A new General Data Protection regulation was proposed by the European Commission in January 2012, covering such things as:
- mandatory breach notification for serious breaches
- the much publicised “right to be forgotten”
- fines of up to 2% of annual worldwide turnover
- one law applying throughout the European Union
- one law applying to companies dealing with European consumers, regardless of where they are based or their servers are located
- a simplification of bureaucracy, such as no more notifications for data controllers, an exemption for SMEs from the obligation to appoint a data protection officer, and for global or international companies the ability to deal with one data protection authority.
The proposal was made with a view to enhancing consumer trust in data protection in online services, but also to enable businesses to transfer personal data more freely from one Member State to another, in each case by providing clear and uniform rules to provide legal certainty and minimise the administrative burden on businesses.
Where are we now with the proposed regulation?
Back in March of this year, the European Parliament broadly endorsed the regulation, suggesting some changes (such as an increase in the fines of up to 5% of annual worldwide turnover, and the right to be forgotten becoming the “right to erasure”). However, for the data protection reform proposals to become law, the proposed Regulation has to be adopted by the European Council of Ministers. It is expected there will be further progress this autumn.
There have been some other developments in the mean time, such as the case brought by a Spanish citizen against Google concerning the right to be forgotten. The citizen in question complained that an auction notice of his repossessed home, shown on Google’s search results, infringed his privacy rights because the proceedings had been fully resolved a number of years previously and therefore were no longer relevant. He requested that Google be required to remove the personal data relating to him so that the search results no longer referenced him/his property. The European Court of Justice, in May 2014, held – in relation to the right to be forgotten – that individuals have the right, under certain conditions, to ask search engines to remove links with personal information about them. This applies where the information is irrelevant, excessive, inaccurate or inadequate for the purposes of the data processing. The court confirmed that the right is not absolute and will have to be balanced against other fundamental rights (for example freedom of expression) and this balance should be considered on a case by case basis, assessing the type of information in question, its sensitivity for the individual’s private life and the public interest.
Another recent development concerns the so-called Data Protection Umbrella Agreement, which covers transfers of personal data between the EU and US, taking place in the context of the prevention, detection, investigation and prosecution of criminal offences, including terrorism. Provisional agreement has now been reached on the scope and purpose of the agreement (to ensure a high level of protection of personal data and to improve cooperation between the US and EU), retention periods (data should not be kept for longer than is necessary and appropriate), the right for individuals to access and have rectified their personal data, and fundamental principles (for example non-discrimination and maintaining the quality, security and integrity of data).
Individuals and businesses should watch out for further developments in this field, which should provide further clarity on what rights individuals have and what steps businesses have to take in respect of any dealings with personal data.