Privacy Regulation; drastic changes to come

For a long time the topic of privacy was not too high on the agenda of many organisations. This will change when the proposed new EU Privacy Regulation (hereafter ‘the Regulation’) comes into force. The Regulation is now being discussed by the European Parliament and is expected to come into force in 2015-2016. Although the contents are not definitive yet, it is clear that the Regulation will imply a number of drastic changes. In this news item we will discuss the most important modifications and their practical implications for organisations.

Current situation
At this moment Directive 95/46/EC is important for Dutch privacy legislation. This directive was implemented in 2000 in the Law for the protection of personal data (Wet bescherming persoonsgegevens, the Wbp). Among other things the Wbp regulates:

  • the disclosure obligations (and exemption from reporting) of personal data processing organisations to the CBP
  • the collection and processing of personal data
  • the rights of the parties involved

The Dutch Data Protection Authority (the College Bescherming Persoonsgegevens, CBP) is responsible for the supervision of the compliance with the requirements from the Wbp and for any necessary enforcement. Internally the responsibility for privacy compliance is often the task of a compliance officer or of legal affairs, but there are also organisations with a so-called privacy officer; someone who is specifically responsible for privacy.

EU Privacy Regulation
The publication of the proposal for the Regulation at the beginning of 2012 caused a great commotion in the world of privacy and personal data. The first striking aspect is that it is a regulation replacing Directive 95/46/EC, not a new directive. Unlike a directive, a regulation has direct effect and is for that reason directly applicable in all member states. The choice for a regulation is understandable from a harmonisation perspective; this way actual differences in interpretation are largely circumvented.

Main topics of the Regulation
Hereafter we will focus on a number of the most important proposals arising from the Regulation and indicate which consequences they have for organisations handling personal data.

One authorised supervisor
This proposal is particularly important to, and an important improvement for, organisations that handle personal data in more than one member state. In this case the organisation will only have to deal with one supervisor, situated at the ‘main establishment’, in other words where the central administration of the organisation is based. Criteria have been included in the Regulation to determine where the ‘main establishment’ resides. For organisations this means that the ‘main establishment’ must be equipped to comply with the new requirements of the Regulation.

New rights for the individual
The Regulation introduces a new right for the individual: ‘the right to be forgotten’. This right implies that an organisation has to delete personal data in some cases and has to refrain from its further distribution. The individual can make use of this right when:

  • The need to keep the personal data for the original purpose of collection no longer exists;
  • The individual withdraws his or her consent;
  • The individual objects to the processing, or;
  • The organisation no longer complies with the stipulations of the Regulation.

Organisations will need to take a close look at how they process and store data and at how they can delete data permanently.

Besides the right to be ‘forgotten’, another new right for the individual is the ‘right to data portability’. On the basis of this proposal the individual can ask an organisation for a copy of the personal data obtained or for the transfer of his or her personal data, for instance exporting personal data to another responsible party (e.g. when someone switches over to another provider). The condition that applies here is that the individual gave the data him- or herself and that the transfer takes place on the basis of an agreement or with consent of the individual. Organisations will have to determine which personal data are provided by the individual him- or herself and adjust procedures accordingly, so that data provided by the individual may only be transferred with the individual’s consent or on the basis of an agreement.

Privacy Policy
The Regulation stipulates that a responsible organisation must have a privacy policy and also covers what aspects need to be incorporated in the policy. For instance, an organisation at least should have a policy concerning the technical and organisational measures for the protection of personal data, the privacy officer and the storage of data. For organisations it is important to evaluate and adjust their existing privacy policy to the new requirements of the Regulation in good time.

Information obligation
The Regulation contains a very detailed description of the information an organisation needs to give to the individual with regard to the processing of personal data. In particular with regard to the rights of the individual, for instance the right to request access and erasure, the organisation is obliged to explicitly and clearly inform the individual. This modification implies that organisations need to evaluate and adjust their privacy policy and statements.

Reporting obligation data leaks
For so-called ‘data leaks’ a reporting obligation will apply. The Regulation gives a broad definition of data leaks; in fact each incident where data are lost, destroyed, made accessible or spread without consent. Such leaks need to be reported to the supervisor within 24 hours.

Privacy officers
As noted before some organisations already have a ‘privacy officer’. The Regulation introduces the obligation to appoint such an officer for organisations with more than 250 employees. The tasks of this officer consist, among other things, of the supervision of the compliance with the stipulations of the Regulation, the implementation of the privacy policy and the protection of personal data. Organisations with more than 250 employees will have to search for an appropriate candidate in time, internally or externally, and draw up a clear job description for the officer.

One of the most important changes in the Regulation concerns the enforcement capabilities of supervisors. Based on the draft Regulation, supervisors (the CBP in the Netherlands) are able to impose (high) fines in the event of infringement of the stipulations of the Regulation. Examples of infringements punishable by fines include:

  • Incomplete or late informing of involved parties;
  • Not reporting or incomplete reporting of data leaks;
  • Requesting compensation for providing information concerning involved parties, or;
  • Not complying with the request for erasure of information or not providing the information requested by the involved party.

At this moment the CBP may only impose administrative fines up to a maximum of 4,500 Euros. The fines that supervisors may impose on the basis of the Regulation are however considerable; with a maximum fine of € 1 million or 2% of the annual worldwide turnover.

The Regulation uses a differentiated fining system; different fines for different infringements. This enables the supervisor to impose a fine of a maximum of 250,000 euro or 0.5% of the annual worldwide turnover in the event of an infringement of the stipulations concerning the information duty of the involved parties. The highest category of fines mentioned earlier applies when an organisation processes personal data without a legal basis. In some cases the supervisor may first issue a warning when an organisation unintentionally commits an infringement for the first time.

To conclude
As noted the proposal is currently under discussion in the European Parliament and it is possible that it will still be adjusted where appropriate. However, it is already clear that there will be major changes in the field of privacy. Based on the Regulation, the obligations of organisations will increase considerably. In addition, the supervisors will be able to take enforcement measures earlier and with higher sanctions.

Therefore the organisations responsible need to take a serious look at the implications the Regulation will have for them. As said, the draft Regulation is now being discussed by the European Parliament, which will then vote on it. After approval by the Parliament the proposal must also be approved by the European Council. When the Regulation is adopted it will come into force two years later; the Regulation is therefore expected to come into force in 2015-2016. It should also be noted that, in spite of the direct effect of the Regulation, the authorised supervisor still has to be appointed by the national legislator, which also has to implement the possible use of enforcement measures into Dutch law. Actions that still need to be taken by organisations when the Regulation has been adopted include:

  • Impact analysis of the organisation’s management.
  • Risk analysis with a description of the management/control measures.
  • Adjustment, completion or drawing up of the privacy policy.
  • Adjustment of the relevant processes and procedures to comply with the new obligations and periodic evaluation of the policy.
  • When appropriate, the appointment of a privacy officer.
  • Training and tuition of all employees dealing with privacy.

Charco & Dique
We will continue to follow developments regarding this Regulation and will return to the topic when there are further developments. If you would like to know more about this subject, the layout of an impact analysis or the drawing up, adjustment and implementation of a policy in the field of privacy, then Charco & Dique will be pleased to assist you.

For more information please contact Charco & Dique on 020-4165403 or send an email to: