European Justice Commissioner, Viviane Reding, has unveiled the new European data privacy framework that includes a new regulation and a new directive.
“This is a strong, consistent, future-proof framework for the next decade,” she said at a news conference in Brussels.
The framework, which applies to all 27 European member states, is a critical piece of legislation for growth and strength that is fit for the digital age and will encourage the development of new services, said Reding.
The new privacy framework, she said, is designed to eliminate all the uncertainty created by a patchwork of data protection laws and data breach notifications faced by businesses and assure the 72% of European citizens who are concerned about the privacy of their data.
The new regulation will enhance opportunities to do business and ensure citizens’ data is protected, while the new directive will ensure the smooth exchange of information between different law enforcement authorities while protecting individuals’ privacy, she said.
Data privacy regulation directly dictates legal requirements to EC countries, rather than leaving room for individual member states interpreting legislation in line with a directive.
The new privacy framework provides a single set of European rules on data protection that are valid across all member states and establishes each national data protection authority as a one-stop-shop for businesses and citizens in each member state, said Reding. “This will reduce the administrative burden on companies and save an estimated €2.3bn a year."
Reding confirmed that companies will be required to appoint data protection officers, but smaller companies (SMEs) with up to 250 employees will be exempt from this requirement and many of the requirements they are burdened with under existing rules.
Another key objective of the reform is to introduce clear rules for data transfer across borders within multinational corporations with a streamlined process that once approved by one data authority, will be accepted by all others.
Reding confirmed that organisations will have to notify citizens in plain language what information is collected and how it is used as well as explicitly get consent before using any personal information.
Users of online services must also have the right to be forgotten, which means they must be able to remove or delete personal information from an online service.
Reding said the new framework is aimed at ending the increasing number of data breach scandals by requiring organisations to notify the national data protection authority and all individuals affected by a data breach within 24 hours.
“The Commission’s wish to shift the focus is brave and welcome - away from paper-based, bureaucratic requirements and towards compliance in practice, genuine harmonization and individual empowerment,” said former UK Information Commissioner Richard Thomas, now global strategy advisor, Centre for Information Policy Leadership at legal firm, Hunton & Williams.
But there are real risks that new bureaucratic burdens will be created and that some proposals will be very difficult to implement in practice, he said. “The detail will require close scrutiny and more innovative solutions may be needed on some aspects.”
Jane Finlayson-Brown, partner in Allen & Overy's data protection team said the European Commission has clearly reacted to many of the concerns raised over the draft leaked a few weeks ago.
But the latest draft still includes a number of draconian requirements for businesses that will be difficult to implement for many and which are at odds with pledges to cut red tape and reduce costs to businesses, she said.
In an attempt to introduce more flexibility the EC has blurred some of the original tough, but clear requirements. “This is bad for everyone and will create uncertainty. We would expect, and hope for, more changes as these proposals continue to be debated,” she said.
Businesses operating in more than one EU country will, however, welcome the fact that they will be subject to oversight from one supervisory authority rather than multiple authorities, said Finlayson-Brown.
The Commission's proposals will now be passed on to the European Parliament and EU Member States meeting in the Council of Ministers for discussion. They will take effect two years after they have been adopted.
Key changes in the reform include:
•A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
•Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
•For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
•Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
•People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
•A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
•EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
•Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
•A new directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.