CWS 3.0: October 29, 2014

Imminent EU data protection reforms: benefit or burden?

A proposed regulation to increase data protections is expected to pass by 2015, and staffing industry insiders are expressing concerns over what compliance will cost in terms of time and money.

The goal of the regulation is to standardize data protection law across all 28 EU Member States (MS), and to bring the law up to date with technological and societal advances in data sharing. The European Parliament approved the European Commission’s proposal for a General Data Protection Regulation, with amendments, in March and Justice Ministers of the European Council met on Oct. 10 to approve the rules. According to Martine Reicherts, the new EU Commissioner for justice, fundamental rights and citizenship, heads of state have committed to adopting a strong EU General Data Protection framework by 2015.

Computer Weekly hails the European Commission's proposal for a general data protection regulation as "the most significant global development in data protection law since the European Data Protection Directive in 1995." Unlike a directive, a regulation is directly applicable in every member state, so no national implementing legislation is needed for it to take effect.

The regulation will:

  • Establish a single pan-EU law for data protection, replacing the differing national laws and, by the Commission's estimate, saving €2.3 billion per year.
  • Establish the principle of a single lead supervisory authority for complaints, so that a company deals only with the authority in the member state where it has its main establishment. Individuals, however, may still bring a complaint in any member state.
  • Apply the same rules to all companies doing business in the EU. Companies will have to appoint a data protection officer, and foreign companies will have to nominate a representative in the EU so that the authorities can supervise their activities there; small and midsize businesses are exempt from the data protection officer requirement. The Parliament raised the maximum fine from the Commission's proposed 2 percent of annual global turnover (revenue) to 5 percent.
  • Provide a right to be forgotten. Individuals who no longer want their data processed or stored, or whose data is no longer necessary for the purpose for which it was given, may require the data controller to remove it from its systems, provided there is no legitimate reason for keeping it. This goes further than the European Court of Justice's May 2014 decision in the case involving Google. It is not a right to erase or rewrite history, and it does not take precedence over freedom of expression or freedom of the media. Individuals may also require third parties to whom their data has been passed to erase any links to, or copies of, that data, but it is the original data controller that must take all reasonable steps to have the data erased.
  • Provide a right to data portability. Individuals may obtain a copy of their electronically processed personal data in a structured format and transmit it, together with any other data they have provided to a data controller, into another automated processing system without hindrance from the controller. For staffing firms in particular, with temps regularly moving from one firm to another, this is likely to be a further administrative burden.
  • Require explicit consent wherever consent is the basis for processing, including where there is a significant imbalance of power between the data controller and the data subject, as in an employment context. All candidates, temporary workers and contractors would therefore have to sign an explicit consent to the processing of their data, rather than the firm relying on implied consent for work or work-finding purposes.
  • Require that a data security breach be notified to the relevant authority within 24 hours and to the affected individuals without undue delay. Businesses will need controls and protocols to ensure that breaches are identified and promptly reported to the national data protection authority and to the individuals concerned.
  • Remove the need for businesses to notify the national data protection authority of the data processing they carry out.

There seems to be little awareness of the potential impact of these reforms, but staffing firms in the UK have expressed concern that their systems will need to be reconfigured to support elements such as explicit consent, the right to be forgotten and the right to request a transfer of data. Any business operating in the EU, other than the exempt small and midsize businesses, will also need to appoint a data protection officer and inform the relevant authorities of his or her identity.

For larger businesses, compliance with these new obligations will be costly, and the saving from no longer having to notify the data protection authority of their processing, and pay the accompanying fee, will not offset it; in the UK that fee is only £35 annually (US$56). If the EU Commissioner is right and the regulation passes by 2015, its direct effect means businesses operating in the EU face further costs in both time and money.