RANE Spotlight Series
EU Data Protection Regulations January 20, 2015
“The new laws come after nearly four years of negotiations and are motivated by the fact that more than 90 percent of Europeans say they want the same data protection rights across the EU, regardless of where their data is processed.” (Vinson & Elkins)
“This will change not only how Europe regulates personal data but how we as a global society regulate the Internet.” (Perkins Coie)
“Perhaps the most important shift here is the focus on the obligation for the Data Controller, who must now be proactive in documenting and logging [data protection] incidents.” (Sytorus)
Multinational businesses are facing unprecedented regulatory uncertainty and risk in the wake of recent changes in the EU’s data governance regime. To help businesses better understand the potential impacts and ramifications of the ongoing shifts, RANE has curated commentary produced by three expert firms: Vinson & Elkins, Perkins Coie, and Sytorus.

BACKGROUND

Last October, the European Court of Justice invalidated the Safe Harbor regime, which for 15 years had allowed U.S. companies to store European data in the U.S. and remain compliant with tougher EU privacy laws. A grace period has been granted until early February, during which European regulators will not pursue enforcement actions against companies formerly protected by Safe Harbor. On Feb. 2, European regulators are set to issue guidance on how companies can transfer data legally in the absence of a formal, new Safe Harbor agreement.

At the same time, the European Parliament, Council of the European Union, and European Commission in mid-December reached a separate agreement on a proposed uniform pan-European law on data protection. If adopted and put into effect within two years, these new rules could require companies to implement much stricter and more costly data protection compliance regimes. Businesses could also face the possibility of much bigger fines and other penalties for any violations of the new regulations, as well as having to grapple with a much broader definition of personal data and expanded user consent requirements. A replacement for Safe Harbor, instituted in the next two years, could potentially ease the burden that businesses face from the new European data protections. However, the future of a Safe Harbor 2.0 is uncertain, and in the meantime businesses would still need to comply with existing European data laws.

RANE Corp. | RANE Spotlight Series | www.ranenetwork.com | [email protected]
IMPLICATIONS FOR ORGANIZATIONS

New Burdens for Businesses
Sytorus notes that organizations not based in the European Union must designate a representative in an EU jurisdiction in which they operate. Non-EU entities that use equipment or a service provider in the EU are subject to EU rules.
The EU data law applies to all personal data it covers, regardless of whether the data subject resides in or is a citizen of the European Union.
Entities may only transfer data out of Europe if the destination is deemed by the European Commission to have adequate data protection laws. In contrast to the Safe Harbor rules, businesses may no longer self-certify that an international data transfer is adequately protected unless the destination is on the list of pre-approved countries.
Businesses must appoint a Data Protection Officer who is responsible for implementing the data protection rules within the organization and who is accountable for breaches of the regulation. A group of businesses may appoint a single, shared Data Protection Officer.
When engaging in certain types of data processing, entities must conduct a data protection impact assessment. If the assessment indicates a high level of risk, the entity must consult its chosen Data Protection Authority before proceeding.
If the security of data held by an entity is breached, the entity must notify its chosen Data Protection Authority within 72 hours of becoming aware of the breach, and must also inform the affected individuals without undue delay where the breach is likely to put them at high risk.
Changes to Data Regulation
The definition of personal data, as Perkins Coie points out, has been greatly expanded to include online identifiers such as IP addresses and cookies.
Businesses must obtain informed, freely given, and express consent in order to process personal data. If the data falls within special categories of sensitive data including religion and political opinions, consent must also be specific and unambiguous. Businesses must be able to produce proof of such consent when requested.
Data must be collected for a specific, legitimate purpose, and may only be used for that purpose.
Individuals must be given the right to opt out of the use of their data for marketing.
“The Right to Erasure”: The General Data Protection Regulation replaces the earlier “right to be forgotten” ruling with a rule of narrower scope. Data controllers must give individuals the ability to access their data, to transfer it from one service provider to another, and, where there are no legitimate grounds for the data to be held, to have every instance of it held by the controller erased.
In the case of data pertaining to children, data processors must obtain consent from a parent or guardian. Perkins Coie notes that this regulation differs from similar U.S. regulations in that it defines children as under the age of 16, not 13.
Fines and Penalties
The new regulation introduces a tiered sanction system with greatly increased penalties. Some violations carry a fine of up to 2 percent of an entity’s total annual worldwide revenue, while the most serious violations can result in fines of up to 4 percent of annual worldwide revenue.
Other Significant Points for Consideration
The new regulation will apply to a wide range of entities. It should be emphasized that the law applies even to entities outside the EU that offer products or services to people in Europe, regardless of whether or not a fee is charged. Perkins Coie notes that the legislation treats the monitoring of behavior as data collection, which implies that processes such as web analytics may fall within the regulation.
Vinson & Elkins suggests that compliance with the regulation requires data protection safeguards to be built into products and services, and notes that “privacy-friendly techniques such as pseudonymisation will be encouraged, to reap the benefits of big data innovation while protecting privacy.”
Businesses should consider using the model contractual clauses approved by the European Commission for transfers in situations where express consent to use an individual’s information cannot be obtained, unless an exemption from that requirement applies.
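The two points above, that IP addresses and cookie identifiers now count as personal data and that pseudonymisation is the encouraged way to keep such data usable, are illustrated by the following added example. It is not code from the RANE page or from any of the quoted firms. It assumes a keyed pseudonymisation scheme (HMAC-SHA256 under a secret key that is stored separately from the pseudonymised dataset) with a per-purpose label so that the same identifier receives unrelated pseudonyms in datasets held for different purposes; the log records, key and purpose names are constructed for the example.

```python
"""Keyed pseudonymisation of online identifiers (added example, not from the page).

Assumptions: HMAC-SHA256 as the keyed function, a secret key held apart from the
data, and constructed sample web-analytics records.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List, Optional

# Constructed sample records. The IP address and the cookie ID are the kind of
# "online identifiers" the regulation now treats as personal data.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"ip": "203.0.113.42", "cookie": "sess-7f3a9c", "path": "/pricing"},
    {"ip": "203.0.113.42", "cookie": "sess-7f3a9c", "path": "/checkout"},
    {"ip": "198.51.100.7", "cookie": "sess-11bb02", "path": "/pricing"},
]


def pseudonymise(value: str, key: bytes, purpose: str) -> str:
    """Return a stable pseudonym for `value` that cannot be reversed without `key`.

    The `purpose` label is mixed into the MAC input as domain separation: the
    same identifier yields unrelated pseudonyms for "analytics" and "fraud",
    so two datasets kept for different purposes cannot be joined on it.
    """
    msg = purpose.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]  # 128-bit join key


def pseudonymise_records(records: List[Dict[str, str]], key: bytes, purpose: str) -> List[Dict[str, str]]:
    """Replace identifiers in each record; non-identifying fields are kept as-is."""
    out = []
    for r in records:
        out.append({
            "ip": pseudonymise(r["ip"], key, purpose + ":ip"),
            "cookie": pseudonymise(r["cookie"], key, purpose + ":cookie"),
            "path": r["path"],
        })
    return out


def truncate_ip(ip: str) -> str:
    """Anonymising alternative: drop the host part (keep /24 for IPv4, /48 for IPv6).

    Unlike pseudonymisation this is irreversible for everyone, but it also
    destroys the ability to count distinct visitors.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def can_reidentify(pseudonym: str, candidates: List[str], key: bytes, purpose: str) -> Optional[str]:
    """Re-identification needs both the key and a candidate list: this is the
    'additional information' that must be kept separately under the regulation."""
    for c in candidates:
        if hmac.compare_digest(pseudonymise(c, key, purpose), pseudonym):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed key; store it apart from the data
    recs = pseudonymise_records(SAMPLE_RECORDS, key, "analytics")
    for r in recs:
        print(r)
    # Same visitor keeps the same pseudonym, so sessions can still be linked.
    print("linkable:", recs[0]["ip"] == recs[1]["ip"])
    # A dataset for another purpose gets an unrelated pseudonym for the same IP.
    print("cross-purpose join possible:",
          pseudonymise("203.0.113.42", key, "analytics:ip") == pseudonymise("203.0.113.42", key, "fraud:ip"))
    print("truncated:", truncate_ip("203.0.113.42"), truncate_ip("2001:db8:abcd:1234::1"))
```

Rotating the key (for example per retention period) makes old pseudonyms unlinkable to new ones, which is a cheap way to bound how long a visitor can be tracked; the trade-off is that longitudinal analytics stop at each rotation.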
Sytorus notes that, while the entity that controls data is primarily responsible for compliance, an entity contracted to process data for the controller can in some circumstances share equal liability.
Sytorus notes that European authorities investigating breaches of the new regulations will examine company practices “for evidence of a ‘forward-thinking attitude.’”
Data controllers and processors should “seek certification with recognized international standards” such as ISO 27001, Sytorus adds.
Organizations operating in Europe are advised not to simply tweak existing compliance regimes and data collection systems to conform to the new legislation. The new rules are designed to make companies build data collection, storage, and processing systems that have security and data protection designed in from the outset.
Provisions for Small and Medium Businesses

Vinson & Elkins notes a number of exemptions and allowances for small and medium enterprises, including the following:
They can charge a fee for data access if requests are unfounded or excessive.
They are exempt from the requirement to appoint a Data Protection Officer.
There is no obligation to perform a data impact assessment before processing data except for in high-risk situations.
More Efficient Regulation
As Perkins Coie notes, this regulation means “each [EU] Member State will have the same law leading to greater harmonization among the Member States.”
The regulation includes a mechanism that allows the European Data Protection Board to rule on data protection issues across the European Union.
Businesses may now choose a single Data Protection Authority jurisdiction with which to register instead of filing data processing notifications with the authorities of every member state in which they operate.
ABOUT THE PARTICIPANTS

Founded in 1912, Perkins Coie has more than 1,000 lawyers in 19 offices across the United States and Asia. We provide a full array of corporate, commercial litigation and intellectual property legal services to a broad range of clients, from FORTUNE 50 corporations to small, independent startups, as well as public and not-for-profit organizations.

Sytorus offers advice, support and training to assist organizations with putting compliant, practical data management structures in place. Our broad range of expertise in the areas of data and project management, IT and data management, client engagement and training makes us one of the foremost providers of Data Protection support services in Ireland.

Vinson & Elkins is an international law firm with offices in major energy, financial, and political centers worldwide. It offers clients renowned legal excellence as well as efficiency and deep market intelligence in a manner that reflects the firm’s entrepreneurial spirit.

ABOUT RANE

RANE is an information services and advisory company serving the market for global enterprise risk management. We provide access to, collaboration with, and unique insights from the largest global network of credentialed risk experts covering over 200 categories of risk. Through our collective insight, we help enterprises anticipate emerging threats and manage today’s most complex risks more effectively.