On 25 January 2012, the European Commission published the long-awaited and much-anticipated draft legislation that comprehensively reforms EU data protection law. The new legislation imposes significant changes to the way in which businesses comply with data protection laws in the European Union.
The idea behind the new draft legislation is to provide a comprehensive reform of the Data Protection Directive (95/46/EC), to take into account the technological changes that have taken place since 1995, to strengthen online privacy rights, and to boost Europe’s digital economy. It is also aimed at harmonising data protection law across the 27 EU Member States. As the Commission says, “A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs, and innovation in Europe.”
We will be providing detailed analyses of the new draft legislation and reporting on its legislative progress in future EU IP Bulletins but provide here a broad overview of the key provisions of the new draft legislation.
OVERVIEW OF THE PROPOSED LEGISLATION
The legal form of the legislation is to be changed from a Directive to a Regulation, meaning that the new legislation will be directly applicable in all 27 Member States without the need for any national implementing legislation. This has been done in order to gain maximum harmonisation of the new rules across the European Union.
Some administrative requirements, such as notification requirements for companies, will be removed. However, the legislation provides for increased responsibility and accountability for those processing personal data, instead of the current obligation to notify data protection supervisors of all data protection activities. Most significantly, companies and organisations will have to notify the national supervisory authority of serious data breaches as soon as possible (within 24 hours if feasible). As part of making businesses accountable, there are also new rules on privacy impact assessments, the role of data protection officers, and the documentation on processing that must be in place. Organisations will only have to deal with a single national data protection authority, in the EU country where they have their main establishment. Likewise, individuals will be able to refer instances where the rules relating to their data have been violated to the data protection authority in their own country, even when their data is processed by a company based outside the European Union.
Importantly, wherever consent is required for data to be processed, it has been clarified that it has to be given explicitly, rather than assumed, as is sometimes the case at the moment.
People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (known as data portability) to improve competition.
There is also a “right to be forgotten” provision to enable people to manage their data protection risks online. Individuals will be able to delete their data if there are no legitimate grounds for retaining it.
EU rules will apply to companies outside the European Union that offer their services to EU citizens, or monitor the behaviour of EU citizens.
Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules by up to €1 million, or up to 2 per cent of the global annual turnover of a company.
The new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.
The Commission’s proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted, with many commentators seeing 2014/2015 as the likely timeframe.
The changes are relatively far-reaching and no doubt impose greater responsibilities and obligations on businesses in terms of compliance. Although the Commission states that the administrative burden on businesses will be reduced, the increased level of responsibility will, initially at least, result in costs being incurred. The harmonisation of the rules should provide more clarity and certainty for businesses operating in more than one European country, but there will still be room for differences in opinion to arise as the national data protection authorities may well differ in their interpretation of the new rules.