Data Protection Masterclass: The New Draft EU Data Protection Regulation

London, September 19, 2012
Ann Bevitt & Karin Retzer
EU Data Protection Proposals: Where we are with the Draft Regulation
How did we get here?
• Current framework governed by 1995 EU Data Protection Directive
• Amendments required to address challenges resulting from globalization and
technical advances
• Need for greater harmonization across Member States
• On January 25, 2012, the Commission proposed two new draft laws
• Draft Regulation on the protection of individuals with regard to the processing of
personal data and on the free movement of such data (General Data Protection
• Draft Directive on the protection of individuals with regard to processing of
personal data for the purpose of crime prevention and investigation
The Key Players
• The European Commission (Commission)
• Composed of 27 Commissioners and administrative staff
• Proposes draft laws
• The Council of the European Union (Council)
• Composed of ministerial-level representatives from each EU Member State
• Adopts laws, sometimes alone and sometimes jointly with the European
• The European Parliament (EP)
• Composed of directly elected members
• Adopts EU laws together with the Council
How does it work?
• How is the Draft Regulation going to be adopted?
• Commission published Draft Regulation and sent it to the EP and the Council
• The EP and the Council may propose amendments and work on their own
versions of the text
• Institutions have regular exchanges to align their position; Commission assists the
• To be adopted, the Regulation must be jointly approved by the Council and the EP – both must agree on the same text
• Will there be any changes to the Draft Regulation before it is
• Changes are very likely because the EP and the Council must achieve
Council’s Position
• Formal note from July 2012 includes comments from 20 Member
• Preference for Directive over Regulation – Member States want more flexibility in their law-making
• Call for more clarification on application to organizations established outside the
EU and on the place of main establishment
• Call for clearer definitions
• Criticism of high administrative burdens and unrealistic obligations, in particular
breach notification obligations, documentation of processing, mandatory DPOs
• Call for revision of mandatory imposition of sanctions
Council’s next steps
• Experts from Member States are discussing the Draft Regulation in a
dedicated working group
• First exchange between ministers due December 6-7, 2012
• Ministers to discuss outstanding issues where the working group cannot reach a
common position
• Several Member States demand more discussions; adoption of the
Regulation (or a Directive) may be a long way off
Parliament’s Position
• Responsible Committee
• Jan Philipp Albrecht
• MEP responsible for leading discussions in the EP and preparing EP’s position
• Supports Regulation as legislative instrument
• Calls for strong rules on DPOs, impact assessments, general data
breach notification, DPA powers, and severe sanctions for breaches
• Calls for clarification of rules on discovery requests from foreign
authorities, profiling of individuals, and technology-neutral rules for
data protection by design and by default
• Calls for adoption of Draft Regulation and Draft Directive on data
protection in criminal investigations in parallel
Parliament’s next steps
• September 19, 2012: Second exchange of views
• October 2012: Publication of Rapporteur’s working document
• October 9-10, 2012: Meetings with national parliaments
• November/December 2012: Publication of draft Report
• January/February 2013: Discussion and amendment of text
• February 2013: Discussion with other committees
• March/April 2013: LIBE votes on text
• During the course of 2013: Discussion with the Council
• Unclear – but likely to be before summer 2014: EP’s final vote
Entry into Force
• When is the Draft Regulation going to enter into force?
• Once adopted, Regulation will not require implementation and will be directly
• Regulation provides for transition period of 2 years following publication
Reading Materials
• Commission’s proposal for a Regulation
• Commission’s proposal for a Directive
• Albrecht’s Working Document
• Formal Note from the Council July 18, 2012
• Parliament’s procedure file
EU Data Protection Proposals: The Business Perspective
The global dimension
• How will the new Draft Regulation affect companies based outside
the EU?
• Will cross border transfers be easier?
• Will BCRs replace the Model Clauses?
• Will the Regulation have positive implications for cloud computing?
• What about compliance with foreign law obligations, like SOX or
FCPA? What about the foreign discovery process?
Improvements for companies
• How might the Regulation improve things for companies?
• What about the concept of main establishment? How does it work,
and will it apply to non-EU companies?
• Will the legal interpretations be more consistent across Member
Challenges for companies
• So, what challenges and problematic issues does the Regulation
• What about the cost of compliance? Will companies have to allocate
more resources?
• Will companies have to appoint DPOs?
• How would the Regulation affect data processors?
Challenges for companies (2)
• How about handling HR data? Will it be easier for employers?
• Will there be any specific implications for certain sectors?
• What does data protection “by design” and “by default” mean in
• Will all data security breaches need to be notified? What about
breaches by non-EU companies?
