EU Privacy Reform – First Q&A from EC
The EU Privacy reform was agreed last week and the European Commission has now published the first Q&A clarifying some changes of this data protection revolution.
I had covered in a previous post the breaking news about the agreement reached at the European level on the privacy reform. I am working on a series of posts on the most “hot” topics of the new data protection regulation, but the European Commission has now published the first questions and answers on the topic. Below is my interpretation of some of the questions raised by the European Commission:
Why did the Commission propose a reform of the EU privacy rules?
The position of the European Commission is that the goal is to remove the inconsistencies among data protection rules across the European Union that derive from the national implementations of the EU Directive 95/46, and to modernize the rules for a digital world. The EU privacy regulation is directly enforceable and therefore no national implementation is “in theory” required.
The regulation nevertheless leaves some “gray areas” that will need local implementation. Indeed, one of the current questions is whether the whole local data protection law shall be fully repealed, since it was mainly the implementation of the EU Directive 95/46, or whether some of its provisions shall survive by cross-referring to the regulation. Also, the approach followed in the latest version of the regulation on the “one-stop shop” rule still leaves considerable control to local data protection authorities.
Will cross border businesses have to deal with a single privacy law? And what about non-EU entities?
The previous question is linked to this issue. There will be a single piece of legislation setting data protection rules across the whole European Union, with savings for companies estimated in the range of € 2.3 billion a year.
Companies established in more than one EU Member State, or established in a single EU Member State (or having a processor established in an EU Member State) but performing data processing activities in the Union that substantially affect or are likely to substantially affect individuals in more than one Member State, will have to deal with a lead data protection authority rather than with 28 different authorities under the “one stop shop” rule.
However, considerable exceptions have been introduced for matters that are more relevant locally and therefore shall be dealt with by the local privacy authority, which in any case shall cooperate and agree any decision with the lead authority. A relevant issue is therefore whether such a complex structure will really simplify the life of companies and how such “cooperation” will actually work.
This is also an issue for non-EU entities that either offer their products/services in the European Union or monitor (e.g. by means of cookies) the behavior of individuals located in the EU.
What will change under the EU Data Protection Regulation?
The reform reproduces a number of principles that were already contained in the previous directive or that resulted from the case law of the European Court of Justice, as in the case of the right to be forgotten, with the objective of giving individuals more control over their personal data. However, the main change is the introduction of the accountability principle, which provides that data controllers “shall be responsible for and be able to demonstrate compliance” with the data protection principles set out by the regulation. This means that the burden of proof of showing privacy compliance will be on data controllers, and in this respect the arrangement of documentation showing compliance with the principles of privacy by design and by default and security by design will be crucial in case of a data breach or a mere privacy audit. Also, the development of anonymization techniques will become exponentially more relevant in the context of Big Data and Internet of Things technologies whenever the processing of personal data is not necessary to achieve the pursued objectives.
Follow this blog for future, more in-depth reviews of the different issues raised by the privacy regulation.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.