EU Data Protection Reform: A game-changer for employers
It has been 20 years since Europe introduced the Data Protection Directive (95/46/EC). At that time, electronic data management was still in its infancy. In 2012, the European Commission published its proposals for sweeping reforms to the EU’s data protections laws in light of the far-reaching changes to data use and privacy in the digital age. The General Data Protection Regulation (“the Regulation”), the aim of which is to harmonise data protection procedures across the EU, is the centrepiece of this reform.
The Regulation is an ambitious and stringent piece of draft legislation which repeals the Data Protection Directive and an amending Directive 2002/58/EC (protecting privacy in the electronic communications sector). Employers, as data controllers (i.e. those who process data), will need to prepare for the high level of compliance which will be required once the Regulation is in force, particularly given the threat of huge financial sanctions for companies who are found to be in breach (potentially 5% of annual worldwide turnover).
We summarise below 10 key aspects of the reforms which may be of particular interest to HR advisers and employers (the list is not exhaustive). It should be borne in mind that the proposed provisions are currently in a state of flux, remaining subject to negotiation and therefore to change:
1. National rules to specifically govern employment data
The Regulation envisages the adoption – for the first time – of national legislation (in accordance with the Regulation) to govern the processing of employment law data for the purposes of e.g. recruitment, contract performance, rights and benefits relating to employment, health and safety, the termination of the employment relationship etc.
2. Consent to processing
A high threshold for consent from employees to “process” data will be required. This consent must be “freely given, informed, specific and explicit”. As a general rule, consent will not be implied, and the data controller will bear the burden of establishing that it has obtained consent.
3. Definition of “personal data”
Typically in the UK, the definition of “personal data” in the context of data protection legislation has been interpreted narrowly. Therefore, proposed changes to this definition in the Regulation have been thought by many to potentially widen the scope of “personal data”. However, in the recent case of Vidal-Hall and others v Google Inc EWHC 13 (QB), the Court suggested that the definition of personal data under the DPA is in fact significantly wider than interpreted in decisions made by English courts. Therefore, whether the definition in the Regulation does end up being more expansive in practice than the current definition remains to be determined.
4. Territorial Scope
This is a significant area of difference from the current Directive. Data processors will now be included within the scope of the Regulation. The Regulation will also apply where, for example, a data controller is not established in the EU but offers goods or services to data subjects in the EU or monitors their behaviour. In certain prescribed circumstances a non-EU data controller will also be required to nominate a representative (who can be addressed by any supervisory authority and other bodies in the EU regarding obligations under the Regulation).
The territorial scope of the Regulation has caused consternation particularly from on-line companies based in Silicon Valley. Previously the patchwork nature of the data protection regime had allowed for some regulatory forum shopping but the new Regulation will limit this ability. The 2014 CJEU case of Google Spain v AEPD and Costeja Gonzales (“Google Spain”) has anticipated some of these developments, including holding that Google Inc’s search engine is subject to EU data protection laws, where it is commercially supported by an EU subsidiary (in this case Google Spain).
5. Cross Border Transfers
The Regulation proposes a number of changes to the cross border transfer of personal data, including legislative recognition being provided to binding corporate rules (“BCRs”, a set of legally enforceable corporate rules approved by a national data protection authority allowing multinational corporations to transfer data between group companies). The Regulation introduces a one-stop-shop approval process for BCRs as opposed to the current convoluted process.
6. Extension to data subject access rights
Data subjects (i.e. employees) will be given the ability to establish quickly what types of data are held about them and to extract that data for their own personal use. The current charge of a fee to access personal data will be removed. The European Parliament has also proposed that data subjects should have the right to receive intelligible information about the logic involved in any automated processing. If personal data has been disclosed to a public authority as a result of a public authority request, confirmation of the fact that such a request has been made should also be provided.
7. Right to be forgotten
Data subjects would be entitled to request that a data controller deletes all personal information relating to them and refrains from disseminating such information. The UK government, in particular, has expressed concern about how this would work in practice, particularly with the complete removal of information from the internet. Google Spain (mentioned above) has partly anticipated this development in respect of search engine providers.
8. Data Protection Officer Appointment
A Data Protection Officer (“DPO”) may be required to be appointed in an organisation if, for example, it employs 250 or more people (or as the European Parliament has proposed, is an organisation which processes personal data of more than 5000 data subjects in any consecutive 12-month period). Any such appointment must be for a minimum two year period (or four years, if an employee; two years if an external contractor, as proposed by the European Parliament). The DPO must operate independently and report directly to management level. In addition, they may only be dismissed if they no longer fulfil the conditions required for the performance of their duties.
9. Notification of data breaches
Data controllers will be required to notify data protection authorities of breaches of data security without undue delay and in any event within 24 hours as proposed by the Council (or within 72 hours as currently proposed by the European Parliament). The individuals whose personal data could be adversely affected by the breach should also be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in e.g. identity theft or fraud, physical harm, significant humiliation or damage to reputation.
10. Sanctions
The sanctions under the Regulation will be far greater than those currently available under the existing Directive (for serious breaches the ICO currently has the power to issue penalties to data controllers of up to £500,000). A breach of the Regulation could result in a fine of up to €100,000,000 or, as the European Parliament has proposed, a fine of up to 5% of annual worldwide turnover (the European Council has proposed a 2% figure). The penalties are far more punitive than those currently available and, for this reason alone, employers need to get on top of the Regulation.
Practical steps for employers:
It is difficult to give a comprehensive list of practical steps that employers should now be adopting whilst the Regulation is still subject to negotiation. The necessary reforms within a business will depend on the nature of the data that business processes. However, advance thought should be given to the impact of the Regulation on organisations, including:
- Companies which process large amounts of data will need to consider the additional support they will require to help implement the requirements of the new Regulation. For larger employers, or those companies which process special categories of data, thought will need to be given to the potential appointment of a DPO and to how this role will operate within their organisation (including a reporting line which retains the DPO’s independence, and the format of any employment documentation relating to that role).
- Employers need to audit their data processes now to ensure they know what changes they may need to make, for example: What data do they currently process? What is the data used for? How long is it stored, and how (and what is the legitimate basis for doing so)? How secure is the data? What third parties have access to the data, and why? What processes are in place to investigate and report breaches? Establishing and reviewing answers to these sorts of questions now will help employers prepare for compliance with the new regime.
- Privacy and data protection policies will need to be reviewed in light of the potential changes to data protection legislation. In particular, employers will need to consider the issue of consent in respect of data processing and whether this has been “freely given, informed, specific and explicit.”
- Comprehensive training on the new regime should be provided to HR managers and their teams.
There is no published timetable for the Regulation’s implementation, so it is difficult to give precise details on any enforcement schedule. The text of the Regulation is currently under complex and lengthy EU negotiation: the Council of the European Union is considering the technical detail of the Regulation, following the European Parliament’s approval of the draft last year. The ICO anticipates a “final form” of the legislation this year (see the ICO plan 2015-2018). Therefore, whilst it is likely to be several years before the rules come into force (reports suggest 2017/2018), preparation for compliance will be burdensome and lengthy, so employers should start grappling with the Regulation’s complexities now.
Assuming the Regulation is passed, it will be directly binding on data controllers without an implementation period, unlike a European Directive. Employers will also need to ready themselves for a regulatory shift as, to date, the ICO has been perceived as one of the most lenient supervisory authorities across the EU, but going forward such leniency and differentiation of treatment is unlikely to continue.