European Commission Proposed Data Protection Law

Authors:

On January 25, 2012, the European Commission released a proposed General Data Protection Legislation (“Proposed Regulation”) for comprehensive reform of existing European Union (“EU”) data protection rules.  Through the Proposed Regulation, the European Commission seeks to “strengthen online privacy rights and boost Europe’s digital economy.”[1] The Proposed Regulation also aims to harmonize data protection rules throughout the EU.  The current governing law is the 1995 EU Data Protection Directive, which has been implemented differently by the 27 member states.  As a result, the current law has led to different requirements for compliance and uncertain enforcement across the EU.  In contrast, the Proposed Regulation is self-implementing and applies directly; therefore, it works to harmonize the law across the EU.

Changes from previous EU data protection law

In addition to harmonization, the proposed data protection law contains a number of key changes.  The Proposed Regulation strengthens regulatory authority and contains changes that affect consumers and companies.

Consumers

The Proposed Regulation gives consumers greater online privacy rights.

  • The “right to be forgotten” allows for the deletion of unnecessary personal data.
  • Opt-in consent for data processing.
  • Easier transfer and portability of personal data.
  • Easy access to redress for consumers to handle issues through their home national data protection authorities, even if their personal data is processed in another country.

Through these changes, the Proposed Regulation attempts to give users greater choice and control over their data.

Companies and Organizations

Companies and organizations will also face significant changes for compliance with data protection law.  Some aspects of the Proposed Regulation will soften compliance and administrative requirements.  For example, companies would only have to deal with the national data protection authority in the EU country where they have their main establishment.  The Proposed Regulation also attempts to ease the rules for international data transfers through less administrative requirements. The Proposed Regulation replaces some existing requirements for data processing with similar requirements to be conducted differently (ex. data processing reporting).

Other aspects of the Proposed Regulation increase responsibility and accountability.  In addition to integrating privacy and “privacy by design” into products and services, many companies would face significant changes in the law.

  • Independent national data protection agencies will have greater enforcement power, including the ability to fine companies that violate EU data protection rules up to 5% of a company’s global annual turnover.
  • In addition, companies will have to give notification of serious data breaches without undue delay; if feasible, within 24 hours.
  • The Proposed Regulation will also apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behavior of citizens.
  • Companies with more than 250 employees will have to hire a data protection officer.

In sum, the Proposed Regulation seeks to simplify existing data protection law for companies yet strengthen enforcement against violations.

Initial Responses to the Proposed Regulation

The Proposed Regulation has faced mixed initial responses from EU national data protection authorities.  National data protection authorities welcome the efforts of the Proposed Regulation to harmonize rules and increase online privacy rights, but have already criticized the Proposed Regulation.  German Data Protection Commissioners (“DPAs”) criticized the Proposed Regulation for possibly adversely affecting the ability of German data subjects to enforce their constitutional rights in German Federal Constitutional Court.  The German DPAs also stated that it was “unacceptable” to give unelected European Commissioners ultimate authority with respect to data protection.[2]  The United Kingdom’s Information Commissioner’s Office (ICO) criticized the Proposed Regulation for being overly prescriptive and failing to recognize the reality of international data transfers in today’s globalized world.[3]

Although the Proposed Regulation has faced criticism, it represents a step towards increasing online privacy rights and harmonizing data protection law for companies.  Therefore, it includes valid points that are embraced by many in the EU and privacy community and should not be dismissed.  At this point, the Proposed Regulation is entering the EU legislative process.  The Proposed Regulation will likely be significantly debated and modified over the next couple of years before its possible adoption and another two years before it is effective.

Links

European Commission Data Protection Reform

http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

European Commission Press Release

http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML&aged=0&language=EN&guiLanguage=en

1995 EU Data Protection Directive

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT

 


[1] European Commission Press Release

http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&format=HTML&aged=0&language=EN&guiLanguage=en

 

[2] German DPA Press Conference Coverage

http://www.huntonprivacyblog.com/2012/02/articles/german-dpas-comment-on-proposed-eu-data-protection-law-reform/

[3] UK Information Commissioner’s Office

http://www.ico.gov.uk/news/latest_news/2012/statement-initial-response-new-data-protection-regulation-proposals-25012012.aspx

By Fatima Khan, Research Fellow, Hastings Privacy and Technology Project