By means of an innovative and modern directive (Directive 95/46/EC – the “Data Protection Directive”), in 1995, the European Community adopted its first data protection legislation aimed at providing common legal principles (to be implemented by European Union (“EU”) Member States by means of national legislation) to protect personal data and to align the bases of Member States’ provisions in respect to privacy and data protection.
However, the Data Protection Directive was adopted when the Internet was not widely used. The Internet technology has advanced in recent years and has posed new challenges to the protection of individuals’ data. The accelerating take-up of social networking, user-generated content platforms, mobile apps, cloud computing, location-based services, the “Internet of Things” (i.e. the ability of everyday objects to connect to the Internet and to send and receive data, e.g. wearables devices, home automation, etc.) and the growing globalization of data flows have significantly increased the risk for individuals to lose control on their own personal data.
Further, one of the main recurrent complaints about the Data Protection Directive is the lack of actual harmonization, which led to a certain fragmentation in the way personal data protection has been implemented across EU Member States. This resulted in additional costs and administrative burdens for operators as well as widespread uncertainty. This is particularly true for data controllers established in several Member States, who should comply with the requirements and practices in each of the countries where they are established. Guidance provided by the Article 29 Data Protection Working Party, an independent advisory body to the EU Commission set up under Article 29 of the Data Protection Directive (the “Working Party 29”), on several data protection issues certainly contributed to harmonization of data protection principles at EU level, although the Working Party 29’s opinions are not binding.
A uniform and coherent application of the data protection rules among the European countries is fundamental, in light of the proposed creation of the Digital Single Market.
Seventeen years after, on January 25, 2012, the EU Commission proposed a new uniform legislation on privacy and data protection in Europe, by means of a General Data Protection Regulation (the “Regulation”) which, once adopted, would be directly applicable in all Member States without the need for national legislation. The Regulation comes together with a proposed directive 5833/12 on the processing of personal data with the purpose to prevent, investigate or prosecute crimes or to adopt criminal sanctions, intended to replace the 2008 Data Protection Framework Decision (see Article 29 Data Protection Working Party’s Opinion no. 1/2013, of February 26, 2013, providing further input into the discussions on the draft Police and Criminal Justice Data Protection Directive).
Henceforth, the European legislators have been discussing on the new proposals and on March 12, 2014 the European Parliament adopted its position on the Regulation, proposing amendments aimed at enhancing the guarantees on data protection, in respect to the text approved by the EU Commission.
On June 11, 2015, the EU Council (the “Council”) approved its General Approach and the discussion among the three organisms (the so-called ‘trilogue’) has officially started, with the purpose to reach an agreement and to finalize the approval of the Regulation and the attached directive before the end of 2015.
This article focuses on some of the most groundbreaking provisions of the proposed Regulation which are expected to be a major concerns for in-house counsel, in particular those advising businesses with multi-jurisdictional operations. The Regulation also introduces new provisions that, amongst others, would: (i) make international data transfers easier; (ii) decrease the requirements and the costs of dealing with more than one Privacy Authority with differing rules (so-called “one-stop shop”); (iii) implement specific provisions on the so-called “right to be forgotten,” as interpreted by the European Court of Justice in the Google Spain case (European Court of Justice, decision of May 13, 2014, case C-131/12); (iv) provide for more effective sanctions and penalties to data controllers and data processors.
Territorial Scope of the Regulation
One of the major changes to be brought by the Regulation concerns the territorial scope of the EU data protection laws.
Today, Article 4 of the Data Protection Directive contains the rules governing its territorial scope and jurisdictional reach. According to this provision, the EU rules apply to personal data processing:
- where the processing is carried out in the context of the activities of an “establishment” of the data controller in the territory of the Member State. If the same controller is established in more than one Member State (e.g., by means of subsidiaries), the controller must take the necessary steps to ensure that each of these establishments complies with the obligations laid out by the applicable national law. Security measures depend on the location of a possible processor, as provided in Article 17, paragraph 3 of the Directive; and
- where a controller not established in the EU, for purposes of processing personal data, makes use of “equipment,” automated or otherwise, located on the territory of that Member State, unless such equipment is used only for purposes of transit through the territory of the EU.
Article 3, paragraph 1, of the Regulation, as recently amended by the Council based on the Parliament’s position, would still keep the “establishment criterion” mentioned above for the applicability of its provisions to controllers or processors established in the European Union. In addition to that, however, the Regulation would expand the “use of equipment” criterion currently provided by the European data protection law by making data controllers established outside the EU, but “targeting” EU residents, subject to EU data protection obligations.
Indeed, the Regulation would be applicable whether the processing of personal data concerns:
- the offer of goods or the provision of services to residents in the EU, even where no payment is required (e.g. “free” services, where individuals in fact pay for the service by providing their personal data);
- the monitoring of data subjects’ behavior within the EU. In order to determine whether a processing activity can be considered to ‘monitor the behavior’ of data subjects, it should be ascertained whether individuals are tracked on the Internet with data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes (see Recital 21 of the Regulation, in the text approved by the Council on June 11, 2015).
Because of its potential broad reach, the new criterion poses challenges for businesses directing their activity to the EU and also gives rise to questions on how the Regulation’s requirements can be readily enforced outside the EU.
It is worth mentioning that the Council uses different wording from the position adopted by the Parliament: in fact, the latter proposed that controllers, and even processors not residing in the EU, would be subject to the provisions of the Regulation. In its opinion regarding the proposed regulation, the Working Party 29 stressed the fact that the Regulation should also cover non-EU processors, in order to provide for a legal liability for these subjects.
Automated Data Processing and Profiling
Generally speaking, “profiling” enables an individual personality or aspects of his or her personality – especially behavior, interests and habits – to be determined, analyzed and predicted. “Profiling” of individuals is increasingly used by companies to offer personalized and targeted services (e.g., discounts, special offers and targeted advertisements based on the customer’s profile).
The Data Protection Directive does not contain any specific provision on “profiling”, but it includes a general provision concerning “automated individual decisions” in Article 15, which grants to data subjects the right not to be subject to a decision which “produces legal effects” concerning him or “significantly affects” him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. An automated decision by a bank not to grant credit may fall within the aforementioned provision.
Automated decisions can, however be made in certain cases, notably in the course of entering into or performance of a contract, provided that data subject’s legitimate interests are protected, e.g. by taking arrangements allowing him to express his point of view, or as otherwise provided by the law.
This provision has sometimes been implemented across EU Member States in different ways. It is worth mentioning Italy, where the prohibition to make decisions involving the assessment of a person’s conduct based solely on the automated processing of personal data aimed at defining the data subject’s profile or personality is limited to measures or act taken by judicial or administrative authorities (see article 14 of Legislative Decree of June 30, 2003, no. 196 – the Italian Data Protection Code).
The Regulation builds on Article 15 of the Data Protection Directive and on the Council of Europe’s Recommendation on profiling of November 23, 2010 and it specifically addresses “profiling” of data subjects.
Article 4 of the Regulation defines “profiling” as “any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behavior, location or movements”.
The main provision on profiling is Article 20 of the Regulation (“Automated individual decision making”), which, similar to the Data Protection Directive, grants to the data subject the right not to be subject to a decision based solely on automated processing (like automatic refusal of an online credit application or e-recruiting practices without any human intervention – see Recital 58 of the Regulation), including profiling, which produces legal effects concerning him or her or significantly affects him or her. The Regulations expands the cases in which decision-making based on such processing, including profiling, is allowed, introducing the possibility to carry it out with the data subject’s explicit consent.
Different from the various national provisions adopted in each Member State, profiling would be treated by the new EU rules as a processing alone and, as a consequence, it would require, amongst others, that controllers:
- inform data subjects about the existence of profiling, and the consequences of such profiling;
- obtain a specific and explicit consent for it (unless one of the exceptions provided by the Regulation applies).
This course of action would not be a new one for Italy, where, for example, profiling is traditionally considered as an autonomous processing, which requires a specific consent, separate from the consent for other purposes (such as, marketing purposes). In other European countries, profiling is usually treated as a modality of processing personal data and not as an autonomous processing, therefore it is generally deemed that no specific consent is required for profiling once the controller has obtained consent for marketing purposes.
In conclusion to this brief overview of the most groundbreaking provisions of the proposed Regulation, it is worth reminding that the latter is currently subject to discussions between the Parliament and the Council. Even though it is likely that the proposal will be amendment before the enactment, the general structure would probably remain the same, especially in the parts described above, which represent momentous innovations and will surely ensure effectiveness and confidence in the processing of people’s personal data.