You may have heard about the new privacy regulation that is on the way. All sorts of rumours are making the rounds about high penalties and far-reaching powers for the regulators. Various parties are warning you that you must be ready in time for this new regulation. In this article I would like to briefly explain why you should not wait for this new regulation, but should instead put your organisation's handling of personal data in order now. In my view, you should also not focus too much on the text of the regulation as approved by the European Parliament.
What is the new privacy regulation?
Privacy law is, in essence, still a national issue in the European Union at the moment. The national laws of the Member States are what determine what may and may not be done with personal data. The European privacy directive does indeed give frameworks for the national legislation and the European Court of Justice is increasingly filling in these frameworks with its decisions, but the bottom line is that privacy law is still arranged on the national level at the moment. This gives rise to all sorts of differences within the European Union.
The European Commission has recognised this problem, which is why it proposed the privacy regulation. What it comes down to is that instead of national laws in each Member State, there should henceforth be a single European law (regulation) that provides for privacy law throughout the European Union. In order to guarantee uniform application of privacy law throughout Europe, this proposed regulation also contains all sorts of measures for the powers of and cooperation between regulators. The proposal also stipulates (substantial) penalties.
What is the status of the privacy regulation?
The proposal for the privacy regulation has prompted a great deal of debate and lobbying. Several thousand amendments have therefore been submitted at the European Parliament. Recently, the deliberations in Parliament ultimately resulted in the adoption of the text for the regulation.
We are still a long way from the finish line, however, since it is now once again the turn of the ministers of the Member States. They must consider the text adopted by the Parliament. The current proposed text may be approved or in fact amended and sent back to the Parliament.
The outcome of that process is still unknown. It is generally expected, however, that the proposal adopted by Parliament will not be the final proposal. There appears to still be heated discussion on, among other things, the aspects of the regulation concerning uniform application of privacy law in the various countries (which, after all, affects the autonomy of the countries). We will have to wait and see how the political discussion develops. We will also have to wait and see what priority the new European Commission will give to the topic of privacy.
Should I wait for the regulation?
At the moment, therefore, it is still uncertain exactly what new privacy rules will be coming from Europe. So there is not much point in preparing now for the text of the privacy regulation as it currently reads, since this will most likely still be amended.
This does not mean, however, that you can sit back and wait until there is clarification on the future of privacy law. After all, there is already privacy legislation in effect. In the Netherlands this legislation is mainly set down in the Personal Data Protection Act. For an idea of this legislation, you can go through our free privacy check.
In the event of a violation of this law, the CBP can impose an order subject to a penalty (a periodic penalty payment that runs until the violation has ceased; see section 65 WBP and section 5:32 Awb), or you can be held liable by the data subject (see section 49 WBP). At the moment the CBP cannot yet impose fines (with the exception of fines for violating the notification duty), but it seems that the CBP will be getting the power to impose them. That is more than enough reason to adhere to the law already.
Future legislation will most likely be very similar to current legislation, in terms of principles
Furthermore, the time you invest in complying with the current privacy legislation now will not have been time wasted once the new privacy legislation has been introduced.
New rules always bring changes, of course. But the key principles of privacy law are relatively stable. The most important principles were already set down in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, 1981). You see these principles reappear in both the (current) privacy directive and the (possible future) privacy regulation. These are principles such as purpose limitation, data minimisation, limited retention periods, the requirement that data must be accurate and relevant and that data must be processed honestly and lawfully.
These key principles are contained in the current legislation – the Personal Data Protection Act – and will in all likelihood also reappear in all future privacy legislation. All the time and effort you put into complying with these key principles is therefore pure gain. In fact, the joint regulators already announced a few years ago that they consider ‘accountability’ to be an important principle (i.e. that you can explain what you have done to comply with privacy legislation). Accountability centres much more on complying with the key principles of privacy law and less on specific formal rules. In other words: you can probably still get away with failing to comply with a formal rule in privacy law, but probably not with failing to comply with a key principle.
These key principles touch the heart of your operations, however. After all, when designing a new system it is a very different matter to think about the privacy aspects of the system in advance (a key principle) than to simply send a notification to the CBP after the fact (a formal requirement). It therefore takes a great deal of time and effort to ensure that your organisation complies with these principles. You would be better off starting on this in good time. If you wait until a new privacy regulation is in place before doing so, you will probably be too late.
By Mark Jansen