Overhaul of European Data Protection Law Announced

February 01, 2012

European Commission proposal for a new General Data Protection Regulation aims to strengthen and harmonise data protection law across Europe.

On 25 January, the European Commission published its proposal for a General Data Protection Regulation. The extensive proposals would significantly increase data protection across Europe.

The key proposals are as follows:

  • Harmonisation: A single set of rules will apply across Europe. It has been suggested that introducing a collective set of rules to replace the current assortment of European data protection legislation will save businesses around €2.3 billion a year.
  • Scope of the Regulation: The new rules will apply to businesses based in Europe as well as to businesses based outside the European Union that process European citizens' personal data for the sale of goods or services, or the monitoring of their behaviour. The new rules will therefore affect a large number of US and other international businesses.
  • Fines: The penalties for noncompliance will be significant, with businesses facing proposed fines of up to €1 million or up to 2% of their annual worldwide turnover (depending on whether the organisation is an 'enterprise').
  • Explicit consent: The new definition of 'consent' under the proposed Regulation includes a requirement that consent must be explicitly obtained. Businesses will not, therefore, be able to assume an individual's consent.
  • Right of portability: Accessibility to data will be improved, and individuals will have the right to freely transfer data from one electronic processing system to another.
  • Notification requirements: Organisations will be required to notify their supervisory authority of a security breach without undue delay, which means within 24 hours if that is feasible. If the notification is not made with 24 hours, it will need to be accompanied by a reasoned justification.
  • Right to be forgotten: Individuals will have the right, at their request, to be forgotten by a specific organisation and their data deleted from its files unless there is a legitimate ground for keeping it.
  • Data protection officers: Organisations that employ more than 250 people will be required to have a designated data protection officer. The data protection officer will have specific duties in relation to advising and monitoring the organisation and ensuring compliance.

Speaking at a press conference, the Vice President of the European Commission, Viviane Reding, explained that the changes would increase individuals' trust and confidence in how their data is being processed. However, preparing for the changes and ensuring compliance is likely to place a large administrative and financial burden on businesses with a European presence, and the penalties for noncompliance will be significant.

The next step for the implementation of the changes is for the proposed General Data Protection Regulation to be considered by the European Parliament and the Council of the European Union, during which time it is expected that there will be a widespread debate on the proposals, and that the proposed Regulation will be subject to amendment. Once the final Regulation is approved, it is likely that it will not come into force for a further two years.

If you have any questions or would like more information on the topic discussed in this LawFlash, please contact any of the following Morgan Lewis attorneys:

Matthew Howse
Celia Kendrick

Walter Ahrens