François Gilbert

2012-05-01

Abstract:The proposed data protection package that the European Commission unveiled on January 25, 2012 provides a sneak preview of the plans for a comprehensive reform of the data protection rules in the European Union. The new data protection framework would be based on two documents: a Regulation, (1) which would address the general privacy issues, and a Directive, (2) which would address the unique issues associated with criminal investigations. The proposed legislative texts are intended to redefine the legal framework for the protection of personal data throughout the European Economic Area. (3) The vision revealed in the documents published on January 25, 2012 (4) is generally consistent with the plan of action that was presented in late 2010. (5) What is new, or was not clearly specified in 2010, is the shift to a single law that would be common to all of the Member States. (6) The publication of the Proposed Regulation and Proposed Directive signals a very important shift in the way data protection will be handled in the future throughout the European Union. If the draft legislative texts are adopted in a form substantially similar to that which was presented on January 25, by 20157, the European Union Member States will be operating--for most types of activities--under a single data protection law that applies directly to all entities and individuals. (8) In many cases, companies will no longer have to suffer the fragmentation resulting from the significant discrepancies in the manner in which the 27 Member States interpreted and implemented the principles set forth in Directive 95/46/EC to create 27 different sets of national laws. (9) A single set of rules on data protection, valid across the EU, would make it easier for companies to know and understand the rules. Unnecessary administrative burdens, such as notification requirements for companies, (10) would be abolished. (11) Instead, the proposed Regulation provides for increased responsibility and accountability for those processing personal data. (12) In the new regime, organizations would only have to deal with a single national data protection authority in the EU country where they have their main establishment. (13) Likewise, people would be able to refer to the data protection authority in their country, even when their data are processed by a company based outside the EU. (14) The proposed reform would create more obligations for companies (15) and more rights for individuals, (16) while removing some of the administrative burdens that currently cost billions of Euros to companies.17 However, numerous additional requirements would come instead. While the new data protection regime would reduce red tape, it would require entities to be more accountable, (18) to have in place written procedures and processes that they actually use, (19) and to be able to show that they do comply with the applicable legal requirements. (20) Entities would be responsible for conducting privacy impact assessments in some circumstances, (21) to comply with individual requests to exercise their "right to be forgotten," (22) and to notify data protection authorities and individuals in the event of a breach of security. (23) U.S. companies that do business in or with the European Economic Area should start preparing for this dramatic change in the data protection landscape. Some of the provisions will require the development of written policies and procedures, documentation, and applications as necessary to comply with the new rules. Security breaches will have to be disclosed, (24) and incident response plans will have to be created accordingly. The development of these new structures will require significant investment and resources. IT and IS departments in companies will need to obtain greater, more significant budgets in order to finance the staff, training, policies, procedures and technologies that will be needed to implement the new provisions. …

Business,Law