The European Commission ("Commission") has recently announced its long-awaited proposals to update and modernise data protection rules and principles, currently contained in Data Protection Directive 95/46/EC. 

As our previous Law Now on this subject indicated, the Commission's legislative proposals include a regulation to set out a general European Union ("EU") framework for data protection.  Introducing the framework by way of a regulation is significant, because it aims to ensure a single set of data protection rules, valid throughout the EU.  This should help to eliminate some of the current inconsistencies across the EU, which are challenging for international organisations when ensuring data protection compliance.

The legislative proposals also include a directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Some of the key changes in the proposed regulation include:

  • Penalties for non-compliance will be increased.  For serious violations, supervisory authorities can impose fines of up to €1 million, or in the case of an 'enterprise' up to 2% of the global annual turnover, compared to the maximum fine of £500,000 (in the UK) at present.
  • An obligation will be placed on organisations to notify the national supervisory authority of serious data breaches without undue delay and, where feasible, within 24 hours.
  • Where a data subject's consent is required for data to be processed, such consent will need to be given explicitly.  Explicit consent could be given by way of a statement or other clear affirmative action (including by ticking a box when visiting a website).  It will not be acceptable to assume consent from a data subject's silence or inactivity.
  • Public authorities, and enterprises with 250 or more employees or whose core activities involve processing operations which require regular and systematic monitoring, will need to appoint an independent data protection officer.
  • 'Privacy by design' and 'privacy by default' are concepts that will need to be incorporated into business processes.  This means that privacy safeguards will have to be integrated into products as they are developed and that in social networking, the default settings must protect the privacy of individuals.
  • Data subjects will have the right to be forgotten.  An individual will be able to ask an organisation to erase all personal data that the organisation holds on that individual, including any public links to or copies of personal data that can be found on the Internet.  The organisation will be required to delete the individual's data unless there are legitimate grounds for retaining it.
  • Data subjects will have the right to transfer personal data from one service provider to another without hindrance.
  • Companies based outside of the EU that offer their goods or services to EU citizens (or monitor the behaviour of EU citizens) will have to apply EU data protection rules.

The Commission's proposals should bring greater legal certainty and improve efficiency, as organisations will only have to deal with a single national data protection authority in the EU country where they have their main base.  However, the downside is that they will impose new obligations that are unprecedented, at least in the UK, and appear both significant and onerous.  Businesses may have to make substantial investments to ensure that they are compliant and those that fail to do so face the prospect of a large fine and negative publicity.

This article provides a brief overview of the Commission's proposals.  For a more in-depth analysis and advice on complying with data protection legislation, please contact our specialist team.

This article was written for Law-Now, CMS Cameron McKenna's free online information service.

The original publication date for this article was 27/01/2012.