The document summarizes the key points of the proposed European Union Data Protection Package. It discusses the reform of the 1995 EU Data Protection Directive and the proposed Regulation and Directive. The Regulation would apply broadly to any processing of personal data and introduce the "right to be forgotten". It would require consent for data processing and transparency about data collection and use. The Regulation establishes the authority of national data protection agencies and penalties for noncompliance.

1. 1
EUROPEAN UNION
DATA PROTECTION
PACKAGE
Marco Gioanola, December 2015

2. what happened
• Reform of UE Data Protection legislation: EU Directive 95/46/CE
• January 2012: new proposal of regulation
• March 2014: Parliament approves first draft
• June 2015: EU Council agrees on General Approach
• June 2015 – today: 10 “trilogue” meetings (Commission, Parliament, Council)
• December 16th-17th: package approved by EU Commission and Parliament
Committee on Civil Liberties.
• March-April 2016: approval by Parliament
• by March-April 2018: Data Protection Package goes into effect.

3. data protection package: what is it
1. Regulation on the protection of individuals with regard to the processing of
personal data and on the free movement of such data
2. Directive on the protection of individuals with regard to the processing of
personal data by competent authorities for the purposes of prevention,
investigation, detection or prosecution of criminal offences or the execution of
criminal penalties, and the free movement of such data
Regulation goes automatically in effect for all member states within two years. No
further action required.
Directive must be incorporated into local law within two years.

4. regulation: who/what it applies to
• Regulation applies to natural persons only, regardless of the person’s nationality
and regardless of where the processing of data takes place.
• Example: a Russian citizen accessing a US website while travelling in Europe.
• Regulation applies to any information (“personal data”) concerning an identified
or identifiable natural person.
• Introduces concept of pseudonymisation, profiling
• Need to ascertain whether data can be used by the controller/processor to identify individual
or not
• Specific sets of data or subjects require more strict protection: genetic data,
health data, children’s data, large-scale processing in general.
• Exceptions for reasons of public interest are described
• Specific terms for SMEs are described (no DPO, no impact assessment)

5. the regulation – the hype
• Hype: “age of consent for kids on the Internet”
• Reality: children’s (<16yo) data requires more protection;
Member States can set specific rules (down to <13yo) for
parental authorization to data processing.
• Hype: “right to be forgotten”
• Reality: no, you cannot ask Google to forget about that
time you robbed a bank
• Hype: “fines up to 4% of total worldwide annual
turnover”
• Reality: “up to” 20M€ or 4%

6. the regulation – major points
• Consent to data processing through clear affirmative action
• Inactivity does not constitute consent
• Request must be clear, concise, not disruptive to the use of service
• Individual must be able to refuse or withdraw consent without detriment (including provision
of the service)
• “It shall be as easy to withdraw consent as to give it”
• Principle of transparency: individual must be made aware of
• purpose of data collection
• risks, safeguards and rights
• Data storage must be limited to strict minimum of time.
• Right of access, to rectify, to transfer, to erase (“right to be forgotten”)
• “However, the further retention of the data should be lawful where it is necessary for
exercising the right of freedom of expression and information, [...] public interest,” etc.

7. the regulation – major points
• Controller and processor of data are responsible and liable
• Must be able to demonstrate compliance.
• Principles of “data protection by design” and “data protection by
default”.
• Pseudonymisation as soon as possible
• Notification of breach
• to competent authority within 72 hours
• to individuals without undue delay in case of high risk for rights and freedom
(including financial damage)

8. the regulation – major points
• Safe Harbor 2?
• “the level of protection of personal data transferred from the Union to third
countries should not be undermined”
• “transfers to third countries may only be carried out in full compliance with
this Regulation”
• However...
• “Member States may conclude international agreements [...] as far as such
agreements do not affect this Regulation”
• “The Commission may device with effect for the entire Union that certain
third countries [...] offer an adequate level of data protection”
• Periodic review

9. the regulation – major points
• National data protection authorities
• “Establishment of supervisory authorities in Member States is essential”
• to deal with complaints; corrective power and sanctions; penalties and fines
for any infringement of the Regulation; etc.
• Member States may add criminal sanctions, including deprivatino of profits
obtained through infringements
• “Lead supervisory authority” in case of multiple countries involved
• “one-stop-shop” mechanism
• European Data Protection Board
• legal personality set up as an independent body of the Union
• consists of heads of supervisory authorities of each Member State or
representative
• contributes to consistent application of Regulation

10. the regulation – interesting points
• The purpose of ensuring network and information security
constitutes a legitimate interest (thus making data processing lawful).
• Processing of data by public authorities, CERTs, CSIRTs, providers of electronic
communication networks and services, providers of security technologies and
services
• “This could, for example include preventing unauthorised access to electronic
communications networks and malicious code distribution and stopping
‘denial of service’ attacks and damage to computer and electronic
communication systems”.
• Controller and processor should:
• evaluate risk inherent to data processing
• implement measures to mitigate risks
• carry out a data protection impact assessment

11. the regulation – interesting points
• “The Member States, [...] shall encourage [...] the establishment of
data protection certification mechanisms and of data protections
seals and marks, for the purpose of demonstrating compliance with
this Regulation”.

12. the regulation – interesting points
• “A corporate group [...] should be able to make use of approved
binding corporate rules for its international transfer from the Union to
organisations within the same corporate group [...] as long as such
corporate rules include all essentials principles and rights to ensure
appropriate safeguards”
• Member State law or collective agreements (including ‘work
agreements’) may provide for specific rules on the processing of
employees’ personal data in the employment context.