data protection standards, but those protections may come at a price, since providers would likely pass along the increased cost of compliance. Consequently, U.S. businesses should pay close attention to the upcoming developments and budget accordingly.
About the author:
Francoise Gilbert focuses on information privacy and security, cloud computing and data governance. She is the founder and managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance. She has been named Best Lawyers' San Francisco Lawyer of the Year for 2014, for her work in Information Privacy and Security. For several years, she has been recognized by Chambers USA and Best Lawyers in America, among others, as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume treatise Global Privacy and Security Law, which analyzes the data protection laws of 66 countries on all continents. She serves on the Technical Board of Advisors of the ALI-CLE and co-chairs the PLI Privacy and Security Law Institute. This article only reflects her personal opinion and not that of her clients or the Cloud Security Alliance.