The European Commission put forward its EU Data Protection Reform in January 2012 to make Europe fit for the digital age (IP/12/46). An agreement was found with the European Parliament and the Council.

The Reform package will put an end to the patchwork of data protection rules that currently exists in the EU.

The Reform consists of two instruments:

  • The General Data Protection Regulation

The Regulation will enable people to better control their personal data, including:

  • easier access to your own data
  • a right to data portability (easier to transfer your personal data)
  • a clarified "right to be forgotten"
  • the right to know when your data has been hacked

The Regulation will also set down clear modern rules for business and provide for a single set of rules and a one-stop-shop approach whereby companies will only need to deal with one single supervisory authority. Companies based outside of Europe will have to apply the same rules when offering services in the EU. Privacy-friendly techniques such as pseudonomysation will be encouraged, to reap the benefits of big data innovation while protecting privacy. The reform will scrap notifications to supervisory authorities entirely. Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access. SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity. SMEs will have no obligation to carry out an impact assessment unless there is a high risk.

  • The Data Protection Directive for Police and Criminal Justice Authorities

The Directive will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. More harmonised laws will facilitate cooperation of police or prosecutors to combat crime and terrorism.

The final texts will be formally adopted by the European Parliament and Council at the beginning 2016. The new rules will become applicable two years thereafter.