Data Protection Masterclass: The New Draft EU Data Protection Regulation. 19 September 2012. EU Data Protection Proposals: Where we are with the Draft Regulation. Data Protection Masterclass London, September 19, 2012 Ann Bevitt & Karin Retzer. How did we get here?
Data Protection Masterclass: The New Draft EU Data Protection Regulation 19 September 2012
EU Data Protection Proposals: Where we are with the Draft Regulation Data Protection Masterclass London, September 19, 2012 Ann Bevitt & Karin Retzer
How did we get here?
• Current framework governed by 1995 EU Data Protection Directive
• Amendments required to address challenges resulting from globalization and technical advances
• Need for greater harmonization across Member States
• January 25, 2012 the Commission proposed two new draft laws
• Draft Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
• Draft Directive on the protection of individuals with regard to processing of personal data for the purpose of crime prevention and investigation
The Key Players
• The European Commission (Commission)
• Composed of 27 Commissioners and administrative staff
• Proposes draft laws
• The Council of the European Union (Council)
• Composed of ministerial-level representatives from each EU Member State
• Adopts laws, sometimes alone and sometimes jointly with the European Parliament
• The European Parliament (EP)
• Composed of directly elected members
• Adopts EU laws together with the Council
How does it work?
• How is the Draft Regulation going to be adopted?
• Commission published Draft Regulation and sent it to the EP and the Council
• The EP and the Council may propose amendments and work on their own versions of the text
• Institutions have regular exchanges to align their position; Commission assists the process
• To be adopted Regulation must be jointly approved by the Council and the EP – both must agree on the same text
• Will there be any changes to the Draft Regulation before it is adopted?
• Changes are very likely because the EP and the Council must achieve compromise
Council’s Position
• Formal note from July 2012 includes comments from 20 Member States
• Preference for Directive over Regulation – Member States want more flexibility in their law-making
• Call for more clarification on application to organizations established outside the EU and on the place of main establishment
• Call for clearer definitions
• Criticism of high administrative burdens and unrealistic obligations, in particular breach notification obligations, documentation of processing, mandatory DPOs
• Call for revision of mandatory imposition of sanctions
Council’s next steps
• Experts from Member States are discussing the Draft Regulation in a dedicated working group
• First exchange between ministers due December 6-7, 2012
• Ministers to discuss outstanding issues where the working group cannot reach a common position
• Several Member States demand more discussions; adoption of the Regulation (or a Directive) may be a long way off
Parliament’s Position
• LIBE
• Responsible Committee
• Jan Philipp Albrecht
• MEP responsible for leading discussions in the EP and preparing EP’s position
• Supports Regulation as legislative instrument
• Calls for strong rules on DPOs, impact assessments, general data breach notification, DPA powers, and severe sanctions for breaches
• Calls for clarification of rules on discovery requests from foreign authorities, profiling of individuals, and technology-neutral rules for data protection by design and by default
• Calls for adoption of Draft Regulation and Draft Directive on data protection in criminal investigations in parallel
Entry into Force
• When is the Draft Regulation going to enter into force?
• Once adopted, Regulation will not require implementation and will be directly applicable
• Regulation provides for transition period of 2 years following publication
Reading Materials
• Commission’s proposal for a Regulation: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
• Commission’s proposal for a Directive: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52012PC0010:en:NOT
• Albrecht’s Working Document: http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&reference=PE-491.322&format=PDF&language=EN&secondRef=01
• Formal Note from the Council July 18, 2012: http://www.statewatch.org/news/2012/jul/eu-council-dp-reg-ms-positions-9897-rev2-12.pdf
• Parliament’s procedure file: http://www.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&reference=2012/0011(COD)
EU Data Protection Proposals: The Business Perspective Data Protection Masterclass London, September 19, 2012 Ann Bevitt & Karin Retzer
The global dimension
• How will the new Draft Regulation affect companies based outside the EU?
• Will cross border transfers be easier?
• Will BCRs replace the Model Clauses?
• Will the Regulation have positive implications for cloud computing?
• What about compliance with foreign law obligations, like SOX or FCPA? What about the foreign discovery process?
Improvements for companies
• How might the Regulation improve things for companies?
• What about the concept of main establishment? How does it work, and will it apply to non-EU companies?
• Will the legal interpretations be more consistent across Member States?
Challenges for companies
• So, what challenges and problematic issues does the Regulation raise?
• What about the cost of compliance? Will companies have to allocate more resources?
• Will companies have to appoint DPOs?
• How would the Regulation affect data processors?
Challenges for companies (2)
• How about handling HR data? Will it be easier for employers?
• Will there be any specific implications for certain sectors?
• What does data protection “by design” and “by default” mean in practice?
• Will all data security breaches need to be notified? What about breaches by non-EU companies?
Contacts
• Ann Bevitt, Partner, London, 44 20 7920 4041, abevitt@mofo.com
• Karin Retzer, Partner, Brussels, 32 2 340 7364, kretzer@mofo.com