Agreement reached in the trialogue on the EU Data Protection Regulation
Reform of European data protection law enters the final stretch
The agreement of the responsible EU institutions on a joint text for the new EU Data Protection Regulation (EU-DPR) is a milestone in the reform of European data protection law and at the same time the starting signal for EU data protection compliance strategies. To create a uniform framework for data protection in the EU, only the final adoption by the European Parliament is still needed. This is expected in early 2016.
On 15 December 2015, the so-called trialogue negotiations between the Council of the European Union, the European Parliament and the European Commission on the EU Data Protection Regulation (EU-DPR) came to an end. The negotiations began in June 2015 with three partly divergent versions of the EU-DPR; the negotiators have now agreed on a common text.
Besides harmonising European data protection law, a central aim of the EU-DPR is to replace the EU Data Protection Directive of 1995 with rules geared to technical developments and new technologies (including Big Data and the Internet of Things). After a transitional period of two years following its official publication in the Official Journal of the EU, the EU-DPR will lay down uniform rules on data protection for all EU Member States.
Beyond the already widely discussed penalties for infringements of data protection law, with fines of up to four percent of global annual turnover or up to EUR 20 million, the provisions of the EU-DPR of particular interest are those that affect both the design of business processes and the product portfolio of companies. Only selected topics are briefly outlined here, ones which in our view have so far received little attention even though they can be considered trendsetting:
- Increased liability risk: Article 77 paragraph 1 provides for compensation of material damage as well as of non-material damage. Under German law, compensation for non-material damage has so far been available only as a statutory exception.
- High requirements for release from liability: Under Article 77 paragraph 3, both the controller (in German terminology, the "responsible body") and the processor are liable unless the party concerned can prove that it is "not in any way responsible" for the damage.
Whether and to what extent insurance products for non-material damage will be offered on the market is an open question, since the risk is difficult to quantify; in any case the transitional period will be a challenge for insurers. Irrespective of this, appropriate liability clauses in contracts with data processing providers will become more important in order to address the increased liability risk.
- International data transfer
- The EU-DPR retains binding corporate rules as well as the so-called EU standard contractual clauses as transfer instruments (Article 42).
- How the explicit codification of the EU standard contractual clauses relates to the recent judgment of the European Court of Justice on the Safe Harbor agreement is unclear. Following that judgment, the German data protection authorities regard the EU standard contractual clauses only as an interim solution until a new data protection arrangement between the EU Commission and the US is in place.
- It remains to be seen how the Article 29 Working Party will decide on this and, where necessary, provide clarification.
- Commissioned data processing
- The EU-DPR casts new light on the commissioned data processing agreement under § 11 BDSG (Auftragsdatenverarbeitung, ADV), which was established in Germany with the reform of the BDSG.
- Over the years, companies across all industries have established standard data processing agreements and have even amended older contracts concluded before the provision came into force. Mandatory content of an ADV agreement includes in particular a detailed description of the processor's technical and organizational measures as well as corresponding rights of the controller to monitor and instruct the processor. Since the EU-DPR will replace national data protection legislation, § 11 BDSG will be replaced too. This raises the question whether, and if so what, will be contractually required in future.
- Article 22 paragraph 1 of the EU-DPR lays down the controller's general obligation to implement appropriate technical and organizational measures to "fulfil and demonstrate" its compliance. This obligation is specified further only to the extent that "data protection policies" are required "where appropriate" in relation to the processing concerned (Article 22 paragraph 2a). In addition, adherence to a so-called code of conduct (Article 38) or a certification (Article 39, see below) can be used to demonstrate compliance.
Companies should therefore be prepared for the EU-DPR to affect contract drafting in the areas of data transfer and data processing as well.
- In the area of international data transfers, the EU-DPR cannot be considered in isolation; it has to be seen in the light of the ongoing Safe Harbor developments.
- For data processing contracts, each case has to be reviewed individually to determine what type and scope of agreement the specific processing requires.
- Internal corporate rules on data protection will also need adjusting: existing internal instruments have to be amended or new ones created. Certification strategies should likewise be reviewed and, where necessary, developed in order to provide evidence of compliance with the data protection requirements.
Technical Standards and Certification
The occasional criticism that the EU-DPR is not forward-looking enough can be countered by pointing to several "trend" approaches it contains, which, if implemented in practice, can be understood as principles of a modern data protection law.
- Article 23: Data protection by design and by default
- The EU-DPR thus contains specific rules for data protection at the level of technical implementation and is in line with comparable technology-driven approaches, especially in the area of IT security.
- Article 39: Certification
- In future it will be possible to have compliance with the data protection requirements of the EU-DPR certified, or "sealed". In particular, there will be a certification procedure of the European Data Protection Board under which companies receive the "European Data Protection Seal".
- Certification not only offers a way to demonstrate compliance, it can also be used to manage the increased liability risk, since, as noted above, release from liability is subject to high requirements such as proof of full data protection compliance.
It remains to be seen how the market will use these instruments and whether a data protection regime approaching the idea of self-regulation can be established on that basis. On the way to EU-wide harmonisation of data protection law, the importance of an internationally applicable "technical language" should not be underestimated, as many EU member states will interpret the terms of the EU-DPR differently. Data protection will increasingly become an interdisciplinary task between law and technology, and instruments such as international standardization and certification will move into the focus of a long-term EU data protection compliance strategy.
Enforcement of the EU-DPR and Responsibilities
At this point, just a brief note on possible changes in responsibilities for the supervision and enforcement of the EU-DPR:
Under § 38 paragraph 6 BDSG, the national data protection authorities are responsible for enforcing data protection law. The question is how the EU-DPR will affect this allocation of responsibility. Articles 46 et seq. provide for cooperation between the so-called supervisory authorities (the supervisory authorities of the member states) and the joint European Data Protection Board. Setting up more than one supervisory authority per member state remains optional. However, the EU-DPR appears to favor a centralized structure as the general model, in particular with regard to the representation of member states in the European Data Protection Board, the procedure for appointing the "members" of a supervisory authority, and financing. Given Germany's federal structure, the current arrangement will have to be discussed and probably modified.
The two-year transitional period should be seen as an incentive to engage with the rules and consequences of the EU-DPR and to establish comprehensive EU data protection compliance. So far the discussion has focused mainly on the threat of penalties for infringements of data protection law, with fines of up to four percent of global annual turnover or up to EUR 20 million, and on new rules such as the changed provisions on data protection officers. More interesting, however, are those provisions of the EU-DPR that will affect both the design of business processes and the product portfolio of companies. Use the remaining time to identify any need for action in good time, particularly with regard to the substantive topics presented above.