The European Commission has released its proposals for a major reform of the EU data protection regime. The proposals take the form of a 54 page Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and a complementary 118 page Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), aimed at strengthening online privacy rights and enhancing the digital economy.
The proposed changes, which have been handed to the European Parliament and EU member states for discussion, centre on updating the 1995 Data Protection Directive. The new regime would address criticism, highlighted elsewhere in this blog, that the EU Directives have failed to keep pace with developments such as the emergence of large-scale social network services, and that administration of the 1995 Directive by the 27 member states has been idiosyncratic. The proposals aspire to consistency across the EU at the level of principle and practice.
What would the new regime cover? The proposals encompass changes regarding extraterritorial reach, data protection agencies, consent, a right to be forgotten and portability.
In relation to extraterritorial reach EU rules would address developments in offshoring. They would apply to any processing of personal data related to EU citizens and people resident in the EU, even where the data controller is located in a state outside of the EU. Binding Corporate Rules (hitherto used to legitimise data transfers among members of a specific corporate group) would be explicitly addressed, with the Commission encouraging their use as a mechanism for transfer of personal data and as a simplification of regulatory approval.
Data controllers and data processors would be regulated by the data protection regulator in the EU state where those entities have their “main establishment,” encouraging a simplified 'one-stop-shop' approach. The powers of national data protection authorities would be strengthened, with the expectation that would assist more effective enforcement of the EU rules. The agencies would be empowered to punish commercial entities that violate specific EU data protection rules with penalties of up to €1 million or up to 2% of the entity's global annual turnover.
Public sector entities and private sector companies with over 250 employees would be required to have a data protection officer to ensure data protection compliance. Companies would be required to adopt measures to document and demonstrate compliance with the new rules.
An entity would be required to notify its national data protection regulator of a personal data breach without undue delay (where feasible, not later than 24 hours of initial awareness). Requirements regarding routine reporting to regulators of data protection activities would be simplified.
The proposals aim to assist 'data portability, with Individuals having easier access to data about themselves and being able to more easily transfer personal data from one service provider to another. That measure seeks to encourage competition.
Importantly, the proposals include the controversial 'right to be forgotten' (discussed for example here). Data controllers would be required to delete an individual’s personal data if that person explicitly requests deletion or when there is no legitimate reason to retain the data.
As noted in discussion regarding the notion of consent, explicit consent to process data would be required, with a requirement for parental consent when processing personal information from children who are under 13 years old. Consent would not be assumed.