The European Commission ("Commission") has recently announced its long-awaited proposals to update and modernise data protection rules and principles, currently contained in Data Protection Directive 95/46/EC.
As our previous Law Now on this subject indicated, the Commission's legislative proposals include a regulation to set out a general European Union ("EU") framework for data protection. Introducing the framework by way of a regulation is significant, because it aims to ensure a single set of data protection rules, valid throughout the EU. This should help to eliminate some of the current inconsistencies across the EU, which are challenging for international organisations when ensuring data protection compliance.
The legislative proposals also include a directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
Some of the key changes in the proposed regulation include:
- Penalties for non-compliance will be increased. For serious violations supervisory authorities can impose fines of up to €1 million, or in the case of an 'enterprise' up to 2% of the global annual turnover, compared to the maximum fine of £500,000 (in the UK) at present.
- An obligation will be placed on organisations to notify the national supervisory authority of serious data breaches without undue delay and, where feasible, within 24 hours.
- Where a data subject's consent is required for data to be processed, such consent will need to be given explicitly. Explicit consent could be given by way of a statement or other clear affirmative action (including by ticking a box when visiting a website). It will not be acceptable to assume consent from a data subject's silence or inactivity.
- Public authorities and enterprises with 250 or more employees or whose core activities involve processing operations which require regular and systematic monitoring will need to appoint an independent data protection officer.
- 'Privacy by design' and 'privacy by default' are concepts that will need to be incorporated into business processes. This means that privacy safeguards will have to be integrated into products as they are developed and that in social networking, the default settings must protect the privacy of individuals.
- Data subjects will have the right to be forgotten. An individual will be able to ask an organisation to erase all personal data that the organisation holds on that individual, including any public links to or copies of personal data that can be found on the Internet. The organisation will be required to delete the individual's data unless there are legitimate grounds for retaining it.
- Data subjects will have the right to transfer personal data from one service provider to another without hindrance.
- Companies based outside of the EU that offer their goods or services to EU citizens (or monitor the behaviour of EU citizens) will have to apply EU data protection rules.
The Commission's proposals should bring greater legal certainty and improve efficiency, as organisations will only have to deal with a single national data protection authority in the EU country where they have their main base. However, the downside is that they will impose new obligations that are unprecedented, at least in the UK, and appear both significant and onerous. Businesses may have to make substantial investments to ensure that they are compliant and those that fail to do so face the prospect of a large fine and negative publicity.
This article provides a brief overview of the Commission's proposals. For a more in-depth analysis and advice on complying with data protection legislation, please contact our specialist team.
This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq
The original publication date for this article was 27/01/2012.