Lee & White

  • European Parliament vote exhibits tremendous support to strengthen data protection in the EU

    Thursday, March 13, 2014

    With 621 votes in favour of the Regulation (10 against and 22 abstentions) on the 12th of March 2014, the European Parliament has secured the support given at committee level to the European Commission's data protection reform.

    With the constant abuse and misuse of personal data, this reform is more than ever a necessity to restore and strengthen the data protection rights of the people. Companies will have to step up to comply with the Regulation and put data protection compliance at the top of their agenda - or face the consequences of breach.

    Through this reform, several changes are noted and include the following points:
    • The Regulation will establish a single law on data protection in the EU and replace the current conflicting national laws. This blanket of uniformity means that companies will have one law to deal with instead of the differing national laws which have proven to be quite problematic and time-consuming to deal with under the current 1995 Data Protection Directive. Whilst some national laws are quite stringent, there are others which are regarded as watered-down equivalents. The benefits have been estimated at 2.3 billion EUR per year.
    • There will be one single supervisory authority which will make it easier and cheaper to do business in the EU.
    • Enforcement powers will be stronger and companies outside the EU must comply with the same rules, failing which data protection authorities are equipped to impose on wayward companies a much higher fine than currently (up to 100 000 000 EUR or up to 5% of the worldwide annual turnover in case of an enterprise, whichever is greater).
    • Economic growth is encouraged, especially with regard to small and medium enterprises (SMEs) where several exemptions will apply.
    • Two important elements in the EU data protection rules are "Privacy by design", whereby data protection safeguards are built into products and services from the earliest stage of development rather than a case of "going back to the drawing board", and "Privacy by default", whereby privacy-enhanced default settings are the norm.

    The bottom line is that data subjects will have control over their personal data, and companies that are still lagging behind in safeguarding personal data entrusted to them are in for hot water if they refuse to prioritise the safety and security of the data.

    Feeble excuses for non-compliance often heard, such as "no one ever gets caught anyway", "nobody else is doing it", or "we've other things which are more important", will, thankfully, have to exit.

    Posted by: Lee & White

    Tags EU Government

  • Protocol agreement reduces administrative burden for data transfer contracts

    Monday, July 15, 2013

    On 25th of June 2013, the Belgian Privacy Commission and the Ministry of Justice entered into a protocol agreement which forms the framework for the transfer of personal data outside the EU. Following this, contracts governing the exchange of personal data between companies outside the EU will be handled more smoothly from now on.

    The immense volume of personal data transferred between countries rightly demands the protection of such personal data. Where the data is transferred within Belgium and the EU, personal data may be transferred subject to the Belgian Data Protection Law. EU member states are accorded the same level of protection for the processing of personal data by virtue of the European Directive 95/46/EC.

    Where the data is transferred outside the EU, personal data can only be transferred to countries which provide an adequate level of protection of the data - similar to the protection accorded within the EU. The European Commission has recognised a number of countries which are regarded as providing an adequate level of protection of personal data. This can be viewed on the European Commission's website.

    Where a country is not recognised as offering an adequate level of protection, personal data may still be transferred through:
    • European Commission's model contracts or contractual clauses drawn up by organizations themselves offering an adequate level of protection of the personal data to be transferred
    • Binding Corporate Rules
    • Exceptions provided by law.

    In Belgium, where the European Commission's model contracts are used, these contracts are sent to the Belgian Privacy Commission to be checked to ensure conformity with the European Commission's standard contractual clauses. There is, however, no need for a Royal Decree to validate such contracts, and this has been clearly stated in the recent protocol agreement between the Belgian Privacy Commission and the Ministry of Justice. The date on which conformity with the standard contractual clauses is confirmed in writing by the Privacy Commission is also the date on which the data transfer is allowed.

    In the second instance where organizations themselves draw up their own contractual clauses binding themselves and the receivers of the personal data, the existing situation is such that a Royal Decree is necessary. However, owing to the shared jurisdiction of the Belgian Privacy Commission and the Ministry of Justice, the process became long and cumbersome and meant that very few organizations took up this method of providing an adequate level of protection.

    The protocol agreement has changed that - the Privacy Commission will now play the leading role in this procedure and quicken the process. Organizations can send the contracts to the Privacy Commission for review. If the necessary guarantees for the protection of personal data are in place, the Privacy Commission will forward these contracts to the Ministry of Justice along with a positive assessment and a proposed wording for a Royal Decree for the King's signature and publication in the Belgian Official Gazette. If not, the Privacy Commission will contact the applicant and refer to the principles which are required to be addressed properly in the contractual clauses.

    The new procedure will significantly shorten the period of approval of such contracts and is said to be a win-win situation for the government, organizations and citizens. It will also prevent the possible consequences of violation and provide more legal certainty for the data subjects whose personal data is transferred as well as the organizations involved. The protocol agreement takes effect immediately.

    Posted by: Lee & White

    Tags Best Practices EU Personal Data Government Organisations Data Handling Manual

  • Shadow Profiles

    Monday, July 8, 2013

    Facebook, as mentioned in detail in the news, was exposed for keeping shadow profiles on users and non-users.

    Through an incident (which should have been classified as a bug as it had been available for months) it was revealed that Facebook is keeping so-called shadow profiles of its users as well as data subjects who do not use their services.

    A shadow profile is information about a certain data subject which the data subject in question did not give to the data processor. This profile is created without consent of the data subject and possibly without his knowledge. This means the data processor gathered this information through or by combining other sources, either through other data subjects or from other sources such as other web sites, chat sessions, search history, phone conversations…

    European Data Protection law forbids this kind of ‘data brokerage’, gathering, combining and reprocessing data from different sources to build a file with personal data for these reasons:
    • Data processors can only process your data with your explicit consent.
    • Data processors can only process such personal data which is relevant to their services to you.

    Your personal data has become a commodity which they use for their own profit and without a relationship with you, the data subject. Quite a number of companies, small and large, have made it their business to gather everybody’s personal data and sell it on to the highest bidder. Recent times have made it very easy for such companies to gather all information in an automated way and from the comfort of their own office. They are also not bothered by the fact that they are serving stale information which is no longer or never was correct, but can have very deep implications for your personal life.

    European Data Protection Law has several safeguards:
    • If a data subject suspects a data processor has such a shadow profile, the law provides a means to officially request a complete list of data kept by the data processor concerning the data subject.
    • If a data subject objects to the data processor’s use of the data subject’s data, the data subject can submit a request to cease processing such data.
    • The new EU Data Protection proposal mentions the right to be forgotten, but lobbying by major data processors is probably going to water this down.

    The lessons for our clients are clear:
    • Be transparent: only gather personal data from your data subjects through informed and explicit consent.
    • Do not process information other than that given by the data subject, and only if it is relevant to the purpose of your relationship with the data subject.
    • Keep it alive: keep data up to date and do not keep data of data subjects beyond the duration of the relationship with your data subject.
    • Protect the personal data entrusted to you.

    Posted by: Lee & White

    Tags Best Practices EU Data Breach Private Persons Personal Data Organisations Internet

  • EU Data Protection Law getting more bite

    Tuesday, January 24, 2012

    It is looking good for Data Protection in Belgium and the EU as Ms. Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, Fundamental Rights and Citizenship, announced groundbreaking changes to EU Data Laws to be introduced in a Bill to the EU Parliament this week.

    Speaking at the “Digital, Life, Design” conference in Munich on January 22nd, 2012, she confirmed that personal data is indeed an asset, a message which has already begun passing around since the UK Information Commissioner commissioned a report on privacy by design to help articulate the business case for proactive protection of privacy in 2008 and which we believe and preach with conviction. “Personal Data is the currency of today’s digital market, and like any currency, it needs stability and trust. Only if consumers can ‘trust’ that their data is well protected, will they continue to entrust businesses and authorities with it, buy online, and accept new services,” she stated. And the amount of data, including Personal Data, is growing by a whopping 40% a year worldwide.

    Given the fact that 72% of European Citizens said in a recent poll that they are concerned about how their personal data is used by companies, and given that businesses are concerned too, how can they keep control over data which races around the globe in a virtual cloud?

    “Trust has to prevail”, states Ms. Reding. Rightly so. If the population is to give the current growth continued support, they need to have a good understanding of the issues and be able to trust that their data is not being abused. They entrust the EU with the task to draw up the rules and follow up on their correct implementation and execution. Trust is the key to any relationship - and how much more in the business world?

    We have a unified currency in the EU, but Data Protection law is fragmented into 27 different, and sometimes conflicting, regulations. Whilst some member states are top of the class, others have watered the 1995 EU Directive down so much that it is no more than a sign on the wall showing how bad things are. A lot of burden has been added, sometimes in the form of red tape and lengthy, cumbersome administrative procedures. As such, it has all been a futile exercise as it missed its economic goal.

    Ms. Reding states “Privacy concerns are one of the most frequent reasons why people don’t buy goods and services online.” She is adamant about the way forward: “This needs to be changed.”

    Two legislative texts will be proposed:

    “First, a Regulation to enhance opportunities for companies that want to do business in the EU's internal market, while ensuring a high level of data protection for individuals.

    Second, a Directive to ensure a smoother exchange of information between Member States' police and judicial authorities in the fight against serious crime while at the same time protecting people’s fundamental right to data protection.”


    The first point, legal certainty, will be achieved by one Data Protection Law in the form of a directly applicable Regulation which will apply to all Member States in the European Union, and to all organisations offering their goods and services to consumers in the EU – even if their servers are based outside the EU.

    This new Regulation will unleash the potential of the Digital Single Market, and will save businesses around 2.3 billion Euros per year, removing barriers to market entry, which were especially affecting our clients, the small and medium-sized enterprises. It will simplify the regulatory environment and drastically cut red tape. Current notification requirements are replaced by a duty for companies to be responsible and accountable for the protection of Personal Data in their business field. Each company will have to appoint a Data Protection Officer.

    There will be one law, applicable to all member states, and companies will only have to deal with a single Data Protection Authority linked to the country of its main establishment.

    All Data Protection Authorities will have the same adequate tools and powers to enforce the EU Law.

    They will:
    • Deal with complaints
    • Carry out investigations
    • Take binding decisions
    • Impose effective and dissuasive sanctions.

    The rules for international data transfers will be strengthened and simplified - a necessary step in a world where data travels freely around the world and major companies have made it their specialty to circumvent the more ‘difficult’ countries by operating in or via countries with weaker Data Protection legislation.

    Trust from the individuals will be earned through a few key principles, boiling down to one point: Transparency.
    • Informed
      • People need to be informed in simple, clear, and unambiguous language.
    • Consent
      • People need to freely give their specific and informed consent.
    • Control
      • People need to have control over their own data at all times. Aside from the control we know already, it will also include portability, the possibility to take one’s data and easily move it from one provider to another, and the right, not the option, to be forgotten.
    • Alert
      • Individuals need to be swiftly informed, within 24 hours, when any of their personal data is lost or stolen.
      • Companies suffering such a breach need to notify their Data Protection Authority without undue delay, i.e. ‘within 24 hours’.

    Ms. Reding concludes:

    "We will get a strong, consistent and future-proof framework for data protection, applied consistently across all Member States and across all European Union policies. We will make our data protection legislation fit for the digital age so it encourages innovation and development of new technologies and services.

    We will adjust the rules to the reality of multinational businesses. And will adjust the rules to the reality of people's lives. Europeans live, work, shop and travel freely in the EU, so their data must travel freely as well: Freely and safely. The reform will become a golden opportunity for business: complying with the EU’s laws on data protection will lead to a competitive advantage. European data protection rules will become a trademark people recognise and trust worldwide. I would welcome if everyone here put these new rules to life."


    Well said. Data Protection without a doubt enables businesses to make more and better business, leading to a competitive advantage over competitors, having a solid and healthy relationship with loyal customers. Any organisation would pay good money for this.

    You can read the full text of Ms. Reding's speech here

    It will take some time to bring the new law into practice, but organisations should be aware and prepared, making the necessary changes sooner rather than later.

    If you need to assess your current status with relation to the new Data Protection Law or need advice on implementing or improving compliance with current or the next legislation, review our services and contact us.

    Posted by: Lee & White

    Tags Best Practices EU Data Protection Officer Data Breach Personal Data Government Organisations Internet IT
