A Critical Time for the EU Data Protection Regulation

Christopher Wolf

leads the global privacy practice at the Hogan Lovells law firm and co-chairs the Future of Privacy Forum, a privacy think tank.


ZD 2013, 1

Policymakers around the world are re-examining the legal framework that regulates the collection, use, sharing, and storing of personal information, proposing more robust protections for such information and increasing the legal obligations of business. The new approaches are a response to the dramatically different ways in which technology interacts with personal data and to the potential for that data to be exposed and misused.

Within the past year, new privacy frameworks were proposed by the European Commission and by the Obama Administration, each seeking more protection for individuals. Despite common foundations in the Fair Information Practice Principles, the privacy regimes from opposite sides of the Atlantic exhibit fundamental differences in approach and substance.

The US proposal eschews the EU fundamental rights approach and instead focuses on a privacy "Bill of Rights" and a related set of enforceable, multi-stakeholder codes of conduct. At the same time, solutions are being sought to provide a "Do Not Track" option for consumers; the rules for children's privacy are being tightened; mobile and app privacy are in focus; and data brokers are under scrutiny. Major issues associated with new technologies are being addressed in the US, although without the across-the-board approach to privacy protection that characterizes the EU approach.

At the start of the second Obama Administration, the timetable for changes in American privacy law is indefinite. Progress is being made, but the completion date for any one of the initiatives cannot be predicted. (The one exception relates to health privacy, for which new regulations from the Department of Health and Human Services are expected forthwith.)

In contrast, in the EU it is widely expected that an opinion on the proposed EU Data Protection Regulation will be coming soon from the European Parliament Committee on Civil Liberties, Justice and Home Affairs, the so-called LIBE Committee. And while adjustments to various provisions are likely to be proposed (such as the time period for reporting data security breaches, set at a presumptive 24 hours in the current draft), endorsement of the Regulation to the Parliament and Council is expected. At that point, rapid consideration of the proposed Regulation in the Parliament and Council is likely.

It is the proverbial "home stretch" of the formal consideration of the Regulation introduced in January 2012 by Vice-President Viviane Reding. For that reason, it is time for sharp focus on the EU Regulation, because what happens in the EU has an impact on multinational organizations operating across borders and on the evolution of privacy frameworks around the world.

Over the past year, there has been little disagreement over the goals of the Regulation to provide region-wide uniformity in privacy law, to reduce bureaucracy, to institutionalize "Privacy by Design," and to establish a new framework that reflects the evolution of technology and social media and their impact on the protection of personal data.

More controversial are the proposed penalties of up to 2% of an entity's global turnover for violations of the Regulation; the extension of the Regulation's jurisdiction and applicability beyond the EU's borders to companies "offering of goods or services to [...] data subjects in the Union or [engaged in] the monitoring of their behavior"; the establishment of data portability, which could create a ban on "tying" information to services that would otherwise be permissible under competition law; and the "right to be forgotten."

There are lingering questions over the operation of the "one-stop shop," in which one Data Protection Authority (DPA) will have primary jurisdiction over a company based on the location of its "main establishment"; and concerns have been expressed over the impact of the Regulation on small and medium-sized enterprises (SMEs).

In November, the UK Government published its Impact Assessment of the draft European data protection regulation. When the draft regulation was first published, the European Commission estimated that harmonizing the European data protection regime would bring a net administrative benefit of €2.3 billion to the EU. However, the UK Ministry of Justice has carried out its own analysis of the proposals and concluded that for the UK alone there would be an annual net cost of between £100 million and £360 million.

The UK Government takes the position that the Commission failed to take into account all of the costs that would arise from the draft regulation, and it identifies the following aspects of the regulation that will impose additional costs on businesses:

  • The requirement to employ a data protection officer;
  • The requirement to carry out data protection impact assessments;
  • The requirement to provide notification of all personal data breaches to the supervisory authority; and
  • The administrative costs of demonstrating compliance.

It also points out that supervisory authorities will require substantially more resources to carry out their widened responsibilities, and that the powers the Commission has proposed to give itself to make delegated acts could also affect the costs and benefits of the new proposal. The UK Government stated that it will use the evidence set out in its Impact Assessment to "continue to push for a lasting data protection framework that is proportionate, and that minimizes the burdens on businesses and other organizations, while giving individuals real protection in how their personal data is processed."

At the same time, also in November 2012, the European Network and Information Security Agency (ENISA) released a report on the technical aspects of the "right to be forgotten". ENISA pointed out that any technical solution for the "right to be forgotten" would require an unambiguous definition of the personal data covered by the right, a clear notion of who can enforce it, and a mechanism for balancing it against other rights such as freedom of expression. According to the report, the text of the current European proposal leaves each of these subjects open to debate, making it difficult to implement technical mechanisms to deal with the "right to be forgotten".

ENISA also noted that the "right to be forgotten" is virtually impossible to enforce in an open network such as the Internet. Nothing prevents users from freely copying and redistributing digital content, including photos, and subsequently trying to find and erase the distributed copies would be impossible. ENISA states that the only way to prevent such redistribution would be to use digital rights management (DRM) technology similar to that used by certain publishers of digital content such as motion pictures and music; however, most DRM technologies can be easily circumvented. ENISA points out that partial enforcement of the "right to be forgotten" could be achieved by requiring search engines subject to European jurisdiction to filter search results so that the information that is supposed to be forgotten does not show up:

"A natural way to "mostly forget" data is thus to prevent its appearance in the results of search engines, and to filter it from sharing services like Twitter. EU member states could require search engine operators and sharing services to filter references to forgotten data. As a result, forgotten data would be very difficult to find, even though copies may survive, for instance, outside the EU jurisdiction".

The French data protection authority, the CNIL, recently made three critical points about the Regulation in its Annual Report. First, the CNIL expressed concern that making a single data protection authority responsible for the Europe-wide activities of an enterprise could result in a significant decrease in the level of protection of individuals. Citing the example of a social network whose main establishment is located in another European member state, the CNIL said it was inappropriate to reduce the role of the French data protection authority to that of a simple mailbox forwarding complaints to the principal DPA responsible for the social network's activities. According to the CNIL, a French user who is harmed by the activities of an enterprise doing business in France should be able to look to the French regulator for redress.

The second point on which the CNIL diverges from the Commission is the issue of international data transfers. The CNIL believes that transfers to countries that have not been recognized as providing adequate protection should be based on contractual clauses or binding corporate rules (BCRs) that have been approved in advance by the CNIL. Under the proposed regulation, an international transfer based on standard contractual clauses will not require the prior approval of the DPA.

Finally, the CNIL made the point that the new accountability measures included in the draft regulation should not be viewed as a form of self-regulation or as a trade-off for less regulatory supervision. Instead, the accountability measures should be viewed as a supplement to existing regulatory principles and enforcement practices.

The issues that have been raised about the proposed Regulation are real and substantial. How the reviewers in the European Parliament analyze and report on the proposal will be critical. As important as momentum may be to obtain approval of the Regulation in a timely fashion, equally important is ensuring the passage of a workable and balanced set of new rules.