Transcript Data Protection Masterclass: The New Draft EU Data

19 September 2012
©2012 Morrison & Foerster (UK) LLP | All Rights Reserved | mofo.com
Data Protection Masterclass:
The New Draft EU Data
Protection Regulation
Data Protection Masterclass
London, September 19, 2012
Ann Bevitt & Karin Retzer
©2012 Morrison & Foerster (UK) LLP | All Rights Reserved | mofo.com
EU Data Protection Proposals:
Where we are with the
Draft Regulation
How did we get here?
• Current framework governed by 1995 EU Data Protection Directive
• Amendments required to address challenges resulting from globalization and
technical advances
• Need for greater harmonization across Member States
• January 25, 2012 the Commission proposed two new draft laws
• Draft Regulation on the protection of individuals with regard to the processing of
personal data and on the free movement of such data (General Data Protection
Regulation)
• Draft Directive on the protection of individuals with regard to processing of
personal data for the purpose of crime prevention and investigation
This is MoFo.
3
The Key Players
• The European Commission (Commission)
• Composed of 27 Commissioners and administrative staff
• Proposes draft laws
• The Council of the European Union (Council)
• Composed of ministerial-level representatives from each EU Member State
• Adopts laws, sometimes alone and sometimes jointly with the European
Parliament
• The European Parliament (EP)
• Composed of directly elected members
• Adopts EU laws together with the Council
This is MoFo.
4
How does it work?
• How is the Draft Regulation going to be adopted?
• Commission published Draft Regulation and sent it to the EP and the Council
• The EP and the Council may propose amendments and work on their own
versions of the text
• Institutions have regular exchanges to align their position; Commission assists the
process
• To be adopted Regulation must be jointly approved by the Council and the EP –
both must agree on the same text
• Will there be any changes to the Draft Regulation before it is
adopted?
• Changes are very likely because the EP and the Council must achieve
compromise
This is MoFo.
5
Council’s Position
• Formal note from July 2012 includes comments from 20 Member
States
• Preference for Directive over Regulation – Member States want more for flexibility
in their law-making
• Call for more clarification on application to organizations established outside the
EU and on the place of main establishment
• Call for clearer definitions
• Criticism of high administrative burdens and unrealistic obligations, in particular
breach notification obligations, documentation of processing, mandatory DPOs
• Call for revision of mandatory imposition of sanctions
This is MoFo.
6
Council’s next steps
• Experts from Member States are discussing the Draft Regulation in a
dedicated working group
• First exchange between ministers due December 6-7, 2012
• Ministers to discuss outstanding issues where the working group cannot reach a
common position
• Several Member States demand more discussions; adoption of the
Regulation (or a Directive) may be a long way off
This is MoFo.
7
Parliament’s Position
• LIBE
• Responsible Committee
• Jan Philipp Albrecht
• MEP responsible for leading discussions in the EP and preparing EP’s position
• Supports Regulation as legislative instrument
• Calls for strong rules on DPOs, impact assessments, general data
breach notification, DPA powers, and severe sanctions for breaches
• Calls for clarification of rules on discovery requests from foreign
authorities, profiling of individuals, and technology-neutral rules for
data protection by design and by default
• Calls for adoption of Draft Regulation and Draft Directive on data
protection in criminal investigations in parallel
This is MoFo.
8
Parliament’s next steps
Date
Agenda
September 19, 2012
Second exchange of views
October 2012
Publication of Rapporteur’s working document
October 9-10, 2012
Meetings with national parliaments
November/December 2012
Publication of draft Report
January/February 2013
Discussion and amendment of text
February 2013
Discussion with other committees
March/April 2013
LIBE votes on text
During the course of 2013
Discussion with the Council
Unclear – but likely to be before
summer 2014
EP’s final vote
This is MoFo.
9
Entry into Force
• When is the Draft Regulation going to enter into force?
• Once adopted, Regulation will not require implementation and will be directly
applicable
• Regulation provides for transition period of 2 years following publication
This is MoFo.
10
Reading Materials
• Commission’s proposal for a Regulation
• http://ec.europa.eu/justice/dataprotection/document/review2012/com_2012_11_en.pdf
• Commission’s proposal for a Directive
• http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52012PC0010:en:NOT
• Albrecht’s Working Document
• http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&reference=PE491.322&format=PDF&language=EN&secondRef=01
• Formal Note from the Council July 18, 2012
• http://www.statewatch.org/news/2012/jul/eu-council-dp-reg-ms-positions-9897rev2-12.pdf
• Parliament’s procedure file
• http://www.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&reference
=2012/0011(COD)
This is MoFo.
11
Data Protection Masterclass
London, September 19, 2012
Ann Bevitt & Karin Retzer
LN/207999
©2012 Morrison & Foerster (UK) LLP | All Rights Reserved | mofo.com
EU Data Protection Proposals:
The Business Perspective
The global dimension
• How will the new Draft Regulation affect companies based outside
the EU?
• Will cross border transfers be easier?
• Will BCRs replace the Model Clauses?
• Will the Regulation have positive implications for cloud computing?
• What about compliance with foreign law obligations, like SOX or
FCPA? What about the foreign discovery process?
This is MoFo.
13
Improvements for companies
• How might the Regulation improve things for companies?
• What about the concept of main establishment? How does it work,
and will it apply to non-EU companies?
• Will the legal interpretations be more consistent across Member
States?
This is MoFo.
14
Challenges for companies
• So, what challenges and problematic issues does the Regulation
raise?
• What about the cost of compliance? Will companies have to allocate
more resources?
• Will companies have to appoint DPOs?
• How would the Regulation affect data processors?
This is MoFo.
15
Challenges for companies (2)
• How about handling HR data? Will it be easier for employers?
• Will there be any specific implications for certain sectors?
• What does data protection “by design” and “by default” mean in
practice?
• Will all data security breaches need to be notified? What about
breaches by non-EU companies?
This is MoFo.
16
Contacts
Ann Bevitt
Partner, London
44 20 7920 4041
[email protected]
Karin Retzer
Partner, Brussels
32 2 340 7364
[email protected]
This is MoFo.
17