The new President of the European Commission, Mr. Jean-Claude Juncker, has declared that data protection is “a fundamental right of particular importance in the digital age.” This push for data protection rights is apparent in the General Data Protection Regulation (the “Regulation”), which is still in draft form. In addition to Mr. Juncker, the new European Data Protection supervisor, Mr. Giovanni Buttarelli, and several members of the European Parliament, including the German member of parliament who has been central to driving through the Regulation, Mr. Jan Philipp Albrecht, have all called for the Regulation to be finalized this year. This article summarizes the key aspects of the Regulation and the new EU cybersecurity directive (also still in draft form) and their potential impact on U.S. companies.
General Data Protection Regulation
If finalized in its existing form, the Regulation will impose key obligations on organizations processing personal data in the EU. The Regulation will extend to non-EU-based organizations that offer products or services to EU citizens or otherwise process personal data about EU citizens, even if they do not have a physical presence in the EU. U.S. companies, for example, that process personal data relating to EU citizens will need to appoint a representative, with a mandate from the organization to act on its behalf in relation to its obligations under the Regulation, to serve as the point of contact for a supervisory authority. The representative will, therefore, need to be sufficiently senior and should also report directly to senior management on matters relating to the Regulation. If the organization fails to comply with regulatory requirements, the representative and the U.S. company could be subject to direct enforcement action by the supervisory authority.
The Regulation’s definition of “personal data” is broad and covers all information relating to a living individual who is identified or identifiable from the data (e.g. from a code, genetic information or other identifying information). This definition is more expansive than most definitions under U.S. federal and state law.
Organizations are required to obtain express consent to process personal data. Such consent must be explicit and freely given. Comprehensive information about the purposes for which personal data is collected and processed, as well as disclosed to others and transferred out of the U.S., must be provided to individuals before consent is obtained. Businesses should review their terms and conditions of business in this respect as well as their online and other privacy policies. Employers should also review the data processing provisions of their employment contracts.
Organizations, and any third party processors appointed to process personal data on their behalf, will need to keep relevant records of their respective processing activities for inspection by the supervisory authority as required.
Data Protection Impact Assessments
Organizations that process personal data of a nature or in a manner that is likely to result in a high risk of a breach of data protection rights for individuals must carry out data protection impact assessments to evaluate the nature and severity of the risks and, ultimately, to determine appropriate measures to mitigate these risks (as required by the Regulation). If the assessment indicates that processing operations involve a high risk to personal data protection rights that cannot be mitigated with appropriate measures, the organization should inform the supervisory authority (before processing takes place) to discuss how to deal with such a risk. This requirement will likely generate many questions about the appropriate trigger point for disclosure to the supervisory authority.
Surveillance
Following the PRISM revelations, the EU commenced discussions with its U.S. counterparts regarding amending the Safe Harbor program. The EU Commission published draft recommendations to improve the Safe Harbor program, but they are yet to be finalized. These related to transparency, redress, enforcement and access to information by U.S. officials. All but one of the recommendations have been addressed by the U.S. Federal Trade Commission (“FTC”). The only sticking point is the national security exception and the extent to which it may be applied. It is the view of Andrus Ansip, vice-president designate for the Digital Single Market, who is leading on the issue, that the national security exception should not be applied on a regular basis and that it must remain an exception. If an agreement with the U.S. government cannot be reached on this point, he believes that suspension of the Safe Harbor program should not be ruled out. In his view, the U.S. government needs to provide more specific conditions for when this exemption may be applicable. Mr. Ansip is quoted as saying, “Safe Harbor is not secure. The agreement has yet to live up to its name. If the U.S. government does not make a clear statement, we must consider suspending the agreement.” Such a suspension would impact the ability of U.S. companies to transfer personal data out of the EU.
Mr. Juncker also expressed concern about protecting the personal data of EU citizens: the U.S. “must guarantee that all EU citizens have the right to enforce data protection rights in the U.S. courts, whether or not they reside on U.S. soil.”
Encryption
While some fight for tighter data security, others argue that it interferes with law enforcement. Following the terrorist attacks in Paris earlier this month, David Cameron, the British prime minister, called for greater access to encrypted information. “Are we going to allow a means of communications which it simply isn’t possible to read?” Mr. Cameron said in reference to services like WhatsApp, Snapchat and other encrypted online applications. “My answer to that question is: ‘No, we must not.’” He went on to explain that, “The attacks in Paris demonstrated the scale of the threat that we face and the need to have robust powers through our intelligence and security agencies in order to keep our people safe.”
Unsurprisingly, the response from the technology community has been overwhelmingly negative, with some calling Mr. Cameron’s proposals “insane.” Ladar Levison (founder of the encrypted email service Lavabit) is quoted as saying, “Encryption underpins the entire network of trust on the Internet, from downloading applications to banking and software updates. If you have to hand over the keys, you’d be advised not to use some services.”
In fact, encryption is recognized in U.S. federal and state laws as a key aspect of appropriate security measures to protect personal data.
Data Protection Officers
The Regulation also would impact how organizations manage data security. Large organizations, with 250 or more employees, would have to appoint a Data Protection Officer to manage the organization’s compliance with data protection requirements and to act as the liaison officer with the relevant data protection authority. Recently, debate has ensued about whether this requirement should change from large organizations to those processing personal data relating to 5,000 data subjects in any consecutive 12-month period. The European Council, however, has proposed to scrap the requirement in the Regulation altogether and leave the requirements to other EU legislation or national laws.
If the requirement is retained, the role of the Data Protection Officer would be to advise the organization of its obligations under the Regulation and monitor compliance. He or she also will have to consider any data protection impact assessments, advise on the organization’s obligations and liaise with the supervisory authority from time to time. The person appointed in this role should be sufficiently knowledgeable in data protection matters to advise the organization and also report to senior management on its compliance with the Regulation.
Data Breach Notifications
After extensive debate in the European Parliament, the data breach notification provision in the Regulation has now been revised to require a notification by the organization to a supervisory body “without undue delay and, where feasible, within 72 hours.” Given the difficulty of quickly conducting a thorough forensic analysis, 72 hours may be infeasible for U.S. companies that experience significant security incidents. If the organization cannot notify within 72 hours, an explanation of the delay must be submitted with the notification. The obligation to notify the affected individuals themselves, however, would be triggered only if their personal data protection rights could be “severely” affected by the breach. In this event, the individuals must be notified “without undue delay,” along with recommendations to mitigate the risk of loss to the individuals. The supervisory authority should also be kept informed of the notifications made to the individuals.
The “Right to be Forgotten”
Spanish citizen Mario Costeja González sued Google after it refused initial requests for the removal of old legal notices from the 1990s from Google’s search engine. The European Court of Justice (“ECJ”) decided that search engines had to balance the individual’s fundamental data protection rights against the interests of Internet users in accessing information. Even if the news report were true and the original publication was lawful, an individual can still enforce a right against a search engine to restrict the processing of that information where it adversely affects his data protection rights. In this case, the ECJ agreed with Costeja González that the information had become inadequate, irrelevant or excessive, and Google was required to restrict access to that information. Google’s public interest argument was not deemed persuasive. This “right to be forgotten” will become entrenched in the new Regulation.
Typically, such rights start with the individual issuing a subject access request against a company to gather information about the personal data being processed about that individual.
Cybersecurity
In December last year the European Commission and Council of Ministers met for a final meeting over the wording of the draft Network and Information Security Directive (the “NIS Directive”). The NIS Directive has been subject to much debate and controversy amongst the Member States with some, namely the UK, advocating for a voluntary, industry-led approach similar to the Cybersecurity Framework established in the U.S. by the National Institute of Standards and Technology (“NIST”) following President Obama’s Executive Order in February 2012.
However, the EU has opted for a legislative regime, and the draft Directive, which was approved by the European Parliament in early 2014, is now in the final stages of amendment. As it currently stands, the aim of the NIS Directive is twofold:
- to ensure that there is a suitable strategy within the EU with regard to the management of cybersecurity threats; and
- to enable information sharing amongst Member States as to cybersecurity threats.
Specifically, the draft NIS Directive includes:
- an obligation on all Member States to produce a national cybersecurity strategy as well as establishing points of contact for information sharing and cyber incident handling;
- a requirement to establish a “competent authority” and a Computer Emergency Response Team (CERT) in each Member State;
- a mandate for information sharing between Member States, as well as establishing a pan-EU cooperation plan, a coordinated early-warning system and a procedure for agreeing an EU-coordinated response to cyber incidents;
- the disclosure of security breaches by the finance, energy, transport and health sectors, as well as by “providers of Internet society services”; and
- encouraging the take-up of cybersecurity standards, with possible harmonization measures being taken by the EU Commission.
The usual concerns have arisen over harmonization of the NIS Directive, as is always the case with EU directives, since each Member State must independently enact it into national law. However, the main issues arise out of its scope, the circumstances under which security breaches must be notified, and the extent to which notifying organizations can and will remain anonymous.
Once the NIS Directive is ultimately finalized and approved by the EU Commission, the Member States will have 18 months in which to enact it into national law. Therefore it is unlikely that the effects of the NIS Directive will be felt until mid-2016 at the very earliest.
Penalties
Fines of up to the greater of 5 percent of annual global turnover or EUR 100,000,000 could be levied for a breach of the Regulation. This alone is likely to give teeth to the Regulation and empower the supervisory authorities and, ultimately, the European Data Protection Board. Organizations that process personal data of EU citizens, wherever they are based, are paying close attention to this important piece of legislation.
Conversely, the draft NIS Directive lacks the bite that the Regulation possesses and does not provide for any sanctions per se. Instead it has delegated the form and level of punishment for breaching the NIS Directive to the individual Member States. Commentators have speculated that the sanction will be equal to the current regulatory fines and/or notices imposed by each Member State.
As this new era of EU data privacy dawns, U.S. companies that offer products and services to EU citizens will feel the impact of these stricter data privacy laws.
Published January 24, 2015.