European Data Protection Reform – The Enforced Data Privacy Officer

If your company touches any Europeans’ data you’d better prepare for what’s coming.

The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.

The enforced Data Privacy Officer – revenue generation for lawyers?

For private legal entities, the obligation set forth in Art. 35 of the regulation to designate a Data Privacy Officer (DPO) only applies to the processing of personal data that affects large amounts of individuals (≥ 5000 data subjects in 12 months) or regular and systematic monitoring of data subjects or the processing of special categories of data, location data or children´s data in large scale filing systems. In all other cases the designation of a data protection officer is optional. Considering the ever increasing collection and processing of personal data across national borders, companies will have to acknowledge the fact that managing the duties of a data protection officer often is no longer a part time job and calls for close ties to the board of directors as well as the Chief Information Security Officer (CISO).

“It can be useful” observes Leupold. Under the current national laws in the European Union, if you have a data privacy officer you’re not so much subject to reporting duties to the supervisory authority. “You’re subject to fewer duties if you have a data privacy officer. This can be quite an advantage” continues Leupold.

What most companies might not realize is that this is not just a task that can be fulfilled along other routine activities. Following the entry into force of the regulation, it could easily become a full time job. “I know large corporations in Germany that already have data privacy officers. It is a full time job and as such it is also a cost factor” warns Leupold.

Creating a position within a company, or requiring a company to hire an individual to serve in a role of this nature, seems problematic. Creating clear, understandable, and implementable regulations may do more to ensure privacy than requiring a data privacy officer – particularly if that officer is not a company employee. Good regulations allow companies to empower employees to ensure compliance. Outside oversight is likely to be seen as a burden to overcome. Requiring small companies outside Europe to hire a lawyer or other professional to serve as a data privacy officer seems like an unworkable framework for that reason.

Balboni points out that “the current proposal states that this person should have clear knowledge of the legal aspects of data protection but also the technical aspects. We are looking at a hybrid profile. This is a professional who combines both technical and legal knowledge of data protection. Not so easy to find nowadays.”

As privacy regulations become more and more complex, especially for large multinational companies, it is unlikely that the data protection officer role will eventually be played by one single individual. Balboni foresees a team of internal and external professionals, under the supervision of the data protection officer.

There seems to be a consensus on the fact that it is important to have someone within any company who has the authority and the interest in monitoring privacy and security and in making sure that the organization is aware of these issues and it is doing what needs to be done. However, according to Snead “requiring that to be a formal role or title, doesn’t accomplish much other than make people feel good that some person in the company is called that.” In addition, small organizations might not have the ability to appoint someone for this role. And to appoint someone outside the company might not be a good idea.

To Snead “some of the proposals that I’ve read sound like really great ways for lawyers to make money and not do very much else. If you get to serve as the data privacy officer for 3,000 different companies, that really doesn’t do very much other than give a law firm money. External data privacy officers aren’t going to have any authority. It sounds like revenue generation for lawyers” observes Snead.


Next: Should you worry yet?

Previous: 24 hour disclosure or undue delay?

CREDITS

Dr. Andreas Leupold LL.M.

IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.

Munich, Germany

David Snead

Internet Attorney and co-founder of Internet Infrastructure Coalition

Washington D.C. Metro Area

Paolo Balboni

Founding Partner at ICT Legal Consulting

Milan Area, Italy