Since 2010, consultations have been ongoing on the revision of the
European Data Protection Directive 95/46/EC, which forms the legal
basis for the German Federal Data Protection Act
(Bundesdatenschutzgesetz, BDSG). Now an unofficial draft of the EU Commission's proposal for its revision
has leaked. It includes important changes, which we summarize for you
in this Newsflash. Once the official proposal has been published
(expected at the end of January 2012), we will report on it in
more detail in one of our Newsletters.
The most important changes introduced by the unofficial draft are:
In order to achieve greater harmonisation amongst Member States, a directly applicable Regulation, supplemented by a number of implementing measures to be adopted by the Commission, shall replace the current Directive. International companies in particular will benefit from the possibility of applying a single, uniform framework throughout the EU. The German Federal Data Protection Act shall (to a large extent) no longer apply to private enterprises.
The Regulation shall also apply to non-European bodies if they direct their activities specifically at EU citizens (e.g. Facebook).
The "Accountability" Principle
Enterprises shall ensure compliance with the Regulation by means of internal policies and procedures. On the other hand, German companies shall be relieved of some obligations regarding data protection officers (who are to be appointed only by companies with more than 250 employees) and, in most other Member States, regarding notification duties towards supervisory authorities.
If different entities co-operate in the course of a data processing operation, they shall need to clearly define their respective responsibilities. If they fail to do so, or if they act beyond their respective competencies, they shall in case of doubt be considered (joint) data controllers and be jointly liable.
Preventive Data Protection
Data protection aspects shall be taken into consideration as early as possible, by carrying out a data protection impact assessment and by using data-protection-friendly measures (i.e. Privacy by Design, Privacy by Default).
Enhanced rights of data subjects
Apart from greater transparency, to be implemented by simple technical means, data subjects shall benefit from a "right to be forgotten" (relevant e.g. for social networks and search engines) and a "right to data portability" (relevant e.g. for cloud computing). As already implemented in Germany, there shall be far-reaching obligations to notify security breaches.
Simplified international data transfers
There shall be easier rules on the acceptance of Binding Corporate Rules (including BCRs for data processors) as well as simpler and more standardised contractual arrangements.
Enforcement of the Regulation shall be strengthened: independent supervisory authorities with far-reaching powers shall co-operate across borders and be subject to mutual consistency mechanisms.
In case of infringements there shall be draconian sanctions throughout Europe. Apart from specific sanctions of up to 1 million Euro for the individuals responsible, companies may be subject to fines of up to 5 % of their annual global turnover.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.