
On January 25, 2012, the European Commission published a proposal for a new European Union (EU) regulation governing protection of individual privacy and the processing of personal data. The proposed short title of the regulation is the ‘General Data Protection Regulation’ (hereinafter, ‘Regulation’). Elisabethann Wright and Alexander Roussanov of Hogan Lovells International LLP discuss the implications.


  
EU Data Protection Legislation
 
And Its Potential Impact on US Companies
 
The proposed Regulation is intended to replace the current EU Data Protection Directive. Its objective is to amplify and clarify current EU data protection rules, to adapt these to the constant developments occurring in information technologies, and to ensure the direct application of uniform data protection rules throughout EU Member States.
 
The aim of ensuring the direct application of uniform data protection rules would be achieved by adopting the proposed modifications to the existing Data Protection Directive in the form of a regulation. Unlike directives, regulations have direct effect in EU Member States with no related implementation measures required at national level.
 
Territorial Scope of the Draft Regulation
 
The draft Regulation would apply, in certain cases, to the processing of personal data of individuals residing in the EU by entities not established in the EU, even if the entities do not use any EU-based equipment.
 
This could occur where data processing activities conducted by the non-EU entity are related to the supply of goods or services to individuals residing in the EU, or to monitoring the behavior of individuals residing in the EU.
 
The provision arguably extends the territorial scope of the EU data protection rules as compared to the provisions of the Data Protection Directive. 
 
Requirement to Appoint a Representative for Data Processing in the EU
 
The obligation to appoint a representative for processing personal data in the EU that is imposed by the Data Protection Directive on data controllers who are not established in the EU is maintained in the draft Regulation. This obligation does not apply, however, to a non-EU entity established in a third country that offers an adequate level of protection of personal data. Currently, the US does not qualify.
 
However, non-EU data controllers would no longer be required to appoint a data representative in each EU Member State where personal data is processed. One data representative in any EU Member State would suffice.
 
Moreover, as an exception, a US entity would not be required to make such an appointment if it employs fewer than 250 employees or if it only occasionally offers goods or services to individuals residing in the EU.
 
Transfer of Personal Data Outside the EU
 
The draft Regulation maintains and further clarifies the strict rules imposed by the Data Protection Directive concerning the transfer of personal data outside the EU to third countries not offering an adequate level of protection. Specifically, it provides for the possible transfer of personal data out of the EU to the US on the basis of internal, binding corporate rules developed by the US entity, approved by the supervisory data protection authority of an EU Member State, and implemented by the entity transferring the personal data.
 
Such a transfer could also be performed on the basis of contractual clauses that ensure an adequate level of protection for the personal data being transferred. These would include standard data protection clauses adopted by the European Commission or the EU Member States' supervisory authorities, as well as contractual provisions drafted by the parties involved in the transfer and approved by the supervisory authorities of the EU Member States.
 
As a derogation from the above principle, personal data may be transferred to third countries that do not offer an adequate level of protection if the individual to whom the personal data pertains has granted their specific consent after being informed of the risks involved.
 
Conditions for Obtaining the Consent of Individuals 
 
The draft Regulation clarifies existing rules and requirements concerning the consent granted by individuals whose personal data is processed. The data controller would carry the burden of demonstrating that the individuals have granted their consent to the specific purposes for which the data is to be processed.
 
One key point is that consent does not suffice where there is a significant imbalance between the position of the data subject and the controller. This restriction may cover, among other things, the consent granted by employees to the processing of their data by their employer. 
 
Other New Obligations for the Data Controller 
 
The draft Regulation imposes new obligations on data controllers, including requirements to notify the competent supervisory authorities of the EU Member States of breaches of the confidentiality or security of the processed personal data, to appoint a Data Protection Officer, to maintain detailed documentation regarding the data processing operations conducted, and to conduct a data protection impact assessment. This last requirement is intended to replace the current notification mechanism provided for in the Data Protection Directive.
 
Administrative Sanctions Imposed by the Supervisory Authorities
 
If the draft Regulation is adopted in its current form, the supervisory authorities of the EU Member States may be given power to impose administrative sanctions on natural persons or entities that process personal data in a non-compliant manner. These sanctions include warnings and fines of up to €1,000,000 for individuals and up to two percent of annual global turnover in the case of companies.
 
Future Steps
 
The draft Regulation will now be discussed by the European Parliament and the Council. Given that some of the provisions included in the draft are controversial, intense debate is anticipated. It is currently very difficult to speculate when – or even whether – the draft Regulation will be adopted and, if so, in what form.
 
  
 
 
  
     
 
European Council of American Chambers of Commerce US Chamber of Commerce