6 things you need to know about the new EU privacy framework
• Thiébaut Devergranne
Today, the European Commission announced a new proposal for the Directive 95/46 on « the protection of individuals with regard to the processing of personal data« . It’s a revolution. Since 1995, the text aged and dramatic technology changes occurred : the Internet (!), social networks, mobile phones, geolocalization, biometrics, globalization, new development models (SaaS, PaaS, IaaS), Cloud computing… And, to say the least, the current Directive failed to impose an effective level of privacy for EU citizens. Moreover, each of the 27 countries members of the European Union adapted the Directive in their local legislation, creating a patchwork of 27 different rules. These challenges led the European Commission to propose a new legislative framework.
The text is more than 80 pages long so we’ll cover some ot the newest and most important aspects of it (check our formation cil for more details).
27 countries, one regulation
The new Directive will be a Regulation ! Simply said this means: one single text for all 27 countries. In the European acts, the Regulation is biding in its entirety and is directly applicable in all Member States (art. 288). As opposed to the Directive, which is binding as to the result to be achieved, but leaves each national authorities the choice of form and methods. The main idea of the Commission using a Regulation is to avoid fragmentation in the way personal data rules are implemented across the Union.
+80 pages, 91 articles this is a lot to implement for startups. Does this really favors entrepreneurship ?
In practice the text is more than 80 pages long, with a little less than 100 articles… This is a lot to digest, especially for small organizations. Concerns will surely raise for small companies : in today’s world can startup really implement 80 pages of legal constraints ?
A wider scope : any processed data of any EU citizens !
The second important innovation is the considerable extension of the scope of the regulation : now, anyone processing personal data of any EU citizen will fall under this legislation. It simply abolishes any geographical boundaries ! This will have a huge impact for US SaaS, Paas, IaaS providers, as well as social networks, search engines… The choice will be, either to accept the obligations set by the regulation, or refuse access to their services to EU citizen.
Here’s an extract of the article 3 that defines the scope of the regulation:
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.
- This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behaviour.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.
Note that some definitions are also strengthened and broadened (Article 4) as the regulation will also apply to the processing of IP addresses, Mac addresses, GPS localization data…
24 hours data breach notification, mandatory security assessments
Organizations will also be required to immediately disclose any security breach in regard to personal data, to their supervisory authority (within 24 hours – article 31 ; in France, to the CNIL). This rule has been adopted in reaction to Sony’s Playstation network breach, where the company waited an entire week before informing their 70 million customers that their personal data may have been compromised. 24 hours being a very short time, the rule is heavily criticized, because it could lead to false alarms, or even warn hackers their attacks has been spotted, before having time to catch them.
Another important measure is that the organizations will be bound to a systematic security evaluation of the risks involved on personal data, to prevent : unlawful forms of processing, unauthorized disclosure, dissemination or access, or alteration of personal data (Article 30).
The Commission will define the state of the art in terms of security
The Commission will also be empowered to adopt delegated acts to specify the measures to be taken and will define « what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default » (article 30).
Right to be forgotten, erasure and data portability
EU citizens will have the right to request extended erasure of their personal data. Not only the organization that processes personal data will have to erase it on demand, but the organization will also have to ensure efforts to get any copy, link, or replication removed on the Internet !
Let’s look precisely at the article 17 :
[The organization that made the data public] shall take all reasonable steps, including technical measures (…), to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication
On practical basis, removing data from search engines is not very hard and can be automated for the most part. However, requiring data removal from scrapers site is going to be a real challenge ! A simple request taken from a Wikipedia page shows a lot of websites are copying its information.
Another innovation is the introduction of the right to data portability (article 18). This means that clients will have the right to obtain a copy of the data undergoing processing in a structured format. For example, this will allow users to switch from Gmail, to Hotmail with their entire data.
Mandatory data protection officer, no more notifications !
The next innovation is data protection officers ! They will be mandatory in three cases :
- for every public authorities or bodies ;
- for companies employing more than 250 persons permanently ;
- for companies where core activity consist of monitoring data subjects.
The data protection officers will be designated in regard to their knowledge on data protection laws. They will be independent and will not receive any instructions (article 36) :
The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.
A very important revolution is the end of general notifications to local agencies. This measure alone will simplify the regulatory environment (and will save 130 million euro per year).
Huge administrative fines
National data privacy agencies will have huge administrative sanctions at their disposal. Clearly the idea is to « give the legislation the necessary ‘teeth’ so the rules can be enforced« . Different levels are set up, depending on the violation, but the most important fines will be up to 1M€, or for enterprises, and up to 2% of their annual worldwide turnover (article 79).
2% annual turnover fine would have meant 1.2 Billion dollars in 2008 for a company like Microsoft !
That’s a lot ! To take an example, for Microsoft’s revenues, in 2008, the maximum administrative fine would have been up to 1.2 Billion dollars ! Basically that will cut enterprises from most of their profits. This is pretty much convincing, provided that national supervisory authorities actually use these powers. For example, until now, France’s national data privacy agency has been extremely comprehensive for misconduct (the highest financial sanction since 2004 was Google who got a 100.000 € fine – hardly a weekly coffee budget for the firm…).
The objective of the Commission is to build a stronger and more coherent data protection framework in the EU, allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities. That’s great on paper. But in practice, even if simplifications are planned for small companies, will every EU organization be able to support 80 pages of legislation each time they decide to add a Facebook Like button on their website, open a new forum, or sell goods online ?
Tell us, how will you be impacted with this regulation ? Do you think it’s fair ?