The European Commission has proposed a comprehensive reform of the EU's
1995 data protection rules. As the 1995 Data Protection
Directive has been implemented differently in the 27 Member
States, the proposed regulation would improve the current situation,
in which different interpretations of the Data Protection Directive
are in effect.
As a result of the prospective reform, a Regulation
on the protection of individuals with regard to the processing of
personal data and on the free movement of such data would set the
general framework for data protection and be directly applicable in
all Member States. Additionally, a Directive on the
protection of individuals with regard to the processing of personal
data by competent authorities for the purposes of prevention,
investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, and the free movement of such data
would harmonise the protection of personal data processed in the
abovementioned matters.
The proposals, if they enter into force, would give consumers new
rights and would impose new obligations on companies. The
key changes in the proposals are the
following:
- A single set of rules on data protection valid across the
EU.
- Tightening of the definition of "consent". Consent
must be explicit if required for the data to be processed.
A consumer's consent could no longer be assumed.
- Implementation of the concept of a 'right to be forgotten'.
This would give individuals a right to require their data to be
deleted when they no longer want their data to be processed and
there are no legitimate grounds for retaining the data.
- Impacts on cloud computing based services:
  - Streamlining and extending the use of concepts such as
  "binding corporate rules", so that a common set of rules
  can be applied to data processors and within "groups of
  companies", thus better reflecting the multiplicity of actors
  involved in global data processing activities
  - Easier access to one's own data and the right to data
  portability, meaning easier transfer of personal data from one
  service to another
- The proposed new rules would also have extraterritorial reach.
EU laws would apply if personal data is handled abroad by companies
that are active in the EU market and offer their services to EU
citizens or monitor the online behaviour of EU citizens.
- The introduction of a so-called corporate data protection
officer. This would concern companies with over 250 employees and
companies whose core activities consist of data processing
operations which, by virtue of their nature, their scope and/or
their purposes, require regular and systematic monitoring of data
subjects. The data protection officer may be employed by the data
controller or data processor, or fulfill his or her tasks on the
basis of a service contract.
- Unnecessary administrative burdens, such as notification
requirements for companies processing personal data, would be
removed.
The Commission's proposal has been passed on to the European Parliament and the EU Member States (meeting in the Council of Ministers) for discussion. It should be noted that this political discussion phase concerning the draft proposal could be a lengthy one, and it is uncertain when the final versions of the proposals will be issued. Once the final proposals are adopted, the EU Member States will have two years to transpose the Directive's provisions into national law. The Regulation will become enforceable two years after it has been adopted.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.