Analiza Data Protection Regulation

The document discusses the proposed EU Data Protection Regulation. It provides background on the historical milestones that led to the proposal, including issues with the previous directive-based approach. A regulation is proposed instead of a directive to provide a single set of rules that applies uniformly across EU member states. Key aspects of the proposed regulation are also outlined, including scope, protected data, rights and obligations.

Uploaded by

Olga Tumuruc

Reprinted with permission from Aspen Publishers, Inc., from the two-volume treatise Global Privacy
& Security Law by Francoise Gilbert, [Link], published by Aspen
Publishers, Inc. – Wolters Kluwer Law and Business (800-638-8437)

Chapter 6A
PROPOSED EU DATA PROTECTION REGULATION
Francoise Gilbert1

§6A.01 Background
[A] Historical Milestones
[B] A Regulation, Not a Directive
[1] Shortcomings of Directives
[2] Benefits of Regulations

§6A.02 Overview of the Proposed Regulation

§6A.03 Scope of the Proposed Regulation


[A] Material Scope
[B] Territorial Scope
[1] Processing by an EU Entity
[2] Processing by a Foreign Entity

§6A.04 Protected Information


[A] Personal Data
[B] Special Categories of Data
[1] Data of Children Under 13
[2] Biometric Data
[3] Sensitive Data
[4] Additional Exceptions

1
© 2012 IT Law Group – All Rights Reserved. Francoise Gilbert, JD, CIPP/US, focuses her legal practice
on information privacy and security, cloud computing, and data governance. She was voted one of the
country’s top legal advisors on privacy matters in a recent industry survey and, for several years, has been
recognized by Chambers, Best Lawyers, and Ethisphere as a leading lawyer in the field of information
privacy and security. Gilbert is the author and editor of the two-volume treatise Global Privacy &
Security Law (2,900 pages; Aspen Publishers, Wolters Kluwer Law and Business)
([Link]), which analyzes the data protection laws of 65 countries on all continents.
She is the managing attorney of the IT Law Group ([Link]) and serves as the general
counsel of the Cloud Security Alliance. She also keeps a blog on domestic and international data privacy
and security issues ([Link]) and is a contributing expert to
[Link].
She can be reached at (650) 804-1235 or fgilbert@[Link]

§6A.05 Protected Individuals

§6A.06 Covered Activities

§6A.07 Entities Subject to the Regulation

§6A.08 General Rules Governing Personal Data Processing


[A] Basic Principles
[B] Specific, Informed and Explicit Consent

§6A.09 Obligations of Controllers and Processors


[A] Accountability
[B] Data Protection by Design and by Default
[1] Data Protection by Design
[2] Data Protection by Default
[3] More to Come
[C] Data Protection Impact Assessment
[D] Joint Controllers
[E] Data Processors

§6A.10 Rights of the Data Subjects


[A] Transparency and Better Communication
[B] Right of Information
[C] Right of Access
[D] Right of Rectification
[E] Right to Object to the Processing
[F] Right not to be Subject to Measures Based on Profiling
[G] Right to be Forgotten and Right to Erasure
[H] Right to Data Portability

§6A.11 Security and Confidentiality


[A] Obligation to Provide Adequate Security
[B] Security Breach Disclosure
[1] Notification of the Data Protection Supervisory Authority
[2] Notification to the Data Subjects

§6A.12 Transfer of Personal Information out of the Country


[A] General Principles for Transfers
[B] Binding Corporate Rules

§6A.13 Documentation Requirements; Supervision by Data Protection Authority


[A] No More Notification Requirement
[B] Documentation Requirement
[C] Cooperation with Supervisory Authority
[D] Main Establishment
[E] Consultation and Authorization

§6A.14 Data Protection Officer

§6A.15 Complaints, Judicial Remedies


[A] Right to Lodge a Complaint with a Supervisory Authority

[B] Judicial Remedy against Data Controllers or Processors
[C] Judicial Remedy against Supervisory Authorities
[D] Class Action-Like Initiatives

§6A.16 Damages and Sanctions


[A] Individuals’ Right to Compensation
[B] Significant Penalties

§6A.17 Data Protection Supervisory Authority


[A] General Rules of Operation
[B] Cooperation and Consistency

§6A.18 European Data Protection Board

§6A.19 Possible Divergence among Member States?


[A] Is Uniformity Possible?
[B] Ability to Create Additional Restrictions
[C] Privacy and Freedom of Expression
[D] Special Data Processing Situations
[E] Operation of the Data Protection Supervisory Authorities
[F] Penalties

§6A.20 Next Steps

§6A.01 BACKGROUND
On January 25, 2012, the European Commission published a series of legislative texts
that are intended to create a new data protection framework as part of a sweeping reform of the
protection of personal data processed by private and public entities. One of these texts is a
proposed General Data Protection Regulation on the protection of individuals with regard to the
processing of personal data and on the free movement of such data (Proposed Regulation).2 This
proposed document is intended to supersede Directive 95/46/EC. Before delving into the detailed
analysis of the provisions of the Proposed Regulation, it is important to look at the historical
background and the unique rules of operation of the European Union. Both of these explain the
choices made, and the intent of the drafters.

[A] Historical Milestones


Since its creation, the European Union has functioned as a group of countries operating
under a set of rules that attempted to be consistent with each other, in order to ease the flow of
people and goods among the Member States. This was achieved by adopting directives and
requiring the Member States to implement these directives in their national laws. When
implementing the directives, each Member State, in fact, retained – or elected to take – a lot of
independence and autonomy in using their own words to implement the directives in their
national laws. While this strategy allowed establishing a sense of unity among countries that had
different cultures, history and personalities, it ended up creating a patchwork of national laws that
had some resemblance to the base directive, but also their own personality – at times very
different personalities and requirements. These inconsistencies and discrepancies created a
difficult setting for companies operating in several Member States.

2 [Link]

The ratification of the Treaty of Lisbon in late 2009 was a very important milestone in the
morphing of the European Union as a united power.3 It marked a critical step in the evolution of
the Union, creating deep changes in its rules of operation, increasing the power of the European
Commission and the European Parliament, removing the three-pillar system that fragmented the
operations, and moving the federation into a closer, tighter structure. With the Treaty of Lisbon,
the European Union moved towards more cohesion, more consistency, and more unity.

Shortly after the ratification of the Treaty of Lisbon, in November 2010, taking advantage
of the new structure and new expanded powers, the European Commission announced its intent to
reform the data protection regime in effect in the European Union and detailed its plans and goals
in a lengthy document. The document, Communication (COM) 609,4 outlined its plan to reform
the data protection regime in the European Union to take advantage of the new structures created
by the Treaty of Lisbon and to take into account the numerous major technological changes and
cultural changes of the recent years.5 Most of the key elements described in the November 2010
document that presented the blueprint for the reform are found in the proposed legislative texts
that were published in January 2012, and especially in the Proposed Regulation on the
protection of individuals with regard to the processing of personal data.

One of the concerns stressed in Communication 609 was the lack of harmony and
consistency between the national data protection laws adopted by the 27 Member States.
Communication 609 stressed that it was necessary to enhance the internal market dimension, and
that there were significant divergences between the national data protection laws in a large number of
sectors. These divergences were hampering the free flow of personal data and created legal
uncertainties both for the individuals and for the custodians of personal data. The Commission
stressed in particular that it intended to explore different possibilities for harmonization and
simplification. It also indicated that it wished to provide the EU data subjects with the same level
of protection regardless of the geographic location of the data controller.

[B] A Regulation, Not a Directive


With this background in mind, it is logical that the European Commission found that a
“regulation,” as opposed to a “directive,” was the most appropriate legal instrument to define the
new framework for regulating the processing of personal data by companies and government
agencies in their day-to-day operations. Given the legal nature of a regulation under EU law,
relying on a data protection regulation instead of a directive to establish a single rule that applies
directly and uniformly makes sense.

3 On the Treaty of Lisbon, see Chapter 4, “The Byzantine Process of European Data Protection Law
Making”; see also [Link]
4 See Chapter 5, §5.05 “2010 Plan to Overhaul the Privacy Framework.”
5 [Link]
[Link].

[1] Shortcomings of Directives
For a long time since the creation of the European Union, directives have been used to
bring different national laws in-line with each other. However, directives prescribe only an end
result that must be achieved in every Member State. The form and methods of implementing the
principles set forth in a directive are a matter for each Member State to decide for itself. Once a
directive is passed at the European Union level, each Member State must implement or
“transpose” the directive into its legal system, but can do so in its own words. A directive only
takes effect through national legislation that implements the measures.

The current data protection regime, which is based on a series of directives – in
particular, Directive 95/46/EC, Directive 2002/58/EC (as amended) and Directive 2006/24/EC –
has proved to be very cumbersome due to the significant discrepancies between the
interpretations or implementations of each directive that were made in the various Member States.
When developing or revising their data protection laws to implement the data protection
directives, the 27 Member States created a patchwork of 27 rules with different structures,
different wording, and different basic rules. Some countries were very slow in implementing
some of the directives. This fragmentation creates a significant burden on businesses, which are
forced to act as a chameleon, and adapt to the different privacy rules of the countries in which
they operate, or risk retaliation by the local or national data protection supervisory authorities.

[2] Benefits of Regulations


EU regulations are the most direct form of EU law. A regulation is directly binding upon
the Member States and is directly applicable within the Member States. As soon as a regulation is
passed, it automatically becomes part of the national legal system of each Member State. There is
no need for the creation of a new legislative text.

Because a regulation is directly applicable, as is, in the Member States, by adopting a
Regulation for most data protection matters, the EU Commission intends to equip each of its
Member States with the same basic legal instrument that applies uniformly to all companies, all
organizations, and all individuals throughout the entire territory of the Union. The choice of a
regulation for the new general regime for personal data protection is intended to provide greater
legal certainty by introducing a harmonized set of core rules that will be the same in each
Member State.

§6A.02 OVERVIEW OF THE PROPOSED REGULATION
The proposed provisions are laid out in a 119-page draft document. Among the most
significant changes, the Proposed Regulation would change the rules for consent to require that
there be an “explicit” consent. It would introduce some new concepts that were not in Directive
95/46/EC, such as the concept of breach of security, the protection of the personal information of
children, the generalized use of binding corporate rules, the special status of health information,
and the requirement that most corporations and government agencies hire a data protection
officer. The Proposed Regulation would also require companies to conduct privacy impact
assessments, to implement “Privacy by Design” rules, and to ensure “Privacy by Default” in their
applications and products. Individuals would have greater rights, such as the “Right to be
Forgotten” and the “Right to Data Portability.” Some of the key components of the Proposed
Regulation are discussed below.

§6A.03 SCOPE OF THE PROPOSED REGULATION


The material scope of the Proposed Regulation would generally be similar to that which
currently exists – but for the fact that the Regulation would apply directly in each Member State.
However, the territorial scope would be slightly extended. The Proposed Regulation makes it
clear that its provisions would apply, as well, to certain foreign entities.

[A] Material Scope


Under Articles 1 and 2 of the Proposed Regulation, the new Regulation would govern the
processing of personal data wholly or partly by automated means, and the processing other than
by automated means of personal data that form part of a filing system or are intended to form part
of a filing system. The processing of personal data by a natural person without any gainful
interest and in the course of its own exclusively personal or household activity would be outside
the scope of the Regulation, as this is the case currently under the 1995 Directive.

The Regulation would also not apply to the processing of personal data:

• In the course of activities that fall outside the scope of Union law, such as national
security;
• By the Union institutions, bodies, offices and agencies;
• By the Member States when carrying out activities that fall within the scope of the rights
reserved to the States;
• By competent authorities for the purposes of prevention, investigation, detection or
prosecution of criminal offenses or the execution of criminal penalties.

[B] Territorial Scope


The provisions pertaining to the territorial scope of the proposed document make it clear
that the Regulation is also intended to apply to entities that are not located on the EU territory, but
whose activities pertain to, or directly affect, EU citizens.

[1] Processing by an EU Entity


The Regulation would apply to the processing of personal data in the context of the
activities of an establishment of a controller or a processor in the Union.6

6 Proposed Regulation, Art. 3(1).

[2] Processing by a Foreign Entity


The Regulation would also apply to the processing of personal data of data subjects residing in
the Union by a controller that is not established in the Union, if the processing activities are
related to:7

• The offering of goods or services to such data subjects in the Union; or
• The monitoring of their behavior.

The Regulation would also apply to the processing of personal data by a controller that is
not established in the Union, if the processing occurs in a place where the national law of a
Member State applies by virtue of public international law.8

§6A.04 PROTECTED INFORMATION


The Proposed Regulation would distinguish personal data in general, from data of a more
sensitive nature, as this is the case under the 1995 Directive. Several additional categories of
personal information would receive specific attention, such as personal data pertaining to
children.

[A] Personal Data


The data to be protected would be the same as those protected under the 1995 Directive.
The term “personal data” is defined as “any information relating to a data subject.”9

As generally understood under the 1995 Directive, a “data subject” would be an
identified natural person or a natural person who can be identified, directly or indirectly, by
means reasonably likely to be used by the controller or by any other natural or legal person, in
particular by reference to an identification number, location data, online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that person.10 The definition introduces the concept of “genetic data.”

[B] Special Categories of Data


While the basic definition of personal data would remain, the rules that apply to special
categories of data or special categories of processing would be expanded. In the January 25, 2012
draft, these rules are found in Articles 8 through 10 and in Articles 80 through 85.

[1] Data of Children Under 13


The new Regulation would introduce the concept of the protection of children’s information.
Article 8 sets out the conditions for the lawfulness of the processing of data about children in
relation to information society services directly offered to them. The term “child” would be
defined as an individual less than 13 years of age.

7 Proposed Regulation, Art. 3(2).
8 Proposed Regulation, Art. 3(3).
9 Proposed Regulation, Art. 4(2).
10 Proposed Regulation, Art. 4(1).

[2] Biometric Data
Biometric data would require special attention. If the processing would involve personal
data in large scale filing systems that include biometric data, a data protection impact assessment
would be required to ensure that the processing is strictly limited to the activities permitted under
the Regulation.11 The term “biometric data” is defined to include any data relating to the physical,
physiological or behavioral characteristics of an individual that allow their unique identification,
such as facial images, or dactyloscopic data.12

[3] Sensitive Data


The definition of “sensitive data” would be expanded to include genetic data, and criminal
convictions or related security measures.13

The notion of what constitutes “sensitive data” would continue to be significantly different
from that which is used in the United States. In the United States, data that are generally
identified as “sensitive” tend to be those that would result in identity theft in case of a loss or
breach of security; for example, credit card or driver’s license information. In the European
Union, the data that are deemed “sensitive” are those that might cause embarrassment or intrusion
into a person’s intimacy if the data were lost or exposed (for example, information about health or
sexual preference) or that may cause discrimination or retaliation (for example, information about
religion or trade union membership).

[4] Additional Exceptions


Articles 80 to 85 would provide additional rules with respect to certain categories of
processing. Some of these categories of data, such as health data or data collected by churches
were not specifically regulated under Directive 95/46/EC. The special categories would include
processing of personal data for:

• Journalistic purposes (Article 80);
• Health purposes (Article 81);
• Use in the employment context (Article 82);
• Historical, statistical or scientific purposes (Article 83);
• Access by a DPA to personal data and premises where data controllers are subject to an
obligation of secrecy (Article 84); and
• Churches (Article 85).

For these specific types of data, Member States would have the freedom to enact their
own laws, consistent with their own culture and past practices.

11 Proposed Regulation, Art. 33(2)(d).
12 Proposed Regulation, Art. 4(11).
13 Proposed Regulation, Art. 9.

§6A.05 PROTECTED INDIVIDUALS
The protected individuals would be people in general or “data subjects,” with special
rules for the protection of children under 13. Individuals are protected to the extent that they are
an “identified natural person or a natural person who can be identified,” directly or indirectly, by
means reasonably likely to be used by the controller or by any other natural or legal person, in
particular by reference to an identification number, location data, online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that person.14

§6A.06 COVERED ACTIVITIES


As is the case under the 1995 Directive, the covered activities would be the different
forms of processing. The term “processing” retains its existing, very broad definition. Under
Article 4(3) of the Proposed Regulation, “processing” would be defined to include any operation
or set of operations that is performed upon personal data or sets of personal data, whether or not
by automated means, such as collection, recording, organization, structuring, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
making available, alignment or combination, erasure or destruction.

§6A.07 ENTITIES SUBJECT TO THE REGULATION


As under the 1995 Directive, the two categories of entities that are primarily the subject
of the Regulation are the data “controller” and the data “processor.” However, under the Proposed
Regulation, the obligations and liabilities of the processors would be significantly increased. The
Proposed Regulation would significantly reduce the distinction between controller and processor.
The data processors would be subject to almost the same obligations as the data controllers and
would be exposed to the same liability, damages and sanctions.

§6A.08 GENERAL RULES GOVERNING PERSONAL DATA PROCESSING
Articles 5 through 7 would incorporate the general principles governing personal data
processing that were laid out in Article 6 of Directive 95/46/EC. New elements would be added,
such as: the requirement for increased transparency, the establishment of a comprehensive
responsibility and liability of the controller, and the clarification of the data minimization
principle.

[A] Basic Principles


The seven basic principles relating to data processing would require that the personal data
be:15

• Processed lawfully, fairly, and in a transparent manner;
• Collected for specified, explicit, and legitimate purposes, and not further processed in
ways incompatible with these purposes;
• Adequate, relevant and limited to the minimum necessary;
• Only processed if, and as long as, the purposes of the processing could not be fulfilled by
processing information that does not involve personal data;
• Accurate, kept up-to-date, with incorrect data being erased or rectified;
• Kept in a form that permits identification of the data subjects for no longer than
necessary;
• Processed under the responsibility and liability of the data controller, who must ensure
and demonstrate for each operation its compliance with the Regulation.

14 Proposed Regulation, Art. 4(1).
15 Proposed Regulation, Art. 5.

[B] Specific, Informed and Explicit Consent


One of the significant differences with Directive 95/46/EC is that the notion of consent
would be strengthened. Currently, in most EU Member States, consent is implied in many
circumstances. For example, in most countries, an individual who uses a website is often assumed
to have agreed to the privacy policy of that website.

Under the new regime, when consent is the basis for the legitimacy of the processing, it
will have to be “specific, informed, and explicit” (Article 7). The controller would have to bear
the burden of proving that the data subjects have given their consent to the processing of their
personal data for specified purposes. For companies, this means that they may have to find ways
to keep track of the consent received from their customers, users, visitors and other data subjects,
or will be forced to ask again for this consent.

This evolution is consistent with the way the European laws have changed in the past few
years, with the new stringent requirements for cookies under the 2009 amendments to Directive
2002/58/EC.16 The amendment to Section 5(3) of the 2002 ePrivacy Directive has caused the EU
Member States to modify their national laws to require that the user’s specific (opt-in) consent be
obtained before cookies, other than technical cookies, can be sent to the user’s computer. Before
the 2009 amendments, cookies were subject to less stringent restrictions, and could be used
without a formal consent of the user. It was only necessary to inform users of their right to refuse
the use of cookies and their ability to block access to their computers.

16 See Chapter 7, “2002 EU Directive on Privacy and Electronic Communications.”

§6A.09 OBLIGATIONS OF CONTROLLERS AND PROCESSORS
Articles 22 through 29 would define the obligations of the controllers and processors, as
well as those of the joint controllers and the representatives of controllers that are established
outside of the European Union.

[A] Accountability

Article 22 addresses the accountability of the controllers. This concept is a new one, and
slightly resembles the concept of accountability found in the APEC Privacy Framework.17

Under the Proposed Regulation, accountability would require that the data controller
adopt policies, and implement appropriate measures to ensure, and be able to demonstrate, that
the processing of personal data is performed in compliance with the Regulation. These measures
would include, for example, the following obligations for the data controller:

• The obligation to keep documents;
• The obligation to implement data security measures;
• The obligation to perform a data protection impact assessment in special circumstances;
• The obligation to implement mechanisms to ensure the verification of the effectiveness of
the measures described above. This may require retaining an independent auditor to
conduct the verification; and
• The obligations of the data controller to ensure data protection by design and by default.

[B] Data Protection by Design and by Default


“Data protection by design” and “data protection by default” are among the new concepts
introduced in the Proposed Regulation.

[1] Data Protection by Design


Article 23 of the Proposed Regulation would require the data controller, both at the time of
the determination of the means for processing and at the time of the processing itself, to
implement appropriate technical and organizational measures and procedures to ensure that the
processing will meet the requirements of the Regulation and ensure the protection of the rights of
the data subject. Since the Proposed Regulation tries to be technology neutral and general, it
specifies that this requirement must take into account the state of the art and the cost of
implementation but does not specify particular methods or steps to be taken.

[2] Data Protection by Default


Article 23(2) would require data controllers to implement mechanisms for ensuring that, by
default, the processing be limited to only those personal data that are necessary for each specific
purpose of the processing. Data controllers would also be required to ensure that data are not
collected or retained beyond the minimum necessary for the specific purposes for which they
were collected, both in terms of the amount of the data and the duration of their storage or
retention.

Article 23 stresses in particular that the data controller must ensure that by default personal
data are not made accessible to an indefinite number of individuals. This provision would affect,
for example, social networks, which tend to set default settings to choices that would make
individuals’ personal data available to large circles of individuals, if not the public at large.

17 See Chapter 10, “Asia Pacific Region.”

[3] More to Come
The entire scope of the proposed requirements for “privacy by design” and “privacy by
default” is not yet fully clear, and should be clarified through additional writings. Article 23(3)
and (4) allow the European Commission to adopt “delegated acts” in order to specify any further
criteria and requirements for appropriate measures and mechanisms, such as requirements that
would be applicable across sectors, products and services, or new technical standards.

[C] Data Protection Impact Assessment


While the Proposed Regulation would relax some of the administrative burden, such as
the notification requirements, it would contain stricter obligations with respect to certain
categories of processing that represent special risks. A data protection impact assessment would
be required, and a prior consultation with, and authorization from, the data protection authority
would be needed.

Article 33 would require controllers and processors to carry out a data protection impact
assessment if the proposed processing is likely to present specific risks to the rights and freedoms
of the data subjects by virtue of its nature, scope, or purposes. Examples of these activities
include: monitoring publicly accessible areas, use of the personal data of children, use of genetic
data or biometric data, processing information on an individual’s sex life, the use of information
regarding health or race, or an evaluation having the effect of profiling or predicting behaviors.

[D] Joint Controllers


Articles 24 and 25 would address some of the issues raised by outsourcing, offshoring
and cloud computing. While these provisions do not clearly indicate whether or when outsourcers
are joint data controllers, they acknowledge the fact that there may be more than one data
controller. Under Article 24, joint data controllers would be required to determine their own
allocation of responsibility for compliance with the Regulation. If they fail to do so, they would
be held jointly responsible. Article 25 would require data controllers that are not established in
the European Union, when their data processing activities are subject to the Regulation, to
appoint a designated representative in the European Union.

[E] Data Processors


Article 27, which is based on Article 16 of Directive 95/46/EC, would generally follow
the existing provisions to define the rules for processing under the authority of the data controller.
As is currently the case, data processors would be directly prohibited from processing personal
data other than pursuant to the data controller’s instructions.

Article 26 would build on Article 17(2) of Directive 95/46/EC and increase the
obligations of the data processors. It would add a very important element: a processor who
processes data beyond the instructions provided by the controller would be considered a joint
controller. This very important clarification is consistent with Working Paper WP 169 issued by
the Article 29 Working Party in March 2010. In this paper, the Article 29 Working Party
discussed when a data processor becomes a joint controller with the initial data controller.

This clarification is likely to generate significant changes in the relations between a
company and its service providers – such as outsourcers and cloud service providers. In numerous
contracts, the service providers require the client to agree that the service provider retains the
freedom to make many changes or to make decisions such as when or where to modify the
application, to back up data, or to locate a disaster recovery site. On the other hand, most cloud
service providers have insisted on the client agreeing to a contractual provision in which the
client acknowledges that the cloud service provider is a data processor and not a data controller.
If a cloud service provider chooses to move a data center or disaster recovery center to a different
location without consulting with the client, would it become a joint controller if the provisions of
this new Article 26 were applied?

§6A.10 RIGHTS OF THE DATA SUBJECTS


Articles 11 through 20 would define the rights of the data subjects. The Proposed
Regulation would increase the rights of data subjects, and improve their ability to have access to,
and control over, their personal information. In addition to the right of information, right of
access, and right of rectification, which exist in the current regime, the Proposed Regulation
introduces the “right to be forgotten” as part of the right to erasure, and the “right to data
portability”.

[A] Transparency and Better Communications


Article 11 of the Proposed Regulation would introduce the obligation for data controllers
to provide the data subjects with transparent and easily accessible and understandable
information, while Article 12 would require data controllers to provide procedures and a
mechanism for the exercise of the data subject’s rights. This would include identifying means for
electronic requests, requiring that response to the data subject’s request be made within a defined
deadline, and identifying the motivation of refusals.

Companies will welcome the fact that the rules for handling requests for access or
deletion would be the same in all Member States. In the current regime, the time frames for
responding to such requests are different, with some Member States requiring action within very
short periods of time, and others allowing up to two months for responding.

Article 13 would provide rights for data subjects in relation to recipients. This provision
is based on Article 12(c) of Directive 95/46/EC. It would require the data controller to
communicate any rectification or erasure carried out in connection with the data subject’s right to
correction and blocking to each recipient to whom the data have been disclosed. As under
Directive 95/46/EC, there would be a limit to this obligation when this communication would
prove impossible or involve a disproportionate effort. The notion of “recipient” includes all
natural or legal persons, public authority, agency, or other body to whom the data would have
been disclosed, including joint controllers and processors of the personal data.

[B] Right of Information


The right of information would be expanded from the current Articles 10 and 11 of
Directive 95/46/EC, to entitle the data subject to receive more information than is currently
required under the 1995 Directive. For example, individuals would have to be informed of the
length of the period during which the data controller intends to hold their data. They would also
have to be informed of their right to lodge a complaint, of the proposed cross-border transfers of
personal data, and of the source from which the data are originating.18

[C] Right of Access


The right of access to personal data, which is already found in Article 12(a) of Directive
95/46/EC, would contain additional elements, such as the obligation to inform the individuals of
the storage period, of their rights to erasure and rectification, as well as their right to lodge a
complaint.19

[D] Right of Rectification


Article 16 would continue the right of rectification, which is defined in Article 12(b) of
Directive 95/46/EC.

[E] Right to Object to the Processing


Article 14 of Directive 95/46/EC contains a right to object to the processing of personal
data. This right would be provided by Article 19 of the Proposed Regulation. Changes from the
1995 version would pertain to burden of proof and direct marketing. It is not clear how this new
provision would interact with the provisions in Directive 2002/58/EC, which regulates the use of
unsolicited commercial messages. The 2002 Directive provides more specific and detailed
requirements for companies to be allowed to send commercial messages to individuals and
contains a dual opt-in/opt-out process.20

[F] Right not to be Subject to Measures Based on Profiling


Article 20 would provide data subjects with a right not to be subject to measures based on
profiling. The provision generally follows the provisions currently in Article 15(1) of Directive
95/46/EC, and enhances them with slight modifications and additional safeguards.

[G] Right to be Forgotten and Right to Erasure


The right to erasure, originally in Article 12(b) of Directive 95/46/EC would be
significantly strengthened. In the current regime, individuals may obtain the erasure of their data
only in limited circumstances. Article 17 of the Proposed Regulation would provide the
conditions for the exercise of the “right to be forgotten.” Data subjects would have the right to
obtain from the data controller the erasure of personal data relating to them and the abstention
from further dissemination of such data in specific circumstances. In addition, the data controller
who has made the personal data public would have to inform third parties of the data subject’s
request to erase any links to the personal data and any copy or replication of the personal data.

18 Proposed Regulation, Art. 14.
19 Proposed Regulation, Art. 15.
20 See Chapter 7, “2002 EU Directive on Privacy and Electronic Communications.”

[H] Right to Data Portability


Article 18 would introduce the data subject’s right to “data portability,” that is, the right
to transfer data from one automated processing system to, and into, another, without being
prevented from doing so by the data controller. This right would include the right to obtain one’s
data from the controller in a structured and commonly used electronic format. The Proposed
Regulation is technology neutral. It does not explain how the copy could be created and what
format can be used to ensure that the file can be uploaded and read by a different platform.

The “right to be forgotten” and the “right to portability” reflect the pressure of the current
times. There have been numerous reports of the unexpected consequence of the use of social
media. Users of social networks have found out, to their detriment, that the ease of use of a social
network and the access to the service for no fee was tied to a price: that their personal data could
be used in forms or formats that they had not contemplated, would be shared with, or disclosed to,
others, and that the service provider would resist a user’s attempt to move to another service.

From a company’s perspective it is not clear how and to what extent the right to be
forgotten and the right to data portability could be implemented. The right to be forgotten poses
significant practical problems. Once data, statements, photographs, have been published on the
Internet, they can be quickly disseminated, copied, integrated in other content or databases. The
social network or other service that served as the publisher of the items in question would have no
way to know who copied or republished that item, and would have no ability to identify these
third parties or to exercise control over these third parties. Data may also be stored in archives or
on backup media, or duplicated on a host site for disaster recovery and business continuity
purposes. On the other hand, content that was intentionally provided to subcontractors, service
providers or co-marketers might be more easily traceable, for example, if the company keeps a
log of its data transfers.

§6A.11 SECURITY AND CONFIDENTIALITY


Articles 30 through 32 would focus on the security of the personal data. They would
include two major changes to the current regime. One is that data processors would be required
by law to implement appropriate security measures, while in the current regime under the 1995
Directive, their obligations arise mostly from contract. The other major change is
the introduction of a general requirement to disclose security breaches.

[A] Obligation to Provide Adequate Security


Article 30 of the Proposed Regulation builds on the security requirements already found
in Article 17(1) of Directive 95/46/EC and extends these obligations to the data processors. Under
Article 30, both the data controller and data processor would be required to implement
appropriate security measures, irrespective of the terms of the contract. This provision is likely to
affect, among others, certain cloud computing agreements where the cloud service provider
places on the client the sole burden of providing adequate security, and disclaims any liability for
loss of the data.

[B] Security Breach Disclosure


In addition, the Proposed Regulation introduces an obligation to provide notification of
“personal data breaches.” The term “personal data breach” is defined as “a breach of security
leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or
access to, personal data transmitted, stored or otherwise processed”.21

[1] Notification of the Data Protection Supervisory Authority


In case of a breach of security, a data controller would be required to inform the
supervisory authority within 24 hours, if feasible.22 A data processor that is the victim of a breach
would also be required to alert and inform the data controller immediately after establishing that a
breach of security occurred.

[2] Notification of the Data Subjects


In addition, if the breach were “likely to adversely affect the protection of the personal
data or the privacy of the data subject,” the data controller would be required to notify the data
subjects, without undue delay, after it has notified the supervisory authority of the breach.23
According to the preamble, a breach is “likely to affect the protection” of personal data if it could
result in identity theft, fraud, physical harm, significant humiliation or damage to reputation.24

§6A.12 TRANSFER OF PERSONAL INFORMATION OUT OF THE COUNTRY


For most global companies, a critical aspect of the EU data protection laws is whether
and in which manner the national law of a country permits or restricts the transfer of personal
data out of the country. Under current national data protection laws, which are based on Directive
95/46/EC, the transfer of personal information out of the EEA and to most of the rest of the world
is prohibited unless an exception applies. This rule would remain. However, the Proposed
Regulation would provide for simplification. Some of the key aspects of the plan include putting
in place a “one-stop-shop” approach, removing the discrepancies in the regimes for cross-border
data transfers, and validating the use of binding corporate rules in all Member States.

[A] General Principles for Transfers


The general rules for the transfer of personal data out of the European Union would be
generally consistent with – albeit, slightly less cumbersome than – those that are stated in Articles
25 and 26 of the 1995 Directive.25 Simply put, the transfer of personal data out of the EU or EEA
is prohibited unless the recipient country provides “adequate protection” to personal data and the
privacy rights of individuals. Only a handful of countries have been deemed by the European
Commission to provide “adequate protection.” For transfers of data to the other countries, the
recipient must enter into a written contract in which the recipient of the data commits to doing, or
to refrain from doing, certain acts. The European Commission has approved certain forms of
contracts. In addition, a majority of the EU Member States – but not all of them – currently
recognize “binding corporate rules” as a way for a group of companies to express their
commitment to provide and ensure the required “adequate protection” even when the recipient is
located in a country that does not offer this “adequate protection”.

21 Proposed Regulation, Art. 4(9).
22 Proposed Regulation, Art. 31.
23 Proposed Regulation, Art. 32.
24 Proposed Regulation, Preamble, Recital 67.

In the Proposed Regulation, the conditions of, and restrictions to, data transfers to third
countries or international organizations, including onward transfers, would be defined in Articles
40 through 45. For transfers to third countries that have not been deemed to provide “adequate
protection,” Article 42 would require that the data controller or data processor adduce
appropriate safeguards, such as through standard data protection clauses, binding corporate rules,
or contractual clauses. It should be noted, in particular, that:

• Standard data protection clauses may also be adopted by a supervisory authority and be
declared generally valid by the Commission;
• Binding corporate rules are specifically introduced as a legitimate ground for allowing for the
transfer of personal information out of the European Economic Area. Currently they are only
accepted in about 17 Member States while in other Member States they are illegal;
• The use of contractual clauses other than the standard clauses would be subject to prior
authorization by the supervisory authorities.

Article 44 would spell out and clarify the derogations for a data transfer. These
conditions are based on Article 26 of Directive 95/46/EC. In addition, under limited
circumstances, a data transfer may be justified on a legitimate interest of the controller or
processor, but only after having assessed and documented the circumstances of the proposed
transfer.

Article 45 would provide for international cooperation mechanisms for the protection of
personal data between the European Commission and the supervisory authority of third countries.
It should be noted that Article 42 of the prior draft of the Regulation (Draft 56 of the Proposed
Regulation, dated November 29, 2011), has been removed. This article provided that foreign
judgments requiring a controller or processor to disclose personal data would not be recognized
or be enforceable in any manner, without prejudice to a mutual assistance treaty or an
international agreement in force between the requesting third country and the Union or a Member
State. It required a controller or processor to immediately notify the supervisory authority of the
request and to obtain prior authorization for the transfer. It is not clear why the provision was
removed and whether this issue will be addressed separately.

25 See Chapter 9, “Transferring Personal Data out of the European Union and European Economic Area.”

[B] Binding Corporate Rules


Binding corporate rules would take a prominent place in the Proposed Regulation. Their
required content is outlined in Article 43. An organization’s binding corporate rules would have
to contain the following information:

• The structure and contact details of the entities in the group;
• The categories of personal data, the type of processing and its purposes;
• The type of data subjects affected;
• The third countries where data are to be sent;
• Their legally binding nature, both internally and externally;
• The general data protection principles, in particular purpose limitation, data quality, legal
basis for the processing, processing of sensitive personal data; measures to ensure data
security; and the requirements for onward transfers to other organizations;
• The rights of data subjects and the means to exercise these rights, including the right to
obtain redress and compensation for a breach of the binding corporate rules;
• The acceptance by the controller or processor established on the territory of a Member
State of liability for any breaches of the binding corporate rules by any member of the
group not established in the Union;
• How the information on the binding corporate rules is provided to the data subjects;
• The tasks of the data protection officer;
• The mechanisms to be used in order to ensure compliance with the binding corporate rules;
• The mechanisms for reporting and recording changes to the policies and reporting these
changes to the supervisory authority;
• The co-operation mechanism with the supervisory authority.

§6A.13 DOCUMENTATION REQUIREMENTS; SUPERVISION BY DATA PROTECTION AUTHORITY


The Proposed Regulation would significantly reduce the administrative burden, and the
related expenses, that result from the obligation to report to each local data protection authority
the existence of a database of personal information, and the proposed processing activities.

[A] No More Notification Requirement


The Proposed Regulation would eliminate the requirement to notify the Data Protection
Authority. This requirement was viewed as cumbersome, in particular for entities with operations
in several states. Under the national data protection laws that implement the 1995 Directive,
companies have to file notifications in each of the countries where they operate. The requirements
for these notifications, the forms to be used, and the information to be disclosed, the cost and
periodicity of the filing, and the exceptions to the conditions for filing notifications differ from
country to country.

Instead of the notification requirement, the Proposed Regulation would require both data
controllers and data processors to keep substantial records, written policies, and other
information, and to promptly respond to inquiries by the data protection supervisory authorities.

[B] Documentation Requirement


Article 28 would detail the obligation for controllers and processors to maintain
documentation of the processing operations under their responsibility. This obligation would
replace the current requirement to “notify” the local data protection supervisory authority by
providing a description of the company’s data processing practices, as required by the national
laws that implement Articles 18 and 19 of Directive 95/46/EC.

This removal of the notification requirement reflects a significant shift in the attitude of
the European Commission, which is expressed throughout the Proposed Regulation: a switch
from tight supervision and reporting to a concept of accountability. In exchange for abolishing the
cumbersome and costly notification requirement, the new Regulation would require that data
controllers and data processors be “accountable.” They would be trusted to create their own
structures, but they would have to document them thoroughly. They would also have to be
prepared to respond to any inquiry from the Data Protection Authority, to promptly produce the
set of rules with which they have committed to comply, and to show that they do actually comply
with the provisions of the Regulation.

Article 28 identifies a long list of documents that would have to be created and
maintained by data controllers and data processors. The information required is somewhat similar
to the information that is currently provided in the notifications to the data protection
authorities, for example, the categories of data and data subjects affected, or the categories of
recipients. There are, however, also new requirements such as the obligation to keep track of the
transfers to third countries, or to keep track of the time limits for the erasure of the different
categories of data.

[C] Cooperation with Supervisory Authority


Article 29 would require data controllers, data processors, and, as applicable, the data
controller’s local representative, to cooperate, on request, with the supervisory authority in the
performance of its duties. In particular they will have to provide access to all personal data and all
information required by the supervisory authority, as well as to their premises and data processing
equipment in response to access requests made by the supervisory authorities in the exercise of
their investigative powers.

[D] Main Establishment


In the case of data controllers or data processors with operations in multiple countries,
Article 51 would create the concept of the “main establishment.” The data protection supervisory
authority of the country where the data processor or data controller has its “main establishment”
would be competent for supervising the processing activities of that processor or controller in all
Member States where the company or group of companies operates, subject to the mutual
assistance and cooperation provisions that are set forth in the Proposed Regulation.

[E] Consultation and Authorization


Article 34 would set forth the requirement for consulting with the data protection
authority and obtaining its prior authorization in the case of certain categories of processing that
present special risks. This provision is built on Article 20 of Directive 95/46/EC. The controller
or processor acting on the controller's behalf would have to consult the supervisory authority
before the processing of personal data in order to ensure that the intended processing complies
with the Regulation. This would be the case, in particular, where a data protection impact
assessment indicates that processing operations might present a high degree of specific risks, or if
the supervisory authority deems it necessary to carry out a prior consultation on processing
operations that are likely to present specific risks to the rights and freedoms of data subjects by
virtue of their nature, scope or purpose.

In addition, the data controller or the processor would be required to obtain an
authorization from the supervisory authority prior to the processing of personal data in the case of
certain cross-border transfers of personal data if it uses contractual clauses other than the standard
pre-approved clauses or does not provide for the appropriate safeguards in a legally binding
instrument for the transfer of personal data to a third country or an international organization.

§6A.14 DATA PROTECTION OFFICER


Articles 35 through 37 would require data controllers and data processors to appoint a
data protection officer. The rule would apply to the public sector, and, in the private sector, to
enterprises employing more than 250 employees, or where the core activities of the controller or
processor consist of processing operations that require regular and systematic monitoring of the
data subjects. Article 36 identifies the roles and responsibilities of the data protection officer and
Article 37 defines the core tasks of the data protection officer.

Under the current data protection regime, several EU Member States, such as Germany,
already require organizations to hire a Data Protection Officer, who is responsible for the
company’s compliance with the national data protection law. In the United States, numerous laws
and FTC consent decrees require entities to appoint a Data Protection Officer to be responsible
for all matters pertaining to data protection within the entity.

§6A.15 COMPLAINTS, JUDICIAL REMEDIES


Articles 73 through 79 would address remedies, liability, and sanctions. While some
provisions build on the current framework set forth in Directive 95/46/EC, some new provisions
would significantly increase companies’ exposure to complaints, enforcement, and legal
expenses.

[A] Right to Lodge a Complaint with a Supervisory Authority


Article 73 would grant data subjects the right to lodge a complaint with a supervisory
authority. This right is similar to the right under Article 28 of Directive 95/46/EC.

[B] Judicial Remedy against Data Controllers or Processors


In addition to the administrative remedies (e.g., a complaint with a supervisory authority),
individuals would have a private right of action against a data controller or a data processor.
Article 75 would allow them to seek a judicial remedy against a controller or processor. The
concept is similar to that which is provided in Article 22 of Directive 95/46/EC. The new clause
indicates clearly that action may be filed against the data controller or data processor and would
provide individuals with a choice of courts. The action could be brought in a court of the Member
State where the defendant is established or where the data subject is residing.

[C] Judicial Remedy against Supervisory Authorities


Article 74 would provide a judicial remedy against a decision of a supervisory authority,
similar to that which is found in Article 28(3) of Directive 95/46/EC. This remedy would oblige a
Data Protection Authority (DPA) to act on a complaint. The courts of the Member State where
the DPA is located would be competent to hear the matter. In addition, it would allow the DPA of
the Member State where an individual resides to bring proceedings on behalf of a data subject
before the courts of another Member State where the competent (but delinquent) DPA is
established in order to require that it take action.

[D] Class Action-Like Initiatives


Articles 73 and 76 of the Proposed Regulation increase the number of entities that can
file a complaint. In addition to individuals, consumer organizations and similar associations
would have the right to lodge complaints on behalf of a data subject or, in case of a personal data
breach, on their own behalf.26 In addition, Article 76 would grant bodies, organizations and
associations, such as consumer associations or other organizations that aim to protect privacy
rights, the right to seek judicial remedies. These group actions could be initiated against data
controllers or data processors that have infringed their members’ rights in violation of the
Regulation, or against a decision of a supervisory authority concerning their members.

These additions are very important. They would open the door to actions similar to a
class action suit, a form of action that is currently seldom used in the European Union, but with
which U.S. companies are familiar. Many of the class actions currently filed in the United States
cause great expenses to companies, and frequently bring little relief to the actual injured parties or
the named plaintiffs. Damages, if any, awarded against a company frequently consist of the
payment of funds that benefit research institutions, non-profit privacy advocates or consumer
organizations and the payment of the plaintiff’s attorney fees. The injured parties or the parties
directly affected by an incident may only receive a very small amount of money compared to the
large settlement amount.

§6A.16 DAMAGES AND SANCTIONS


The proposed Regulation would significantly increase the stakes in case of unlawful
processing or violation of applicable provisions. Articles 77 to 79 provide individuals with a right
to compensation, and set significant penalties and administrative sanctions against data
controllers and data processors.

26 Proposed Regulation, Art. 73.

[A] Individuals’ Right to Compensation


The individual’s right to compensation is set out in Article 77 of the Proposed
Regulation. Under the new rule, individuals would be entitled to receive damages from data
controllers, data processors, joint controllers, and joint processors, as applicable, for the
damages suffered. When more than one entity is involved in the processing, the controllers and
processors would be held jointly and severally liable for the entire amount of the damages.

[B] Significant Penalties


Articles 78 and 79 would address penalties and sanctions. According to the Regulation,
these penalties would have to be “effective, proportionate and dissuasive.” Article 78 would
require Member States to lay down rules on penalties and to report to the Commission on the
provisions that they will have adopted. The provision targets in particular the failure by a foreign
entity to appoint a local representative. Where a representative has been established, the penalties
would be applied first to the representative.

Article 79 would grant each data protection authority the power to impose administrative
sanctions. The criteria to be used in determining the amount of the administrative sanction would
include:
• Nature, gravity, and duration of the violation;
• Intentional or negligent character of the infringement;
• Degree of responsibility of the natural or legal person;
• Previous breaches of the law;
• Technical, organizational and administrative measures implemented to protect the
security of personal information; and
• Degree of cooperation with the supervisory authority in order to remedy the violation,
infringement, or breach of the law.

The Proposed Regulation would specify significant sanctions for violation of the law.
Organizations would be exposed to penalties of up to 1 million Euros or up to 2% of the global
annual turnover of an enterprise. This is much more than the penalties currently in place
throughout the European Union. Apart from a few cases, the level of fines that have been
assessed against companies that violated a country’s data protection laws has been low, even
though it has periodically increased. The Proposed Regulation signals an intent to pursue more
aggressively the infringers and to equip the enforcement agencies with substantial tools to ensure
compliance with the law.

There would be three categories of fines applicable to specific categories of violations.

• Fines up to 250,000 Euros or up to 0.5% of the annual worldwide turnover of an
enterprise for minor violations, such as failure to provide proper mechanisms for the
exercise of the right of access, or charging a fee to provide information.
• Fines up to 500,000 Euros or up to 1% of the annual worldwide turnover of an
enterprise for most violations, such as failure to provide access or information, failure
to maintain required documentation, failure to comply with the right to be forgotten.
• Fines up to 1,000,000 Euros or up to 2% of the annual worldwide turnover of an
enterprise for the most serious or egregious violations, such as processing personal
data without a sufficient legal basis or failure to comply with the consent requirement,
failure to adopt the required policies (such as a security policy), failure to notify of a
breach of security, or failure to comply with the restrictions on the cross-border transfers of
personal data.

§6A.17 DATA PROTECTION SUPERVISORY AUTHORITY


The Proposed Regulation would also make administrative changes, and formalize and
streamline the way in which the administrative agencies have been operating. The Data Protection
Authorities would subsist as independent entities, and would receive additional powers. Their
mission would be enlarged and they would be required to cooperate with each other. The Article
29 Working Party would have increased authority and a new name, better suited to its role.

[A] General Rules of Operation


Articles 46 to 54 would define the new rules of operation of the Data Protection
Supervisory Authorities (DPA). While the provisions would build on the general principles of
Article 28 of Directive 95/46/EC, the new rules would enlarge the DPA’s mission and require
them to cooperate with each other and with the European Commission and to implement the
relevant case law.27

Article 49 would grant each of the Member States the freedom to establish their data
protection supervisory authority within the guidelines provided by the Regulation. This may
result in inconsistency in the way the data protection authorities are governed and managed. For
example, the Member States would have the freedom to determine the qualifications required for
the appointments of the members of the DPAs, and the regulations governing the duties of the
members and staff of the DPA.

Article 51 would set out the competence of the DPAs, while Articles 52 and 54 would
define their duties and Article 53 their powers. The competence of each DPA would be limited to
its own national territory in most cases. However, in the case of data processors or data
controllers established in several countries, the DPA of the principal establishment of the
corporate group would acquire a new competence as the lead authority for that corporate group.

As is currently the case, the duties of the DPAs would include hearing and
investigation of complaints, raising public awareness of the rules, safeguards and rights, and
preparing annual reports.28 The proposed powers of the DPAs would be very similar to those that
are set forth in Article 28(3) of Directive 95/46/EC and Regulation (EC) 45/2001, with some
additional powers, such as the power to sanction administrative offenses.

[B] Cooperation and Consistency


The Proposed Regulation sets forth a series of rules that may help ensure cooperation and
consistency among the DPAs. Articles 55 and 56 would introduce rules on mandatory mutual
assistance and rules on joint operations. Article 57 would introduce a consistency mechanism for
ensuring unity of application with respect to data processing that may concern data subjects in
several Member States. In some cases, unity and consistency may be obtained through opinions
of the European Data Protection Board, discussed below.29 There are also provisions giving the
European Commission the power to intervene.30

27 Proposed Regulation, Art. 20, 47, 48.
28 Proposed Regulation, Art. 52 and 54.

§6A.18 EUROPEAN DATA PROTECTION BOARD


The “European Data Protection Board” would be the new name for the “Article 29
Working Party.” The new Board would consist of the European Data Protection Supervisor and
the heads of the supervisory authority of each Member State.31 The composition of the group
would be slightly different from that of the Article 29 Working Party. The EU Commission
would not be a member of the group. However, the European Commission would have the right
to participate in the activities and to be represented.

Articles 65 and 66 clarify the independence of the European Data Protection Board and
describe its expanded role and responsibilities. Article 68 sets out its decision-making procedures,
which include the obligation to adopt rules of procedure. Article 71 sets out a Secretariat of the
European Data Protection Board. The service would be provided by the European Data Protection
Supervisor.

§6A.19 POSSIBLE DIVERGENCE AMONG THE MEMBER STATES?

[A] Is Uniformity Possible?

While on paper relying on a Regulation in order to force or instill more uniformity
amongst the EU Member States may seem a great scheme, it remains to be seen how these
fiercely independent countries, judges, lawyers or government officials will implement the new
single rule, if any. Further, there are numerous circumstances – described below – where the
Proposed Regulation would grant Member States the ability to enact their own rules or laws. This
additional freedom is likely to be used, especially in those countries that have already expressed
reservations on the content and substance of the Proposed Regulation.

The United States may be an example of this constant quagmire. The United States has
numerous federal laws that are intended to apply uniformly in all of its states and territories.
However, interpretations may vary significantly from one geographic area to another due to
cultural, economic and numerous other circumstances. Even though for more than 220 years the
U.S. Supreme Court has been trying to remove these discrepancies and even out the field, the
same laws continue to be interpreted differently throughout the U.S. states and territories, as
evidenced by the frequent attempts at forum shopping by shrewd plaintiffs. It would not be
surprising if the data protection commissioners, the government agencies, and the judicial system
in each EU Member State also had differing interpretations of the same text.

29 Proposed Regulation, Art. 58.
30 Proposed Regulation, Art. 59 to 63.
31 Proposed Regulation, Art. 64.

The Proposed Regulation provides for checks and balances in the form of cooperation
and oversight so that the discrepancies between these interpretations should be less significant or
less numerous than those that are currently found among the Member State data protection laws.
Nevertheless, once the final text becomes effective, it will be imprudent and very risky to act as if
there were total uniformity.

[B] Ability to Create Additional Restrictions


Despite an obvious intent to ensure uniformity amongst the Member States, the Proposed
Regulation contains numerous provisions that grant the Member States or their Data Protection
Agencies the power to make decisions independently.

Article 21 grants the Member States the power to restrict through legislative measures
certain rights and obligations provided for in the Directive in order to safeguard, as necessary:
• Public security;
• The prevention, investigation, detection and prosecution of criminal offenses;
• Important economic or financial interests of the Member State or of the European
Union, such as monetary, budgetary and taxation matters, and the protection of market
stability and integrity;
• The prevention, investigation, detection or prosecution of breaches of ethics for
regulated professions;
• The monitoring, inspection or regulatory function connected with the above; or
• The protection of the data subjects or the rights and freedoms of others.

While this provision is substantially similar to Article 13 of Directive 95/46/EC, it should be
expected that Member States might be tempted to use it in order to regain some of the freedoms
that they may have lost otherwise as a result of the adoption of the Regulation and the repeal of
their national laws that implement the 1995 Directive.

The scope of this carve-out is significant. It could drastically affect the hope for unity and
consistency. Article 21 would allow Member States to make restrictions to the basic data
protection principles that are set forth in:

• Article 5, which details the seven basic principles relating to the processing of personal
data. For example: the obligation to process the data fairly and lawfully, and in a
transparent manner, to collect only the minimum necessary, or to store the data only for
as long as necessary;

• Articles 11 to 20, which define the basic rights of the data subjects. This includes the
right to information, right of access, right of rectification, right of erasure, right to be
forgotten, right to data portability, right to object, right not to be subject to a measure
based on profiling; and

• Article 32, which would provide for an obligation of the data controller to notify the data
subjects in case of a breach of security.

While this carve-out may generally be consistent with the current Article 13 of Directive
95/46/EC, it might gain a new life, and a new interest from Member States who may take
advantage of the provision to regain some of their past freedom and use it as a loophole to
introduce or re-introduce their own provisions. Since January 25, 2012, we have heard several
reports of criticism voiced by Data Protection Authorities against the Regulation. For example, the
French Data Protection Authority, CNIL, is opposing the Proposed Regulation because it says
that the Regulation would largely deprive citizens of the protections offered by their national
authorities. The UK Data Protection Commissioner has also complained that the Draft Regulation
needed to be strengthened and that it would create compliance and enforcement problems.

With the door left wide open by Article 21 to create amendments, restrictions and carve-outs,
it is likely that there will be divergence and inconsistency in the actual implementation and
the interpretation of the document by the various Member States. The extent of these divergences
is, of course, difficult to predict at this point.

[C] Privacy and Freedom of Expression


In addition to the provisions of Article 21 of the Proposed Regulation, numerous other
provisions could allow Member States to enact their own laws. For example, traditionally there
has been a tension between the right of privacy and the freedom of expression. This issue would
subsist, and States would have the freedom to limit privacy rights to address freedom of
information. Member States would have the authority to adopt exemptions and derogations from
specific provisions of the Regulation where this is necessary to reconcile the right to the
protection of personal data with the right of freedom of expression.32 The scope of the power of
the Member States would nevertheless be somewhat restricted. The Member States would be
required to report to the European Commission on the laws that they would have adopted.

[D] Special Data Processing Situations


Articles 81, 82, 84, and 85 would also grant Member States special powers to enact their
own laws in specific situations. This would be the case for the protection of health information,33
the protection of employee personal data in the employment context,34 rules regarding interaction
with professionals having an obligation of secrecy35 and the collection of personal data by
churches and religious associations.36

[E] Operation of the Data Protection Supervisory Authorities


Divergences should be expected, as well, in the rules that pertain to the operations of the
supervisory authorities. Articles 46 to 49 would grant the Member States the power to appoint
one or several data protection authorities to be responsible for the monitoring of the application of
the Regulation. The Member States would have the power to define the rules of operation of the
data protection supervisory authorities within the general rules set by the Regulation. Further,
under Article 74, the Member States would be responsible for enforcing final court decisions
against their local data protection supervisory authority.

32 Proposed Regulation, Art. 80.
33 Proposed Regulation, Art. 81.
34 Proposed Regulation, Art. 82.
35 Proposed Regulation, Art. 84.
36 Proposed Regulation, Art. 85.

[F] Penalties
There may be differences, as well, with respect to the assessment of penalties. Article 78
would grant to the Member States the authority to lay down the rules on penalties applicable to
infringements of the Regulation. Member States would also have the authority to take the
measures necessary to implement these rules.

§6A.20 NEXT STEPS


The terms of the Proposed Regulation are not a major surprise. For several months,
Viviane Reding, Vice-President of the European Commission, and other representatives of the
European Union have provided numerous descriptions of their vision for the new regime,
including through a draft of the documents published in December 2011, and now with the
updated draft published on January 25, 2012. It is nevertheless exciting to see the materialization
of these descriptions, outlines, and wish lists.

If the current provisions subsist in the final draft, the new Regulation will increase the
rights of the individuals and the powers of the supervisory authorities. While the Regulation
would create additional obligations and accountability requirements for organizations, the
adoption of a single rule throughout the European Union would help simplify information
governance, procedures, record keeping, and other requirements for companies, unless the
Member States take advantage of the numerous loopholes in the Proposed Regulation to reinstate
the provisions of their own laws that have been superseded by the Regulation.

It should also be remembered that Directive 95/46/EC has been a significant driving force
in the adoption of data protection laws throughout the world. In addition to the 30 members of the
European Economic Area, numerous other countries, such as Switzerland, Peru, Uruguay,
Morocco, Tunisia, or the Dubai Emirate (in the Dubai International Financial District) have
adopted data protection laws that follow closely the terms of Directive 95/46/EC. It remains to be
seen what effect the adoption of the Regulation will have on the data protection laws of these
other countries.
