Legal Alert – European Commission issues new data protection proposals
European Commission has proposed a comprehensive reform of the EU’s 1995 data protection rules. As the 1995’s Data Protection Directive has been implemented differently in the 27 Members States, the proposed regulation would improve the current situation where different interpretations of the Data Protection Directive are effective.
As a result of the prospective reform, Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data would set the general framework for data protection being directly applicable in all Member States. Additionally, Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data would harmonise the protection of personal data processed in the abovementioned matters.
The proposals, if entered into force, would give consumers new rights and would impose new obligations on companies. The key changes of the proposals are the following:
- Single set of rules on data protection valid across the EU.
- Tightening of the definition of consent. Consent must be explicit if required for the data to be processed. Consumer’s consent could no longer be assumed.
- Implementation of concept of right to be forgotten. This would give individuals a right to require their data to be deleted when they no longer want their data to be processed and there are no legitimate grounds for retaining the data.
- Impacts on cloud computing based services:
- Streamlining and extending the use of concepts such as binding corporate rules, so that common set of rules can be applied to data processors and within groups of companies, thus better reflecting the multiplicity of actors involved in global data processing activities
- Easier access to ones own data and the right to data portability, meaning, easier transfer of personal data from one service to another
- The proposed new rules would also have extraterritorial reach. EU laws would apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens or monitor the online behaviour of EU citizens.
- The introduction of so called corporate data protection officer. This would concern companies with over 250 employees and companies whose core activities consist of data processing operations which, by virtue of their nature, their scope and/or their purposes require regular and systematic monitoring of data subjects. The data protection officer may be employed by the data controller or data processor, or fulfill his or her tasks on the basis of a service contract.
- Unnecessary administrative burdens would be removed such as notification requirements for companies processing personal data.
The Commission’s proposal has been passed on to the European Parliament and the EU Member States (meeting in the Council of Ministers) for discussion. It should be noted that this political discussion phase concerning the draft proposal could be a lengthy one and it is uncertain when the final versions of the proposals are issued. Once the final proposals are adopted, the EU Member States will have two years to transpose the Directives provisions to national law. The Regulation will become enforceable two years after it has been adopted.