Last reviewed 16 April 2012
by Eric Davies
Proposals for a new EU data protection regime aim to strengthen online privacy rights and boost the digital economy. The new package will introduce a General Data Protection Regulation and a directive on the protection of personal data processed in connection with criminal offences and related judicial activities.
Commenting on the proposals, EU Justice Commissioner Viviane Reding said they will “help build trust in online services because people will be better informed about their rights and in more control of their information”, adding that a single EU-wide framework “will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation”.
The new legislation will be enforced by national supervisory authorities which, for the most serious offences, will be able to impose maximum penalties of €1 million or 2% of a company’s global annual turnover (minimum fines will be set at €250,000 or 0.5% of turnover).
The term “personal data” covers any information relating to an individual, including name, photo, e-mail address, bank details, medical information, and computer IP address. The EU Charter of Fundamental Rights gives all EU citizens the right to personal data protection in all aspects of life.
Current legislation is set out in Directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data” and in Council Framework Decision 2008/977/JHA “on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters”.
However, not only does the existing legislation fail to reflect recent technological developments and increasing globalisation, but the 1995 Directive has been implemented differently across the 27 EU Member States, resulting in uncertainty for businesses and consumers.
Under the proposals, a new General Data Protection Regulation will replace the 1995 Directive, and a new directive will replace the 2008 Decision. The new regime will establish a stronger, simpler and clearer data protection framework, which should encourage companies to maximise the potential of the Digital Single Market.
Businesses should find it easier to trade and do business in the EU thanks to greater legal certainty over data protection laws, and should also benefit from increased consumer confidence in online shopping and services.
Rather than having to notify up to 27 different national authorities of all data protection activities, as at present, businesses will only have to deal with a single national data protection authority in the Member State where they are based.
However, the regulation demands increased responsibility and accountability on the part of those processing personal data, including a requirement for companies to notify the national supervisory authority of serious data breaches as soon as possible.
In addition, wherever consent is required for data to be processed, it must be given explicitly rather than assumed, and where companies offer their services to EU citizens, the EU legislation will apply even when personal data is handled abroad. A so-called “right to be forgotten” will enable people to delete their data if there is no legitimate reason for a company to keep it.
The proposals must be approved by the European Parliament and Council. Both the directive and the regulation will apply two years after they enter into force.
Background to the proposals is given in the Communication Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century (COM(2012) 9). The draft regulation and directive were issued as COM(2012)11 and COM(2012)10 respectively. All three documents are available via the Commission’s data protection pages.