New EU Data Protection Regulation
The draft text of a new EU Data Protection Regulation (the “Regulation”) was approved by the European Parliament in March 2014. The purpose of the Regulation is to further strengthen data protection laws in the EU which are already considered extensive.
Negotiations to agree the final text of the Regulation are due to begin during 2014, so it is possible that the current draft will be altered before its final enactment. The Regulation currently proposes a two year lead-in time once the final text is agreed so it will be some time yet before its provisions will come into force.
The Regulation will harmonise data protection regulation across the EU with a view to creating savings for organisations currently dealing with fragmented rules in different Member States. The Regulation, however, also proposes to significantly increase compliance requirements along with a considerable increase in potential fines in the event of breaches.
Some of the key changes in the draft Regulation are as follows:
- Expanded Scope: The Regulation will apply to all organisations that process data relating to EU residents. Currently, certain data controllers who have no establishment in the EU fall outside European data protection legislation (even if they direct their activities towards people in the EU).
- Increased Fines: The Regulation proposes significant increases in potential fines for breaches. Currently, the draft Regulation prescribes a maximum fine of €100 million or 5% of the offending organisation’s global turnover (whichever is greater).
- Rights for Individuals: The Regulation introduces the controversial “right to be forgotten” which will give an individual the right to contact an organisation that holds and makes his personal information public and request that it be deleted.
- Centralised Data Protection Authority: Following the introduction of the Regulation, organisations that carry on business in the EU will only have to deal with a single data protection authority in Europe rather than multiple authorities in each Member State in which it operates.
EU Proposal for a Single Member Company
The European Commission has published proposals for a form of single member company which will have the same basic requirements in all Member States of the EU.
The aim of the proposed Directive is to reduce the hurdles associated with businesses operating across borders within the EU by harmonising the core rules applying to single member companies and, in particular, by minimising the legal and administrative burden on companies when looking to establish a subsidiary in another Member State. Currently, all Member States provide for the existence of a single member company under a previous directive (Directive 1989/667 on Single-Member Private Limited-Liability Companies). However, the rules and procedures relating to this form of company differ between Member States and this can complicate matters for companies operating across the EU.
The proposed Directive will require Member States to provide for a form of company under the name “Societas Unius Personae” (“SUP”) in their national legislation. The Directive prescribes certain core rules for this type of company that will be the same across Member States. After that, the SUP will be governed by national legislation.
The Directive was proposed by the European Commission on 9 April 2014 and is currently undergoing its first reading in the European Parliament. If and when the Directive is approved and enacted, Member States will have two years to transpose it into national law.
A copy of the European Commission’s proposal can be accessed here.
New EU Directive on Consumer Rights
The EU Directive on Consumer Rights (the “Directive”) came into force in the Member States of the EU on 13 June 2014. The Directive consolidates existing European consumer law and gives new rights to consumers, particularly where a contract for sale is entered into away from the trader’s place of business (“off-site contracts”) or by means of distance communication, for example, telephone or internet sales (“distance contracts”).
As a result of the Directive, there will be a single set of rules on consumer protection across the EU (with some minor variations between the Member States), compared to the disparate regimes currently in place in different Member States.
A central aim of the Directive is to reduce costs and uncertainty for businesses that operate in multiple Member States. In fact, the European Commission has estimated that the compliance cost for a business operating in all 27 Member States of the EU will be reduced by €68,000 following the introduction of the new Directive.
The key changes introduced by the Directive which businesses will need to be aware of are:
- Provision of Information: When selling a product or service to a consumer, a business will need to provide a minimum level of information relating to the contract otherwise it will not be binding on the consumer.
- Right to Withdraw: Consumers will be able to withdraw from off-site and distance contracts during a 14 day “cooling-off” period following entry into the contract. A failure to inform the consumer of the applicable “cooling-off” period will result in this period being extended by one year.
- Pre-Ticked Consent: When offering additional options during an online purchase process (for example, purchasing travel insurance when booking a flight), businesses will no longer be permitted to pre-tick the “yes” option.
Businesses found to be in breach of the Directive will be liable to fines of between €4,000 and €5,000, a prison term of up to 12 months, or both. In addition, breaches of the Directive by Irish companies may be published by the Irish National Consumer Agency.
In Ireland, the relevant piece of legislation transposing the Directive is the European Union (Consumer Information and Other Rights) Regulations 2013, can be accessed here. A link to the Directive can be accessed here.