On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the currently differing data protection rules in the EU. I have summarised the major changes this will make to EU data protection law, and how this will affect SaaS suppliers and customers, in two articles; part 1 is set out below.
Data Protection Authority
Currently each EU country has its own data protection agency which enforces that country’s law. Processing of personal data by businesses established in more than one EU country will in the future be monitored by one single data protection authority (DPA) – the “lead authority”. Generally the lead authority will be the DPA of the country where the business has its main establishment.
The main establishment of a business will be determined according to objective criteria, such as where the central administration of the business is located, i.e. the headquarters where management decisions are usually made. However, individuals located in other EU countries will still be able to refer privacy complaints to their local supervisory DPA.
One EU-wide Data Protection Law
If the Regulation is adopted, there will be one EU data protection law that SaaS suppliers will need to comply with. The new rules will apply throughout the EU and SaaS suppliers established in more than one EU country will no longer need to cope with the national rules of each relevant EU country. In the long term this means that current local data protection provisions – mainly exemptions that have been introduced by EU countries for national reasons – would disappear.
The new data protection rules will also apply to non-EU based businesses who offer their goods or services to customers based in the EU (or who monitor their behaviour). For example, a US company with a subsidiary in the EU will be required to comply with the new EU data protection law as well as its own local US laws.
There are exceptions where the data controller (the SaaS customer) is established in a country outside the EEA that ensures an adequate level of protection (for example a business registered under the Safe Harbor scheme in the USA), or where the data controller acts for a small or medium sized business or a public authority.
Penalties for Breaches
A breach of the new data protection rules could result in a fine of up to €1 million or 2% of the global annual turnover of a company. Fines will be imposed by the DPA. Currently the maximum fine in the UK for a breach of data protection law is £500,000.
Serious data protection breaches must be notified to both the DPA and data subjects, although it is not clear whether the lead authority or the company itself will be obliged to inform the public of data protection breaches.
Notification should be without undue delay and, where feasible, within 24 hours. Companies will need to have adequate procedures in place to deal with these new requirements, and it may be worth considering obtaining cyber risk insurance.
When will the Rules Change?
The draft Regulation must be approved by all EU countries and the European Parliament before it comes into effect, possibly in about 3 years' time. The rules will introduce significant and onerous new obligations upon SaaS suppliers and customers, who will need to implement time consuming measures to ensure compliance in order to avoid the risk of substantial fines.
Preparing for Change
Although the proposals could be substantially amended before they are approved, it is advisable that SaaS suppliers and customers start to prepare for the proposed changes now, for example by devising a documentation system for recording data processing activities, reviewing how consent is obtained from data subjects and revising all data processing agreements.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:
Other related articles:
- SaaS Agreements – Data Protection -New Proposed Rules Part 2
- SaaS Agreements – Essential Elements
- SaaS Agreements – Essential Elements – SLAs Explained
- SaaS Agreements – FAQs – Security
- SaaS Agreements – FAQs – Software Licence
- SaaS Agreements – FAQs – Source Code and Object Code
- SaaS Agreements – FAQs – Escrow
- SaaS Agreements – FAQs – Confidential Information
- SaaS Agreements – FAQs – Data Protection
- SaaS Agreements – Data Protection – The Patriot Act
- SaaS Agreements – Data Protection – Data Stored in the USA
- SaaS Agreements – Data Protection – Data Commissioner – UK Fines
- SaaS Agreements – Data Protection – Sub-Contractors, Model Clauses
- SaaS Agreements – Data Protection – Liability for Loss of Backup Tapes
- SaaS Agreements – Data Protection – Transfer of Data Outside the EEA
- SaaS Agreements – Data Protection – Google Analytics in Germany
- SaaS Agreements – Data Protection – Safe Harbor, German Customers
- SaaS Agreements – Need for an NDA Prior to Signing a SaaS Agreement
- SaaS Agreements – Distributor or Agent – Is There a Difference?
- SaaS Agreements, Software on Demand – Confused?
- Cloud Computing and the Legal Cloud