Data protection and security issues are about to be pushed much higher up the priority list of businesses across Europe and beyond. The European Commission’s proposal for a replacement of the existing Data Protection Directive was released in January 2012. Some of the key proposals are set out below.
The most significant change is a huge increase in the potential penalties for breach of data protection requirements. For the most serious intentional or negligent breaches, penalties of up to €1 million or up to 2% of the global annual turnover of a company are contemplated.
Other proposed changes include, for the first time, placing some direct responsibility for data protection compliance on data processors, mandatory breach notification within 24 hours for all but small organisations, and a requirement on every organisation with 250 or more employees to appoint a data protection officer.
The widely discussed (and controversial) topic of the “right to be forgotten”, has also been proposed. This new right would allow individuals to require an organisation holding its personal data to erase all traces of it. Quite apart from the potential implementation costs involved, many argue that this right would unduly threaten freedom of speech on the internet.
Significantly, this replacement of the Directive is in the form of a Regulation, which will have direct effect without the need for implementing legislation by Member States. The objective is for a more harmonised European framework on data protection to be achieved. This also means that the Regulation will come into force more quickly and that individual Member States will not have the flexibility to make changes in their implementing legislation.