The European Commission yesterday proposed a reform of EU data protection rules to strengthen the right to privacy on the Internet and to support the development of the digital economy in Europe. In addition, the 27 EU Member States have implemented the rules established in 1995 differently, leading to divergences in how they are applied. A single piece of legislation will eliminate the current fragmentation and costly administrative burden, saving enterprises about 2.3 billion per year. The initiative will help strengthen consumer confidence in online services, providing a much-needed boost to economic growth, employment and innovation in Europe.
“17 years ago, less than 1% of Europeans used the Internet. Today, large amounts of personal data are transferred and exchanged on every continent and across the globe at lightning speed”, said Viviane Reding, EU Commissioner for Justice and Vice-President of the Commission. The Commission’s proposals update and modernize the principles enshrined in the 1995 Data Protection Directive to safeguard people’s right to privacy in the future. They include a policy communication setting out the Commission’s objectives and two legislative proposals: a regulation establishing a general EU framework for data protection, and a directive on the protection of personal data processed for the prevention, detection, investigation or prosecution of crimes and for related judicial activities.
The main changes under this reform include:
• A single set of data protection rules will apply throughout the EU. It will eliminate unnecessary administrative requirements, such as reporting requirements for companies, saving companies approximately 2.3 billion a year;
• Instead of the current requirement that all companies notify the data protection authority of every activity related to data protection, a requirement that has led to unnecessary red tape and costs businesses 130 million per year, the regulation assigns distinct responsibility to the entity processing the personal data;
• For example, enterprises and organizations must inform the national supervisory authority as soon as possible of any data security breach (if possible within 24 hours);
• Organisations will need to deal with a single national data protection authority, in the EU country where they have their headquarters. Likewise, people may turn to the data protection authority in their own country, even if their data are processed by a company established outside the EU. Where consent is required for data to be processed, it must be given explicitly and may not merely be presumed;
• People will have easy access to their data and be able to transfer personal data from one service provider to another more easily (the right to data portability). This will improve competition between services;
• A “right to be forgotten” will help people better manage data protection risks online: they will be able to delete data concerning them if there are no grounds for keeping it;
• EU rules should apply where personal data are processed abroad by companies that operate in the EU market and offer their services to EU citizens;
• Independent national data protection authorities will be strengthened in order to ensure greater compliance with EU rules in their country. They will have the power to fine companies that violate EU rules on data protection. Such violations can result in fines of up to EUR 1 million or up to 2% of a company's global annual turnover;
• A new directive will apply the general principles and rules of data protection to police and judicial cooperation in criminal matters. The rules will apply to both internal and cross-border transfers of data.
The proposals will be submitted to the European Parliament and EU member countries (in the Council of Ministers) for debate. The proposals will take effect two years after adoption.
