In focus EU proposed data protection Regulation

Transcription

1 In focus EU proposed data protection Regulation Less than adequate cross-border data transfers under the proposed Regulation The restriction on cross-border transfers of personal data is perhaps one of the best known features of the existing European data protection framework, notwithstanding that few data subjects will ever have heard of it. In practice, of course, the cross-border transfer of personal data has become increasingly commonplace, in parallel with the proliferation of connected IT systems and the trend towards globalisation, so the restriction has particular significance. The principle that personal data should not be transferred outside the European Economic Area, to countries that do not offer adequate protection of personal data, in practice requires data controllers to put in place some form of adequate safeguards this could involve the execution of model contractual clauses between exporter and importer, or putting in place binding corporate rules. Alternatively, in limited circumstances data controllers can instead rely on one of the narrowly construed derogations to the principle, such as consent or performance of a contract. Achieving compliance with the restriction on cross-border transfers presents considerable administrative challenges, and huge costs, for businesses operating across borders. Many (including businesses, data protection authorities and governments) hoped for significant reform of the restrictions on cross-border transfers set out in Directive 95/46/EC (the Directive). However, as this article examines, for the most part the existing regime, and a great many of its flaws, will survive under the proposed Regulation.

2 2 Less than adequate cross-border data transfers under the proposed Regulation May 2012 What happens today? Transfers to third countries are restricted under Chapter IV (Transfer of Personal Data To Third Countries) of the Directive. Article 25 provides that data can only be transferred to a third country where it ensures an adequate level of protection. The adequacy of a country is assessed in light of all the circumstances surrounding a data transfer, by reference to certain criteria, such as the nature of the data and the purpose of the transfers, as well the rules of law in force in the third country and the professional rules and security measures which are complied with in that country. So-called derogations to Article 25 permit transfers to third countries not ensuring adequate protection to take place on condition that: the data subject has given his consent unambiguously; the transfer is necessary for the performance of a contract between the data subject and data controller; the transfer is necessary for the performance of a contract in the interest of the data subject between the data controller and a third party; the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; the transfer is necessary in order to protect the vital interests of the data subject; or the transfer is made from a public register. Adducing adequate safeguards to the protection of personal data may be used as an alternative to relying on a derogation. These can include appropriate contractual clauses, including those prescribed by the Commission (often referred to as model clauses ), which are recognised in the Directive. Other than relying on a self-assessment of adequacy by a data controller, where this is permitted (most member states do not recognise this), this is by far the most commons means employed by businesses operating across borders to legitimise transfers. Although there is arguably no requirement under the Directive to notify or obtain prior authorisation from the supervisory authority in relation to any transfer outside the EEA, this requirement has been introduced across the majority of EU member states, including France and Spain, by virtue of national implementing legislation. These processes can take anywhere between two weeks and more than six months to complete and can be incredibly onerous, for example requiring the production of translations, board minutes or powers of attorney demonstrating the authority of persons to sign, as well as legalisation of documents. Binding corporate rules are not specifically recognised, but have been recognised by the A29 Working Party and by various national data protection authorities and have been approved to legitimise cross-border transfers intra-group by a small and pioneering band of international companies, including Accenture, Citibank, ebay, Hyatt Hotels and JPMorgan.

3 3 Less than adequate cross-border data transfers under the proposed Regulation May 2012 How does the proposed Regulation change this? Cross-border flows of personal data are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred the level of protection should not be undermined. (Recital 78 to the proposed Regulation) It is clear from Recital 78 that the overriding principle behind the restrictions on cross-border transfers remains the same. The new rules on cross-border transfers are set out in Chapter V (Transfer of Personal Data to Third Countries or International Organisations). Harmonisation One of the greatest overall benefits of the new Regulation, harmonisation, should relieve considerably the burden on data controllers undertaking cross-border transfers outside the EEA. For data controllers operating across several EU member states, the diversity of national rules implementing Article 25 currently requires a country specific approach, which can involve undertaking filings in relation to what is effectively a single cross-border transfer with several separate data protection authorities. The introduction of the Regulation, which will be directly applicably across member states, should at least alleviate inconsistencies across jurisdictions. This feature of the Regulation, however, is subject to challenge in some member states, where it is considered that it would constitute an unwelcome (and, potentially, unlawful) dilution of existing national rules. Overall framework The general prohibition on transfers to countries which lack adequacy is replaced with a general prohibition on cross-border transfers except by means of one of three broad mechanisms: (i) reliance on an adequacy decision; (ii) adducing appropriate safeguards ; or (iii) the application of a derogation. This slight re-structuring of the rules is not of much significance.

4 4 Less than adequate cross-border data transfers under the proposed Regulation May 2012 Adequacy The conditions for issuing adequacy decisions have been reformed. They are more specific and now include consideration of: (i) effective and enforceable rights of data subjects, including effective administrative and judicial redress for data subjects; (ii) the existence and effective functioning of an effective supervisory authority in the third country; and (iii) the international commitments the third country or international organisation has entered into. The procedure for making adequacy decisions will be streamlined. The A29 Working Party (the current group of representatives of national regulators) has suggested that it, as the new body representing national supervisory authorities that is to be formed under the Regulation, the European Data Protection Board, should be consulted on adequacy decisions (A29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals, 23 March 2012). In addition, under the Regulation adequacy decisions could be applied to a sector, a territory within a country or an international organisation, as opposed to an entire country. Existing adequacy decisions will remain in force. In addition, the US safe harbor framework will remain in place for the time being at least. The ability of data controllers to self-assess adequacy, which exists at least in some EU member states (including the UK), will be withdrawn. This is a move which has been criticised by the UK Information Commissioner: We would prefer the Regulation to take an approach to international transfers that is very much based on data exporters assessing risk and putting their own arrangements in place for making sure that when they do transfer personal data overseas it continues to be protected to an adequate standard (ICO: initial analysis of the European Commission s proposals for a revised data protection legislative framework, 27 February 2012). The British Bankers Association is also critical of this change: Members feel that where a less prescriptive approach has demonstrably been effective, that undermines the case for requiring a more prescriptive approach, particularly bearing in mind the principles of better regulation (Letter to the Ministry of Justice, 6 March 2012). The impact of the removal of self-assessment of adequacy is likely to hit small and medium sized enterprises the hardest. Appropriate safeguards model clauses Three categories of standard data protection clauses are recognised under the Regulation, specifically those: (i) adopted by Commission the three existing forms of model clauses, approved by the Commission, will remain in force, at least initially; (ii) adopted by supervisory authority (by means of a consistency mechanism); and (iii) ad hoc clauses, which are authorised by a supervisory authority on a case by case basis. The great advantage offered by the Regulation over the existing Directive will be the removal of the requirement to notify, or obtain approval from, a supervisory authority to the use of model clauses in connection with a particular transfer. This should represent a considerable lightening of the administrative burden, and costs, associated with reliance on model clauses.

5 5 Less than adequate cross-border data transfers under the proposed Regulation May 2012 Appropriate safeguards binding corporate rules Binding Corporate Rules (BCRs) are now explicitly recognised by the Regulation. BCRs can apply to processors as well as controllers. However, they will continue to be limited to use within the same corporate group (i.e. no third parties). Although the current proposal provides that they must apply to every member of the controller or processor s group of undertakings, we understand having discussed with the Commission that this was not an intended result so it is likely it will still be possible to ring-fence parts of a corporate group from the application of BCRs. Binding corporate rules must be legally binding, expressly confer rights on data subjects and contain certain minimum contents, including, among other things: (i) the structure and contract details of the group; (ii) details of the transfers (including the categories of data, purposes and countries in question); (iii) the general data protection principles; (iv) details of the rights of data subjects; (v) an assumption of liability by EU established controllers and processors for breaches by other members of the group; (vi) the mechanisms for ensuring verification of compliance with the rules; and (vii) the cooperation mechanism with the supervisory authority, to ensure compliance by the group. BCRs will continue to require authorisation by a lead data protection authority under the Regulation. This has been criticised by the ICO: [We] do not believe that supervisory authorities need to have a role in authorising or approving binding corporate rules (ICO: initial analysis of the European Commission s proposals for a revised data protection legislative framework, 27 February 2012). The requirement for authorisation could well mean that BCRs will remain out of reach for all but the most ambitious businesses, which will generally be larger multi-national enterprises with a sophisticated internal data protection compliance Other appropriate safeguards As an alternative to relying on binding standard contractual clauses, or BCRs, it will be possible to rely on appropriate safeguards not provided for in a legally binding instrument. This is likely to encompass codes of practice or documents with a similar status. Reliance on such an instrument will require prior authorisation by supervisory authority. The A29 Working Party has suggested this provision be deleted, on the basis it considers bindingness (sic) to be an important requirement (A29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals, 23 March 2012).

6 6 Less than adequate cross-border data transfers under the proposed Regulation May 2012 Derogations For the most part, the existing derogations are preserved. If relying on consent to undertake cross-border transfers, not only must that consent be explicit, but the data subject must also be informed of the risks due to the absence of adequacy or appropriate safeguards. If relying on an important public interest, the Regulation clarifies, consistent with earlier A29 Working Party opinions in relation to the Directive, that it must be a public interest provided for in EU law or EU member state law. The Commission may also adopt delegated acts to define the scope of this provision. The derogations have been expanded to include a legitimate interests derogation, which is available in relation to transfers which are not frequent or massive (neither of these terms are defined but they reflect the thinking of the A29 Working Party) and provided the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on the assessment adduced appropriate safeguards, which are documented and notified to the supervisory authority. The data controller must have regard to certain factors, including the nature of the data, the purpose and duration of the proposed processing, as well as other factors. The A29 Working Party has expressed concern at this and other derogations which it deems very wide (A29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals, 23 March 2012). The ICO on the other hand has said they do not understand why this derogation is restricted to transfers which are not frequent or massive, and that it should also apply to ordinary routine transfers provided there is adequate protection (ICO: initial analysis of the European Commission s proposals for a revised data protection legislative framework, 27 February 2012). Sanctions The Regulation provides for the imposition of fines up to EUR 1,000,000, or in the case of an enterprise up to 2% of its annual worldwide turnover, in relation to a data controller that carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation.

7 7 Less than adequate cross-border data transfers under the proposed Regulation May 2012 So what does this mean? What really happens today is that a great many businesses, including many small and medium sized enterprises, likely ignore the restrictions on cross-border data transfers either altogether or to a large extent. Larger or more responsible businesses will endeavour to comply, spending large amounts of resources and money to put in place paper-based structures to meet the requirements of the Directive, but in reality will achieve compliance only some of the time. The benefits to data subjects of their efforts are difficult to perceive. It seems doubtful, notwithstanding the threat of eye-watering fines, whether there will be a shift in approach under the proposed Regulation. The Regulation contains some positive changes: increased harmonisation; the removal of the requirement to file model clauses and obtain approval to undertake transfers; and explicit recognition of BCRs. Some changes which on the surface look significant will in practice make little impact, such as the new legitimate interests derogation, which has provoked the ire of the A29 Working Party but which in its present form cannot be applied to transfers which are massive or frequent and requires notification to the supervisory authority, each of which will considerably undermine its usefulness. Regrettably, the proposed changes merely represent tinkering around the edges by the Commission, which has remained faithful to the existing framework set out in the Directive. This is apparently borne out of the need to strike a compromise between the member states. Most agree that a much more radical overhaul is required, which recognises the practical challenges of compliance with the existing framework properly weighed against the benefits it delivers for data subjects. The proposed cross-border transfers regime under the Regulation remains much too bureaucratic, continuing to focus on paper-based compliance mechanisms such as model clauses, and will likely fail to deliver measurable benefits to data subjects. Nigel Parker is a Senior Associate in the London office of Allen & Overy. Nigel Parker Tel nigel.parker@allenovery.com

8 FOR MORE INFORMATION, PLEASE CONTACT: Belgium Germany Luxembourg Romania Tom De Cordier Counsel, Brussels Tel tom.decordier@allenovery.com Bettina Enderle Counsel, Frankfurt bettina.enderle@allenovery.com Cyril Pierre-Beausse Counsel, Luxembourg cyril.pierre-beausse@allenovery.com Radu Diaconu Associate, Bucharest radu.diaconu@rtprallenovery.com Czech Republic Hungary Netherlands Spain Prokop Verner Senior Associate, Prague prokop.verner@allenovery.com Balázs Sahin-Tóth Counsel, Budapest balazs.sahin-toth@allenovery.com Hendrik Jan Biemond Partner, Amsterdam hendrikjan.biemond@allenovery.com Rafael Beneyto Associate, Madrid rafael.beneyto@allenovery.com France Italy Poland Slovakia Ahmed Baladi Partner, Paris ahmed.baladi@allenovery.com Lydia Mendola Senior Associate, Milan lydia.mendola@allenovery.com Magdalena Bartosik Senior Associate, Warsaw magdalena.bartosik@allenovery.com Zuzana Hecko Associate, Bratislava Tel zuzana.hecko@allenovery.com UK UK UK UK Jane Finlayson-Brown Partner, London Tel jane.finlayson-brown@allenovery.com Mark Mansell Partner, London Tel mark.mansell@allenovery.com Nigel Parker Senior Associate, London Tel nigel.parker@allenovery.com Charlotte Mullarkey Senior PSL, London Tel charlotte.mullarkey@allenovery.com This note is for general guidance only and does not constitute definitive advice. In this document Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. Any reference to a partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP s affiliated undertakings. Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Athens (representative office), Bangkok, Beijing, Belfast, Bratislava, Brussels, Bucharest (associated office), Budapest, Casablanca, Doha, Dubai, Düsseldorf, Frankfurt, Hamburg, Hong Kong, Jakarta (associated office), London, Luxembourg, Madrid, Mannheim, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Riyadh (associated office), Rome, São Paulo, Shanghai, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. I CS1204_CDD-2688_ADD