European data protection law proposals revealed

A draft of Europe's upcoming data protection laws is revealed for the first time.
Written by Zack Whittaker, Contributor

Draft legislation, which will pave the way for the new European Data Protection Directive, is set to be announced in January.

After two years of researching the reach and breadth of the USA PATRIOT Act, particularly how the U.S. government can access European data, the draft legislation will include measures to counteract how U.S. law enforcement acquires data from Europe covertly.

Gordon Frazer, managing director of Microsoft UK, told ZDNet nearly six months ago that "no company" could guarantee that European data will not leave Europe under any circumstances, even under a request by the Patriot Act.

Frazer's admission validated over a year's worth of research.

The European Parliament was furious at Frazer's admission. This outrage led members of the European Parliament (MEPs) to ask questions of the European Commission, Europe's executive body, in a concerned bid to clarify the current data protection laws.

Viviane Reding, vice-president of the European Commission for Justice, Fundamental Rights and Citizenship, announced last month that the Commission would seek to update the data protection laws. Little detail was given besides a proposed date: the law would be unveiled in January 2012.

In an exclusive, ZDNet can now reveal that the current European Data Protection Directive (95/46/EC) will be repealed, and the draft legislation once ratified will replace current data protection laws across the 27 member states.


Two drafts of legal instruments, prepared by the European Commission's Directorate-General for Justice, Francoise Le Bail, entered inter-service consultation. This process gives other Commission executives the opportunity to comment and amend the drafts before they are formally released.

The EU legislative process can take two or three years before the draft legislation becomes law. The current directive was ratified in 1995, but took an additional three years before the 27 member states of the European Union enacted the law into their own legal system.

European sources say that Reding will announce the final 116-page version of the drafts at the World Economic Forum in January 2012.

There are two draft documents:

  • The General Data Protection Regulation will allow the free flow of data and the protection of individuals.
  • The Police and Criminal Justice Data Protection Directive gives rights to those who work in law enforcement, for the purposes of prevention, investigation, detection or prosecution of criminal offenses.

A harsh set of measures lies ahead for businesses working within the confines of Europe. Companies, even if they are headquartered in the U.S. or another third country to Europe, could face severe financial repercussions if they are found to break the new legislation.

The regulation will become applicable in all 27 member states immediately. The directive will need to be transposed into member states' law through local parliaments.

Highlighted in the draft legislation, we find:

  • As the regulation would be top-down from Brussels, the home of the European legislative bodies, it will provide near-complete harmonization of all future data protection laws.
  • The regulation would also make companies with operations in multiple European member states subject to the jurisdiction of a single state's legal system, including its data protection laws. The designated headquarters of their European office determines which state that is.
  • Data processors, such as Microsoft and Google, who merely store and manage data through their services, will be under many of the same obligations as data controllers, such as businesses and universities that own data.
  • Both data controllers and data processors will be made to sign an agreement allocating equal responsibility for data between them. Should an agreement not be made, both parties would be jointly responsible for all processing, and any data loss or privacy breaches.
  • Companies based outside Europe, such as in the United States, will continue to be subject to European law if they have a European-based office or European customers.
  • Opt-in consent will be made obligatory. This relates mostly to data processing for marketing, and will require explicit consent from the data owner before companies can perform such actions.
  • The "right to be forgotten" will be sanctioned by Brussels. Though this has come up against criticism from the UK's data protection authority, measures will be put in place to allow European citizens to have their data deleted by private companies.
  • If a company suffers a data loss or breach, both the data protection authority and the individuals must be informed within 24 hours of discovering the breach.
  • For public sector companies, or any company with more than 250 employees, internal data protection officers would be mandatory.
  • The Article 29 Working Party will be renamed to the "European Data Protection Board", which would be the executive body of all member states' data protection authorities.
  • The Commission will be granted the power to issue interpreting provisions of the regulation, allowing member states to delegate high-level cases directly to the European powerhouse.

One more thing:

  • The reforms will effectively replace EU/U.S. Safe Harbor regulations, and instead companies will be issued "adequacy" statements, allowing European companies to transfer data to their non-European counterparts.

This would make it illegal for the U.S. government, for example, to invoke the Patriot Act on a company like Microsoft or Google, or any other cloud-based or data processing company, in an effort to acquire data held in the UK. The member state's data protection agency with authority over the company's European headquarters would have to agree to the data transfer.

If any of these rules are broken, member states' data protection authorities will be able to impose sanctions, which can range up to a maximum of 5 percent of a company's annual worldwide turnover.

As of June this year, Microsoft could be fined up to around $1.1 billion per incident, if it were found to be in breach of the draft data protection legislation. Google could equally be fined $430 million per breach.

Some MEPs are calling for immediate changes to the law.

Dutch MEP and vice-chair of the European Parliament’s Civil Liberties, Justice and Home Affairs committee, Sophie in 't Veld, argues that two or three years for the draft legislation to be ratified is too long.

In 't Veld, along with a number of other MEPs, is seeking emergency legislation to prevent the U.S. government accessing European data through the Patriot Act 'loophole'.
