6 things you need to know about the new EU privacy framework

Jan 25, 2012 • Thiébaut Devergranne

Today, the European Commission announced a proposal to replace Directive 95/46 on "the protection of individuals with regard to the processing of personal data". It's a revolution. Since 1995, the text has aged and dramatic technology changes have occurred: the Internet (!), social networks, mobile phones, geolocation, biometrics, globalization, new delivery models (SaaS, PaaS, IaaS), cloud computing... And, to say the least, the current Directive failed to impose an effective level of privacy for EU citizens. Moreover, each of the 27 member countries of the European Union transposed the Directive into its local legislation, creating a patchwork of 27 different sets of rules. These challenges led the European Commission to propose a new legislative framework.

The text is more than 80 pages long, so we'll cover some of the newest and most important aspects of it (check our CIL training for more details).

27 countries, one regulation

The new Directive will be a Regulation! Simply put, this means one single text for all 27 countries. Among the European acts, a Regulation is binding in its entirety and directly applicable in all Member States (art. 288). By contrast, a Directive is binding as to the result to be achieved, but leaves each national authority the choice of form and methods. The Commission's main reason for using a Regulation is to avoid fragmentation in the way personal data rules are implemented across the Union.

80+ pages and 91 articles: this is a lot to implement for startups. Does this really favor entrepreneurship?

In practice the text is more than 80 pages long, with a little less than 100 articles... This is a lot to digest, especially for small organizations. Concerns will surely arise for small companies: in today's world, can a startup really implement 80 pages of legal constraints?

A wider scope: any processed data of any EU citizen!

The second important innovation is the considerable extension of the scope of the regulation: now, anyone processing personal data of any EU citizen will fall under this legislation. It simply abolishes any geographical boundaries! This will have a huge impact on US SaaS, PaaS and IaaS providers, as well as social networks, search engines... The choice will be either to accept the obligations set by the regulation, or to refuse access to their services to EU citizens.

Here's an extract of article 3, which defines the scope of the regulation:

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.
  2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behaviour.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

Note that some definitions are also strengthened and broadened (Article 4), as the regulation will also apply to the processing of IP addresses, MAC addresses, GPS location data...

24-hour data breach notification, mandatory security assessments

Organizations will also be required to disclose immediately any security breach involving personal data to their supervisory authority (within 24 hours, article 31; in France, to the CNIL). This rule has been adopted in reaction to Sony's PlayStation Network breach, where the company waited an entire week before informing its 70 million customers that their personal data may have been compromised. 24 hours being a very short time, the rule is heavily criticized: it could lead to false alarms, or even warn attackers that their intrusion has been spotted before there is time to catch them.

Another important measure is that organizations will be bound to carry out a systematic evaluation of the security risks to personal data, in order to prevent unlawful forms of processing, unauthorized disclosure, dissemination or access, or alteration of personal data (Article 30).

The Commission will define the state of the art in terms of security

The Commission will also be empowered to adopt delegated acts to specify the measures to be taken, and will define "what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default" (article 30).

Right to be forgotten, erasure and data portability

EU citizens will have the right to request extended erasure of their personal data. Not only will the organization that processes personal data have to erase it on demand, it will also have to make efforts to get any copy, link, or replication removed from the Internet!

Let's look precisely at article 17:

[The organization that made the data public] shall take all reasonable steps, including technical measures (…), to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication

On a practical basis, removing data from search engines is not very hard and can be automated for the most part. However, requiring data removal from scraper sites is going to be a real challenge! A simple search on a sentence taken from a Wikipedia page shows how many websites copy its content.

Another innovation is the introduction of the right to data portability (article 18). This means that clients will have the right to obtain a copy of the data undergoing processing in a structured format. For example, this will allow users to switch from Gmail to Hotmail with all their data.

Mandatory data protection officer, no more notifications!

The next innovation is data protection officers! They will be mandatory in three cases:

  • for all public authorities or bodies;
  • for companies employing more than 250 persons permanently;
  • for companies whose core activity consists of monitoring data subjects.

Data protection officers will be designated on the basis of their knowledge of data protection law. They will be independent and will not receive any instructions (article 36):

The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.

A very important revolution is the end of general notifications to local supervisory agencies. This measure alone will simplify the regulatory environment (and will save 130 million euro per year).

Huge administrative fines

National data privacy agencies will have huge administrative sanctions at their disposal. Clearly the idea is to "give the legislation the necessary 'teeth' so the rules can be enforced". Different levels are set up depending on the violation, but the most important fines will be up to €1M or, for enterprises, up to 2% of their annual worldwide turnover (article 79).

A 2% annual turnover fine would have meant 1.2 billion dollars in 2008 for a company like Microsoft!

That's a lot! To take an example, on Microsoft's 2008 revenues, the maximum administrative fine would have been up to 1.2 billion dollars! Basically, that would cut enterprises off from most of their profits. This is quite convincing, provided that national supervisory authorities actually use these powers. For example, until now, France's national data privacy agency has been extremely lenient toward misconduct (the highest financial sanction since 2004 was a €100,000 fine against Google, hardly a weekly coffee budget for the firm...).


The objective of the Commission is to build a stronger and more coherent data protection framework in the EU, allow the digital economy to develop across the internal market, put individuals in control of their own data, and reinforce legal and practical certainty for economic operators and public authorities. That's great on paper. But in practice, even if simplifications are planned for small companies, will every EU organization be able to bear 80 pages of legislation each time it decides to add a Facebook Like button on its website, open a new forum, or sell goods online?

Tell us, how will you be impacted by this regulation? Do you think it's fair?


As you said, "that’s great on paper".

But as the French example you cited illustrates the point, laws are relevant only when they are applied equally to all.

In this area, France (and Europe) have a tremendous margin of progression ahead of them. Just think of the anti-trust trial against MSFT which ended with ex-MSFT employees leading the inquiry at the Commission, settling a case in very favourable terms for their ex-employer just before the EU Commission focussed on MSFT's competitors...

The "Rule of Law" may still have traction in the media. It would be more than welcome to have citizens share the views of the appointed voices.

Keep up the good work!

Thiébaut Devergranne

Hi Pierre!

Well, I can relate to the data privacy regulation today in France; one of the main problems we have in data privacy today is the complete lack of enforcement.

So for each person getting caught, there are thousands of others doing the same thing, but without any practical restriction, and very often, real economic gains. Very often I get to wonder: should this really be the role of law?

Paweł Krawczyk

Sorry, but this part cited below is just not true – no local regulation cares about "geographical boundaries", because any local law by definition is limited to the area for which it was established. In this case – the European Union. And it's only because 27 member countries have signed a treaty, where they have agreed that they will actually obey EU law. The United States or Russia have no obligations to care about EU directives, much like the EU does not care about US patent law:

"anyone processing personal data of any EU citizen will fall under this legislation. It simply abolishes any geographical boundaries ! This will have a huge impact for US SaaS, Paas, IaaS providers, as well as social networks, search engines… The choice will be, either to accept the obligations set by the regulation, or refuse access to their services to EU citizen"

This regulation may still impact foreign companies like Google or Facebook, because most of them do have legal representation in the EU for collecting revenues (e.g. Google Ireland etc.), but it's definitely not even similar to a situation where a US company has to restrict their services to comply with EU law.

Thiébaut Devergranne

Ok, interesting comment! I agree and disagree with you. Article 3 of the regulation states very clearly: "(...) This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union;"

So if you're a company doing business within the EU or simply processing EU residents' data, legally you'll have to apply the regulation, otherwise you're heading for legal problems (people suing you in their countries). Of course, if you're a small company doing a little bit of business in the EU, you're not going to be impacted a lot.

But this is not the outcome of this regulation. The outcome is to target Google, Facebook, Twitter, to make sure they comply with EU laws. That's it, period. That's the main target. The rest, well, some companies will be practically impacted, some others not.
