In January 2012, the European Commission proposed a major reform of the EU legislation regarding the protection of personal data. The aim of the new proposals was to update the current Data Protection Directive (95/46/EU) passed in 1995 in order to provide a higher level of protection over EU citizens’ personal data. It is also meant to consolidate and harmonise data protection laws across all EU member states. Another key objective of the proposals is to ensure that the revised law addresses the recent developments in technology to cover progressions in e-commerce, social networking, and cloud computing. In terms of compliance, the new regulation is set to be stricter than the previous law with harsher enforcement and penalties. As the draft regulation will be directly effective in member states, there will not be a need for local legislation to implement it.
Key provisions of the Regulation
- Most businesses (including public sector bodies, private sector businesses with over 250 employees, and businesses that demand regular data monitoring) will be required to appoint or designate a data protection officer to ensure that data controllers and processors fulfil their duties, and monitor the implementation of policies.
- Companies will have to be more transparent about what they require data for. They can only collect the minimum amount of data that they require for a specified intention.
- Data subjects should have the right to ‘erase’ their personal data through a ‘right to be forgotten’.
- The activities of data processors will also be brought within the scope of the draft regulation. Previously, the Directive applied only to the data processing activities of data controllers. Furthermore, the regulation will also apply to data controllers who offer goods or services to data subjects in the EU, but who are not themselves established in the EU.
- Both data processors and data controllers will be required to implement security measures to strengthen online privacy.
- Data controllers will be obliged to inform the relevant national data protection authority of a data security breach within 24 hours of becoming aware of the breach.
Although the regulation cannot enforce criminal sanctions, there will be more significant consequences of breaching the draft regulation. This will include fines of up to 2% of a business’ annual turnover for intentional or negligent breaches.
According to the current timescales, the draft regulation is to be implemented before the European Parliament elections in May 2014, but is not likely to apply to the UK until 2016 at the earliest. Despite this, businesses should continue to keep informed about the proposed changes to ensure they are in a position to fulfil the requirements and comply with the key provisions when the time comes.