Data Protection Officers: A Comparison of US Law, EU Law, and Soon-to-be-EU Law
Although organizations in the United States have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure and, in some cases, one or more dedicated employees. While in some organizations "data privacy" and "data security" fall within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues. There is little commonality in how these offices are staffed, funded, or organized. For example, while some organizations have "Chief Privacy Officers" or "Chief Information Technology Officers" who report directly to senior management, other organizations have privacy officers who report through a General Counsel or to a Chief Compliance Officer.
As in the United States, the appointment of a privacy officer was not required under the EU Privacy Directive. Unlike the United States, some individual member states - most notably Germany - enacted legislation that went beyond the requirements of the EU Privacy Directive and required that most businesses operating in that country appoint a data protection officer.
The EU's new General Data Protection Regulation ("GDPR") adopts the German concept that a data-heavy company must appoint a data protection officer. In addition, the GDPR purports to apply the requirement to data-heavy United States companies that process personal information and (1) intend to offer products or services to people in the EU, or (2) monitor people in the EU.1 Specifically, the GDPR requires:
- All companies that process data as a "core activity" and that engage in "regular and systematic monitoring of data subjects on a large scale" must appoint a Data Protection Officer.2
- All companies that process certain types of sensitive data (e.g., race, ethnicity, political opinion, religious beliefs, union membership, biometric data, health information, etc.) as a "core activity" and on a "large scale" must appoint a Data Protection Officer.3
- Other companies (i.e., that don't monitor individuals on a large scale and/or process sensitive information on a large scale) may be required by individual Member States (e.g., Germany and others) to appoint Data Protection Officers.4
- The Officer that is appointed must have "expert knowledge of data protection law and practices."5 The level of expert knowledge should be proportionate to the company's "data processing operations carried out and the protection required for the personal data processed."6
- The Officer can either be an employee, or work for a third party (e.g., a law firm), but must be independent.7 If they are an employee, independence may inhibit a company's ability to terminate their employment.8
- The Officer must be given company resources to carry out their responsibilities and to obtain ongoing training to maintain their expert knowledge, access to the company's data processing personnel, and significant independence in the performance of his or her duties.