10 things you need to know about Europe’s coming data protection reforms


7 Sep 2015

Mason Hayes & Curran identify 10 things online businesses need to know about data-protection reform. Photo via igor.stevanovic/Shutterstock

Mason Hayes & Curran outlines 10 things any business dealing with the personal information of Europeans should know about proposed changes to data protection legislation.

When it was first announced, we looked at the European Commission’s proposals for reform of the EU data protection regime. There are now two proposals in place:

  • A General Data Protection Regulation (GDPR)
  • A directive which will address law enforcement matters

The GDPR has been gathering momentum in recent months. The EU Council adopted its general approach to the draft legislation on 15 June 2015. This created the impetus for ‘trilogue’ discussions beginning between the Commission, the Council and the Parliament.

Two initial meetings were held in June and July. Discussions will resume in earnest this month and lead negotiators have set a notional target for the adoption of the GDPR by the end of 2015. However, it is likely that this may slip into early next year.

Thoughts of the A29WP

The Article 29 Working Party (A29WP) is an independent advisory body composed of representatives of national data protection authorities (DPAs). It is tasked with safeguarding data-protection rights of EU citizens and residents.

The A29WP wrote to representatives of the European Commission, Council and Parliament in June. It attached a document setting out its thoughts on key issues in the debate over the GDPR.

We’ve set out below ten things that any individual or business operating online needs to know about the A29WP’s views.

The scope of the directive

1. Definition of personal data: ‘Personal data’ should be defined broadly. The concept of ‘identifiability’ should include the capacity to single out an individual. Reflecting recent Court of Justice of the European Union rulings, IP addresses and other online identifiers should be considered personal data.

2. Territorial scope: The GDPR should cover non-EU processors, where they act on the instructions of EU controllers.

3. Household exemption: The household exemption – which exempts the processing of personal data by an individual for personal, family or recreational reasons from data protection compliance – should be interpreted restrictively. It should apply to purely household activities only.

The role of national DPAs

4. Enforcement: DPAs should be given powers of enforcement to include the suspension of processing and significant fines.

5. One-stop shop approach: This approach, which would allow organisations to deal with only the DPA of their country of main establishment rather than many DPAs across the EU, should be retained. However, amendments relating to DPA co-operation and proposals that citizens can seek effective remedies in the courts of their member state should be supported.

Substantive issues

6. Consent: Data subjects’ informed consent must be obtained for a specific purpose with opt-in and opt-out provisions. Broad or generic consent is not acceptable.

7. Pseudonymisation: Pseudonymisation is to be recommended as a security measure. However, it should not be introduced as a new category of data that is regulated less rigorously than personal data.

8. Transfers: Justifying transfers to non-EU countries on the basis that such transfers are in the legitimate business interests of the data controller should be strictly exceptional.

9. Portability: Data portability ought to be a separate and independent new right for data subjects.

10. Profiling: Current drafts of the GDPR are insufficient to address profiling. Profiling means automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person. Specific provisions relating to the purposes for which profiles may be created and specific information obligations should be added to the GDPR.

We’ve only just begun

The next few months will determine the shape of European privacy regulation for the foreseeable future. It remains to be seen if the tough positions advocated by A29WP will make it into the final legislation. However, this is an issue that any business which uses the personal information of Europeans should follow closely.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.

Image by igor.stevanovic via Shutterstock