The Key Proposals
On 25 January 2012, the European Commission proposed a comprehensive reform of the EU’s 1995 Data Protection Directive “to strengthen online privacy rights and boost Europe’s digital economy”.
The Commission aims for a genuine single law which will do away with the current fragmentation and which will help reinforce consumer confidence in online services.
The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive. Key changes in the reform include:
- EU harmonisation: The new Regulation will apply directly across all EU Member States. This differs from the current position where the law is enacted locally by each Member State. The new approach is intended to remove the variations in how the current Directive has been implemented so as to ensure greater consistency of European data protection rules.
- Notification: Unnecessary administrative requirements, such as the obligation to notify data protection activities to the data protection supervisor, will be removed. Instead of notification, the Regulation provides for increased responsibility and accountability for those processing personal data.
- Consent: Wherever consent is required for data to be processed, it will have to be given explicitly, rather than assumed.
- Right to data portability: People will have easier access to their own data and be able to transfer personal data from one service provider to another. This will improve competition among services (e.g. cloud services).
- Right to be forgotten: People will be able to delete their data if there are no legitimate grounds for retaining it.
- Data breach notification: Organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
- Data protection officer: Organisations with more than 250 employees will need to employ a data protection officer.
- Data processors: Processors will be directly liable for any breaches.
- Application to non-EU businesses: The proposed Regulation would apply not only to companies based inside the EU but also to any company based outside the EU that is active in the EU market and offers goods and services to EU citizens.
- Enforcement: Data protection authorities will be empowered to fine companies that violate EU data protection rules up to €1 million or up to 2% of the global annual turnover.
The European Commission’s proposals will be considered by the European Parliament and the European Council and will take effect two years after they are adopted. In view of the material changes and the tougher enforcement regime that is proposed, further developments should be monitored carefully.