By Marlena Wach
The European Union Data Protection Supervisor, Giovanni Buttarelli, recently released his non-binding recommendations on the draft EU General Data Protection Regulation, which is the subject of a so-called “trilogue” consultative process among officials of the European Commission, European Parliament and Council of Ministers to agree on final language of the regulations. It is largely expected that once finalized, the GDPR will be adopted before year end 2015, which will require approval by both the European Parliament and the Council of Ministers. As reflected in an annex to Mr. Buttarelli’s recommendations, the European Parliament and Council of Ministers have differed in their approach to various aspects of the regulations, particularly as to enforcement and sanctions, necessitating the trilogue discussions.
Among the more controversial aspects of the regulations is a proposal by the European Parliament that would impose a maximum penalty on companies of 5% of their annual global revenue, up to 100 million Euros ($109 million US), for breaches of the regulations. In the annex to his recommendations, Mr. Buttarelli weighed into the penalty fray, supporting the 5%/100 million Euro penalty. In contrast, the Council of Ministers supports a maximum penalty of 2% of global revenue or 1 million Euros. According to published reports, in supporting the stiffer penalty, Mr. Buttarelli said that “In a limited number of cases [that are] so serious, the five percent sanction is more appropriate,” reportedly noting that “big data is a big market and it’s a very profitable market” and that “the money [companies] get in exchange” should be considered.
In other provisions, the proposed regulation would require that appropriate technical and organizational security measures be implemented by businesses. The regulation also would require that security policies contain specific provisions, e.g., a process for regularly testing, as well as assessing and evaluating the effectiveness of security policies. Companies will also need to have detailed documentation and policies on the data that is processed.
Other provisions would require businesses to adopt reasonable steps to implement compliance procedures and policies, which should be reviewed every two years. The procedures should include adopting “privacy by design” throughout the lifecycle of processing, from collection to deletion of data and carrying out privacy impact assessments where there are specified risks or data on a large number of individuals.
There are also new requirements for standardized data protection policies, to be presented to individuals using symbols or icons. The information should include details on rights of access to the data, rectification and erasure of data, the right to object to profiling, how to bring a complaint to the relevant Data Protection Authority and how to bring legal proceedings. The proposed regulation also includes a new right of erasure, which would give individuals the right to have their personal data erased where the data is no longer necessary or where their consent is withdrawn under certain circumstances.
For many businesses, if adopted, these new obligations will require a significant review of existing security and data protection measures, policies and procedures, with training of staff and the provision of additional resources. Under the proposed regulation, any business that has European customers will need to comply with the new requirements, which could have significant implications for U.S. and other non-European companies with EU customers and operations.