Reform of the EU data protection regime – In house lawyers forum, spring 2013
Richard Nicholas

Upload: browne-jacobson-llp

Posted on 30-Jul-2015

• key dates

– July 2009 – Commission’s online consultation
– April 2010 – plans announced to prepare a new comprehensive framework for data protection
– November 2010 – Commission issues its approach to revising the framework; public consultation launched
– March 2011 – Council of the EU publishes conclusions on the ‘approach’
– November 2011 – ICO issues briefing on the future of data protection in the EU
– January 2012 – Commission proposals published
– February 2012 – ICO’s initial analysis of the proposals
– 7 March 2012 – opinion of the European Data Protection Supervisor
– 23 March 2012 – Article 29 Working Party opinion
– December 2012 – LIBE (Committee on Civil Liberties, Justice and Home Affairs) draft report
– February 2013 – ICO article-by-article analysis of the Commission’s proposal

• structure of the regulation

– general provisions
– data protection principles
– rights of data subjects
– obligations on controllers and processors
– transfer of personal data to third countries or international organisations
– nature, status, duties and powers of national supervisory authorities
– co-operation and consistency between member states
– remedies, liability and sanctions
– provisions relating to specific data processing situations

• regulation

– two-year implementation period
– intention is to harmonise
– ICO believes it is too detailed and prescriptive

• power to adopt delegated acts

• interaction between the regulation and national laws

Articles 1 to 4

• subject matter

• scope of the regulation

• territorial scope
– some of the most significant changes to the current regime

• definitions
– data subject and personal data
– online identifiers
– consent
– genetic and biometric data
– child

Articles 5 to 10

• data protection principles

• legal grounds for processing
– legitimate interests conditions
– further incompatible processing

• sensitive personal data

• concept of consent

Articles 11 to 21

• transparent information and communication

• subject access

• rectification and erasure
– ‘the right to be forgotten’

• right to data portability

• right to object
– burden of proof
– objecting to processing for the purpose of direct marketing

• measures based on profiling

Articles 22 to 39

• accountability principle
– document all processing (name and contact details of the controller, purposes of processing, name of the DPO, categories of data subject, recipients, any transfers, time limits for erasure of data)

• data security breach notification

• data protection impact assessment
– before processing that presents ‘specific privacy risk by virtue of its nature, scope or purposes’

• appointment of a Data Protection Officer (DPO)

• data protection by design and by default

• processors

Articles 41 to 45

• Commission finding of adequacy

• binding corporate rules

• standard contractual clauses

• derogations
– consent
– necessary to perform a contract
– necessary for important grounds of public interest
– necessary for the establishment, exercise or defence of legal claims
– necessary to protect the vital interests of the data subject or another person
– transfer made from a public register
– one-off, infrequent transfers necessary for the legitimate interests of the data controller (DC)

Articles 46 to 54

• independence of supervisory authorities

• duty to co-operate

• duties and powers of authorities
– to act as lead authority where the data controller (DC) or data processor (DP) is established in several member states
– to sanction administrative offences

Articles 55 to 72

• co-operation

• consistency
– creation of the European Data Protection Board (EDPB), consisting of the heads of the national DPAs and the European Data Protection Supervisor

Articles 73 to 79

• written warning

• fines, up to
– EUR250,000 (or, for an enterprise, 0.5% of annual worldwide turnover) – failure to operate a proper SAR mechanism
– EUR500,000 (or 1%) – failure to respond to a SAR
– EUR1,000,000 (or 2%) – other compliance failures

• amount fixed with regard to
– nature, gravity and duration of the breach
– whether intentional or negligent
– degree of responsibility
– technical and organisational compliance measures in place
– degree of cooperation with the authorities to remedy the breach

Articles 80 to 85

• creates special rules for specific situations:
– derogations from the regulation for journalism, literary or artistic expression, freedom of expression
– health data
– employment context
– historical, statistical or scientific research

• EU: Commission proposes mandatory notification of cyber incidents

Get in touch if you have any questions or would like further information.

t +(0)121 237 3992

e [email protected]