Alternative Investment Management Association
Simmons & Simmons
On 25 January 2012, the European Commission published a proposed new EU Data Protection Regulation (the “Regulation”), which sets out the rules that organisations would have to comply with in relation to their processing of personal data if the Regulation were to be implemented in present form. The Regulation includes a wide-ranging set of new requirements – relating to areas ranging from territorial scope to the notification requirements that apply if a data breach occurs – that would substantially change the data protection obligations applicable to asset managers and businesses operating in other sectors. We consider a number of these requirements in detail below. These requirements are particularly important as the proposed new fines for non-compliance, which represent a step-change in the enforcement measures that are available to data protection authorities, are severe.
The Regulation also includes some potential benefits for asset managers, which we consider further below.
The Regulation is not yet in approved form. It is currently being considered by the EU Member States and the European Parliament. Consultations are taking place in EU Member States. The process of approving a new item of EU legislation commonly lasts 12 months or more, depending on the number of readings and level of amendments required. As currently drafted, the Regulation will take effect two years after it is finalised. However, asset managers would be well-advised to consider the potential impact of the Regulation now and join in the debate on issues that affect them.
The purpose of this article is to highlight a number of headline issues and benefits that the Regulation (if implemented in current form) would present to asset managers, with a view to supporting their compliance planning and helping them to join an informed debate on the Regulation.
What is the current UK data protection law?
The main item of data protection legislation in the UK, the Data Protection Act 1998 (DPA), which implements the EU Data Protection Directive (Directive 95/46/EC) (the “DP Directive”), is now generally well understood by in-house counsel and compliance teams at asset managers, including as regards key points such as the rights of individuals, data security and overseas transfers of data.
What are the main new or amended requirements that the Regulation would impose, if implemented in present form?
Potentially the most eye-catching of the changes that the Regulation would impose is the level of fines for breaches, which are modelled on the existing sanctions for breach of competition law. Maximum penalties for intentional or negligent breaches would include fines of up to €1 million or 2% of an enterprise’s annual worldwide turnover. This change would mean that the risks associated with data protection non-compliance continue to increase, following the change in UK law in early 2010 to allow the UK data protection authority, the Information Commissioner’s Office (ICO), to impose monetary fines of up to £500,000 for serious breaches of the DPA.
Whereas under the DPA, only data controllers that are established in the UK or that use equipment in the UK for data processing are subject to the DPA requirements, the proposed Regulation significantly expands the territorial scope of the rules; it applies not only to those organisations that are established in the EU, but also to controllers that are established outside the EU where their processing relates to offering goods and services to individuals in the EU or the monitoring of their behaviour.
Asset managers frequently use offshore entities in their business activities, which could mean that those entities fall within the scope of the proposed new rules under the Regulation.
Data breach notification
Under the DPA, there is no general data breach notification obligation, although the ICO does recommend notification of data breaches in certain circumstances. In addition, Financial Services Authority (and other regulatory authority) rules may require notification under certain circumstances. Under the Regulation, controllers would be required, where feasible, to notify the relevant data protection authority within 24 hours of becoming aware of a data breach, regardless of the potential impact of the breach or whether measures are in place to reduce its potential impact. Controllers would also be required to notify data subjects (after notifying the authority) “without undue delay” of any breach which is likely to “adversely affect” the protection of the data subjects’ personal data or privacy, unless “appropriate technological protection measures” are in place and are being applied.
Based on our experience of data breach scenarios, the 24-hour timeline referred to above would be very challenging. In the immediate aftermath of a data breach, the controller usually carries out an initial process of assessing what the breach involves and how any individuals may be affected. Realistically, the proposed timeline does not allow for this. Moreover, it raises the prospect of data protection authorities being deluged with incomplete (and therefore unhelpful) notifications.
The Regulation would impose new requirements relating to the analysis and documenting of data processing activities. Controllers and processors would have to keep records of their data processing activities, individuals concerned and recipients of data. In addition, they would have to carry out impact assessments relating to processing to which an increased level of risk applies. Whilst we anticipate that some asset managers may have documented their data processing activities to a degree, the new requirements will require them to carry out a significant level of further analysis in relation to this area.
Data protection officer
Under the Regulation, all enterprises that have more than 250 people in permanent employment would be required to designate a data protection officer who has responsibility for compliance and monitoring of data security and provides a point of contact for the exercise of data subjects’ rights.
In addition to the points above, the Regulation includes a number of other significant measures that pose a challenge for asset managers, including new requirements that apply to data processors (those processing information on behalf of a controller) and new requirements to give individuals “the right to be forgotten” and a right to “data portability”.
What are the main benefits associated with the Regulation?
As the proposed new legislation is a Regulation (rather than a Directive, as is the case with the DP Directive, which is implemented separately in each EU Member State), it will have direct effect in all EU Member States. This would mean a greater level of consistency enabling enterprises operating across the EU to comply with one law, rather than various local laws implementing the DP Directive.
There is also a “one-stop shop” approach to supervision, which would involve a single data protection authority being empowered to make decisions regarding the activities of a pan-European organisation. In theory, this would result in a reduced administrative burden for pan-European organisations. However, some data protection authorities have already queried how a data protection authority would be chosen and have highlighted the possibility of organisations deliberately structuring their operations in such a way as to be subject to “lighter touch” regulation.
The Regulation would also remove the general requirement on organisations to maintain a notification of their data processing activities with their national data protection authority. EU Commissioner Viviane Reding envisages that the removal of this requirement will save organisations €130 million per annum. However, in the light of the level of new requirements (including the introduction of requirements to monitor and document personal data processing risks more generally), it is debatable whether there will be any net saving for organisations.
At this stage, we recommend that asset managers should familiarise themselves with the Regulation and start working out what challenges and opportunities it presents to their businesses. The requirements in the Regulation may move on; until it is in approved form, it remains a case of “watch this space”.