Proposed Amendments to EU Draft Privacy Regulation Compound Compliance Concerns

Privacy & Information Security Update

Date: January 11, 2013

Overview

Multinational businesses with operations, customers or business in the European Union are well aware of the strict standards EU law places on the collection, processing, use and transfer of the personal data of EU nationals. Those following European privacy law developments are aware that the EU is considering the most fundamental and extensive revision to its basic privacy laws in decades in the form of the Draft General Privacy Regulation proposed in January 2012, which we reported on last year.

Because the regulation is to be implemented through EU-wide legislation, action on the new law will occur primarily in the European Parliament. On January 8, Jan-Philipp Albrecht, the EU legislator designated as the "Rapporteur" and who is responsible for leading the legislative process for the new law, released his long-awaited report proposing amendments to the Draft Regulation as the culmination of a frenetic and hotly contested period of lobbying and advocacy by both business interests and privacy advocates.

While many had hoped that Mr. Albrecht would advocate tempering some of the more burdensome requirements of the proposed regulation, initial review of the Albrecht Report indicates that, to the contrary, the burdens are only increasing. Among the new developments are:

  • Confirmation of the extraterritorial reach of the new law, meaning that businesses with no physical presence in the EU nonetheless may become subject to the regulation merely by gathering and processing European nationals' personal information.
  • Expansion of the controversial "Right to be Forgotten" to require the business collecting the information not only to "forget" and delete the information, but also to cause those to which it disclosed the information to do so as well.
  • Requirement that online service providers provide users the means to transfer their content to other, even competing, platforms in a common format.
  • Maintenance of the high level of available monetary penalties that are as much as 2 percent of the enterprise's total global revenues for violations, some of which would seem fairly technical in light of the proposed amendments.

The Albrecht Report does advocate retaining business-friendly portions of the Draft Regulation such as the regulatory "one-stop shopping" provision that, if truly implemented, would reduce compliance costs by permitting a business to deal with the Data Protection Authority of the EU Member State where it has its principal European operations rather than the Data Protection Authorities of all Member States where it conducts business. However, because the new regulation would permit Member States to independently (and inconsistently) regulate data protection in the employment setting, the benefits of "one-stop shopping" may be illusory to many businesses.

The Albrecht Report is one further step toward the eventual passage of the legislation, but if adopted in its present form, it will impose new, burdensome compliance obligations. Thoughtful foresight, planning and timely counsel will be required for businesses with European interests to avoid the potential compliance pitfalls the proposed Privacy Regulation presents.