The EU has unveiled its plans for sweeping changes to its dated data
protection laws, which would have significant implications for
companies both inside and outside the EU that handle data of EU
citizens, and may subject them to severe fines of up to 2% of
global annual turnover for violations of the new rules.
We have highlighted below how some of the proposed amendments,
if adopted in this form, would change the current EU privacy
A single set of privacy standards would be established in all
twenty-seven EU countries (previously, privacy standards differed
by country). On one hand, compliance may be easier and less costly
because companies need only comply with a single set of standards,
rather than twenty-seven; on the other hand, the new uniform
requirements are more onerous than existing requirements in certain
EU countries with more lenient privacy laws (such as the
The amendments would also apply to U.S. and non-EU based
companies "that are active in the EU market and offer their
services to EU citizens." A memo explaining the proposed amendments states
that the European Commission will establish "clear rules
defining when EU law is applicable to data controllers established
in third countries, in particular by specifying that whenever goods
and services are offered to individuals in the EU, or whenever
their behaviour is monitored, European rules shall
Companies may be fined up to 1 million Euros or 2% of their
"global turnover" for serious offenses (such as
processing sensitive data without an individual's consent).
Less serious offenses (such as charging a fee when an individual
requests his or her data) may be subject to fines of 250,000 Euros
or up to 0.5% of "global turnover."
Wherever consent is required for data to be processed, consent
must be given explicitly, "meaning that it is based either on
a statement or on a clear affirmative action by the person
concerned and is freely given."
Individuals would have a "right to be forgotten."
There would be an explicit requirement that online social
networking services and all other data controllers (1) minimize
the volume of users' personal data that they collect and
process and (2) delete an individual's personal data if that
person explicitly requests deletion and there is no other
legitimate reason to retain it. There would also be a requirement
for "privacy by default," which means that the default
settings should be those that provide the most privacy.
A standardized security breach notification requirement would
be established (currently, this is only required of
telecommunications companies). All data processors would be
required to notify national Data Protection Authorities - within 24
hours of the breach being discovered, where feasible - and the
affected individuals "without undue delay."
Companies with more than 250 employees must appoint a privacy
officer. Firms which are involved in processing operations
"which, by virtue of their nature, their scope or their
purposes, present specific risks to the rights and freedoms of
individuals ('risky processing')" must appoint a
privacy officer and must carry out Data Protection Impact
EU companies would be subject to enforcement by a single data
protection authority, located in the country where the company has
its main European operations.
The reforms would also simplify the regulatory environment by
"doing away with formalities such as general notification
The Commission's proposals will be sent to the European
Parliament and EU Member States for discussion. They will take
effect two years after they have been adopted.
We will be providing further analysis on these changes in the
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.