Focus: Why Australian companies should watch out for EU data protection reform
7 June 2012
In brief: Changes proposed to Europe's data protection regime, along with incoming Australian legislative reform, may pose challenges for Australian companies operating in Europe. Allens Partner Michael Pattison and Lawyer Nikki Macor, and Linklaters Partner Julian Cunningham-Day and Senior Professional Support Lawyer Peter Church, report.
- Australian rules on transborder data flows
- Proposed changes to EU data protection law
- Individual rights
How does it affect you?
- As we reported on 28 May 2012, companies that send personal information outside Australia will soon be subject to tougher Australian rules governing that activity.
- Now, companies with operations in Europe may be facing yet another layer of stricter regulation in the medium term, with changes to the EU's data protection regime proposed.
- Penalties under the new European proposals reach up to 2 per cent of annual worldwide turnover for breaches of certain provisions of the Regulation, which could amount to a substantial sum, particularly when applied to large companies with operations throughout the world.
In January this year, European Commissioner Viviane Reding proposed a package of data protection reforms revolving around the replacement of the current data protection 'directive' with a new, stricter 'regulation', strengthening the rules in both form and substance.
The new regulation faces a long, uncertain road. It is not expected to be passed by the European Union until early 2014 and may be followed by a two-year implementation period, meaning these changes would not come into effect until 2016. Nevertheless, for Australian companies with operations in Europe, the European process is one to watch. This is particularly the case because those same companies may need to change their practices in the nearer future to adapt to reforms to Australia's Privacy Act 1988 (Cth). In the longer term, the changes proposed in the European Union may be followed in other jurisdictions, including Australia, affecting an even broader range of Australian organisations.
On 23 May 2012, long-anticipated amendments to the Privacy Act were introduced into Federal Parliament. One of the most significant aspects of the amendments relates to cross-border disclosure of personal information. Australian entities will be held accountable for any privacy breach by an overseas recipient of personal information that the entity sends offshore. There will be exceptions to this, but they are relatively narrow in comparison with the current regime. Our Focus article, 'Tougher Australian data protection regime', describes the amendments in more detail.
In addition to the tightening of the Australian privacy regime, the European Union will now begin a process of considering stronger restrictions on dealing with personal information. The proposed new regime would apply to any company offering goods or services to or monitoring the behaviour of individuals in a European Union member state – a broad definition that could capture many Australian entities doing business in Europe. Therefore, more than ever, Australian companies with operations in Europe must be aware of their data protection obligations and take active steps to ensure compliance.
European data protection laws currently originate from Directive 95/46/EC, which was passed by the European Union in 1995. The Directive must be implemented into each member state's national law to be fully effective, and this has led to significant variations in data protection laws across the European Union, increasing compliance difficulties for businesses operating on a pan-European basis. On the other hand, Regulations, such as the proposed data protection Regulation, are automatically implemented in the same form in each member state. The introduction of a Regulation is therefore expected to lead to greater harmonisation of these laws across the European Union.
However, this benefit may be outweighed by the increased restrictions that are proposed in the draft Regulation, such as:
- a stricter definition of consent;
- increased accountability for data protection and higher penalties for failure to meet requirements; and
- the introduction of individual rights, such as the so-called 'right to be forgotten' and a right to data portability.
These changes are discussed in greater detail below.
Any processing of personal information must meet a statutory justification under European data protection laws. One such justification is that the individual has consented to the processing.
The current definition of 'consent' in Directive 95/46/EC is 'any freely given specific and informed indication' of the individual's wishes signifying agreement to data processing. Under the proposed Regulation, consent will also need to be 'explicit', which European Commission documentation suggests is consent that is based 'either on a statement or on a clear affirmative action' by the person concerned.[1] This excludes reliance on 'implied' consent, which is commonly used in some European member states – for example, where an individual has received a privacy statement and continues to interact with the organisation without showing any sign of objecting to the statement.
The proposed Regulation also imposes a number of other restrictions on the use of consent. For example, it makes it clear that consent can be withdrawn at any time and cannot be used where there is a significant imbalance of power between the position of the individual and the organisation. The scope of the latter restriction is unclear and has been subject to criticism by a number of commentators.
The proposed Regulation includes a general requirement to notify the relevant data protection authority of data breaches without undue delay (currently compulsory only in the telecommunications sector). The proposed Regulation states that, in most circumstances, 'undue delay' would be more than 24 hours, which is a relatively short time-frame considering the investigative and governance procedures that would be required to be undertaken by an entity in the case of a data breach. There would also be an obligation to notify individuals where the data breach is likely to adversely affect the protection of their personal information or privacy. However, this appears to be a relatively low threshold.
In addition, entities would be required under the proposed Regulation to appoint a data protection officer unless they have fewer than 250 employees and their main activity does not involve systematic monitoring of individuals. That officer would be responsible for implementing, educating and monitoring the entity's data protection policies and procedures.
The proposed new 'right to be forgotten' has been the most controversial aspect of the draft Regulation. In effect, it constitutes an extension of the existing right for individuals to object to the processing of their personal information. An individual may request that a data controller erase data relating to them where a number of grounds apply, including where:
- the individual withdraws the consent on which the data processing is based and there are no other legal grounds for that processing; or
- the data is no longer needed for the purposes for which it was collected or processed.
On receipt of such a request, subject to some exceptions, the controller must erase the personal information (including any links to or copies or reproductions of that data) without delay. Complying with a request to delete all copies of particular data could be extremely onerous, particularly where the data has been processed in the cloud, and so may be residing in multiple servers throughout the world. It is also unclear just what steps will need to be taken where the data has been made publicly available on the web or a social media site and so has potentially been downloaded by millions of users around the world.
The other significant individual right that is proposed is known as the 'right to data portability', which allows individuals to obtain their data from an entity in an interoperable electronic format that is suitable for, and capable of, transfer to an alternative entity. This right could be a significant benefit for individuals whose data is being processed in the cloud. However, it will impose a cost burden on cloud providers, who will have to ensure that their data is able to be processed in an interoperable format.
With increased regulation likely to come from various sources domestically and abroad, Australian companies operating in Europe will need to be particularly vigilant about data protection policies and practices over the coming months and years.
[1] Recital 25.
- Gavin Smith, Partner, Sector Leader, Technology, Media & Telecommunications, Ph: +61 2 9230 4891
- Julian Cunningham-Day, Partner, Ph: +44 20 7456 4048