On Jan. 25, the European Commission announced a proposal to reform the European Union's data protection framework. When making the announcement, the commission noted that the existing framework -- known as the 1995 EU Data Protection Directive -- is outdated because of globalization and rapid technological change.
Those pushing for reform contend that the existing framework lacks coherent rules among the member states, making it harder and more expensive for businesses to comply. The power of regulators in different member states varies, so the rules are not applied consistently or effectively, they add. This makes it more difficult for individuals to exercise their data privacy rights in some countries than in others.
The European Commission plans to reach an agreement with the European Parliament and the Council of the European Union on the new data protection framework by year's end. The new rules would take effect two years after they are formally adopted.
This FAQ is part of SearchCompliance.com's IT Compliance FAQ series.
Table of contents:
- How would the European Commission's 2012 proposal protect personal data?
- What is the "right to be forgotten," and what other rules aim to give individuals greater control over their personal information?
- How does the European Commission's proposal change data breach notification requirements, and what other rules are proposed to improve data security?
- How would the European Commission's 2012 proposal create a more consistent data protection framework throughout the EU?
- How would the data protection framework proposal affect businesses that collect and process personal data?
How would the European Commission's 2012 proposal protect personal data?
The proposal seeks to update the EU's data protection framework to:
- Give individuals more control over their data.
- Harmonize rules and enforcement throughout the EU.
- Ensure data protection in a globalized world.
- Extend the framework to include data use by police and criminal justice operations.
The proposal consists of two legislative measures: a regulation that updates the general framework and a new directive that establishes rules for police and judicial cooperation. The distinction matters: a regulation applies directly and uniformly in every member state, whereas a directive must be transposed into national law and so leaves each member state some room for interpretation when the rules are implemented.
Companies that operate in the EU would be subject to the proposed rules, as would companies based outside the union that offer services to EU citizens and process their personal data.
What is the "right to be forgotten," and what other rules aim to give individuals greater control over their personal information?
A hallmark of the European Commission's 2012 proposal is the "right to be forgotten" provision, which requires companies controlling data to delete an individual's personal information upon request when there are no legitimate grounds for retaining it. Companies also would have to obtain explicit consent before collecting certain data.
Individuals would be allowed access to their own data and be given a right to "data portability." This means they could request a copy of their stored data and move it to another service provider. Companies also would be required to let individuals know how their data is handled.
How does the European Commission's proposal change data breach notification requirements, and what other rules are proposed to improve data security?
Under the European Commission proposal, a company would have to notify regulators of a data breach, where feasible, within 24 hours of discovering it, and notify affected individuals "without undue delay." Companies with more than 250 employees or those involved in "risky processing" would have to designate a data protection officer. Companies involved in risky processing would also have to conduct data protection impact assessments before undertaking it.
National regulators would be given greater power and independence so they could more effectively deal with complaints, conduct investigations and impose sanctions. Stricter penalties for data privacy violations also would be implemented.
How would the European Commission's 2012 proposal create a more consistent data protection framework throughout the EU?
The proposed rules would apply to all member countries. Data protection authorities (DPAs) in member countries would be given more power and greater independence, and members would be required to provide them adequate resources.
A DPA would be required to conduct inspections and investigations at the request of another DPA, and they would be required to recognize each other's decisions. An independent European data protection board also would be created.
DPAs would have the authority to impose fines of up to 2% of a company's global annual revenue for the most serious violations. Fines for less serious offenses would be tiered below that, with the lowest tier capped at 250,000 euros or, for an enterprise, 0.5% of global annual revenue.
How would the data protection framework proposal affect businesses that collect and process personal data?
In the commission's view, a harmonized set of regulations and EU-level enforcement will reduce the complexity and cost of complying with data protection requirements. Under the proposal, a number of administrative formalities, including general notification requirements, would be eliminated. A one-stop-shop rule would also be established so that a company would have to deal only with the data protection authority in the country of its main establishment, typically where it is headquartered.
The commission projects that a harmonized set of rules and the elimination of some administrative requirements will save businesses approximately 2.3 billion euros annually. Reducing red tape and not making companies report all data protection activities to authorities will save 130 million euros annually, according to the commission.
Critics contend, however, that the new data protection requirements would be difficult and costly to implement. They also say the rule mandating notification of a security breach within 24 hours would likely force companies to accelerate their security auditing processes and deploy new risk analysis and management tools to meet the deadline.
The "right to be forgotten" provision could require many companies to re-engineer their technologies and business processes, and some critics say it could have a negative effect on the free flow of information online.