Originally published January 25, 2012

Keywords: reform, EU data protection law, fines, security breaches, data protection officer

The European Commission has today announced its proposals to substantially enhance data protection compliance throughout Europe. Some of the highlights include:

  • Big fines: Fines of up to 2% of global annual turnover for companies that fail to comply with EU data protection requirements;
  • Requirement to declare security breaches: Organisations to be required to notify national authorities of a serious security breach as soon as possible and within 24 hours if feasible;
  • Requirement to appoint data protection officer: Businesses that have 250 or more employees will have to appoint a data protection officer, responsible for monitoring and implementing compliance with data protection requirements within those businesses;
  • Businesses outside the EU that serve Europeans must also comply: Businesses that offer goods or services to individuals in the EU or monitor their behaviour will have to comply with EU data protection requirements when doing so irrespective of where those businesses are based in the world. Individuals will be able to refer those businesses to the national data protection authority in the individuals' home country if they wish to make a complaint or ask for sanctions to be taken against them;
  • Consent will not be valid unless explicitly obtained: Where an organisation relies on having obtained consent for the processing of personal data, it will no longer be able to infer or assume from the circumstances that consent has been obtained from the individuals concerned; it will have to demonstrate that those individuals have given their explicit consent to the processing;
  • Right to move data: Individuals will have the right to ask businesses to move their records to alternative service providers; and
  • Right to be forgotten: Individuals will be able to ask organisations to delete all data that those organisations hold on them unless there is a legitimate reason for those organisations to retain it.

The European Commission proposes that a new single data protection law should be introduced, implemented by way of a regulation. The result will be a single set of data protection rules that will apply across Europe as soon as the new regulation is adopted and brought into force by the European Union, rather than the differing versions of data protection rules enacted in each EU member state that exist at the moment. Businesses will only have to work with and answer to a single national data protection authority in the EU country in which they have their main establishment, rather than each authority in every member state in which they are based within the EU.

The European Commission's proposals will now be considered by the European Parliament and the European Council and will take effect two years after they are adopted. Read the European Commission's announcement here.


© Copyright 2012. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.